
Privacy Policy

Last updated: 2026-06-14

Permafrost EPM ("Permafrost," "we," "us") is a Cloud Infrastructure Entitlement Management (CIEM) product for Microsoft cloud surfaces. This policy explains what data we collect, how we use it, where it goes, and your rights as a data subject. Permafrost is operated by DuneCodeForge Ltd, a company incorporated in the United Arab Emirates, which is the data controller for the personal data described here.

1. Law that applies and your regulator

We process personal data under the United Arab Emirates Personal Data Protection Law — Federal Decree-Law No. 45 of 2021 (the "PDPL") — overseen by the UAE Data Office. Because we offer the Service worldwide, we also comply, for the data subjects and processing they cover, with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA. Where any of these grants you a stronger right than another, we honor the stronger right.

2. Data we collect

When you connect an Azure tenant, Permafrost reads the following from Microsoft Graph and Azure ARM via read-only OAuth scopes you grant:

  • Identities (users, groups, service principals, managed identities)
  • Directory and ARM role assignments
  • Audit logs and sign-in activity (Entra ID)
  • Activity logs (Azure ARM)
  • Permission grants and consent state
  • Inventory metadata for connected Microsoft cloud surfaces (Exchange, SharePoint, Purview, Defender, Power BI, Power Platform, Azure DevOps, Intune, Teams, Viva Engage)

We do not read mailbox content, document content, chat messages, or any user-generated content. The product is read-only and never modifies your tenant.

We additionally store:

  • Your Azure Entra ID profile (name, email, tenant id) for sign-in
  • Sign-in metadata (IP, user agent, timestamp)
  • Billing email and Stripe customer/subscription identifiers when on a paid tier

3. How we use your data

We use the data only to:

  • Compute CIEM analysis (UPR scores, findings, role recommendations)
  • Display your tenant's state in the dashboard
  • Send transactional email (welcome, finding alerts, billing)
  • Authenticate you and meter your subscription

We do not:

  • Sell, rent, or share your data with third parties for marketing
  • Train AI/ML models on your data
  • Aggregate your data with other customers' data for any product

Our analysis (UPR scores, findings, recommended roles) is decision-support: it informs a human reviewer and never produces an automated decision with legal or similarly significant effect on an individual. You remain in control of every change to your tenant.

4. Legal basis for processing

Under PDPL Art. 4 and GDPR Art. 6, we rely on the following bases:

  • Performance of a contract — reading your tenant, computing analysis, and operating your account so we can deliver the Service you signed up for.
  • Legitimate interests — securing the Service, preventing abuse, and keeping audit records, balanced against your rights.
  • Legal obligation — retaining billing and tax records we are required by law to keep.
  • Consent — for website analytics and any optional alert email, each of which is strictly opt-in and withdrawable at any time without affecting the lawfulness of processing already carried out.

5. Data retention

Historical retention of activity logs and findings is set per tier. The current retention windows are published at permafrostepm.com/pricing and are incorporated into this policy by reference. Inventory state (current identities, role assignments) is replaced on each sync. Audit logs (admin actions, sync history) are retained for the lifetime of your account. On account closure, your access is suspended and all customer-scoped data is deleted within 30 days (or sooner if you request immediate deletion — see the Terms of Service).

Two narrow categories survive that deletion. Billing and invoice records are retained to meet our legal and tax obligations, and a minimal audit record of the deletion itself is kept for accountability. Everything else tied to your account is erased.

6. Sub-processors

We rely on the following sub-processors:

  • Vercel — application hosting and edge runtime (US)
  • Neon — managed PostgreSQL database (US)
  • Stripe — billing and payment processing (US)
  • Resend — transactional email delivery (US)
  • Microsoft — authentication via Entra ID and the Microsoft Graph / ARM APIs you have authorized
  • Google — Google Analytics for traffic measurement on our public website (US). It is loaded only with your opt-in consent and is used for analytics only, never advertising. It does not run in the signed-in application, so customer product usage is never sent to Google.

Error monitoring is first-party: application errors are captured in our own infrastructure with secrets and customer PII redacted at the point of capture. We do not send error data to a third-party error-tracking provider.

7. International data transfers

We are based in the UAE and our sub-processors above are based in the United States, so operating the Service involves transferring personal data across borders. We make those transfers under PDPL Art. 22 and 23 — to jurisdictions with an adequate level of protection, or under a contract imposing PDPL-equivalent safeguards (standard contractual clauses), or with your express consent where required. For data covered by the EU or UK GDPR, transfers rely on the European Commission / UK Standard Contractual Clauses and, where a sub-processor is certified, the EU-US and UK-US Data Privacy Framework. Each sub-processor is bound by a data-processing agreement restricting use of your data to providing its service to us.

8. Cookies and tracking

We use essential cookies (Auth.js session + CSRF, and an operator impersonation cookie used by support staff) and a small set of preference cookies (your theme choice and your analytics choice). On the public website we additionally offer Google Analytics, which is off by default and loads only if you opt in via the cookie banner; declining keeps you browsing with no analytics, and you can withdraw consent at any time. We honor Do-Not-Track and Global Privacy Control signals as a standing decline, and analytics never runs in the signed-in application. We use no advertising or cross-site tracking cookies. The full per-cookie table, including retention windows, lives in our Cookie Policy.

9. Your rights

Subject to the PDPL and, where they apply, the GDPR / UK GDPR and CCPA/CPRA, you may request:

  • Access to the personal data we hold about you
  • Rectification of inaccurate or incomplete data
  • Erasure ("right to be forgotten")
  • Portability of your data in a machine-readable format
  • Restriction of, or objection to, processing
  • Withdrawal of any consent you have given (for example, analytics or alert email), at any time
  • To opt out of the "sale" or "sharing" of personal information (CCPA/CPRA) — note we do not sell or share your data

To exercise any of these rights, contact us at the address below. We will respond within the period required by the applicable law (30 days under the PDPL). You also have the right to lodge a complaint with your regulator — the UAE Data Office, or, if the GDPR applies to you, your local data protection supervisory authority.

10. Security

OAuth tokens are encrypted at rest. Database connections use TLS. Tenant data is logically isolated by customer ID at every query boundary. The application is read-only against your tenant — we cannot modify your Azure environment. If a personal-data breach occurs, we will notify the UAE Data Office and affected data subjects as required by the PDPL and any other applicable law.

11. Children

The Service is a business product not directed to children, and we do not knowingly collect personal data from anyone under 18.

12. Changes to this policy

We will notify you by email and via an in-app banner before any material change takes effect.

13. Contact

Questions or data-subject requests: support@permafrostepm.com.