Terms · Annex 1
Annex 1 to ilion's Terms of Business (GDPR Article 28). One English-language document; it applies to both the English and Danish versions of the Terms.
This Data Processing Agreement ("DPA") forms part of, and is subject to, ilion's Terms of Business. It applies whenever ilion ApS ("Processor") processes personal data on behalf of the Customer ("Controller") in connection with the Deliverables — in particular where ilion exercises delegated administrative access to the Customer's Microsoft environment as a Cloud Solution Provider.
Where the terms of the underlying suppliers' own data-protection terms (notably the Microsoft Products and Services Data Protection Addendum, "DPA") apply to the same processing, those terms govern the processing carried out by the sub-processor; this Annex governs ilion's own processing as Processor.
1.1. The Customer is the Controller; ilion is the Processor. Where the Customer is itself a processor for a third party, ilion acts as sub-processor and this Annex applies correspondingly.
1.2. ilion processes personal data only to deliver the Deliverables and provide the agreed advisory/administration, and only on the Controller's documented instructions (these Terms and the Customer's orders being such instructions).
2.1. Subject matter / nature / purpose: administration of the Customer's Microsoft tenant and licenses, support, and the advisory services ordered.
2.2. Duration: for as long as ilion provides the Deliverables, and until deletion or return of personal data under clause 8.
3.1. Data subjects: the Customer's users, employees, and other persons whose data exist in the Customer's Microsoft environment.
3.2. Personal data: primarily account and administrative data (names, work email addresses, user/tenant identifiers, role and license assignments, sign-in and configuration data). ilion does not require, and the Customer should not provide, special-category data for the administration services.
ilion shall:
4.1. process personal data only on the Controller's documented instructions, including as regards transfers to third countries, unless required by EU/Member-State law (in which case ilion informs the Controller first, unless prohibited);
4.2. ensure persons authorised to process the data are bound by confidentiality;
4.3. implement appropriate technical and organisational security measures (Article 32) — see clause 7;
4.4. assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to data-subject requests and to ensure security, breach notification and data-protection impact assessments (Articles 32–36);
4.5. notify the Controller without undue delay after becoming aware of a personal-data breach, with the information the Controller needs to meet its own notification duties;
4.6. make available the information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, by the Controller or an auditor it mandates (subject to reasonable notice, confidentiality and not compromising other customers' security).
5.1. The Controller gives general authorisation for ilion to engage sub-processors. ilion's principal sub-processor is Microsoft (and ilion's distributors, e.g. Arrow/ALSO, where relevant to provisioning).
5.2. ilion imposes on each sub-processor data-protection obligations equivalent to this Annex, and remains liable for the sub-processor's performance.
5.3. ilion informs the Controller of intended additions or replacements of sub-processors with reasonable notice, giving the Controller the opportunity to object on reasonable data-protection grounds.
6.1. Personal data are processed within the EU/EEA where the service allows. Where the Customer selects, or a Microsoft service entails, processing outside the EU/EEA, transfers are made on a valid transfer basis (EU Standard Contractual Clauses or an adequacy decision), as provided under Microsoft's DPA and the Customer's tenant configuration.
7.1. Taking into account the state of the art and the risk, ilion maintains measures including: access control and least-privilege administration; multi-factor authentication for administrative access; encryption of data in transit and, where applicable, at rest (as provided by the underlying Microsoft services); logging of administrative actions; and confidentiality undertakings for personnel.
7.2. The bulk of technical security for the data resides in the Microsoft platform; ilion relies on and passes through Microsoft's certifications and security commitments for the underlying services.
8.1. On termination of the Deliverables, ilion deletes or returns all personal data processed on the Controller's behalf, at the Controller's choice, and deletes existing copies, unless EU/Member-State law requires storage.
8.2. Data residing in the Customer's own Microsoft tenant remain the Customer's; their retention/deletion follows Microsoft's terms and the Customer's tenant settings.
9.1. Liability under this Annex is subject to the limitations in the Terms (clause 12).
9.2. This Annex is governed by Danish law; disputes are settled as set out in clause 18 of the Terms.
Last updated: 30 June 2026.