Legal & Compliance
Privacy Policy

How we collect, use, and protect your personal information.

By accessing or using our Services you consent to the processing of your personal data in accordance with our Privacy Policy. If you do not agree, do not use the Services. Our Privacy Policy may change from time to time, and your continued use of the Services is deemed to be acceptance of such changes, so please check periodically for updates.

Third-Party Links Notice

Our services may contain links to third-party websites, applications, or services that are not owned or controlled by CloudAtler India. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party sites you visit, as their practices may differ from ours.

Summary
Details | Description | Section
Personal data collected | Identity Data, Contact Data, Financial Data, Technical Data, Account Data, Usage Data, Marketing and Communications Data, Tracking Data, etc. | Information we collect...
Purpose of Processing | To make the Services available, personalize User experience, comply with applicable laws, for marketing / communications, etc. | Processing your personal data...
Basis of Processing | Consent for specified purposes, and certain legitimate uses, including for compliance with any judgment, decree or order, and fulfilling any obligation under any law. | Basis for processing personal data.
Disclosure of Personal Data | Yes, with service providers, partners, and as required under law. | Disclosure of information...
Consent Withdrawal | You may withdraw consent to processing by selecting the option 'Withdraw Consent' within the User Account. Please note, however, that upon such consent being withdrawn, your access to the Services shall stand terminated. Further, such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. | Your rights...
Complaints to Data Protection Board of India | You may make a complaint to the Data Protection Board of India in accordance with applicable law, provided you have exhausted the opportunity of redressing your grievance through our grievance redressal process. | Your rights...
Cross-Border Data Transfer | Yes, in compliance with applicable law. | Cross border transfers...
Data Principal Rights | Right to access information, correction and erasure of personal data, grievance redressal, and right to nominate. | Your rights...

Information We Collect

We collect information from you directly, from the devices you use to interact with us, and from other parties. We may combine information from the Services together and with other information we obtain from our business records.
The information we collect from you includes (but may not be restricted to) the following categories of information: Identity Data, Contact Data, Financial Data, Technical Data, Account Data, Usage Data, and Marketing and Communications Data.

  • Identity Data: Includes first name, last name, username, or similar identifier. We may also ask for your date of birth to authenticate your identity.
  • Contact Data: Includes invoicing address, email address and telephone numbers, business / organization name, as well as your job title.
  • Technical Data: Includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Platform.
  • Account Data: Authentication / Access Data: Username, password, security-related metadata (login dates, IP); and Cloud Account Metadata: Information you link or provide from your cloud accounts (e.g., billing exports, usage data, resource tags). While much of this is not "personal data," certain metadata may relate to individuals (e.g., your email or user-ID in cloud console).
  • Usage Data: Includes information about how you use the Services, its features, frequency, dashboards visited, API calls, logs of actions, etc.
  • Marketing and Communications Data: Includes emails or messages you send to us (for support, onboarding), feedback, survey responses, etc.
  • Financial Data: Includes bank account and payment processing details. We use a third party payment provider to process financial data that follows secure encrypted processes.

Processing Your Personal Data

We process your personal data for the following purposes:

  1. To provide, operate, maintain, and improve the Services, including enabling account creation, user authentication and authorization, access management, cost calculation and analysis, display of cloud cost insights, monitoring, governance, and automation functionalities.
  2. To enhance platform performance, ensure the security and integrity of the Services, detect and prevent fraud, conduct audits, and maintain service availability and support responsiveness.
  3. To communicate with you regarding service updates, feature changes, billing matters, technical support, compliance notifications, and other service related communications.
  4. To send you relevant alerts, including cost differences, policy suggestions, and other operational notifications.
  5. To comply with legal obligations, regulatory requirements, law enforcement requests, incident or breach notification requirements, and any other mandatory disclosures under applicable law.
  6. For security, fraud prevention, and audit.
  7. To analyse usage patterns, generate aggregated and anonymized insights, and conduct research to improve the functionality, performance, and quality of the Platform and Services. Such aggregated insights do not identify you and do not contain sensitive personal data.
Basis for Processing Personal Data

By accessing, registering for, or using the Services, you hereby provide your free, informed, specific, unconditional, and unambiguous consent for the processing of your personal data for the purposes described in this Policy.

You understand and acknowledge that:

  1. You may withdraw your consent at any time, in accordance with applicable law and by using the designated withdrawal mechanisms provided within the Platform.
  2. Withdrawal of consent will not affect the lawfulness of processing carried out prior to such withdrawal.
  3. Certain Services or features may become unavailable if consent is withdrawn, where processing is essential for providing the Service.
  4. You consent to the transfer, storage, and processing of your personal data in accordance with this Policy, subject to applicable safeguards.
Children's Data

We do not knowingly collect personal data of individuals under the age of 18 without verifiable parental consent.

