Privacy Policy

Last updated: April 16, 2026

1. Who We Are

CloudGovernancePulse (“CGPulse”, “we”, “us”) is a multi-cloud governance SaaS platform operated by SmartSpirit that helps organisations scan, evaluate, and remediate cloud resource configurations.

2. Data We Collect

2.1 Account Information

When you sign in via Microsoft, Google, or GitHub OAuth we receive your display name, email address, and profile identifier. We use this solely to create and manage your CGPulse account.

2.2 Cloud Resource Metadata

During scans we read resource metadata (names, types, configuration properties) from your Azure or AWS environments using read-only API calls. This metadata is stored as scan snapshots so you can track compliance over time.

2.3 Compliance Results & Audit Logs

Policy evaluation results, remediation actions, and account activity are logged to provide audit trails and compliance evidence. Audit logs may include IP addresses for security and fraud detection purposes.

2.4 Technical Telemetry

We collect performance metrics, error logs, and HTTP request metadata via Application Insights for service reliability and debugging. This may include user identifiers and resource type names in error context. Telemetry data is retained for 90 days.

3. Data We Do NOT Collect

  • Passwords — authentication is handled entirely by your identity provider.
  • Payment card data — card numbers are processed exclusively by Stripe (PCI DSS Level 1 certified). CGPulse never stores, transmits, or has access to card data.
  • Resource content — we never read blobs, database rows, key vault secrets, or any actual data stored in your cloud resources.

4. Cloud Credentials & Token Handling

OAuth access tokens obtained during Azure connections are cached temporarily in encrypted form (Azure Key Vault + Data Protection) to enable token refresh without re-authentication. Token caches are scoped per connection and deleted when the connection is removed. AWS credentials use temporary STS AssumeRole sessions that expire automatically.

5. How Data Is Stored

All customer data is stored in Azure Cosmos DB (EU West region by default) with encryption at rest enabled. Each tenant’s data is logically isolated using per-tenant partition keys, ensuring that no tenant can access another tenant’s data.

6. Third-Party Services (Subprocessors)

Service | Purpose | Data Region
Microsoft Entra ID | Authentication (OAuth / OpenID Connect) | EU / US
Google OAuth | Authentication (alternative sign-in) | US
GitHub OAuth | Authentication (alternative sign-in) | US
Stripe | Subscription billing & payment processing (PCI DSS Level 1) | US
Microsoft Azure | Application hosting, Cosmos DB, Key Vault, Service Bus | EU (North Europe)
Application Insights | Performance monitoring, error tracking, telemetry (90-day retention) | EU (North Europe)
Anthropic (Claude AI) | AI-powered compliance summaries and IaC template reviews (opt-in, Team & Business plans) | US

We will notify you at least 30 days before adding new subprocessors. AI summaries transmit aggregated compliance scores and rule names to Anthropic — never raw resource data, credentials, or PII.

7. Data Retention

Audit log and scan snapshot retention depends on your subscription plan:

  • Free — 7 days
  • Team — 90 days
  • Business — 365 days

Data exceeding its retention window is permanently deleted from all systems within 7 days of expiry. You may request earlier deletion at any time by emailing cgpulse.support@smartspirit.eu with your tenant ID. We will process deletion requests within 5 business days.

8. Your Rights

You have the right to:

  • Access & export your data in machine-readable format.
  • Delete your account and all associated data.
  • Rectify inaccurate personal information.
  • Object to processing or request restriction.
  • Data portability — receive your compliance data in JSON format.

We comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). To exercise any of these rights, contact us at cgpulse.support@smartspirit.eu.

9. Cookies

CGPulse uses session cookies strictly necessary for authentication and application functionality. We do not use tracking cookies, advertising cookies, or any third-party cookie-based analytics.

10. Security

We implement industry-standard security measures including encryption at rest and in transit (TLS 1.2+), per-tenant data isolation, role-based access control, and regular security reviews. To report security vulnerabilities, contact cgpulse.security@smartspirit.eu.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification at least 30 days before they take effect.

12. Contact

If you have questions about this Privacy Policy, please contact us at cgpulse.support@smartspirit.eu.

For data protection inquiries specifically, contact our Data Protection contact at privacy@smartspirit.eu.
