DMS for Microsoft Teams — Privacy Notice

Last updated: 4th May 2026

This notice explains how Modus Interactive Ltd (“Modus”, “we”) handles personal data in connection with the DMS for Microsoft Teams app and the message-routing relay that supports it. It forms part of, and supplements, the general Modus Privacy Policy.

1. What the app does

DMS is a Microsoft Teams companion to DeployMS, an asset deployment management service operated by Modus for IT teams managing laptops, devices, and workspace logistics. It delivers proactive Teams messages to end users (e.g. “laptop ready for collection”, return reminders, deployment confirmations) and lets them reply in Teams, with replies threading back to the originating deployment record. A central message-routing relay operated by Modus connects each customer’s Microsoft Teams tenant to that customer’s own DeployMS instance, established via a one-time pairing code.

2. Our role — controller and processor

  • For the personal data processed through the app on a customer’s behalf (end users’ Teams messages and the directory data used to deliver them), the customer is the data controller and Modus acts as a data processor. This processing is governed by the data-processing terms in the customer’s DeployMS Service Agreement / Data Processing Agreement (DPA).
  • Where Modus processes personal data for its own business purposes (e.g. account administration, support, billing), Modus is the controller — see the general Modus Privacy Policy.

3. Personal data the app processes

DataPurposeHow it is handled
Directory information — name, email address / user principal name, Azure AD object IDIdentity resolution: matching a Teams user to their DeployMS user record so replies thread correctly and messages reach the right personRetrieved from Microsoft Graph on demand (GET /users/{id}?$select=mail,userPrincipalName), used in memory by the customer’s DeployMS instance. Not persisted by Modus and not stored at the relay. The customer’s DeployMS instance may store it under the customer’s own retention policy.
Presence status — Available / Busy / In a call / AwayShown in the DeployMS admin UI so an administrator can judge whether a message will land at a good timeRead from Microsoft Graph, read-only, cached per user for ~60 seconds. Not persisted.
Message content — the text of Teams messages and repliesDelivering notifications and capturing replies against the deployment recordTransmitted via Microsoft Bot Framework and the Modus relay between the customer’s Teams tenant and their own DeployMS instance. The relay forwards but does not store message content; it is retained only by the customer’s DeployMS instance.
Routing metadata — tenant ID, conversation reference (chat ID), service URL, delivery timestamps, HTTP status codesRouting each message to the correct paired DeployMS instance, and operational logging/diagnosticsProcessed and logged by the relay. Contains no message body and no directory data beyond identifiers.
Bot installation state (this app only)Installing the DMS bot into a recipient’s personal scope so the first proactive message can be deliveredLimited to this app’s own installation; the app cannot install or modify other apps. Used on first send; subsequently cached.

4. The message-routing relay

  • The relay runs at teams.deployms.io and is operated by Modus from United Kingdom infrastructure (OVHCloud).
  • It forwards message content between Microsoft Bot Framework and the customer’s DeployMS instance but retains only routing metadata (see the table above). No message content is stored at the relay.
  • It is stateless with respect to directory data — directory lookups happen on demand at the customer’s DeployMS instance, not at the relay, specifically to avoid holding a standing copy of the tenant’s directory.
  • Traffic between DeployMS and the relay is authenticated in both directions (HMAC-SHA256 with replay protection) and carried over TLS.

5. Microsoft Graph permissions

The app requests the following Microsoft Graph permissions. All directory and catalogue access is read-only; the only write capability is limited to the app’s own installation.

  • User.Read.All (application) — resolve a Teams Azure AD object ID to the corresponding DeployMS user (email / UPN lookup) so replies are attributed correctly. Resolved on demand to keep the relay stateless with respect to directory data.
  • Presence.Read.All (application) — read recipient presence to show availability in the DeployMS admin UI. Read-only; cached ~60 seconds.
  • TeamsAppInstallation.ReadWriteSelfForUser.All (application) — proactively install this app into a recipient’s personal scope so the first message is delivered. The “Self” qualifier restricts it to this app’s own installation.
  • AppCatalog.Read.All (application) — read only this app’s own Teams app-catalogue entry to obtain its teamsAppId immediately before a proactive install.
  • User.Read (delegated) — the standard “sign in and read your own profile” scope; covers only the signed-in user.

No Mail.*Files.*, or Calendar.* permissions are requested. Administrators can revoke these permissions at any time via the Microsoft 365 admin centre; doing so will prevent the app from functioning.

6. Sub-processors

In addition to the sub-processors listed in the general Modus Privacy Policy, the following are engaged for the DMS for Microsoft Teams app:

  • OVHCloud — hosting of the message-routing relay, in the United Kingdom.
  • Microsoft — Microsoft Teams, the Microsoft Bot Framework, and Microsoft Graph, which are the platform the app integrates with. Message content transits Microsoft Bot Framework between the customer’s tenant and their DeployMS instance.

7. Data retention

  • Message content: not retained by Modus; held only by the customer’s DeployMS instance under the customer’s own retention policy.
  • Directory data and presence: not retained by Modus (used in memory, then discarded).
  • Relay routing-metadata logs: retained for 14 days for routing, diagnostics, and abuse prevention. The relay writes daily log files and automatically rotates them, deleting the oldest after 14 days.

8. International transfers

The relay is hosted in the United Kingdom. Microsoft processes Teams/Graph data under the customer’s own Microsoft 365 agreement and Microsoft’s data-protection terms. Any transfer of personal data outside the UK or EEA is made only on a legally appropriate basis as described in the general Modus Privacy Policy.

9. Security

Modus applies technical and organisational measures appropriate to the risk, including mutual HMAC-SHA256 authentication between DeployMS and the relay (with timestamp-based replay protection), TLS for data in transit, and the minimisation described above (no message content or directory data stored at the relay).

10. Your rights and contact

Data subjects may exercise their rights under UK data protection law (including access, rectification, and erasure). Because Modus typically acts as processor for app data, end users of a customer’s DeployMS deployment should direct data-subject requests to that customer (the controller) in the first instance; Modus will assist the controller as required under the DPA.

For app-related data-protection queries, contact the Data Protection Officer at dataprotection@modus-interactive.co.uk, or write to Modus Interactive Ltd, PO Box 7418, Christchurch, BH23 9GX. Suspected security incidents: security@modus-interactive.co.uk.

© 2026 modus interactive. registered in the UK, reg no. 03976377