Our commitments for processing your data in compliance with applicable regulations.
Last updated: April 1, 2026
"Controller" means the entity that determines the purposes and means of processing Personal Data. In most cases, this is you, the customer.
"Processor" means the entity that processes Personal Data on behalf of the Controller. This is Stratl.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Stratl in the course of providing services.
"Sub-processor" means any third party engaged by Stratl to assist in processing Personal Data on behalf of the Controller.
Stratl processes Personal Data solely for the purpose of providing the monitoring and alerting services described in your subscription agreement. This includes ingesting AWS CloudTrail events, generating alert enrichments, and delivering notifications.
The types of Personal Data processed may include IP addresses, user identifiers, email addresses, and any personal data contained within your AWS CloudTrail event logs.
Stratl will not process Personal Data for any purpose other than providing the contracted services unless explicitly instructed by the Controller in writing.
The Controller is responsible for ensuring that it has a lawful basis for sharing Personal Data with Stratl and that any necessary consents or authorizations have been obtained.
The Controller is responsible for the accuracy of the Personal Data provided to Stratl and for providing any necessary notices to data subjects regarding the processing.
Stratl shall process Personal Data only on documented instructions from the Controller, unless required by applicable law to process for other purposes.
Stratl shall ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
Stratl shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Stratl maintains a list of approved sub-processors that assist in delivering our services. This list is available upon request and is updated at least 30 days before any new sub-processor is engaged.
Stratl imposes data protection obligations on all sub-processors that are no less protective than those contained in this DPA. Stratl remains liable for the acts and omissions of its sub-processors.
The Controller may object to a new sub-processor by notifying Stratl within 14 days of receiving notice. If the objection cannot be resolved, the Controller may terminate the affected services.
Where Personal Data is transferred outside the European Economic Area (EEA), Stratl ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.
Stratl participates in and has certified its compliance with the EU-U.S. Data Privacy Framework where applicable.
Stratl shall assist the Controller in fulfilling its obligations to respond to data subject requests to exercise their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.
Stratl shall notify the Controller without undue delay upon receiving a request from a data subject, unless prohibited by law from doing so.
Stratl implements comprehensive security measures as detailed in our Security page, including encryption at rest and in transit, access controls, network segmentation, vulnerability management, and incident response procedures.
Stratl conducts regular security assessments and audits to verify the effectiveness of its security measures and makes audit reports available to customers upon request.
In the event of a Personal Data breach, Stratl shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach.
The notification shall include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.
Upon termination of services or upon the Controller's written request, Stratl shall delete or return all Personal Data within 30 days, unless applicable law requires retention.
Stratl shall provide written confirmation of data deletion upon the Controller's request.
The Controller has the right to audit Stratl's compliance with this DPA upon reasonable notice. Stratl shall cooperate with such audits and provide access to relevant documentation, facilities, and personnel.
Alternatively, the Controller may accept Stratl's SOC 2 Type II report or other independent audit certifications as evidence of compliance.
For questions about this DPA or to request a signed copy, please contact our data protection team at dpa@stratl.dev.