Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Peel Terms of Service and Privacy Policy. It describes the parties' rights and obligations when Peel processes Personal Data on behalf of a Customer in connection with the Service.
1. Definitions
Capitalised terms not defined here have the meanings given in the Terms of Service or in the GDPR (Regulation (EU) 2016/679), UK GDPR, and the Australian Privacy Act 1988 (Cth), as applicable.
- Controller, Processor, Data Subject, Personal Data, Processing: as defined in the GDPR.
- Customer Data: data Customer submits to the Service, including cloud cost data retrieved via an IAM role.
- Subprocessor: a third-party processor engaged by Peel to process Customer Data.
2. Roles and scope
In respect of Customer Data, Customer is the Controller and Peel is the Processor. Peel processes Customer Data only on documented instructions from Customer, as reflected in the Terms and this DPA, except where required by applicable law.
3. Nature and purpose of processing
| Subject matter | Provision of the Peel cloud cost intelligence service. |
|---|---|
| Duration | For the term of Customer's subscription, plus retention periods below. |
| Nature and purpose | Collection, storage, analysis, display and reporting of cloud cost data. |
| Types of Personal Data | Account contact details, authentication data, usage and audit logs. |
| Categories of Data Subjects | Customer's authorised users. |
4. Peel's obligations
- Process Customer Data only on Customer's documented instructions.
- Ensure personnel with access are under confidentiality obligations.
- Implement appropriate technical and organisational security measures (see Annex 2).
- Assist Customer in responding to Data Subject requests.
- Notify Customer without undue delay after becoming aware of a Personal Data breach (target: within 48 hours).
- Delete or return Customer Data at end of service, subject to legal retention requirements.
- Make available information needed to demonstrate compliance, and allow audits on reasonable notice.
5. Subprocessors
Customer authorises Peel to engage the Subprocessors listed in Annex 1. Peel will provide at least 30 days' notice of any new Subprocessor (published on this page). If Customer has a reasonable objection, Customer may terminate the subscription for convenience.
6. International transfers
Primary infrastructure is in Australia. Where Subprocessors process Personal Data outside Australia, the EEA, or the UK, Peel will ensure an adequate transfer mechanism is in place (such as Standard Contractual Clauses or an adequacy decision).
7. Data Subject rights
Peel provides tools within the Service for Customer to access, correct, export, and delete Customer Data. For requests that cannot be fulfilled through the Service, Peel will assist Customer at no additional cost.
8. Security
See Annex 2 below. Peel will not materially reduce the security of the Service during the subscription term.
9. Return and deletion
On termination, Customer may export all Customer Data from the Service for up to 30 days. After that, Peel will delete Customer Data from production within 30 days and from backups within 35 days, except where longer retention is legally required.
10. Governing law
This DPA is governed by the laws of New South Wales, Australia, except where mandatory EU, UK, or other laws apply.
Annex 1 — Authorised Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Hostinger | VPS infrastructure hosting | Australia |
| Stripe | Payment processing | United States / Ireland |
| Resend | Transactional email | United States |
| Amazon Web Services | Cost data retrieval (read-only, Customer-authorised) | Customer's region |
| Telegram | Alert delivery (opt-in) | Global |
Annex 2 — Technical and organisational measures
- Encryption in transit (TLS 1.2+) on all endpoints, HSTS with preload enabled.
- Encryption at rest for data stored on the VPS and in backups.
- Access to cloud accounts only via IAM Role + External ID — no long-term credentials.
- Password storage uses argon2id with per-user salt.
- Least-privilege access for Peel personnel; administrative actions recorded in an append-only audit log.
- Rate limiting and bot protection on public endpoints.
- Secrets stored in environment variables with restricted file permissions; migration to a managed secrets service planned.
- Regular dependency updates and CVE monitoring.
- Daily backups with 30-day retention.
- Incident response plan with a 48-hour target for customer breach notification.
Contact
To request a signed DPA or discuss specific data protection requirements, email privacy@peel.cloud.