Disclosure of Information

Except as described in this Policy, we will not, without your consent, disclose information about you. We may disclose your personal data to third parties if you consent to us doing so, as well as in the following circumstances:

  1. Any information that you voluntarily choose to include in a publicly accessible area of the Platform will be available to anyone who has access to that content, including other Users.
  2. We may work with third-party service providers to provide various services such as hosting, payment processing, analytics, cloud infrastructure, email services and communication. These third-party service providers may have access to, or process information about you as part of providing those services for us. Generally, we limit the information provided to these service providers to that reasonably necessary for them to perform their functions, and we require them to agree to maintain the confidentiality of such information.
  3. We may disclose information about you if required to do so by law or under good-faith belief that such action is necessary to comply with applicable laws, in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.
Data Security

We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. For example, we take physical and electronic process-specific security measures, including firewalls, personal passwords, and encryption and authentication technologies. Such measures include, but are not limited to, encryption (in transit and at rest), access control, regular security audits, incident response planning, and internal data governance.

Although we make good faith efforts to store personal data in a secure operating environment that is not open to the public, you should understand that there is no such thing as complete security, and we do not guarantee that there will be no unintended disclosures of your personal data. If we become aware that your personal data has been disclosed in a manner not in accordance with this Privacy Policy, we will use reasonable efforts to notify you of the nature and extent of the disclosure (to the extent we know that information) as soon as reasonably possible and as required by applicable law. In addition, in the event of a personal data breach, we will assess the risk to the Data Principals and notify affected individuals (Data Principals), CERT-IN, and the Data Protection Board of India, in a clear and timely manner, about the nature of the breach, potential impact, and remediation steps, as required under applicable law.

Data Retention

We retain your personal data only as long as needed for the purposes for which it was collected, or as required by law. We regularly review our retention periods on the basis of business needs, legal obligations, and data minimization principles. Cloud Provider billing data is retained as long as the User's account remains active. User logs are retained up to 12 to 24 months for audit and operational continuity. For data principals who have not interacted with the Platform for a prolonged period, we may delete or anonymize personal data. In line with our obligations under DPDPA, we will notify you in advance (e.g., 48 hours before deletion) if deletion is automated.

Your Rights
Right | Details | Method of Exercise
Access information about personal data | Receive a summary of your personal data and the processing activities undertaken by us with respect to such personal data; the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by us, and a description of the personal data so shared. | To be provided
Correction and erasure of personal data | You have the right to correct the inaccurate or misleading personal data; complete the incomplete personal data; and update the personal data. Upon receipt of a request to erase your data, we shall erase such personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. | To be provided
Consent Withdrawal | Where consent is the basis of processing of personal data, you have the right to withdraw your consent at any time. You may give, manage, review or withdraw your consent through a Consent Manager. Upon receipt of intimation from you regarding withdrawal of your consent, we shall, within a reasonable time, cease and cause our Data Processors to cease processing your personal data, unless such processing without consent is required or authorised under applicable law. Please note, however, that upon such consent being withdrawn, we will cease providing Services to you and your access to the Services shall stand terminated. Further, such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. Finally, all consequences of the withdrawal shall be borne by you. | Via Consent Manager and account controls
Disclosure of Personal Data | Yes, with service providers, partners, and as required under law. | Disclosure of information
Grievance Redressal | You have the right to redress your grievances in respect of any act or omission by us regarding the performance of our obligations in relation to your personal data, or the exercise of your rights under the law. | Your rights...
Nomination | You have the right to nominate any individual who shall, in the event of your death or incapacity, exercise your data principal rights. | To be provided
Complaints to Data Protection Board of India | You may make a complaint to the Data Protection Board of India in accordance with applicable law, provided you have exhausted the opportunity of redressing your grievance through our grievance redressal process. | As prescribed under law

Cross Border Transfers

We may collect, process, and store your information outside India (except in countries restricted by the Government of India) if required to operate our Services, or for efficiency (for instance, on cloud infrastructure in other jurisdictions). Any such transfers will comply with safeguards as required by relevant law.

Automated Decision Making

We use automated algorithms (e.g., to generate cost-optimization suggestions) as part of the Services, but these are only advisory, and you make the final determination regarding any such suggestion. We do not carry out automated decision making that produces legally binding decisions about you without human review. We do not use your personal data for profiling in a way that would infringe on your rights (unless explicitly disclosed and consented).

