Data Processing Addendum
Last updated: 2026-05-31
This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the CloudAgencyOps Terms of Service. It applies where CloudAgencyOps processes personal data on behalf of an Agency. Capitalized terms not defined here have the meaning given in the Terms. If there is a conflict between the Terms and this DPA regarding the processing of personal data, this DPA controls.
1. Roles and scope
For the data described in Annex I, the Agency acts as controller (or as processor for its own client) and CloudAgencyOps acts as processor (or subprocessor). CloudAgencyOps processes Customer Personal Data only to provide and support the Service and on the Agency's documented instructions. The Agency is responsible for the lawful basis for its processing and for notices owed to data subjects.
2. Processor commitments (Article 28(3))
CloudAgencyOps will:
- Process Customer Personal Data only on the Agency's documented instructions, including for transfers, unless required by law (with notice where lawful).
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational measures under GDPR Article 32 (see Annex II).
- Engage subprocessors only under Article 28(2) and (4): general authorization with 30-day advance notice and a right to object (see the Subprocessors page).
- Assist the Agency, by appropriate measures, to respond to data-subject rights requests.
- Assist the Agency with security, breach notification, data-protection impact assessments, and prior consultation (Articles 32 to 36).
- Delete or return Customer Personal Data at the Agency's choice at the end of the services, subject to legal retention (see Annex I retention).
- Make available information necessary to demonstrate compliance and allow for and contribute to audits.
3. Subprocessors
The Agency provides general authorization for the subprocessors listed on the Subprocessors page. CloudAgencyOps will give at least 30 days' advance notice of any new or replacement subprocessor that processes Customer Personal Data (shorter where urgent security, availability, or legal reasons require) and the Agency may object on reasonable data-protection grounds.
4. International transfers
Before processing EEA, UK, or Swiss personal data on an Agency's behalf, CloudAgencyOps will incorporate the applicable EU Standard Contractual Clauses module, the UK Addendum/IDTA, and the Swiss adaptation, and complete a transfer impact assessment. Operator access from Pakistan is disclosed as an international transfer.
5. Personal-data breach notification
CloudAgencyOps will notify the Agency without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, with the known facts, the affected data categories, mitigation steps, and a point of contact, and will provide further information as it becomes available.
Annex I: Description of processing
- Subject matter and duration: processing of AWS cost and access metadata to provide the Service, for the term of the subscription plus the retention windows in the Privacy Policy.
- Nature and purpose: read-only aggregation of AWS cost data and CloudTrail access-event metadata, generation of white-label reports, retainer-burn tracking, and access governance.
- Categories of data subjects: the Agency's personnel and its clients' personnel whose identifiers appear in AWS access events.
- Categories of personal data: IAM principal ARNs, principal / role-session names, source IP addresses, event names, and timestamps; plus agency account and billing identifiers.
- Special categories: none intended or requested.
- Retention: cost snapshots and access events 24 months rolling; deletion or return at the Agency's choice on termination, subject to backup cycles and legal holds (see the Privacy Policy).
Annex II: Technical and organizational measures
Summarized on the Security page: TLS 1.2+ in transit, encryption at rest, short-lived AssumeRole credentials with a per-agency ExternalId, least-privilege read-only AWS access, and need-to-know access controls. Customer AWS credentials are never stored at rest.
Annex III: Subprocessor list
See the canonical Subprocessors page.
Contact
DPA questions and signature requests: privacy@cloudagencyops.com.