Data Processing Agreement (DPA)

For customers requiring GDPR compliance

About This Agreement

This Data Processing Agreement ("DPA") supplements the Sleam Terms of Service and applies to customers who require formal data processing agreements for GDPR compliance.

Customers requiring a formal DPA: To execute a formal DPA, please contact our legal team at contact@sleam.io.

Key DPA Terms

Data Controller and Processor

  • Data Controller: Your organization (the Sleam customer)
  • Data Processor: Sleam Technologies
  • Sub-processors: Cloud infrastructure, Slack, Paddle (as listed below)

Personal Data Categories

  • Slack user identifiers and profile information
  • Cloud account metadata (no personal data from cloud workloads)
  • Usage and interaction data within Sleam
  • Support and communication records

Processing Purposes

  • Providing cloud cost optimization services
  • Delivering insights and recommendations via Slack
  • User authentication and access control
  • Service improvement and support

Data Subject Rights

  • Right of access to personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

Security Measures

Technical Safeguards

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for administrative access
  • Network segmentation and access controls
  • Regular security assessments and penetration testing

Organizational Measures

  • Staff training on data protection principles
  • Confidentiality agreements for all personnel
  • Incident response procedures
  • Regular compliance audits

Sub-processors

Sleam engages the following sub-processors to provide our services:

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloud Infrastructure Provider | Hosting and infrastructure | Global | Formal DPA, SOC 2, ISO 27001 |
| Slack Technologies | User authentication | US/EU | Slack DPA, SCCs |
| Paddle.com | Payment processing | UK/EU | GDPR compliant, PCI DSS |

We will notify customers 30 days in advance of any changes to our sub-processor list.

International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): As approved by the European Commission
  • Adequacy Decisions: For transfers to countries with adequate protection
  • Binding Corporate Rules: Where applicable for sub-processors

Data Breach Notification

Notification Timeline

  • Sleam will notify customers of personal data breaches without undue delay
  • Initial notification within 24 hours of becoming aware
  • Detailed report within 72 hours including impact assessment
  • Regular updates until the incident is resolved

Notification Content

  • Nature of the breach and categories of data affected
  • Approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken to address the breach

Data Retention and Deletion

Retention Periods

  • Personal data retained only as long as necessary for service provision
  • Account data deleted within 30 days of subscription termination
  • Backup data permanently deleted within 90 days
  • Some data may be retained longer for legal compliance

Deletion Process

  • Secure deletion using industry-standard methods
  • Certification of deletion provided upon request
  • Coordinated deletion from all systems and backups

Audit and Compliance

Audit Rights

  • Customers may request information about processing activities
  • Annual compliance reports available upon request
  • Third-party audit reports (SOC 2, ISO 27001) shared under NDA
  • On-site audits available for customers requiring formal compliance (costs apply)

Compliance Certifications

  • SOC 2 Type II certification (annual)
  • ISO 27001 compliance
  • GDPR compliance assessment
  • Regular penetration testing

Contact and Execution

To Execute This DPA

Customers requiring a formally executed DPA should contact our legal team:

Email: contact@sleam.io

Subject: "DPA Execution Request"

Include: Company name, contact details, and any specific requirements

Last updated: 6/26/2025
Version: 1.0
This DPA template is subject to final execution and may be modified during the negotiation process.