GDPR · UK Data Protection Act 2018

Data Processing Agreement

Ossvisor Ltd is registered with the ICO and subject to UK GDPR and the Data Protection Act 2018. This page sets out our standard DPA terms — what we process, how, where, and your rights as a data controller.

Processor: Ossvisor Ltd
ICO Registered
Last Updated: May 2026
UK & EU GDPR
1. What is a Data Processing Agreement?

A DPA is a legally binding contract required by GDPR Article 28 whenever a data controller (you, the customer) shares personal data with a third-party data processor (Ossvisor). It ensures the processor handles that data only as instructed, with appropriate safeguards.

The legal framework

  • UK GDPR — applies to Ossvisor Ltd as a UK-based processor. Ossvisor is registered with the Information Commissioner's Office (ICO).
  • EU GDPR (Regulation 2016/679) — applies where Ossvisor processes data of EU data subjects or where the customer is an EU-based controller.
  • Data Protection Act 2018 — the UK implementing legislation. Ossvisor complies with both the Act and UK GDPR as a unified regime.

When is a DPA required?

A DPA is required whenever CloudVista processes personal data on behalf of the customer. In practice, this applies to all SaaS (cloud-hosted) customers, as CloudVista stores account user data (names, email addresses, login events) on our infrastructure. Self-hosted customers process data entirely on their own systems — a DPA with Ossvisor is optional for self-hosted deployments but available on request.

2. Parties to the Agreement

Data Controller (you)

The organisation that decides the purposes and means of processing — i.e., your company. You instruct Ossvisor to process data on your behalf. You remain responsible for the lawfulness of the underlying processing.

Data Processor (Ossvisor)

Ossvisor Ltd
Registered in England & Wales
ICO Registered
Contact: [email protected]

Ossvisor processes personal data only on documented instructions from the controller, and only for the purposes defined in this agreement.

3. What Personal Data We Process

CloudVista is a cloud infrastructure management tool — it is not a CRM, HR system, or consumer-facing application. The personal data we process is limited to data about the people who use CloudVista within your organisation, not your end customers' data.

Data Category | Specific Fields | Data Subjects | Legal Basis
Account & Identity | Full name, work email address, job title, organisation name | Your employees / CloudVista users | Contract
Authentication Events | Login timestamps, IP address at login, SSO provider reference, MFA status | Your employees / CloudVista users | Legitimate interest
Audit Log Activity | User ID, action type, resource acted on, timestamp, source IP | Your employees / CloudVista users | Legitimate interest
Support & Communications | Name, email, message content of support tickets and email correspondence | Your nominated contacts | Contract

Cloud resource metadata (EC2 instance IDs, VM names, security group configurations, cost data) is not personal data for GDPR purposes — it describes your cloud infrastructure, not natural persons. This data is covered by your service contract, not the DPA.

4. What We Do Not Process

CloudVista never accesses, reads, or stores the following. Our system connects to your cloud provider APIs to read resource metadata only — it does not access workload data, disk contents, or your end customers' records.

Never accessed

  • Disk contents of virtual machines or storage buckets
  • Application data or database contents
  • End-customer personal data held in your cloud workloads
  • Source code or build artefacts
  • Log file contents from your workloads

Never stored in plaintext

  • Cloud provider access keys / secret keys (encrypted at rest, AES-256)
  • Service account private keys (stored encrypted)
  • User passwords (bcrypt-hashed; never recoverable)
  • SSO tokens (session tokens, not persisted)

5. Purpose & Legal Basis of Processing

Purpose of processing

Ossvisor processes personal data solely to:

  • Provide and maintain the CloudVista SaaS service under the terms of the subscription agreement
  • Authenticate users and manage access control (RBAC) within the platform
  • Maintain audit logs of user actions for your security and compliance requirements
  • Provide customer support and respond to technical queries
  • Send service notifications (downtime alerts, security advisories) to nominated contacts

Processing is strictly limited to controller instructions

Ossvisor will not process personal data for any purpose other than those listed above without documented authorisation from the controller. Ossvisor will not sell, share, or use controller personal data for its own marketing purposes.

