What happens to your data if the worst happens
The questions a careful buyer should ask, answered plainly: what happens to your data if Permafrost is breached, if Permafrost is acquired, and if Permafrost is wound down. The short version: a compromise of Permafrost is not a compromise of your clouds, and you keep the right to leave and to be deleted in every scenario.
Last updated 27 June 2026
The structural limit that bounds every scenario
Before the three scenarios, the fact that bounds all of them: Permafrost stores no standing write credential to any of your connected clouds. Microsoft reads run under read-only consent (or a customer-owned app registration whose secret is encrypted in our vault); AWS reads use short-lived role assumption with a per-customer external ID; GCP reads use workload identity federation. Remediation writes are performed only with a session-only delegated token your administrator authorizes, in memory, for under an hour, then gone.
The consequence is the single most important line on this page: a breach of Permafrost cannot mutate your Microsoft, AWS, or GCP environment, because there is no standing key in our backing store to steal. What an attacker could reach is the entitlement metadata we analyze — which is why we hold it to the bar set out in the breach section — not a write path into your clouds.
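A customer can confirm the AWS part of this from their own account. The following is an added example, not Permafrost's code: it checks a cross-account role's trust policy for an `sts:ExternalId` condition and lists any allowed actions that are not read-only. The policy documents, account ID, external ID, and the list of read-verb prefixes are constructed assumptions.

```python
READ_PREFIXES = ("Get", "List", "Describe")  # assumption: verbs treated as read-only

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(trust):
    """Return findings for Allow statements that let another account assume the role."""
    findings = []
    for stmt in _as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("wildcard principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:  # without this condition, the role has no confused-deputy guard
            findings.append("no sts:ExternalId condition")
    return findings

def audit_permissions(policy):
    """Return allowed actions whose verb is not plainly read-only (NotAction is not handled)."""
    writes = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_PREFIXES):
                writes.append(action)  # also catches "*" and "service:*"
    return writes

# Constructed sample documents; the account ID and external ID are placeholders.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}
PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["iam:List*", "iam:GetRole", "iam:AttachRolePolicy"]}]}

if __name__ == "__main__":
    print(audit_trust_policy(GOOD_TRUST), audit_trust_policy(WEAK_TRUST), audit_permissions(PERMS))
```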
If Permafrost is breached
If we detect a security incident affecting your data, we contain it, investigate scope, and notify you in line with our published commitment — promptly, with the facts you need to meet your own regulator obligations.
- Containment first. We isolate affected systems and revoke credentials on the Permafrost side.
- Notification. We notify you of a personal-data breach in line with the timeframe on our breach-notification page, with the nature of the breach, likely consequences, and the measures taken.
- No tenant write-path exposure. Because we store no standing write token to your clouds, a Permafrost compromise does not give an attacker the ability to change your Azure, AWS, or GCP configuration.
The full commitment, notice contents, and the regulator-versus-customer distinction are on our breach-notification page.
If Permafrost is acquired
If Permafrost or its operating entity (DuneCodeForge Ltd) is acquired, your data does not change hands on different terms without your knowledge.
- Successor obligations. Any successor entity is bound by the data-protection commitments in force when you signed up, including this Trust Center's processing terms, until you agree otherwise.
- Notice. We will notify you of a change of control that affects the processing of your data.
- Your right to leave. You may terminate and have your data deleted rather than continue under new ownership. The deletion path is the same 30-day frozen deletion window described below, and immediate deletion on request remains available.
If Permafrost is wound down
If Permafrost ceases operations, the locked commitment applies: your access ends and all customer-scoped data is deleted within the 30-day frozen deletion window, save for the narrow billing, tax, and deletion-audit records the law requires us to keep. Immediate deletion on request is available at any point.
In an orderly wind-down we commit to giving advance notice and a window to export your data before shutdown, so the end of the service is never the loss of your records.
This ties directly to the locked deletion window stated in Terms §5 and Privacy §5.
