Data Processing Agreement
Last updated: 12 July 2026
This Data Processing Agreement ("DPA") applies where TenantThrift, operated by Simon Vedder (Schulstrasse 38, 8952 Schlieren, Switzerland; "Processor", "we"), processes personal data on behalf of a customer ("Controller", "you") in providing the Service. It forms part of the Terms of Service. Where the GDPR applies, this DPA implements Article 28; the Swiss FADP applies equivalently.
1. Roles
For the Azure metadata we read from your tenant to run the Service, you are the controller (or a processor acting for your own customers) and we are your processor. For our own account and billing data we are an independent controller, as described in the Privacy Policy.
2. Subject-matter, nature & purpose
We process the data only to provide the Service: to read billing and resource metadata from the Azure tenants you connect (read-only), analyse it for cost-saving opportunities, and produce findings, cost analyses and report PDFs for you. Processing lasts for the duration of your subscription.
3. Your instructions
We process the data only on your documented instructions, which are given by your configuration and use of the Service and by these documents. We will tell you if, in our opinion, an instruction infringes applicable data-protection law. We never use your scan data to train models, for advertising, or for any purpose other than providing the Service to you.
4. Categories of data & data subjects
The data we process on your behalf is business and technical metadata: tenant and subscription identifiers, resource metadata (resource names, types, resource groups, locations), cost and usage figures, bounded cost aggregates, and the report PDFs generated from them, together with the contact details of your authorised users and report recipients. We do not receive your Azure credentials or secrets, and we do not copy the contents of your workloads. Resource names occasionally contain personal data if you name resources after individuals — we recommend you avoid this. Data subjects are your authorised administrators and users.
5. Confidentiality & security
Persons authorised to process the data are bound by confidentiality. We implement appropriate technical and organisational measures (Art. 32 GDPR): EU hosting; encryption in transit; per-organisation isolation with row-level security; least-privilege, read-only access to your tenant with no stored credentials; access controls and available two-factor authentication; and operational monitoring. A summary is in the Privacy Policy.
6. Sub-processors
You authorise us to engage the sub-processors below to provide the Service. Each is bound by data- protection obligations no less protective than this DPA.
| Sub-processor | Purpose | Data location | Transfer safeguard |
|---|---|---|---|
| Supabase | Database & file storage (accounts, findings, report PDFs) | EU — Frankfurt, Germany | In EU |
| Microsoft Azure | Compute that runs the scan; storage of report PDFs | EU — West Europe | In EU |
| Microsoft (Entra) | Sign-in / identity when you use "Continue with Microsoft" | Global (your tenant's region) | Adequacy / SCCs |
| Vercel | Hosting of the application and website | EU region (fra1) with global edge | Adequacy / SCCs |
| Stripe | Payment processing & billing | EU / US | Adequacy / SCCs |
| Resend | Transactional & report email delivery | EU / US | Adequacy / SCCs |
We will give reasonable advance notice of any new or replacement sub-processor. You may object on reasonable data-protection grounds; if we cannot accommodate the objection, you may terminate the affected subscription.
7. International transfers
Primary storage of your data is in the EU. We are domiciled in Switzerland, for which the EU has issued an adequacy decision (and vice-versa). Where a sub-processor processes data outside Switzerland or the EU, the transfer is covered by an adequacy decision or the EU Standard Contractual Clauses.
8. Assistance
Taking into account the nature of the processing, we will assist you with appropriate measures to respond to data-subject requests, and to meet your obligations on security, breach notification and data-protection impact assessments. Many actions (export, deletion) you can perform yourself in the app.
9. Personal-data breaches
We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you reasonably need to meet your own notification obligations.
10. Deletion & return
On termination, or on your request, we delete your scan data — findings, aggregates and report PDFs, including from file storage — as described in the Privacy Policy. You can trigger this yourself by deleting a connection or your organisation. Encrypted backups rotate out on the provider's cycle. We may retain data where the law requires.
11. Audit
We will make available the information reasonably necessary to demonstrate compliance with Art. 28 and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality and our security requirements.
12. Contact
For data-processing matters, or to request a countersigned copy of this DPA, contact info@simonvedder.com.