Refine

Data Processing Agreement

Last updated: 3 June 2026

1. Definitions

"Customer Data" means any AWS billing data, security metadata, or account configuration data processed by Refine on behalf of Customer. "Processing" has the meaning given in applicable data protection law.

2. Roles of the parties

Customer is the Data Controller. Refine is the Data Processor. Refine processes Customer Data only on documented instructions from Customer.

3. Nature and purpose of processing

Refine processes Customer Data to (a) read AWS cost and usage information via the read-only IAM role Customer grants; (b) perform security posture analysis; (c) generate cost optimization recommendations; (d) detect anomalies; (e) deliver scheduled reports.

4. Sub-processors

The current list of sub-processors is maintained on our sub-processor list page. We will provide notice via email to Customer's primary contact at least 30 days before engaging a new sub-processor. Customer may object in writing within that period.

5. Security measures

Refine implements the following technical and organizational measures:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AWS KMS-managed keys)
  • Read-only IAM role access to Customer AWS accounts as the baseline; remediations are applied only via an optional, narrowly scoped policy that Customer grants per fix type. Refine never holds Customer credentials
  • Audit logging of all administrative actions and of any remediations applied through opt-in scoped permissions
  • Annual review of access controls and key rotation
  • Vulnerability disclosure program at info@habilelabs.io

6. Data retention and deletion

Customer Data is retained for 90 days by default. Retention is configurable per account via Settings → Account. Customer may request deletion at any time by emailing info@habilelabs.io; Refine will process the request within 5 business days and confirm in writing.

7. International data transfers

Refine processes Customer Data primarily in AWS region ap-south-1 (Mumbai). Where Customer Data is transferred outside the EEA, Refine relies on Standard Contractual Clauses approved by the European Commission.

8. Data subject rights

Refine will assist Customer in responding to requests from Data Subjects exercising their rights under applicable data protection law (access, rectification, erasure, portability). Requests received directly by Refine will be forwarded to Customer for handling.

9. Personal data breach notification

In the event of a Personal Data Breach, Refine will notify Customer without undue delay and in any event within 48 hours of becoming aware of the breach.

10. Audit rights

Customer may, no more than once per year and on reasonable notice, request information sufficient to demonstrate compliance with this DPA. Refine will provide reasonable evidence including security-attestation documentation when available.

11. Termination

On termination of the underlying agreement, Refine will, at Customer's option, return or delete all Customer Data within 30 days unless retention is required by law.

12. Governing law

This DPA is governed by the laws specified in the underlying agreement between Customer and Refine.

13. Contact

Privacy contact: info@habilelabs.io

Need a signed copy?

Email info@habilelabs.io with your company name and counter-signing contact. Custom Enterprise DPAs will be available when that tier launches.

Refine is built and supported by HabileLabs, an AWS Advanced Tier Services Partner.