
This Data Processing Agreement ("DPA") forms part of the agreement between Adam Harman, sole trader trading as "Sortfully" ("Sortfully", "Processor", "we") and the customer organisation that has subscribed to a Sortfully Business plan ("Customer", "Controller", "you") (the "Agreement"). It applies where Sortfully processes Personal Data on the Customer's behalf and governs that processing under Article 28 of the UK GDPR and the EU GDPR.

If there is a conflict between this DPA and the Agreement on the subject of data protection, this DPA prevails.


1. Definitions

Terms not defined here have the meaning given in the UK GDPR (the retained EU General Data Protection Regulation as it forms part of UK law) and the EU GDPR (Regulation (EU) 2016/679) (together, "Data Protection Law"). "Controller", "Processor", "Personal Data", "Processing", "Data Subject", and "Personal Data Breach" have the meanings given in Data Protection Law. "Sub-processor" means any third party engaged by Sortfully to process Personal Data on the Customer's behalf.


2. Roles of the parties

For the mailbox metadata processed through the Sortfully service on the Customer's instructions (described in Annex I), the Customer is the Controller and Sortfully is the Processor.

For Personal Data that Sortfully determines the purposes of — Customer account administration, billing, and security — Sortfully acts as an independent Controller, and that processing is governed by the Sortfully Privacy Policy rather than this DPA.


3. Scope and instructions

3.1 Sortfully will process Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Sortfully will inform the Customer of that requirement before processing, unless the law prohibits it).

3.2 The Customer's complete and final instructions are: (a) this DPA; (b) the Agreement; and (c) the configuration choices the Customer's administrators make in the service (for example: connecting mailboxes, setting the organisation's retention window, and enabling or disabling enhanced audit).

3.3 Sortfully will inform the Customer if, in its opinion, an instruction infringes Data Protection Law.

3.4 By design, Sortfully cannot process the content of the Customer's email. The service reads only routing metadata; message bodies and attachments are technically unreadable to Sortfully, as are subject lines unless the Customer has enhanced audit enabled (it is on by default, and the Customer can disable it — including before a mailbox is connected) — enforced in code and by an automated build gate, not merely by contract.


4. Confidentiality

Sortfully ensures that persons authorised to process the Personal Data are bound by an appropriate duty of confidentiality and process the data only as necessary to provide the service.


5. Security

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, Sortfully implements the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk (Article 32).

5.2 The cornerstone measure is data minimisation by architecture: Sortfully accesses only mailbox routing metadata and is technically incapable of reading message content.


6. Sub-processors

6.1 The Customer provides general authorisation for Sortfully to engage the Sub-processors listed in Annex III to process Personal Data, under written terms imposing data-protection obligations equivalent to those in this DPA. Sortfully remains liable to the Customer for its Sub-processors' performance.

6.2 Sortfully will give the Customer prior notice of any intended addition or replacement of a Sub-processor, giving the Customer a reasonable opportunity to object on reasonable data-protection grounds. If the Customer objects and the parties cannot resolve the matter, the Customer may terminate the affected service.

Note: The Customer's own Microsoft 365 tenant is the source of the mailbox data; Microsoft is the Customer's own provider, not a Sortfully Sub-processor. Billing (Paddle) concerns Sortfully-as-Controller data and is outside this DPA.


7. Data Subject rights

Taking into account the nature of the processing, Sortfully will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). The service provides self-service tools — including CSV export of the filing log and account deletion — that the Customer's administrators and users can use directly. Where a request reaches Sortfully directly, Sortfully will promptly forward it to the Customer and will not respond itself unless legally required.


8. Assistance to the Controller

Taking into account the nature of processing and the information available to it, Sortfully will assist the Customer with: (a) security of processing (Article 32); (b) Personal Data Breach notification and communication (Articles 33–34); and (c) data protection impact assessments and prior consultation (Articles 35–36).


9. Personal Data Breach

Sortfully will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data, and will provide the information the Customer reasonably needs to meet its own notification obligations, as it becomes available.


10. Deletion and return

10.1 On termination or expiry of the service, Sortfully will, at the Customer's choice, delete or return the Customer's Personal Data, and delete existing copies, unless retention is required by law.

10.2 In practice, on cancellation the Customer's data is disconnected and scheduled for deletion after a 30-day grace period (during which the Customer can recover it by re-subscribing), after which it is permanently and irreversibly purged by an automated process; the Customer may also request immediate deletion.