6. Data Retention

Data Type | Retention Period | Basis
User account data (name, email) | Duration of subscription + 30 days after account closure | Contract fulfilment
Audit log entries | 12 months (configurable to 24 months on Enterprise) | Legitimate interest / customer compliance requirement
Login / authentication events | 90 days | Security monitoring
Support correspondence | 3 years from last interaction | Legitimate interest
Billing & invoicing data | 7 years | Legal obligation (UK company law / HMRC)
Cloud resource metadata | Duration of subscription; purged within 30 days of termination | Contract (not personal data under GDPR)

On account closure, Ossvisor will delete all personal data within 30 calendar days, except where retention is required by law (e.g., billing records). A written deletion confirmation is available on request.

7. Technical & Organisational Security Measures (Article 32)

GDPR Article 32 requires processors to implement appropriate technical and organisational measures. The measures below constitute Ossvisor's Article 32 commitment under this DPA.

Encryption

  • At rest: AES-256 encryption for all stored data (database volumes, credential secrets)
  • In transit: TLS 1.2 or higher for all API and UI traffic; HSTS enforced
  • Credentials: Cloud provider keys encrypted with per-tenant keys before database storage

Access Control

  • Role-based access control (RBAC) — per-page, per-action permissions
  • Multi-factor authentication (MFA) — supported for all users, required for admin accounts
  • SSO (SAML 2.0 / OIDC) on Enterprise plan
  • Ossvisor staff access to production data requires MFA + logged break-glass procedure

Infrastructure

  • Hosted on Oracle Cloud Infrastructure (OCI) — ISO 27001 / SOC 2 certified data centres
  • UK (London) and EU (Frankfurt) regions; US available on Enterprise
  • Network segmentation — API, database, and cache layers on private subnets
  • Automated patching for OS and dependencies

Monitoring & Audit

  • Full audit log of all user actions within CloudVista (immutable, append-only)
  • Infrastructure-level access logging (OCI audit trail)
  • Automated alerting on failed logins, unusual access patterns
  • Annual internal security review; external pen test planned H2 2026

8. Sub-processors

Under GDPR Article 28(2), Ossvisor will not engage a new sub-processor without providing prior written notice to the controller and an opportunity to object. Customers subscribed to DPA notifications will be emailed at least 30 days before any new sub-processor is engaged.

Sub-processor | Service | Data Processed | Location | Transfer Basis
Oracle Cloud Infrastructure (OCI), oracle.com | Cloud infrastructure hosting (compute, database, object storage, networking) | All CloudVista data: account data, audit logs, resource metadata, credentials (encrypted) | UK: London; EU: Frankfurt; US: Ashburn (optional) | UK Adequacy / SCCs
Stripe, Inc., stripe.com | Payment processing and billing | Billing contact name, email, payment card tokens (no full card numbers held by Ossvisor) | USA / EU (Stripe Ireland) | SCCs (Stripe Ireland → EU)
Twilio SendGrid, sendgrid.com | Transactional email delivery (account verification, alerts, support) | Recipient email address, email content (alert text, account notifications) | USA (Twilio US) | SCCs

SCCs = Standard Contractual Clauses (EU 2021/914 or UK IDTA). All sub-processors are bound by data processing agreements that meet or exceed GDPR Article 28 requirements.

9. International Data Transfers

Default hosting — UK/EU

SaaS deployments default to OCI UK (London) or EU (Frankfurt) data centres. No personal data leaves the UK or EEA as part of normal platform operation, unless the customer requests the US region.

Where transfers to third countries occur

Transactional emails are delivered via SendGrid (USA) and payment processing is handled by Stripe (USA/EU). Both are covered by Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Agreement (IDTA).

