Privacy Policy

1. Introduction

Synchplus Consulting (Pty) Ltd ("Synchplus", "the Company", "we", "us"), a company registered in the Republic of South Africa, is committed to protecting the personal information of our users and their managed tenants. This Privacy Policy explains how we collect, use, store, and protect personal information processed through the VaultFuzion platform. VaultFuzion is a product of Kapardyn, a wholly-owned division of Synchplus Consulting. Customers in specific jurisdictions may be covered by additional data-protection terms set out in their signed Master Services Agreement (for example, a Data Processing Addendum for EU/EEA customers).

2. Information We Collect

Account Information:

• Name, email address, organisation name, and role
• Authentication credentials (securely hashed with an industry-standard algorithm)
• Multi-factor authentication enrollment data (encrypted at rest)

Microsoft 365 Data (backed up on your behalf):

• Exchange mailbox content (emails, calendar, contacts)
• OneDrive files and folders
• SharePoint site content
• Teams channel messages and files
• Entra ID configuration snapshots

Endpoint Data (Kapsul8 EndpointBackup customers only — backed up on your behalf):

• Files and folders selected by your backup policy from Windows desktops, laptops, and servers
• Windows system state (registry hives, boot configuration, Active Directory database where applicable, IIS configuration where applicable)
• Endpoint metadata: hostname, OS version, hardware fingerprint, BitLocker status, agent version, last-seen timestamp, network type
• Backup job results, including success/failure status, file counts, byte counts, error messages
• Endpoint-side anomaly signals (file-modification rates, entropy patterns, extension patterns) used for ransomware detection alerting

All Endpoint Data is encrypted on the source machine before transmission. We never see plaintext file content. The Windows agent is code-signed with an Extended Validation certificate; we do not collect keystroke data, screen captures, browser history, microphone or camera content, or any data unrelated to backup operations. We do not deploy persistent surveillance tooling under any tier.

Platform Usage Data:

• Audit trail events (login, backup, restore, configuration changes)
• Threat detection verdicts and security scan results
• API access logs and session metadata

3. Purpose of Processing

We process personal information for the following purposes:

• Providing Microsoft 365 backup, restore, and protection services
• Entra ID configuration monitoring and drift detection
• Email authentication analysis (DMARC, SPF, DKIM)
• eDiscovery, legal holds, and compliance reporting
• Threat detection and phishing protection
• Account management, billing, and customer support
• Platform security, fraud prevention, and abuse detection
• Tamper-evident audit logging for legal and compliance purposes

4. Data Retention

Backup data is retained according to your configured retention policy, supporting configurable retention periods of up to 7 years. Retention policies are configurable per tenant with daily, weekly, and maximum-age parameters.

Audit trail records are retained for the full subscription period plus 2 years, forming a tamper-evident hash chain from which any modification or deletion is cryptographically detectable.

Upon account termination, data is made available for export for 30 days, after which it is securely deleted with SHA-256 destruction certificates issued as proof of deletion.

5. Data Security

• AES-256-GCM encryption for all data at rest
• TLS 1.3 for all data in transit
• Per-tenant HKDF-derived encryption keys for cryptographic isolation
• Industry-standard password hashing with no plaintext storage
• Encrypted MFA secrets using platform master key
• MSP data isolation enforced at every API endpoint
• SHA-256 hash-chain audit trail for tamper detection

6. Rights of Data Subjects

Subject to the data-protection framework that applies to you (which may be set out in your signed Master Services Agreement or Data Processing Addendum), you may generally request to:

• Access the personal information we hold about you
• Have inaccurate personal information corrected
• Have your personal information deleted, subject to legal hold and retention obligations
• Object to or restrict specific processing activities
• Port your data in a structured, machine-readable format

To exercise any of these rights, contact us at the email address in the Contact section below. We respond to verifiable requests within thirty (30) days.

7. Third-Party Sharing

We do not sell or share personal information with third parties for marketing purposes. We may share data with: Microsoft (to facilitate M365 API access), a South African-based cloud infrastructure operator that provides the data-centre hosting and compute on which the Service runs (acting as an operator/sub-processor under POPIA, with data held in South Africa), payment processors for billing (varies by region — specified in your Master Services Agreement), and law enforcement agencies when compelled by valid legal process in the jurisdiction governing your account.

8. Cross-Border Data Transfers

Backup data is stored in the region specified in your signed subscription agreement. Where cross-border transfer is necessary (e.g., Microsoft Graph API calls), we rely on the standard contractual mechanisms applicable to the customer's jurisdiction and maintain appropriate security measures regardless of storage location.

9. Privacy Contact

Our privacy team can be contacted at:

10. Complaints

If you are not satisfied with our response to a privacy concern, you may escalate via the dispute-resolution process set out in your signed Master Services Agreement, or contact the supervisory authority applicable in your jurisdiction.