Data Processing Agreement

The commitments we make as your processor, summarized. This is the buyer-facing extract; the full, signable DPA — with the standard contractual clauses appended — is available to customers on request.

Last updated 27 June 2026

Download or accept

This summary is published as version 2026-06.1. You can download it for your records and procurement review, and customer admins can record acceptance in-app from Settings → Data Processing Agreement — acceptance stores the version, timestamp, and accepting user.

Key processor commitments

Roles (controller and processor)
The customer is the controller of the personal data in their connected clouds. Permafrost is the processor, acting only on the customer's documented instructions.
Processing scope, purpose, and duration
We process identity and entitlement metadata read from all of the customer's connected Microsoft, AWS, and GCP clouds, for the sole purpose of providing the CIEM analysis the Service performs, for as long as the customer's account is active.
Processing on instructions
We process customer personal data only to provide the Service and on the customer's documented instructions, and we tell the customer if an instruction appears to infringe applicable data-protection law.
Confidentiality
Personnel with access are bound by confidentiality obligations and access is limited to what their role requires.
Security measures
Read-only access to connected clouds, zero standing write access, tenant isolation by customer ID, and encryption in transit. We store no customer-cloud credentials: Microsoft reads run under our multi-tenant app authorized by the customer's read-only consent (or, where opted in, a customer-owned app registration whose secret is encrypted in our vault); AWS reads use role assumption with a per-customer external ID; GCP reads use workload identity federation. No standing write token to any connected cloud exists in our backing store.
Sub-processing
We use only the sub-processors listed in the register, each under a data-processing agreement, and notify customers of changes before a new sub-processor processes their data.
International transfers
Cross-border transfers are made to jurisdictions with an adequate level of protection or under standard contractual clauses imposing equivalent safeguards, as set out in the data-residency statement.
Data-subject assistance
We assist the customer in responding to data-subject requests and in meeting their own security, breach, and impact-assessment obligations.
Audit rights
We make available the information needed to demonstrate compliance, maintain a Record of Processing Activities, and allow for and contribute to audits, including inspections, conducted by the customer or an auditor it mandates.
Deletion and return on termination
On termination, customer-scoped data is deleted within the 30-day frozen deletion window (or immediately on request), save for records the law requires us to retain.

Breach notification

If a personal-data breach affects data we process for you, we will notify the affected customer's account administrator by email without undue delay after we confirm the breach.

The notice will set out:

  • The nature of the breach and the categories of data and records involved, to the extent known.
  • The likely consequences and our assessment of the risk to affected individuals.
  • The measures we have taken or propose to take to contain and remediate it.
  • A named contact for follow-up questions.

This is the same commitment stated on our breach-notification page and in privacy §10, word for word.

Requesting the signable DPA

To request the full Data Processing Agreement for signature, email support@permafrostepm.com.