10.3 Sortfully will, on the Customer's written request, certify deletion.


11. Audits

11.1 Sortfully will make available to the Customer the information necessary to demonstrate compliance with Article 28 and this DPA, including a description of its technical and organisational measures (Annex II) and, where available, third-party certifications or reports.

11.2 Where that information is insufficient, Sortfully will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, on reasonable prior notice (at least 30 days), no more than once per year (save where required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and in a manner that does not compromise other customers' data or security.


12. International transfers

12.1 Sortfully hosts the Customer's Personal Data in the European Union.

12.2 Where any processing of the Customer's Personal Data involves a transfer outside the UK or EEA, it is carried out under an appropriate transfer mechanism — the EU Standard Contractual Clauses and/or the UK International Data Transfer Addendum — which are incorporated into this DPA by reference and completed with the parties' details and the information in the Annexes.


13. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.


14. Term

This DPA takes effect when the Customer accepts the Agreement (or on the date of signature below) and continues for as long as Sortfully processes the Customer's Personal Data.


Signed for the Customer (Controller):
Name: ________________
Title: ________________
Date: __________

Signed for Sortfully (Processor):
Name: Adam Harman (sole trader t/a Sortfully)
Date: __________
Contact: dpo@sortfully.app


Annex I — Details of the processing

Subject matter: Automated organisation (filing) of the Customer's users' Outlook / Microsoft 365 mailboxes into folders or category labels, grouped by sender domain.

Duration: For the term of the Customer's subscription, plus the deletion grace period (§10).

Nature & purpose: Reading mailbox routing metadata via Microsoft Graph and moving/labelling messages and writing a filing audit log, to provide the filing service the Customer subscribes to.

Categories of Data Subjects: (a) the Customer's users whose mailboxes are connected (mailbox owners / delegates); (b) where the Customer uses Microsoft 365 group sync, the members of the synced Entra group; (c) incidentally, the senders of email received by those mailboxes (their email addresses and domains appear in routing metadata).

Types of Personal Data: Routing metadata only: message identifiers, sender address and domain, containing folder, received date/time, Outlook categories, read/unread status. Account identifiers of the Customer's users (email, name, Microsoft object ID/UPN). Where group sync is used: Entra directory / group-membership data — group ID(s) and name, member object IDs, user principal name / display name, and group membership — read via an app-only directory-only Graph registration (Directory.Read.All / GroupMember.Read.All) that cannot access mailbox contents. Where enhanced audit is enabled (on by default; the Customer can disable it, including before connecting a mailbox): the message subject line and sender address are additionally recorded in the filing log. Never processed: message bodies, message previews, and attachments; Sortfully does not take app-only mailbox access — shared mailboxes are filed only through a Customer delegate's own token.

Special category data: None intentionally processed. Sortfully does not read content; any special-category data within message subjects (only where enhanced audit is enabled, which is the default) is processed only as incidental metadata at the Customer's instruction.

Annex II — Technical and organisational measures (Article 32)

  1. Minimisation by architecture (primary control). All mailbox reads pass through a single component hard-coded to an allow-list of metadata fields; message body, preview, and attachments can never be requested, and the subject line only through one reviewed path used solely where enhanced audit is enabled (on by default; the Customer can disable it). An automated build gate (CI) fails the build if any code attempts to read a forbidden content field.
  2. Encryption. Personal Data is encrypted in transit (TLS). Microsoft connection (refresh) tokens are encrypted at rest and never written to logs.
  3. Access control & authentication. Customer access is protected by passwords and optional two-factor authentication, with trusted-device tokens stored only as hashes.
  4. Administrative/operator access. Internal operator access (for support and licensing) is restricted to a separate console protected by mandatory one-time-passcode authentication and an IP allow-list, with all operator actions recorded in a tamper-evident audit log; support diagnostics are sanitised and the affected Customer is notified.
  5. Data segregation & retention. Filing logs are automatically pruned to the retention window the Customer's administrator sets (default 90 days for organisations; minimum 30), limiting data held.
  6. Deletion lifecycle. Cancellation triggers a 30-day recovery grace followed by irreversible, cascading deletion of all Customer data.
  7. Resilience & integrity. Per-mailbox rate limiting and job isolation; reversible filing (undo) so actions can be corrected.