Data Processing Addendum

Last updated: May 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between Frust SpA ("Processor") and the Client ("Controller") and governs the processing of personal data carried out by Frust on behalf of the Client. This DPA complies with Chile's Law 21.719, the EU General Data Protection Regulation (GDPR Art. 28), and Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP).

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation or set of operations performed on personal data. "Controller" means the Client who determines the purposes and means of processing. "Processor" means Frust, who processes personal data on behalf of the Controller. "Sub-processor" means any third party engaged by Frust to process personal data.

2. Subject Matter and Duration

Frust processes personal data solely to provide the cloud cost optimization services described in the Terms and Conditions. Processing begins on the effective date of the service agreement and continues until termination, after which Frust will delete or return all personal data as specified in Section 12.

3. Nature and Purpose of Processing

  • Nature: collection, storage, analysis, and transmission of AWS billing and usage metadata.
  • Purpose: optimizing the Controller's AWS expenditure through Reserved Instances and Savings Plans managed by Frust.
  • Lawful basis: performance of a contract (Chile Law 21.719 Art. 13 lit. b; GDPR Art. 6(1)(b)); legitimate interest for aggregate analytics.

4. Categories of Data and Data Subjects

Data processed: AWS account identifiers, IAM role metadata, Cost Explorer usage data, billing line items, resource tags, and contact information of Client administrators (name, business email, job title).

Data subjects: employees and contractors of the Controller who are identified in AWS account metadata or billing contact records.

Frust does not process special categories of personal data (health, biometric, racial origin, political opinions, etc.) under any circumstances.

5. Controller Obligations

The Controller represents and warrants that:

  • It has a lawful basis for the personal data it provides to Frust and has notified affected data subjects as required by applicable law.
  • It will provide Frust with all information and cooperation necessary to comply with applicable data protection law.
  • It will promptly inform Frust of any changes to data subject rights requests or regulatory inquiries that affect the processing.
  • It will ensure that its instructions to Frust comply with applicable law and will not instruct Frust to perform any processing that would violate applicable data protection obligations.

6. Processor Obligations (Frust)

Frust shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that authorized personnel are subject to appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational security measures described in Section 8.
  • Not engage a sub-processor without prior written authorization from the Controller, in accordance with Section 7.
  • Assist the Controller in responding to data subject rights requests as described in Section 9.
  • Notify the Controller of a personal data breach without undue delay and no later than 72 hours after becoming aware, as described in Section 10.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 13.
  • Promptly inform the Controller if, in Frust's opinion, an instruction violates applicable data protection law.

7. Sub-processors

The Controller grants general written authorization to engage the following sub-processors. Frust will notify the Controller of any intended changes (additions or replacements) at least 30 days in advance, giving the Controller the opportunity to object.

Amazon Web Services, Inc. (AWS)

Cloud infrastructure and data storage. Region: us-east-1 (primary). DPA: aws.amazon.com/compliance/gdpr-center

Neon Tech

Managed PostgreSQL database hosting. Region: AWS us-east-1. Privacy policy available at neon.tech/privacy.

Twilio SendGrid

Transactional email delivery. Privacy policy available at sendgrid.com/privacy.

Google LLC

Google Analytics (anonymized) and Google Tag Manager. Data Processing Amendment available at business.safety.google/adsprocessorterms.

All sub-processors are required to provide at least the same level of data protection as this DPA.

8. Security Measures

Frust implements the following technical and organizational measures:

  • Access control: AWS IAM roles with least-privilege read-only permissions; MFA enforced for all Frust personnel with access to production systems.
  • Encryption: data encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS).
  • Isolation: each Client's data is logically isolated using separate database schemas and IAM ExternalId conditions.
  • Audit logging: all access to Client AWS roles is logged via AWS CloudTrail and retained for 90 days.
  • Vulnerability management: dependency scanning, security patching, and annual third-party penetration testing.
  • Incident response: documented incident response procedure with defined escalation paths and 72-hour notification SLA.

9. Data Subject Rights

Frust will assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) within 5 business days of receiving a request from the Controller. Frust will not respond directly to data subjects on behalf of the Controller unless expressly authorized in writing.

10. Personal Data Breach Notification

In the event of a personal data breach affecting Controller data, Frust will notify the Controller without undue delay and no later than 72 hours after becoming aware. The notification will include: (a) the nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed to address the breach and mitigate its effects. This timeline applies regardless of whether the breach has been resolved.

11. International Data Transfers

Frust's primary infrastructure is located in AWS us-east-1 (United States). Transfers from the European Economic Area (EEA) to Frust are governed by the European Commission Standard Contractual Clauses (SCCs) for Controller-to-Processor transfers (Module 2), incorporated herein by reference. For transfers from Chile, Frust complies with Law 21.719 Chapter V on international transfers. For Mexico, transfers comply with LFPDPPP Articles 36–37.

Clients in the EEA may request a signed copy of the SCCs by emailing privacy@frust.co.

12. Return and Deletion of Data

Upon termination of the service agreement, Frust will, at the Controller's election: (a) return all personal data in a machine-readable format (CSV/JSON) within 30 days; or (b) securely delete all personal data and provide written confirmation of deletion within 30 days. Frust may retain data required by applicable law for the minimum period mandated, after which it will be deleted.

13. Audit Rights

The Controller may audit Frust's compliance with this DPA once per calendar year by providing 30 days' written notice. Audits will be conducted during business hours and must not unreasonably disrupt Frust's operations. Frust may satisfy audit requests by providing its most recent available security documentation or third-party assessment in lieu of an on-site audit.

14. Governing Law and Jurisdiction

This DPA is governed by Chilean law (Law 21.719 and supplementary legislation). For Clients in the European Union, the GDPR prevails to the extent it conflicts with Chilean law. For Clients in Mexico, LFPDPPP applies. Disputes shall be resolved in accordance with the dispute resolution clause in the Terms and Conditions.

15. Contact

Questions about this DPA or data protection practices should be directed to: privacy@frust.co. Frust's registered address is: Callao 2911, of 4144, Santiago, Metropolitan Region, Chile, 7550285.