Updates and Changes to Privacy Policy

We may update this Privacy Policy at any time, with or without advance notice. In the event there are significant changes, we will display a notice on the Platform or notify you by email. Your continued use after such updates constitutes acceptance of the revised terms.

Data Processing Addendum (DPA)

Specific terms and conditions relating to the processing of personal data.

CloudAtler ("CloudAtler") and the counterparty agreeing to these terms ("Customer") have entered into an Order Form or other written or electronic agreement for the Services provided by CloudAtler (the "Order Form"). This Data Processing Addendum, including the appendices (the "DPA"), forms part of the Order Form.

  • This DPA will be effective, and will replace and supersede any previously applicable terms relating to their subject matter (including any data processing amendment, agreement or addendum relating to the Services), from the date on which Customer signed or the parties otherwise agreed to this DPA ("DPA Effective Date").
  • If you are accepting this DPA on behalf of a Customer, you warrant that: (a) you have full legal authority to bind the Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.
  • This DPA applies where CloudAtler processes Personal Data as a Data Processor on behalf of Customer to provide the Services and such Personal Data is subject to Applicable Data Protection Law.
Definitions
  1. "Affiliate" means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists).
  2. "Applicable Data Protection Laws" means all laws and regulations that are applicable to the processing of Personal Data under the Order Form.
  3. "CloudAtler Group" means CloudAtler and any of its Affiliates.
  4. "Data Fiduciary" means an entity that determines the purposes and means of the processing of Personal Data, and includes "controller," "business," or analogous term as defined under the Applicable Data Protection Laws.
  5. "Data Processor" means an entity which processes Personal Data on behalf of the Data Fiduciary, and includes "processor," "service provider," or analogous term defined under the Applicable Data Protection Laws.
  6. "Data Principal" includes 'data principal', 'data subject' (or analogous term) and shall have the meanings ascribed to them under Applicable Data Protection Laws.
  7. "Personal Data" means all data which is defined as 'digital personal data', 'personal data', 'personal information', or 'personally identifiable information' (or analogous term) under Applicable Data Protection Laws.
  8. "Processing" shall have the meaning ascribed to it under Applicable Data Protection Laws.
  9. "Services" shall refer to all of the cloud-based solutions offered, marketed or sold by CloudAtler or its authorized partners that are designed to compare cloud service pricing, manage cloud spend, automate governance policies, and monitor workloads across multiple Cloud Providers, along with any software, software development kits and application programming interfaces ("APIs") made available in connection with the foregoing.
  10. An entity "Controls" another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in "Common Control" if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
  11. For the purposes of this DPA, "to provide" or "providing" the Services means delivering the Services as defined in the Order Form.
Status of the Parties
  1. The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annexure 1.
  2. Each party warrants in relation to Personal Data that it will comply with and provide the same level of privacy protection as required by the Applicable Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
  3. In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties acknowledge and agree that the Customer is the Data Fiduciary and CloudAtler is a Data Processor.
CloudAtler Obligations
  1. With respect to all Personal Data it processes in its role as a Data Processor, CloudAtler shall:
    1. only process Personal Data for the limited and specified business purpose of providing the Services and in accordance with: (i) the Customer's written instructions as set out in the Order Form and this DPA, unless required to do so by applicable law to which CloudAtler is subject, and (ii) the requirements of Applicable Data Protection Laws;
    2. not use the Personal Data for the purposes of marketing or advertising;
    3. implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data ("Security Measures"). Customer acknowledges that the Security Measures are subject to technical progress and development and that CloudAtler may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Service;
    4. ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under contractual or statutory obligations of confidentiality;
    5. without undue delay, and as prescribed under Applicable Data Protection Laws, notify the Customer upon becoming aware of any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data (a "Personal Data Breach") and provide the Customer with reasonable cooperation and assistance in respect of that Personal Data Breach, including all reasonable information in CloudAtler's possession concerning such Personal Data Breach insofar as it affects the Personal Data;
    6. to the extent CloudAtler is able, and in line with applicable law, provide reasonable assistance to Customer in responding to a data subject request to exercise any data protection rights under Applicable Data Protection Laws (including rights of access, rectification or erasure) in respect of that data subject's Personal Data if the Customer does not have the ability to address a Data Subject Request without CloudAtler's assistance. The Customer is responsible for verifying that the requestor is the data subject in respect of whose Personal Data the request is made. CloudAtler bears no responsibility for information provided in good faith to Customer in reliance on this subsection. Customer shall cover all costs incurred by CloudAtler in connection with its provision of such assistance;
    7. other than to the extent required to comply with applicable law, following termination or expiry of the Order Form or completion of the Service, at the choice of Customer, delete or return all Personal Data (including copies thereof) processed pursuant to this DPA.
  2. CloudAtler will disclose Personal Data to sub-Processors only for the specific purpose of providing the Services.
  3. CloudAtler will ensure that any sub-Processor it engages to provide an aspect of the Service on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such sub-Processor terms that are no less protective of Personal Data than those imposed on CloudAtler in this DPA (the "Relevant Terms"). CloudAtler shall procure the performance by such sub-Processor of the Relevant Terms and shall be liable to the Customer for any breach by such sub-Processor of any of the Relevant Terms.
  4. The Customer grants a general written authorization: (a) to CloudAtler to appoint other members of the CloudAtler Group as sub-Processors, and (b) to CloudAtler and other members of the CloudAtler Group to appoint third party data centre operators, and business, engineering and customer support providers as sub-Processors to support the performance of the Service.
Data Transfer

