Our Data Processing Agreement (DPA)

This personal data processing agreement supplements your agreement to the TinyMDM Privacy Policy. Entered between a data controller (your company) and a data processor (TinyMDM), the data processing agreement contains the elements required under Article 28 of the GDPR. This includes the roles and responsibilities of the parties when processing personal data. In the event of any conflict or inconsistency with the terms of the Privacy Policy, this DPA shall prevail over the terms of the Privacy Policy to the extent of such conflict or inconsistency.


Defined terms used in this agreement shall have the same meaning as defined in our Privacy Policy.

Sub-processing of personal data

  • Sub-processing of data by TinyMDM

The personal data sub-processed by TinyMDM is listed exhaustively in our Privacy Policy, paragraph 3c. The Customer shall, in connection with its use of the Service, provide or cause to be provided all Personal Data for Processing in accordance with the requirements of the Data Protection Act. The Customer hereby represents and warrants that all instructions given by the Customer for the Processing of Personal Data shall be in accordance with the Data Protection Act. The Customer shall be solely responsible for the accuracy, quality and legality of the Personal Data and the means by which the Customer has acquired the Personal Data.

  • Sub-processing of data by third party data processors

The Customer agrees that we may engage data processors to process personal data on its behalf. The Customer acknowledges and agrees that: (a) TinyMDM’s affiliates may be retained as data processors; and (b) TinyMDM and TinyMDM’s affiliates may engage third party data processors in connection with the provision of the Services. TinyMDM or a TinyMDM affiliate will enter into a written agreement with the sub-processor imposing data protection obligations on the sub-processor comparable to those imposed on TinyMDM under this Agreement with respect to the protection of personal data. In the event that the sub-processor fails to meet its data protection obligations under such written agreement with TinyMDM, TinyMDM shall remain liable to the Customer for the performance of the sub-processor’s obligations under this agreement, unless otherwise provided in the TinyMDM agreement.

Data Transfer Mechanisms

You acknowledge and agree that we may access and process personal data globally as necessary to provide the Subscription Service in accordance with the Agreement and to other jurisdictions where Subsequent Processors operate. Wherever personal data is transferred outside its country of origin, and in particular outside the European Economic Area (“EEA”), the United Kingdom or Switzerland, each party will ensure that such transfers are made in accordance with the requirements of data protection laws.

Data Processors

  • List of subprocessors

TinyMDM provides a list of Data Processors for the Services in the annex. TinyMDM will update the list to reflect any additions, replacements or other changes to TinyMDM’s subprocessors.

  • Right to object

As a data controller, you acknowledge that these data processors are essential to provide the Service and that objecting to the use of a data processor may prevent TinyMDM from providing its Services. You may, however, reasonably object to TinyMDM’s use of a new Subsequent Processor on legitimate grounds, subject to the termination and liability provisions of the TinyMDM Agreement.

Transfer of Data outside the EU

TinyMDM will not transfer European Data to a country or recipient that is not recognized as offering an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all necessary steps to ensure that the transfer complies with applicable European data protection laws. Such measures may include (but are not limited to) transferring such data to a recipient that is covered by an appropriate framework or other legally adequate transfer mechanism recognised by the relevant authorities or courts as providing an adequate level of protection for personal data, to a recipient that has obtained an authorisation of binding corporate rules in accordance with applicable European data protection laws, or to a recipient that has executed the appropriate standard contractual clauses in each case, as adopted or approved in accordance with applicable European data protection laws.

According to the Joint Declaration of the European Commission and the United States dated 25 March 2022, a new transatlantic framework for the protection of personal data has been agreed, which promotes transatlantic data flows and addresses the concerns expressed by the European Court of Justice in the Schrems II judgment of July 2020.

The only data transferred outside of Europe are:

  • Active Campaign: first name, last name, administrator function, email, additional email if applicable, telephone number, additional telephone number if applicable, TinyMDM subscription status. Purpose: Customer / Prospect Relationship Management.
  • Stripe: email address, postal address, means of payment, bank references (CB / Sepa Debit), Stripe reference ID, CB / Sepa type. Purpose: Billing of the Service.
  • Freshdesk: first name, last name, email, additional email if applicable, TinyMDM subscription status, information on devices and users concerned by the support ticket. Purpose: free technical support offered to customers and users of the Service.
  • Calendly: first name, last name, email, additional email if applicable, telephone number. Purpose: platform for booking calls or online demonstrations of the Service with the sales team.
  • Google Analytics: IP address. Purpose: to collect anonymised statistical data about how visitors use the site.
  • Google Recaptcha. Purpose: security to fight against robots.

Cooperation with the supervisory authority of the National Commission for Data Protection and Liberties (CNIL)

The controller and the data processor and, where applicable, their representatives shall cooperate with the supervisory authority, at the latter’s request, in the performance of its tasks.

Operations carried out on processing operations

In accordance with Art. 30 of the GDPR, Ars Nova Systems undertakes to keep an up-to-date processing register, listing all operations carried out on personal data and providing an overview of what is done with personal data.

Security measures

We use various security technologies and procedures to help protect your personal data from unauthorized access, use or disclosure. We secure the personal data you provide on computer servers in a controlled and secure environment, protected from unauthorized access, use or disclosure. All personal data is protected by appropriate physical, technical and organizational measures. To learn more about security at TinyMDM, please visit this page.

Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc (“Google”). Google Analytics uses cookies, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.
Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Annex : List of sub-processors

Amazon Web Services, IncHosting and infrastructureEUROPE - Ireland
JustcallCalling functionalityEUROPE - Germany
Google CloudHosting and infrastructure, Android notificationsEUROPE - Germany
Zoho SignElectronic SignatureEUROPE - Norway
Active CampaignCustomer Management SoftwareUnited-States
StripePayment gateway (PCI compliant and Privacy Shield certified)United-States
FreshdeskTechnical support and knowledge baseUnited-States
CalendlyCall management and demo bookingUnited-States
Google AnalyticsWebsite statistics and performanceUnited-States
Google reCAPTCHAForm spam preventionUnited-States

Have more questions regarding our privacy policy? Contact us at any time to discuss further: