Skip to content

Privacy Policy

Last updated: 2026-06-27

Permafrost EPM ("Permafrost," "we," "us") is a Cloud Infrastructure Entitlement Management (CIEM) product for Microsoft cloud surfaces, with Amazon Web Services and Google Cloud support in preview. This policy explains what data we collect, how we use it, where it goes, and your rights as a data subject. Permafrost is operated by DuneCodeForge Ltd, a company incorporated in the United Arab Emirates, which is the data controller for the personal data described here.

1. Law that applies and your regulator

We process personal data under the United Arab Emirates Personal Data Protection Law — Federal Decree-Law No. 45 of 2021 (the "PDPL") — overseen by the UAE Data Office. Because we offer the Service worldwide, we also comply, for the data subjects and processing they cover, with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA. Where any of these grants you a stronger right than another, we honor the stronger right.

Your supervisory authority depends on where you are. In the United Kingdom it is the Information Commissioner's Office (the "ICO"). In the European Union it is the data protection authority of your country of residence or workplace. In the UAE it is the UAE Data Office. You can contact any of them directly, though we ask that you raise concerns with us first so we can resolve them.

Permafrost's controller, DuneCodeForge Ltd, is established in the UAE, outside the United Kingdom and the European Union. Where Article 27 of the UK GDPR and the EU GDPR requires it, we are appointing a representative in the UK and the EU to act as a point of contact for data subjects and supervisory authorities on matters relating to our processing. Until that appointment is published here, you can reach us directly at support@permafrostepm.com and we will handle your request without delay.

2. Data we collect

When you connect an Azure tenant, Permafrost reads the following from Microsoft Graph and Azure ARM via read-only OAuth scopes you grant:

  • Identities (users, groups, service principals, managed identities)
  • Directory and ARM role assignments
  • Audit logs and sign-in activity (Entra ID)
  • Activity logs (Azure ARM)
  • Permission grants and consent state
  • Inventory metadata for connected Microsoft cloud surfaces (Exchange, SharePoint, Purview, Defender, Power BI, Power Platform, Azure DevOps, Intune, Teams, Viva Engage)

We do not read mailbox content, document content, chat messages, or any user-generated content. The product is read-only and never modifies your tenant.

Support for Amazon Web Services and Google Cloud is in preview. When you connect one of those clouds, Permafrost reads identity and entitlement metadata on the same read-only basis as Microsoft:

  • AWS— IAM users, roles, groups, and policies, and access-related metadata, read by assuming a role you create that trusts Permafrost with a per-customer external ID. We store no AWS access keys.
  • Google Cloud— IAM principals, roles, and policy bindings, read via workload identity federation. We store no GCP service-account keys.

For every connected cloud the model is the same: read-only access and no stored customer-cloud credentials in our backing store. Where a mechanism above is in preview, it is described here so your review reflects what each connection will read when it is enabled for your account.

We additionally store:

  • Your Azure Entra ID profile (name, email, tenant id) for sign-in
  • Sign-in metadata (IP, user agent, timestamp)
  • Billing email and Stripe customer/subscription identifiers when on a paid tier

For a category-by-category breakdown of what we read, the purpose for each, how long we keep it, and the zero-stored-credential read path, see what we read and why in our Trust Center.

3. How we use your data

We use the data only to:

  • Compute CIEM analysis (UPR scores, findings, role recommendations)
  • Display your tenant's state in the dashboard
  • Send transactional email (welcome, finding alerts, billing)
  • Authenticate you and meter your subscription

We do not:

  • Sell, rent, or share your data with third parties for marketing
  • Train AI/ML models on your data
  • Aggregate your data with other customers' data for any product

Our analysis (UPR scores, findings, recommended roles) is decision-support: it informs a human reviewer and never produces an automated decision with legal or similarly significant effect on an individual. You remain in control of every change to your tenant.

4. Legal basis for processing

Under PDPL Art. 4 and GDPR Art. 6, we rely on the following bases:

  • Performance of a contract— reading your tenant, computing analysis, and operating your account so we can deliver the Service you signed up for.
  • Legitimate interests— securing the Service, preventing abuse, and keeping audit records, balanced against your rights.
  • Legal obligation— retaining billing and tax records we are required by law to keep.
  • Consent— for website analytics and any optional alert email, each of which is strictly opt-in and withdrawable at any time without affecting the lawfulness of processing already carried out.

5. Data retention

The full per-category retention schedule — how long we keep each category of data and the deletion trigger for each — lives in our retention schedule. Tier-specific numeric windows for activity logs and findings are published at permafrostepm.com/pricing and are incorporated into this policy by reference. Inventory state (current identities, role assignments) is replaced on each sync. Audit logs (admin actions, sync history) are retained for the lifetime of your account. On account closure, your access is suspended and all customer-scoped data is deleted within 30 days (or sooner if you request immediate deletion — see the Terms of Service).

