CONFIDENTIAL — Shared under mutual NDA. Do not distribute outside your organization.
Data Handling & Privacy Policy
CloudFive · Effective: June 2026 · Owner: Todd Densmore · Review: Annual
1. Purpose
This document describes how CloudFive collects, uses, stores, protects, and deletes data belonging to clients,
their customers, and other third parties. CloudFive's default position is data minimization: we access and retain
only what is necessary to deliver the agreed scope of work.
2. Data Categories Processed
| Category | Examples | Basis for processing |
| --- | --- | --- |
| Client operational data | Databases, logs, files shared for analysis | Contractual necessity |
| Client contact data | Name, email, phone of client personnel | Contractual necessity |
| End-user PII (if applicable) | Names, emails in client systems | Client instruction only; DPA required |
| Financial data | Invoice data, payment records | Legal obligation |
3. Data Collection
- CloudFive collects only the minimum data required to complete the engagement.
- Access to client production systems requires explicit written authorization per engagement.
- Any access to end-user PII requires a signed Data Processing Agreement (DPA) prior to engagement start.
4. Data Storage
- All client data in CloudFive's custody is stored in AWS (us-east-1 or us-east-2 by default, unless the client specifies otherwise).
- Data at rest is encrypted with AES-256 (AWS managed keys, or CMKs for sensitive engagements).
- Data in transit uses TLS 1.2+.
- No client data is stored in personal cloud storage (Dropbox, personal Google Drive, iCloud) or on unencrypted local disk.
5. Data Access
- Client data is accessed only by CloudFive personnel with a need-to-know for the engagement.
- Access logs are retained for 90 days minimum in AWS CloudTrail.
- Sub-contractors are not granted access to client data without prior written client consent.
6. Data Retention & Deletion
- During engagement: Data is retained as required to deliver services.
- Post-engagement default: 90 days, then permanent deletion.
- On client request: Deletion within 10 business days. Certificate of deletion provided upon request.
- Legal hold: Data may be retained longer if required by law or litigation.
7. Data Sharing
CloudFive does not sell, rent, or share client data. The only permitted disclosures are:
- Subprocessors necessary to deliver the service (see Subprocessor List)
- Legal requirement (court order, regulatory demand) — client notified where legally permissible
- Client-directed sharing
8. Data Processing Agreements
If an engagement requires processing personal data of the client's end users, CloudFive will execute a DPA with the
client prior to data access. Template DPA available upon request.
9. Client Rights
Clients may request at any time:
- A summary of what data CloudFive holds
- Correction of inaccurate data
- Deletion of their data
- Export of their data in a machine-readable format
Requests are fulfilled within 10 business days. Contact: todd@cloudfive.net
10. Breach Notification
In the event of a confirmed data breach affecting client data, CloudFive will notify affected clients within 72 hours
of confirmation, consistent with GDPR Article 33 timelines even where not legally required. Notification will include
the nature of the breach, data affected, mitigation steps taken, and recommended client actions.