CloudFix (Aurea, Inc.) — Data Processing Terms
Effective Date: May 27, 2026 | Version: 1.0
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Aurea, Inc. ("CloudFix", "Processor") and the customer identified in the applicable order ("Customer", "Controller") and governs the processing of personal data in connection with the CloudFix and RightSpend services.
"Controller" means the Customer who determines the purposes and means of processing personal data.
"Processor" means CloudFix (Aurea, Inc.) who processes personal data on behalf of the Controller.
"Data Subjects" means individuals whose personal data is processed under this DPA.
"Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.
"Processing" means any operation performed on Personal Data.
"Sub-processor" means any third party engaged by Processor to process Personal Data.
"Services" means the CloudFix and/or RightSpend services provided to Customer.
2.1 This DPA applies to the Processing of Personal Data by Processor on behalf of Controller in connection with the Services.
2.2 The parties acknowledge and agree that: (a) Controller is the controller of Personal Data; (b) Processor is the processor of Personal Data on behalf of Controller; and (c) Processor will process Personal Data only in accordance with Controller's instructions.
2.3 Processor shall process Personal Data only for the purposes described in this DPA and shall not process Personal Data for any other purpose unless expressly instructed by Controller.
The subject matter of the Processing is the provision of the Services as described in the Terms of Service.
The Processing will continue for the duration of the Services agreement unless terminated earlier in accordance with its terms.
CloudFix collects and processes AWS account metadata (account configuration, cost and usage reports, resource metadata) to provide cost optimization recommendations and automated fixes. RightSpend processes EC2 usage and reservation data to optimize Convertible Reserved Instances.
Controller's employees and authorized users who access the CloudFix or RightSpend dashboard.
| Data Category | Description | Source |
|---|---|---|
| Account Information | Name, email address, company name | Provided by Customer during signup |
| Usage Data | Feature usage, dashboard interactions, fix approvals | Generated through Service use |
| AWS Metadata | Account ID, resource configuration, cost data | AWS APIs via read-only IAM role |
| Support Data | Support ticket content, communications | Customer support interactions |
Processor does NOT collect: AWS credentials (secret keys, access keys), application data or content from customer AWS environments, or personally identifiable information from customer AWS accounts.
4.1 Processor shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
4.2 Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) encryption of Personal Data; (b) ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems; (c) ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (d) regular testing and evaluation of the effectiveness of technical and organizational measures.
4.4 Processor shall not engage a Sub-processor without prior specific or general written authorization of the Controller.
Processor maintains the following security measures:
Controller acknowledges and agrees that Processor may engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Infrastructure hosting, Marketplace billing | US (us-east-1) |
| Cloudflare | CDN, DNS, DDoS protection | Global edge network |
| PostHog | Product analytics | US |
| Kayako | Customer support platform | US |
Processor shall inform Controller of any intended changes concerning the addition or replacement of Sub-processors, giving Controller the opportunity to object to such changes.
7.1 Processor shall assist Controller in fulfilling its obligations to respond to Data Subject requests for exercising their rights under applicable data protection law.
7.2 Upon written request, Processor shall provide reasonable assistance to Controller in the performance of its obligation to carry out data protection impact assessments.
8.1 Processor shall notify Controller without undue delay and no later than 24 hours after becoming aware of a Personal Data breach.
8.2 Such notification shall include: (a) the nature of the breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the name and contact details of the contact point where more information can be obtained; (c) a description of the likely consequences of the Personal Data breach; and (d) a description of the measures taken or proposed to be taken to address the Personal Data breach.
9.1 Upon termination of the Services agreement, Processor shall, at the election of Controller: (a) return all Personal Data to Controller; or (b) delete all Personal Data, unless storage is required by applicable law.
9.2 Processor shall complete the return or deletion within 30 days of termination.
9.3 Active account data is retained for the duration of the subscription. Deleted account data is purged within 30 days. Audit logs are retained for 1 year.
10.1 Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA.
10.2 Processor shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller, subject to reasonable notice and confidentiality obligations.
10.3 Processor's SOC 2 Type 2 report is available upon request and may satisfy Controller's audit requirements.
11.1 Processor processes Personal Data primarily in the United States. For transfers of Personal Data from the European Economic Area, the parties agree to comply with applicable data transfer mechanisms, including Standard Contractual Clauses where required.
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions.
For questions about this DPA or to exercise any rights described herein, please submit a request through the CloudFix Trust Center contact form.
The parties have executed this Data Processing Addendum as of the Effective Date.
Processor: Aurea, Inc. (CloudFix)
Name: ________________________
Title: ________________________
Date: ________________________
Controller: Customer
Name: ________________________
Title: ________________________
Date: ________________________
© 2026 Aurea, Inc. All rights reserved.