1. Definitions
"Agreement" means the applicable Terms of Service, order form, master services agreement, or enterprise agreement between Customer and Cloudryption.
"Customer Data" means all data submitted to or ingested by the Cloudryption platform on behalf of Customer, including cloud resource metadata, identity metadata, and security findings.
"Customer Personal Data" means any Customer Data that constitutes personal data as defined under applicable data protection law, including the GDPR.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
"Processing" has the meaning given in the GDPR and cognate expressions shall be construed accordingly.
"Subprocessor" means any third party engaged by Cloudryption to process Customer Personal Data in connection with the provision of the platform.
2. Roles of the Parties
Customer is the controller (or "business" under CCPA) for Customer Data it submits or authorises Cloudryption to process. Cloudryption is the processor (or "service provider") when processing Customer Data to provide the service.
Cloudryption may act as an independent controller for account administration, billing where applicable, security logs required to protect the service, support, and business communications. Processing under this independent controller capacity is described in the Privacy Policy.
This DPA applies to personal data processed by Cloudryption on behalf of Customer under the Agreement.
3. Documented Instructions
Cloudryption will process Customer Personal Data only on Customer's documented instructions, including the Agreement, order form, product configuration, connector setup, support requests, and written instructions agreed by the parties.
If Cloudryption believes an instruction violates applicable data protection law, it will notify Customer unless prohibited by law from doing so.
Cloudryption will not process Customer Personal Data for its own purposes unless independently authorised by applicable law.
4. Confidentiality and Personnel
Cloudryption will ensure personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations and receive security and privacy training appropriate to their role.
Production access will be limited to personnel with a legitimate business need; access will be logged, reviewed, and revoked promptly when no longer required.
5. Security Measures
Cloudryption will implement and maintain appropriate technical and organisational measures (TOMs) designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Measures include, but are not limited to:
- Access controls and least-privilege authentication (MFA required for privileged access)
- Encryption of data in transit (TLS) and at rest (cloud-native encryption)
- Tenant and run isolation enforced at the application and database layers
- Audit logging for privileged actions, connector events, and data exports
- Secure software development lifecycle including code review, dependency scanning, and SBOM generation
- Vulnerability management and security patching programme
- Incident response capability with documented procedures
- Backup and recovery controls with tested restore procedures
- Subprocessor governance and periodic review
Further detail on security architecture is available in the Encryption & Security Architecture Summary and the Security Page.
Cloudryption will review and update TOMs periodically to account for changes in risk, technology, and regulatory requirements.
6. Subprocessors
Customer grants general authorisation for Cloudryption to use subprocessors necessary to provide the service, subject to Cloudryption maintaining a public Subprocessors page and providing advance notice of material new subprocessors.
Cloudryption will provide at least 30 days' prior notice before authorising a material new subprocessor, unless the change is required sooner for security, availability, legal compliance, or continuity of service, or the applicable agreement specifies a different notice period.
Cloudryption will impose written data protection obligations on subprocessors that are no less protective in substance than this DPA for the services they provide.
Cloudryption remains responsible for subprocessor performance of data protection obligations to the extent required by applicable law.
7. Assistance to Customer
Taking into account the nature of processing and information available to Cloudryption, Cloudryption will provide reasonable assistance to Customer with:
- Data subject access, correction, portability, erasure, and objection requests relating to Customer Personal Data
- Data protection impact assessments (DPIAs) where required by Article 35 GDPR
- Customer's obligations under Articles 32–36 GDPR
- Regulator inquiries or audit requests relating to processing under this DPA
Where Cloudryption receives a request from a data subject regarding Customer Personal Data, Cloudryption will direct the requester to Customer unless legally required to respond directly.
8. Personal Data Breach
Cloudryption will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data. Cloudryption's target notification window is within 48 hours after confirmation, where feasible, unless the applicable agreement specifies a different notification period.
Notification will include, to the extent available:
- A description of the nature of the breach, including affected data categories and approximate numbers of data subjects
- Known or likely consequences of the breach
- Containment measures taken or planned by Cloudryption
- Contact information for the Cloudryption point of contact for coordination
Information may be provided in phases as investigation progresses. Cloudryption will maintain breach documentation sufficient to support accountability and post-incident review and to enable Customer to meet any notification timelines under GDPR Art. 33(1) (72 hours to supervisory authority).