Customer acknowledges that the provision of the Services under the Order Form may require CloudAtler (and its sub-processors) to process certain Personal Data protected by the national data protection laws of one or more jurisdictions from which the Personal Data originate (each an "Originating Country") in other jurisdictions that are outside of Originating Countries (each a "Recipient Country").

Audit and Records
  1. CloudAtler shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in CloudAtler's possession or control as Customer may reasonably request with a view to demonstrating CloudAtler's compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data.
  2. CloudAtler shall enable Customer to request one onsite audit per annual period during the Term (as defined in the Order Form) to verify CloudAtler's compliance with its obligations under this DPA.
    1. Following receipt by CloudAtler of a request for audit, CloudAtler and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit. Whenever possible, evidence for such an audit will be limited to the evidence collected for CloudAtler's most recent third-party audit.
    2. CloudAtler may charge a fee (based on CloudAtler's reasonable costs) for any audit.
    3. CloudAtler will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
    4. CloudAtler may object in writing to an auditor appointed by Customer to conduct any audit if the auditor is, in CloudAtler's reasonable opinion, not suitably qualified or independent, a competitor of CloudAtler, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may have a harmful impact on CloudAtler's business comparable to the aforementioned aspects). Any such objection by CloudAtler will require Customer to appoint another auditor or conduct the audit itself.
General
  1. This DPA is without prejudice to the rights and obligations of the parties under the Order Form, which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Order Form, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
  2. CloudAtler's liability under or in connection with this DPA is subject to the exclusions and limitations on liability contained in the Order Form.
  3. This DPA does not confer any third-party beneficiary rights and is intended for the benefit of the parties hereto and their respective permitted successors and assigns only.
  4. This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Order Form, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Order Form.
  5. If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. Without limiting the generality of the foregoing, Customer agrees that 2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA.
  6. This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.
ANNEXURE - 1

This Annexure 1 forms part of the DPA and describes the processing that CloudAtler will perform on behalf of Customer.

Description of Data Processing and Transfer
Categories of Data Principals
  1. Customers' employees, agents, or contractors who access or use the Services.
  2. Natural persons with login credentials for a CloudAtler account.
  3. Natural persons with login credentials for Customer's Cloud Provider Accounts, and administrators and operators of such accounts.
  4. Natural persons referenced in cloud resource metadata (rare and incidental).
Categories of Personal Data
  1. User identity information (names, emails, roles)
  2. Cloud account identifiers that may be associated with individuals.
  3. Access logs, audit trails, configuration history.
  4. Workload metadata that may include user-associated identifiers.
  5. Any Personal Data processed in Customer Content, the extent of which is determined and controlled by the Customer in its sole discretion.
Purpose(s) of transfer and further processing: Processing necessary to provide the Services to Customer in accordance with the documented instructions provided in the Order Form and this DPA.
The Frequency of Data Transfer: Continuous for the duration of the Order Form.
Nature of the Processing: Processing necessary to provide the Services to Customer in accordance with the documented instructions provided in the Order Form and this DPA.
Data Retention Period: Until the earliest of (i) expiry/termination of the Order Form, or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Order Form (to the extent applicable).

In the event you breach these Terms, we have the right to terminate your access or usage rights to the Services immediately, or remove non-compliant information or both, in our sole discretion. In addition to our rights in these Terms, we may take any legal action and implement any technical remedies to prevent the violation of this provision and to enforce these Terms.