1. Definitions
- "Controller" means the Customer (you), the entity that determines the purposes and means of processing personal data.
- "Processor" means Xplorr, acting on the Controller's documented instructions.
- "Personal Data" has the meaning given in GDPR Article 4.
- "Sub-processors" means third parties engaged by Xplorr to process data on behalf of the Controller.
2. Scope of Processing
- Purpose: To provide cloud cost management services as described in the service agreement.
- Data types processed: User email, name, and role; cloud billing metadata (costs, resource IDs, tags). No PII from cloud workloads is collected.
- Duration: For the term of the service agreement between Controller and Processor.
3. Data Processing Principles
Xplorr, as Processor, shall:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorised to process personal data have committed to confidentiality
- Implement appropriate technical and organisational security measures
- Assist the Controller with data subject requests (access, deletion, portability)
- Delete or return all personal data at the end of the service, at the Controller's choice
4. Security Measures
Xplorr implements the following technical and organisational controls:
| Control | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM for all credentials and sensitive data |
| Encryption in transit | TLS 1.2+ for all connections |
| Access control | RBAC with 4 roles, per-account scoping |
| Authentication | SSO/SAML, WebAuthn, TOTP 2FA |
| Audit logging | Full audit trail, 14-day retention |
| Data isolation | Multi-tenant with org_id scoping on all queries |
| Infrastructure | Kubernetes with network policies, non-root containers |
| Backups | Daily automated database backups |
5. Sub-processors
Xplorr uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| AWS / Azure / GCP | Cloud cost data retrieval (read-only) | Customer-selected regions |
| Resend | Transactional email delivery | US |
| OpenAI | AI-powered cost analysis and recommendations | US |
| Sentry | Error monitoring (no PII) | US |
| Cloudflare | DNS, CDN, DDoS protection | Global |
- Xplorr will provide 30 days notice before adding new sub-processors
- The Controller may object to a new sub-processor within 14 days of notification
6. Data Transfers
Data is processed primarily in the region where the Controller's infrastructure runs. International transfers comply with GDPR Chapter V, using Standard Contractual Clauses (SCCs) where applicable.
7. Data Breach Notification
In the event of a personal data breach, Xplorr will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- The nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
8. Contact
To enquire about data protection or execute this DPA:
Data Protection: [email protected]
Execute this DPA: [email protected]