This Data Processing Addendum (the “DPA”) describes the data protection terms that apply when LabsNinja processes personal data on behalf of a customer in connection with the LabsNinja SCIM Connector service (the “Service”). The DPA is provided for transparency and is designed with GDPR principles in mind; data processing terms will be made available in a signed form following legal review before general availability.
1. Controller and processor roles
- SCIM-provisioned user and group data. The customer is the controller. LabsNinja is the processor.
- Account, billing, support, security, and website data. LabsNinja is the controller for the personal data it collects in operating the business of the Service (for example, the email address of the account owner, audit metadata, and contact-form submissions).
2. Subject matter
Provision of the LabsNinja SCIM Connector service, including SCIM 2.0 endpoints, customer portal, operator console, audit logging, and supporting infrastructure.
3. Duration
The DPA applies for the duration of the customer’s use of the Service and any additional period required by law or by the deletion/return obligations in section 11.
4. Nature and purpose of processing
Storing, indexing, retrieving, updating, deleting, transmitting, and protecting the personal data that the customer provisions through its identity provider, solely for the purpose of operating the Service for the customer and meeting LabsNinja’s related obligations (security monitoring, audit, troubleshooting, abuse prevention).
5. Categories of data subjects
- The customer’s employees, contractors, and other individuals whose identities are provisioned through the customer’s identity provider.
- The customer’s administrators who interact with the Service portal or operator console.
6. Categories of personal data
- Identifiers (user IDs, externalId, usernames).
- Names and email addresses.
- Group memberships and role/scope attributes.
- Authentication metadata such as session timestamps and bearer token identifiers (token values themselves are hashed and not retrievable).
- Audit metadata (request IDs, timestamps, IP addresses, user agents, action outcomes).
7. Subprocessors
LabsNinja engages a limited set of subprocessors to deliver the Service. The current list is published on the Subprocessors page and will be kept up to date. Where required, LabsNinja will give the customer reasonable notice of new subprocessors and an opportunity to object.
8. Security measures
LabsNinja implements appropriate technical and organisational measures designed to protect personal data, including:
- TLS in transit on external traffic (enforced at the reverse proxy).
- Bcrypt hashing of SCIM bearer tokens before storage; plaintext credentials are never persisted.
- Tenant-scoped queries enforcing row-level isolation between customers.
- Separation of operator and customer authentication stacks.
- Structured audit logging of privileged actions.
- Fail-fast startup validation of security-critical configuration.
See our Security page for the current detailed control set.
9. International transfers
Where SCIM-provisioned data is transferred outside the jurisdiction in which it was collected, LabsNinja will use appropriate safeguards as required by applicable law (such as Standard Contractual Clauses). The specific mechanism will be finalised through legal review.
10. Assistance with data subject requests
LabsNinja will provide reasonable assistance to enable the customer to respond to requests from data subjects exercising their rights under applicable law. Most data subject requests will be fulfilled by the customer directly through the Service’s management interfaces and identity provider.
11. Deletion or return after termination
On termination of the customer’s use of the Service, the customer may export Customer Data via the portal or by reasonable arrangement with LabsNinja. After a transition period not to exceed the period specified in the finalised agreement, LabsNinja will delete or anonymise Customer Data, subject to retention required by law or by audit obligations.
12. Personal data breach notification
LabsNinja will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Data, with the information required to enable the customer to meet its own notification obligations under applicable law.
13. Audit and information rights
On reasonable request and subject to confidentiality protections, LabsNinja will make available information necessary to demonstrate compliance with the obligations in this DPA. Onsite audits and certifications will be addressed in a signed enterprise agreement; LabsNinja does not currently hold SOC 2 or ISO 27001 certification.
14. Contact
DPA questions, subprocessor objections, or data subject requests: privacy@labsninja.com. Security incidents: security@labsninja.com.