Data residency & data flow

Permafrost is operated by DuneCodeForge Ltd, incorporated in the United Arab Emirates, which is the data controller. The Service runs on managed infrastructure; the table below states each layer, its location, and the legal basis that covers any cross-border transfer.

Region values marked “confirm” are pending verification against the live deployment and will be stated exactly once confirmed. We do not name a region we have not verified.

Reading and analyzing a connected tenant follows one path, end to end:

1. You grant read-only consent. By default Permafrost reads from your Microsoft tenant under its own multi-tenant application, authorized by that consent — no per-tenant secret is held. (Pro and above can opt into a dedicated app registration you own, whose secret is held encrypted in our secrets vault.)
2. Data is processed in the compute region to compute CIEM analysis (UPR scores, findings, recommended roles).
3. Results and the supporting inventory state are stored in the database region, logically isolated by customer ID at every query boundary.
4. Nothing is sent to advertising networks or used to train models, and no customer's data is aggregated with another's.

That last point is consistent with our security posture: analysis is decision-support for a human reviewer, never an input to a shared model or a cross-customer dataset.

A dedicated EU or UK data-residency option (data at rest and compute kept in-region) is on our roadmap. We have not committed a date yet. If your procurement requires in-region residency, contact us so we can discuss your requirement and where it sits against the roadmap.