GOVERNANCE & TRUST

Data Processing Agreement

Effective date: 22 June 2026 · Costframe may update this policy from time to time.

1. Scope & Purpose

This Data Processing Agreement (DPA) governs the processing of personal data by Costframe as a Processor on behalf of the customer (acting as the Controller) in connection with the cloud cost control services provided by Costframe.

Costframe provides read-only cloud cost analysis and related reporting. In doing so, we retrieve and process metadata associated with your cloud environment configurations and billing profiles.

2. Data Categories & Processing

Our processing activities are strictly confined to cloud configuration metadata, usage indicators, billing logs, and essential user identification attributes (emails, roles, usernames) required to operate the platform and maintain secure workspaces.

We do not ingest, query, store, or process raw customer application data, SQL databases, or end-user identity profiles residing within your cloud workloads.

3. Technical & Organizational Safeguards

Costframe implements robust security mechanisms to protect metadata and keys:

  • Strict Read-Only Access: Scopes are limited to Reader and Cost Management Reader. Our codebase does not support any write or modification operations inside your tenant.
  • Credential Encryption: Connected secrets are encrypted using AES-256-GCM and are not rendered back in cleartext inside our application interface after setup.
  • Tenant Isolation: Database queries partition data by verified Clerk organization IDs to prevent cross-tenant leakage, supported by database-level row-level security (RLS) policies.

4. Subprocessor Directory

We use trusted subprocessors (such as Supabase for secure databases, Clerk for authorization, and Vercel/AWS for edge hosting) to deliver the platform. All subprocessors are bound by written data-processing obligations that meet or exceed this agreement.

Contact Us

For privacy, security, DPA, or data-processing questions, contact us at legal@costframe.co.