Two narrow categories survive that deletion. Billing and invoice records are retained to meet our legal and tax obligations, and a minimal audit record of the deletion itself is kept for accountability. Everything else tied to your account is erased.

6. Sub-processors

We rely on a small set of sub-processors — including Vercel (hosting), Neon (database), Stripe (billing), Resend (transactional email), Microsoft (authentication and the Graph / ARM APIs you authorize), and Google Analytics (opt-in, public website only, never run in the signed-in application). The maintained, versioned register — with each processor's purpose, the data categories it processes, its processing region, and its cross-border transfer basis — is the single source of truth and lives at our sub-processor register. That page also states how we notify you before a new sub-processor begins processing your data.

Error monitoring is first-party: application errors are captured in our own infrastructure with secrets and customer PII redacted at the point of capture. We do not send error data to a third-party error-tracking provider.

7. International data transfers and data residency

We are based in the UAE and our sub-processors above are based in the United States, so operating the Service involves transferring personal data across borders. We make those transfers under PDPL Art. 22 and 23 — to jurisdictions with an adequate level of protection, or under a contract imposing PDPL-equivalent safeguards (standard contractual clauses), or with your express consent where required. For data covered by the EU or UK GDPR, transfers rely on the European Commission / UK Standard Contractual Clauses and, where a sub-processor is certified, the EU-US and UK-US Data Privacy Framework. Each sub-processor is bound by a data-processing agreement restricting use of your data to providing its service to us. For an explicit, layer-by-layer statement of where your data is stored and processed and the transfer basis for each hop, see our data-residency and data-flow statement.

For the specific transfer instruments — the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Agreement or Addendum, the Data Privacy Framework where a sub-processor is certified, and the PDPL Art. 22/23 basis for UAE-origin processing — together with the SCC module logic and how to request a transfer-impact assessment, see our international data-transfer mechanism.

8. Cookies and tracking

We use essential cookies (Auth.js session + CSRF, and an operator impersonation cookie used by support staff) and a small set of preference cookies (your theme choice and your analytics choice). On the public website we additionally offer Google Analytics, which is off by default and loads only if you opt in via the cookie banner; declining keeps you browsing with no analytics, and you can withdraw consent at any time. We honor Do-Not-Track and Global Privacy Control signals as a standing decline, and analytics never runs in the signed-in application. We use no advertising or cross-site tracking cookies. The full per-cookie table, including retention windows, lives in our Cookie Policy.

9. Your rights

Subject to the PDPL and, where they apply, the GDPR / UK GDPR and CCPA/CPRA, you may request:

  • Access to the personal data we hold about you
  • Rectification of inaccurate or incomplete data
  • Erasure ("right to be forgotten")
  • Portability of your data in a machine-readable format
  • Restriction of, or objection to, processing
  • Withdrawal of any consent you have given (for example, analytics or alert email), at any time
  • To opt out of the "sale" or "sharing" of personal information (CCPA/CPRA) — note we do not sell or share your data

To exercise any of these rights, use our data rights request form, which documents how to submit, how we verify your identity, and our response SLA — or contact us at the address below. We will respond within the period required by the applicable law — one month under the UK GDPR and the EU GDPR (extendable by up to two further months for complex requests, with notice), and 30 days under the PDPL. We honor the shorter period where more than one applies.

You also have the right to lodge a complaint with your supervisory authority. In the United Kingdom that is the Information Commissioner's Office (the "ICO"), at ico.org.uk. In the European Union it is your local data protection authority. In the UAE it is the UAE Data Office. We ask that you raise the matter with us first so we have the chance to put it right.

10. Security and breach notification

OAuth tokens are encrypted at rest. Database connections use TLS. Data is logically isolated by customer ID at every query boundary. The application is read-only against all of your connected clouds — we cannot modify your Microsoft, AWS, or GCP environment. We store no standing credential to any connected cloud: Microsoft reads run under read-only consent (or a customer-owned app registration whose secret is encrypted in our vault), AWS reads use role assumption with a per-customer external ID, and GCP reads use workload identity federation.

If a personal-data breach affects data we process for you, we will notify the affected customer's account administrator by email without undue delay after we confirm the breach.As the controller for our own corporate data, we also notify the UAE Data Office and affected data subjects of qualifying breaches as required by the PDPL and any other applicable law. Where you are the controller of the affected tenant data, our prompt notice to you is what lets you meet your own regulator obligation — for UK controllers, reporting a qualifying breach to the ICO within 72 hours. The full commitment, the notice contents, and the regulator-versus-customer distinction are set out on our breach-notification page.

11. Children

The Service is a business product not directed to children, and we do not knowingly collect personal data from anyone under 18.

12. Changes to this policy

We will notify you by email and via an in-app banner before any material change takes effect.

13. Contact

Questions or data-subject requests: support@permafrostepm.com.