CloudAgencyOps

Privacy Policy

Last updated: 2026-05-31

1. Who we are

CloudAgencyOps ("CloudAgencyOps," "we," or "us") is a software-as-a-service product operated by Muhammad Hassaan Javed, an individual sole proprietor located in Pakistan, doing business as CloudAgencyOps. Contact: privacy@cloudagencyops.com.

CloudAgencyOps currently operates as a sole proprietorship; a postal address for legal notices is available on request at the contact above.

2. Our role: controller and processor

We handle two distinct categories of data in two distinct roles.

  • As controller for agency account, user, and billing data, website operation, support, and security. For this data we determine the purposes and means of processing, and the legal bases in Section 4 are ours.
  • As processor (or sub-processor) for the AWS cost metadata, AWS access-event metadata, client metadata, runbook inputs, and generated reports we process on behalf of an Agency. For this data we act only on the Agency's documented instructions under our Data Processing Addendum. The Agency (as controller, or as processor for its own client) is responsible for establishing the lawful basis for processing its clients' and users' personal data, and for the notices owed to those individuals.

3. What data we collect

  • Agency account data: agency name, slug, and members' email addresses. Sign-in is passwordless (an emailed magic link), so we do not collect or store passwords.
  • Client metadata you enter: client name, optional logo URL, retainer amounts and dates. This is metadata your agency owns about its own customers.
  • AWS account configuration: the 12-digit account IDs and role ARNs you connect, plus a per-agency ExternalId we generate. We do NOT store long-lived AWS credentials — see Section 4.
  • AWS cost and access metadata (read-only, processed as processor): cost-by-service totals and cost-allocation tag values from Cost Explorer, and CloudTrail-summarized access events, fetched via short-lived AssumeRole credentials. The access-event records we store may include personal data, specifically the IAM principal ARN, the principal/role-session name (best-effort), the source IP address, the event name (action), and the event timestamp. We do not read object-level data, secret values, database contents, or workload payloads. We process this data only to provide, secure, and troubleshoot the Service and as instructed by the Agency under the Data Processing Addendum.
  • Billing data: handled by Polar (Merchant of Record) — we do not store payment card details. Polar provides us with a Customer ID and card last-4 for support.
  • Technical data: IP address, browser user agent, request timestamps, error logs. We do not include client AWS data in our application logs.

4. Why we collect it (purposes and legal bases)

The legal bases below apply to the data for which we act as controller (agency account, user, billing, website, support, and security data).

  • To provide the Service (legal basis: contract performance — GDPR Art. 6(1)(b)) — account administration, billing-status sync, generating client reports, rendering the governance and runbook views.
  • To prevent fraud and abuse (legal basis: legitimate interest — GDPR Art. 6(1)(f)) — rate limiting, security monitoring.
  • To communicate with you (legal basis: contract performance / consent) — transactional emails are always sent; product updates only with consent.

For the AWS cost and access metadata we read from your connected accounts, we act as a processor on your behalf and process it only per your documented instructions under our Data Processing Addendum; the legal basis for that processing is determined by you as controller, not by us.

5. What we do NOT collect or store

CloudAgencyOps is built with a deliberately narrow data surface. We do not collect or store:

  • Long-lived AWS access keys or secrets for any account. We use short-lived AssumeRole credentials issued at sync time and held only in memory for the duration of a single API call sequence.
  • Object data inside AWS accounts: no S3 object contents, no DB snapshots, no secret values from Secrets Manager / SSM, no workload payload.

Note on access metadata. The AWS cost and access-event metadata we do store is operational data about your agency's and your clients' AWS usage. It may include personal data, for example IAM user names, role-session names, and source IP addresses tied to identifiable individuals. We process it only as a processor on your documented instructions under the Data Processing Addendum; we do not access object-level workload contents. We do not treat this metadata as "not personal data."

6. Sub-processors

We maintain a single canonical list of the subprocessors that process Customer Data on our Subprocessors page, including each provider's role, region, and privacy link. That page is the authoritative source; the Terms, this Policy, and the Data Processing Addendum all reference it so the list cannot drift between pages.

We will notify Agencies at least 30 days before adding or replacing a subprocessor that processes Customer Personal Data, except where urgent security, availability, or legal reasons require shorter notice. Agencies may object on reasonable data-protection grounds.