Customer remains responsible for notifying relevant supervisory authorities and data subjects where required by applicable law. Cloudryption's notification does not constitute an admission of fault or liability.
9. Data Return and Deletion
Upon termination or expiry of the Agreement, or upon written request by Customer, Cloudryption will, at Customer's election:
- Return Customer Personal Data in a commonly used machine-readable format; and/or
- Delete Customer Personal Data from active production systems within 30 days, subject to backup expiration windows (typically 30–90 days).
Cloudryption may retain Customer Personal Data for longer where required by applicable law, legal hold, or for legitimate security and abuse-prevention purposes, in which case Cloudryption will inform Customer of the retention basis.
Deletion does not automatically remove records that Cloudryption is permitted or required to retain as an independent controller, such as billing, legal, and security records.
10. International Transfers
Where Customer Personal Data is transferred outside the European Economic Area (EEA) or UK to a country that does not benefit from an adequacy decision, Cloudryption will use an appropriate transfer mechanism, such as the European Commission Standard Contractual Clauses, together with supplementary measures where required.
Details of subprocessor locations and applicable transfer mechanisms are published on the Subprocessors page. Cloudryption will ensure compliance with local data residency requirements where specified in the applicable agreement.
11. Audit and Compliance
Cloudryption will provide Customer with reasonable assistance and information to demonstrate compliance with its obligations under this DPA and applicable data protection law.
Cloudryption will respond to reasonable written security and compliance questionnaires from Customer. Where Customer requires an audit beyond questionnaire review, the parties will agree in writing on scope, timing, and cost allocation, and audits shall be conducted no more than once per year absent a suspected breach.
Cloudryption may satisfy audit obligations by providing current third-party audit reports or certifications (such as SOC 2, ISO 27001, or equivalent) under NDA where available.
12. Term and Termination
This DPA takes effect on the date the Agreement takes effect and terminates upon expiry or termination of the Agreement, subject to obligations that survive termination (including data return/deletion obligations under Section 9 and breach notification obligations that may arise after termination).
Annex A — Details of Processing
Subject matter
Cloudryption processes Customer Personal Data to provide cloud security posture analysis, cloud infrastructure modelling, attack-path computation, exposure prioritisation, remediation recommendations, reporting, support services, and related platform services.
Duration of processing
Processing occurs for the duration of the applicable agreement between Customer and Cloudryption, plus any additional retention period necessary for data deletion, backup expiration, legal compliance, security investigation, or dispute resolution.
Nature of processing
Collection, ingestion, transmission, storage, organisation, normalisation, analysis, enrichment, querying, reporting, retrieval, consultation, support-related access, deletion, and anonymisation.
Purpose of processing
To provide the Cloudryption platform services, including:
- Cloud environment modelling and risk analysis
- Security findings generation and attack-path computation
- Remediation prioritisation and recommendations
- Reporting and decision-support
- Platform support and troubleshooting
- Security monitoring of the platform itself
- Service reliability and improvement
Categories of Customer Personal Data processed
The categories of personal data that may be processed include:
- Cloud identity metadata (user identifiers, emails, or usernames contained in cloud IAM systems)
- Account and user identifiers from cloud environments
- Email addresses or contact information where present in cloud metadata
- Role and group membership information
- Access metadata and resource ownership information
- Audit logs and security metadata
- Support content and communications
- Other personal data that Customer chooses to submit or connect to the platform
Categories of data subjects
The individuals whose personal data may be processed include:
- Customer employees and contractors
- Cloud account administrators and security teams
- Cloud platform users and service account owners
- Support contacts and representatives
- Other individuals whose personal data appears in Customer Data
Customer obligations and rights
Customer is responsible for:
- Ensuring it has a lawful basis and all necessary authorisations to submit, connect, ingest, or authorise Cloudryption to process Customer Data
- Obtaining appropriate consents or providing notice to data subjects as required by applicable data protection law
- Providing accurate, up-to-date contact and instruction information to Cloudryption
- Notifying Cloudryption promptly of any data subject requests or suspected breaches affecting Customer Data
- Exercising its rights as controller, including the right to request data return, deletion, or cessation of processing
13. Contact
For questions about this DPA, data subject requests, or to request a copy of the standard DPA for enterprise review, contact:
Privacy / DPA enquiries: support@cloudryption.com
Security incidents: security@cloudryption.com
Enterprise customers requiring a signed DPA addendum should contact their account representative or reach out via the contact form.