  • Stripe: Billing processing routed via Stripe Ireland (EU) where possible. US transfers covered by SCCs.
  • SendGrid: Email content (alert subject lines, account notifications) transmitted to SendGrid US infrastructure. SCCs in place.

Self-hosted deployments

Customers on the Enterprise Self-Hosted plan run CloudVista entirely within their own infrastructure. No data is transmitted to Ossvisor servers. International transfer provisions of this DPA do not apply to self-hosted deployments (other than support correspondence).

10. Data Subject Rights

As the data controller, you are responsible for handling data subject rights requests from your employees / CloudVista users. Ossvisor will provide technical assistance to help you fulfil these requests within the timelines required by GDPR Article 12.

Right of Access (Art. 15)

Ossvisor can provide a data export of all personal data held for a specific user. Contact us with the user's email address.

Right to Rectification (Art. 16)

Account holders can update name, email, and job title directly in CloudVista Settings. Admins can update on behalf of users.

Right to Erasure (Art. 17)

User accounts can be deleted by an admin. All personal data for that user is purged within 30 days. Audit log entries referencing the user ID are anonymised.

Right to Restriction (Art. 18)

Ossvisor can suspend processing for a specific user account while a dispute is resolved, on written instruction from the controller.

Right to Portability (Art. 20)

Personal data (name, email, login history, audit trail) is exportable in JSON format from the CloudVista admin panel or on request.

Right to Object (Art. 21)

Where processing is based on legitimate interest, data subjects may object. Contact us at [email protected] to raise an objection.

Ossvisor will respond to data subject rights assistance requests within 5 business days, giving the controller sufficient time to meet the 30-day GDPR deadline.

11. Breach Notification

GDPR Article 33 requires controllers to notify the supervisory authority (ICO for UK) within 72 hours of becoming aware of a personal data breach. Ossvisor's obligation as processor is to notify the controller without undue delay so the controller can meet that deadline.

Hour 0: Ossvisor detects or is notified of a security incident

Incident declared internally. Security response team activated. Investigation begins to determine whether personal data is involved.

Within 24 hours: Controller notified without undue delay

The controller's nominated security contact is emailed with: nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures being taken. We will not wait for the investigation to be complete before notifying.

Ongoing: Ossvisor cooperates fully with the controller's response

Technical details, logs, and forensic findings are shared as they become available. Ossvisor participates in any ICO investigation on the controller's behalf if requested.

Post-incident: Written incident report provided

Ossvisor provides a written incident summary including root cause, remediation steps taken, and controls added to prevent recurrence. Typically within 14 days of incident closure.

Current breach record: Ossvisor has had no reportable personal data breaches in the 12 months preceding the date of this DPA.

12. How to Request a Signed DPA

Standard process

To receive a countersigned copy of Ossvisor's standard DPA:

  1. Email [email protected] with the subject line "GDPR DPA Request"
  2. Include your company name, registered country, and the email address of your DPA signatory
  3. Ossvisor will send the standard DPA as a PDF within 3 business days
  4. You countersign and return — Ossvisor countersigns and returns the executed copy within 2 business days

Using your own DPA template

If your legal team has a preferred DPA template, send it alongside your request. Ossvisor will review and respond within 5 business days. We aim to sign customer DPAs with minimal redlines — the terms on this page reflect our standard commitments and we are unlikely to resist clauses consistent with them.

Also available on request

  • Security Questionnaire Response — pre-filled SIG Lite answers, available online
  • Sub-processor list (formal) — countersigned sub-processor register
  • Technical & Organisational Measures (TOM) schedule — detailed Annex II for DPA
  • Data Protection Impact Assessment (DPIA) support — Ossvisor can provide a completed DPIA template for your procurement or compliance team

Ready to sign your DPA?

Send us your company details and we'll have a countersigned DPA back to you within 3 business days.

[email protected] · Subject: GDPR DPA Request