Data Processing Addendum (DPA)

Our Data Processing Addendum governs how CloudFix processes customer data. Below is a summary of key terms.

Controller: Customer (you)
Processor: CloudFix (Aurea, Inc.)
Data Categories: AWS cost and usage metadata, account configuration data, resource metadata
Processing Purposes: Cost analysis, optimization recommendations, approved fix implementation
Data Location: US-East (AWS us-east-1 region)
Retention Period: Duration of contract + 30 days
Deletion: Automated within 30 days of contract termination

Sub-Processors

CloudFix uses the following sub-processors to process customer data:

Purpose: Infrastructure provider for CloudFix application, data storage, and compute. Also processes AWS Marketplace billing for customer subscriptions.

Data processed: AWS cost and usage metadata, resource configuration data, billing data

Location: US-East (us-east-1)

Certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, CSA STAR, FedRAMP

Purpose: CDN, DNS, DDoS protection, and SSL termination for the CloudFix dashboard.

Data processed: HTTP request metadata (does not see customer AWS data)

Location: Global edge network

Certifications: SOC 2 Type 2, ISO 27001, PCI DSS

Purpose: Product analytics — understanding feature usage and improving the CloudFix experience.

Data processed: Anonymized usage events, page views. No customer AWS data or cost data.

Location: US

Certifications: SOC 2 Type 2

Purpose: Customer support platform — managing support tickets and customer communications.

Data processed: Support ticket content, email correspondence, customer name and email

Location: US

Certifications: SOC 2 Type 2, ISO 27001

Notification policy: CloudFix will notify customers at least 30 days before engaging any new sub-processor, providing an opportunity to object.

How Data Is Processed

Data Collection

CloudFix accesses your AWS data through a read-only IAM role created by a CloudFormation StackSet that you deploy. The finder role performs only Describe, List, and Get actions — no write operations.
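
A customer can check the read-only claim against the role policy in the StackSet template before deploying it. The following is an added example, not CloudFix code: the policy document, its statement names and the function name are constructed for illustration, and the Describe/List/Get rule is taken from the paragraph above.

```python
import json

# Action-name prefixes the page states the finder role is limited to.
READ_ONLY_PREFIXES = ("describe", "list", "get")

# Constructed sample policy (not the real CloudFix template).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadInventory", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "ce:GetCostAndUsage"]},
    {"Sid": "TagWrite", "Effect": "Allow", "Resource": "*", "Action": "ec2:CreateTags"},
    {"Sid": "BroadWildcard", "Effect": "Allow", "Resource": "*", "Action": ["rds:*"]},
    {"Sid": "Inverted", "Effect": "Allow", "Resource": "*", "NotAction": "iam:*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Resource": "*", "Action": "s3:DeleteBucket"}
  ]
}
""")

def _as_list(value):
    """IAM allows a single string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def non_read_only_findings(policy):
    """Return (sid, action) for each Allow grant outside Describe/List/Get."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "NotAction"))
            continue
        for action in _as_list(stmt.get("Action")):
            # "service:Name"; a bare "*" has no name part and is flagged.
            name = action.partition(":")[2].lower()
            # Wildcards pass only when the literal prefix is spelled out,
            # so "ec2:Describe*" is accepted and "ec2:*" or "ec2:D*" is not.
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append((sid, action))
    return findings

if __name__ == "__main__":
    for sid, action in non_read_only_findings(SAMPLE_POLICY):
        print(f"{sid}: {action}")
```

The check is by action name only: it confirms that no statement allows a write-style action, but it does not assess how sensitive the data returned by a given Get call is.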

Data Analysis

Cost and Usage Reports are queried via Amazon Athena and processed in-memory for analysis. Results (optimization recommendations) are stored in CloudFix's database. Raw CUR data is not stored long-term.

Fix Execution

When you approve a fix, CloudFix executes it through a central automation runbook in AWS SSM Automation within your AWS account. The actual fix is executed by a role in your account that CloudFix creates but cannot itself assume or access.

Data Deletion

Upon contract termination, all customer data is automatically deleted within 30 days. This includes:

  • Account metadata and configuration
  • Analysis results and recommendations
  • Fix history and audit logs
  • CloudFormation stacks can be removed by the customer at any time

Need the full DPA?

Download our standard DPA or request a customized version for your organization.