TenantThrift
Why trust it How it works Pricing Docs
Start free trial

Data Processing Agreement

Last updated: 12 July 2026

This Data Processing Agreement ("DPA") applies where TenantThrift, operated by Simon Vedder (Schulstrasse 38, 8952 Schlieren, Switzerland; "Processor", "we"), processes personal data on behalf of a customer ("Controller", "you") in providing the Service. It forms part of the Terms of Service. Where the GDPR applies, this DPA implements Article 28; the Swiss FADP applies equivalently.

1. Roles

For the Azure metadata we read from your tenant to run the Service, you are the controller (or a processor acting for your own customers) and we are your processor. For our own account and billing data we are an independent controller, as described in the Privacy Policy.

2. Subject-matter, nature & purpose

We process the data only to provide the Service: to read billing and resource metadata from the Azure tenants you connect (read-only), analyse it for cost-saving opportunities, and produce findings, cost analyses and report PDFs for you. Processing lasts for the duration of your subscription.

3. Your instructions

We process the data only on your documented instructions, which are given by your configuration and use of the Service and by these documents. We will tell you if, in our opinion, an instruction infringes applicable data-protection law. We never use your scan data to train models, for advertising, or for any purpose other than providing the Service to you.

4. Categories of data & data subjects

The data we process on your behalf is business and technical metadata: tenant and subscription identifiers, resource metadata (resource names, types, resource groups, locations), cost and usage figures, bounded cost aggregates, and the report PDFs generated from them, together with the contact details of your authorised users and report recipients. We do not receive your Azure credentials or secrets, and we do not copy the contents of your workloads. Resource names occasionally contain personal data if you name resources after individuals — we recommend you avoid this. Data subjects are your authorised administrators and users.

5. Confidentiality & security

Persons authorised to process the data are bound by confidentiality. We implement appropriate technical and organisational measures (Art. 32 GDPR): EU hosting; encryption in transit; per-organisation isolation with row-level security; least-privilege, read-only access to your tenant with no stored credentials; access controls and available two-factor authentication; and operational monitoring. A summary is in the Privacy Policy.

6. Sub-processors

You authorise us to engage the sub-processors below to provide the Service. Each is bound by data- protection obligations no less protective than this DPA.

Sub-processorPurposeData locationTransfer safeguard
SupabaseDatabase & file storage (accounts, findings, report PDFs)EU — Frankfurt, GermanyIn EU
Microsoft AzureCompute that runs the scan; storage of report PDFsEU — West EuropeIn EU
Microsoft (Entra)Sign-in / identity when you use "Continue with Microsoft"Global (your tenant's region)Adequacy / SCCs
VercelHosting of the application and websiteEU region (fra1) with global edgeAdequacy / SCCs
StripePayment processing & billingEU / USAdequacy / SCCs
ResendTransactional & report email deliveryEU / USAdequacy / SCCs

We will give reasonable advance notice of any new or replacement sub-processor. You may object on reasonable data-protection grounds; if we cannot accommodate the objection, you may terminate the affected subscription.

7. International transfers

Primary storage of your data is in the EU. We are domiciled in Switzerland, for which the EU has issued an adequacy decision (and vice-versa). Where a sub-processor processes data outside Switzerland or the EU, the transfer is covered by an adequacy decision or the EU Standard Contractual Clauses.

8. Assistance

Taking into account the nature of the processing, we will assist you with appropriate measures to respond to data-subject requests, and to meet your obligations on security, breach notification and data-protection impact assessments. Many actions (export, deletion) you can perform yourself in the app.

9. Personal-data breaches

We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you reasonably need to meet your own notification obligations.

10. Deletion & return

On termination, or on your request, we delete your scan data — findings, aggregates and report PDFs, including from file storage — as described in the Privacy Policy. You can trigger this yourself by deleting a connection or your organisation. Encrypted backups rotate out on the provider's cycle. We may retain data where the law requires.

11. Audit

We will make available the information reasonably necessary to demonstrate compliance with Art. 28 and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality and our security requirements.

12. Contact

For data-processing matters, or to request a countersigned copy of this DPA, contact info@simonvedder.com.

TenantThrift Docs · Terms · Privacy · DPA · Imprint · Built by Simon Vedder · read-only access, EU-hosted, credentials never stored. © 2026 Simon Vedder · TenantThrift is an independent product, not affiliated with or endorsed by Microsoft. Microsoft, Azure and Microsoft Entra are trademarks of the Microsoft group of companies.