Data Processing Addendum

For personal data contained in the Azure cost data and workspace content you connect, the customer acts as the Controller and Cloud Halo acts as the Processor. Cloud Halo processes such personal data only on the customer's documented instructions, including as set out in the agreement and this DPA.

• Subject matter: provision of the Cloud Halo Azure FinOps service.
• Duration: the term of the agreement plus any retention period described in our Privacy Policy.
• Nature and purpose: collecting and analysing Azure cost and resource metadata to provide visibility, alerting, optimisation, and reporting.
• Types of personal data: account identifiers (names, work emails), and any identifiers present in customer-defined Azure resource names, resource groups, and tags.
• Categories of data subjects: the customer's authorised users and personnel.

Cloud Halo will:

• Process personal data only on the Controller's documented instructions, including for international transfers, unless required by law.
• Ensure persons authorised to process the data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (Section 6).
• Assist the Controller, taking into account the nature of processing, in responding to data subject rights requests and in meeting its security, breach-notification, and data protection impact assessment obligations.
• Notify the Controller without undue delay after becoming aware of a personal data breach.
• At the Controller's choice, delete or return personal data at the end of the provision of services, save where storage is required by law.
• Make available information necessary to demonstrate compliance and allow for and contribute to audits, subject to reasonable confidentiality and security conditions.

The Controller authorises Cloud Halo to engage the sub-processors listed below to process personal data to deliver the service. Each sub-processor is bound by data protection obligations no less protective than those in this DPA. We will give advance notice of changes and the Controller may object on reasonable data protection grounds.

Microsoft Azure is the customer-controlled source environment that Cloud Halo reads from with read-only access; it is not engaged by Cloud Halo as a sub-processor.

Where Cloud Halo or its sub-processors transfer personal data outside the UK/EEA, such transfers are made under an appropriate transfer mechanism, including UK adequacy regulations, the UK International Data Transfer Addendum, or the EU Standard Contractual Clauses, together with any supplementary measures required.

Technical and organisational measures include:

• Encryption of data in transit using TLS.
• Tenant-isolated workspaces enforced by row-level security.
• Least-privilege access controls and read-only Azure access.
• Audit logging of billing, onboarding, recommendation, report, and account-deletion events.
• Provider-managed backups and documented incident response procedures.

Each party's liability under this DPA is subject to the limitations and exclusions in the agreement. In the event of conflict between this DPA and the Terms of Service on the subject of data protection, this DPA prevails.

For data protection matters, contact dpo@cloud-halo.io. Customers requiring a countersigned copy of this DPA can request one at that address.