We do not sell Customer Data or disclose it to advertisers. We disclose Customer Data only to the authorized subprocessors listed on our Subprocessors page, to the extent necessary to provide, secure, support, and maintain the Service, or as required by law.

7. Data retention

  • Agency + user data: for the duration of your subscription plus 90 days after cancellation for restore purposes.
  • Cost snapshots + access events: 24 months rolling. Older snapshots are aggregated into monthly summaries and the per-day rows are dropped.
  • Generated client report PDFs: retained for the life of the subscription unless you delete them sooner or instruct us to apply a shorter retention period.
  • Technical logs: 30 days.
  • Billing records: as required by applicable tax and accounting law (typically 7 years).

For Customer Personal Data we process as processor, we delete or return the data at the Agency's choice on termination, subject to backup deletion cycles and legal retention requirements. Agencies can request deletion of individual client accounts, cost snapshots, access-event metadata, and generated reports by contacting privacy@cloudagencyops.com, subject to documented backup retention.

8. Security

HTTPS / TLS 1.2+ for all transport. Encryption at rest for database and storage. Cross-account AWS access uses AssumeRole + per-agency ExternalId to mitigate the confused-deputy class of attack. Access to customer data on our side is restricted on a need-to-know basis. No system is perfectly secure; we cannot guarantee absolute security.

Where we act as a processor, we will notify the affected Agency without undue delay after becoming aware of a personal-data breach affecting Customer Data, with the known facts, affected data categories, and a point of contact. See the Security page for the operational detail and the binding commitment in the Data Processing Addendum.

9. Your GDPR rights

If you are in the EEA, UK, or Switzerland, you have the right to access, correct, delete, restrict processing of, port, or object to processing of your personal data, and to withdraw consent and lodge a complaint with a supervisory authority.

To exercise any of these rights, email privacy@cloudagencyops.com. We respond within 30 days. Where we process personal data as a processor on an Agency's behalf (for example, the CloudTrail access-event data), we will forward any rights request to the relevant Agency (the controller) and assist them in responding, rather than actioning it directly.

10. Your CCPA / California rights

We do not currently believe we meet the statutory thresholds to be a "business" under the CCPA/CPRA. Where we voluntarily provide California-style disclosures, they are provided for transparency and do not concede statutory applicability.

If you are a California resident, you have the right to know, delete, correct, opt out of sale or sharing (we do not sell or share for cross-context behavioral advertising), and non-discrimination. You may use an authorized agent to submit a request; we may verify your identity before acting. Email privacy@cloudagencyops.com. We respond within 45 days.

11. International transfers

CloudAgencyOps primarily hosts and processes data in the United States (Vercel iad1 region, Neon US East). The operator administers and accesses the Service from Pakistan, which has no EU/UK adequacy decision; access from Pakistan is itself a restricted transfer.

  • For transfers of personal data out of the EEA, we rely on the EU Standard Contractual Clauses (Commission Decision 2021/914).
  • For UK transfers, we use the UK Addendum to those Clauses (or the UK International Data Transfer Agreement).
  • For Swiss transfers, we use the Clauses as adapted for Switzerland.
  • Transfers from you (or your clients) to CloudAgencyOps are governed by the data-transfer terms in our Data Processing Addendum.

CloudAgencyOps will execute the applicable transfer mechanisms (the EU Standard Contractual Clauses, the UK Addendum/IDTA, and the Swiss adaptation), between the Agency and CloudAgencyOps and with each subprocessor, and complete a transfer impact assessment, before onboarding agencies in the EEA, UK, or Switzerland. Operator access from Pakistan is disclosed as an international transfer.

12. EU / UK representative

CloudAgencyOps does not yet serve agencies in the EEA or UK. Before onboarding customers in those regions, CloudAgencyOps will appoint and name an EU representative (GDPR Art. 27) and a UK representative (UK GDPR Art. 27) with contact details here.

13. Children

The Service is intended for business use by adults. We do not knowingly collect personal information from anyone under 18.

14. Updates to this Policy

We may update this Policy to reflect changes in our services or legal requirements. Material changes will be notified by email and posted on this page with a revised "Last updated" date.

15. Contact

For privacy questions or to exercise your rights: privacy@cloudagencyops.com. See also the Terms of Service, the Subprocessors page, and the Data Processing Addendum.