Data Processing & Transfer Policy

Last Updated: December 2025

1. Introduction

Ambrstack ("the Company," "we," "us," or "our") is committed to safeguarding the personal data of its customers, end users, and other stakeholders. This Data Processing & Transfer Policy ("Policy") sets out Ambrstack's practices relating to the processing, storage, and transfer of data—particularly in scenarios where data may be transferred outside the European Union ("EU") and the European Economic Area ("EEA"). This document is designed to address compliance requirements under data protection regulations such as the General Data Protection Regulation (GDPR) and other relevant global privacy laws.

2. Purpose & Scope

Purpose:

The purpose of this Policy is to ensure that any personal data collected, stored, processed, or transferred by Ambrstack is handled securely and in compliance with all applicable data protection laws and regulations.

Scope:

This Policy applies to all Ambrstack employees, contractors, affiliates, and authorized third-party service providers ("sub-processors") that process data on our behalf. It covers all data processing activities that involve personal data, including but not limited to data collection, storage, transmission, analysis, and deletion.

3. Definitions

Personal Data:
Any information relating to an identified or identifiable natural person.
Processing:
Any operation or set of operations performed on personal data (e.g., collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction).
Data Controller:
The entity that determines the purposes and means of processing personal data.
Data Processor:
The entity that processes personal data on behalf of the Data Controller.
Sub-Processor:
Any third party appointed by Ambrstack to process personal data on Ambrstack's behalf.
EU:
Member States of the European Union.
EEA:
The European Economic Area, which includes all EU Member States plus Iceland, Liechtenstein, and Norway.

4. Roles & Responsibilities

Ambrstack as a Data Processor:

Ambrstack does not process personal data of or on behalf of our customers (who may act as the Data Controllers). In a situation where data processing is required for successful completion or execution of a task related to any of our products, we follow the instructions of our customers with respect to the processing of that data.

Ambrstack as a Data Controller:

Where Ambrstack collects personal data for its own purposes (e.g., employee data, sales leads), we act as a Data Controller and adhere to all data controller obligations under relevant laws. We do not collect any personally identifiable information as part of the usage of any of our products.

Employees & Staff:

All Ambrstack employees and staff are obligated to comply with this Policy.

Sub-Processors:

Ambrstack carefully selects and manages sub-processors who must meet our security, privacy, and regulatory compliance standards.

5. Data Collection & Usage

Types of Data Collected

  • Customer-Provided Data: Any information that our customers intentionally submit (e.g., account creation details, usage logs, support tickets).
  • Service Metadata: Automatic collection of non-personally identifiable information related to service performance, logs, and usage metrics.

Purposes of Data Processing

  • Service Provision: We process data primarily to deliver and improve our core services.
  • Customer Support: This includes handling queries, troubleshooting, and resolving technical issues.
  • Internal Analytics: We may analyze anonymized or aggregated data to refine our services but do not read or utilize raw customer data beyond what is necessary to maintain and optimize our platform.

6. Sub-Processors & Data Transfers

Sub-Processors Outside the EU/EEA

Sub-Processor      Location         Purpose
MongoDB            United States    Secure and scalable database hosting solutions
Google Firestore   United States    Secure and scalable database hosting solutions

These sub-processors facilitate secure and scalable database hosting solutions. Although they are based in the United States, Ambrstack implements appropriate safeguards to ensure the legality and security of these transfers.

Legal Basis for International Transfers

  • Standard Contractual Clauses (SCCs): Where required, Ambrstack enters into EU-approved SCCs with sub-processors outside the EU/EEA.
  • Adequacy Decisions: In the absence of an adequacy decision, Ambrstack ensures equivalent levels of data protection are in place via contractual obligations.
  • Additional Technical Safeguards: Encryption at rest and in transit, strict access controls, and robust authentication mechanisms.

Minimization of Data Access

  • No Reading of Customer Data: Ambrstack and its sub-processors do not "store" the contents of customer data unless upon explicit instruction by the customer.
  • Access on a Need-to-Know Basis: Any access to customer data by Ambrstack staff or sub-processors is tightly restricted and audited.

7. Data Security Measures

Ambrstack employs a comprehensive information security program that includes administrative, technical, and physical safeguards. Key elements include:

Encryption

  • Data in Transit: TLS/SSL encryption for all data transfers.
  • Data at Rest: Encrypted storage through sub-processor-managed encryption (e.g., AES-256).

Access Controls

  • Role-Based Access: Access to systems is restricted based on job role and function.
  • Multi-Factor Authentication: Enabled for all administrative access.
  • Least Privilege Principle: Users have the minimum level of access necessary to perform their roles.

Network Security

  • Firewalls & IDS: Firewalls, intrusion detection, and prevention systems are in place to prevent unauthorized external access.
  • Logging & Monitoring: Comprehensive logs are maintained, and real-time monitoring is conducted to detect anomalies.

Physical Security

  • Secure Facilities: Data centers used by our sub-processors maintain industry-standard physical security controls.

Incident Response

8. Data Subject Rights

When acting as a Data Processor, Ambrstack assists Data Controllers in responding to data subjects' requests as legally required, such as:

  • Access: Providing information about what personal data is held.
  • Rectification: Correcting inaccurate or incomplete data.
  • Erasure: Deleting personal data upon request, where appropriate.
  • Restriction/Objection: Restricting or ceasing certain data processing activities.

Data Controllers remain primarily responsible for the fulfillment of these requests; however, Ambrstack offers all necessary support under the applicable data protection laws.

9. Data Retention & Deletion

Retention Periods

  • Customer Data: Retained as long as necessary to provide services to our customers or as directed by the Data Controller.
  • Backups: Maintained for disaster recovery and business continuity purposes within standard retention periods outlined in our Data & Log Retention Policy.

Secure Deletion

  • Data Disposal: Once data is no longer required, it is securely deleted or anonymized, using industry-standard methods that prevent data reconstruction.

10. Compliance & Review

Compliance Audits:

Ambrstack may conduct or commission periodic audits to ensure compliance with this Policy, relevant contractual obligations, and data protection laws.

Policy Review:

This Policy is reviewed at least annually and updated as needed to reflect legal, technological, or operational changes.

11. Breaches & Notification

In the event of a confirmed breach of personal data, Ambrstack will promptly notify the relevant parties (including Data Controllers, regulatory authorities, and/or affected individuals, if required) in accordance with our Incident Response & Security Vulnerability Policy and applicable data protection laws.

12. Contact & Further Information

For questions or more information regarding this Data Processing & Transfer Policy, please contact:

Abhishek Singh

Co-founder, Ambrstack

talk@ambrstack.com