Privacy-First Cloud Audits (EU)

I designed my audit method to minimize legal friction in Europe. By default I do not access personally identifiable information (PII) or raw production data.

Do you need access to production data or PII?

No. I review billing exports, IaC (Terraform), autoscaling/alert configs, logging/metrics schemas and retention policies, aggregated latency/error charts, and architecture/runbook docs. Screenshare is fine.

Will you export data out of our tenant?

No. I do not extract or store your production data. If deeper checks are required, we can add an on-site / tenant-only read-only step under NDA/DPA.

Data location & processors

Work is performed in the EU only. I do not use sub-processors without your written consent.

Retention & deletion

Working notes are deleted within 30 days of final delivery.

Security

Least-privilege access, encrypted transit/storage for exchanged artifacts, purpose-limited use aligned with the audit scope.

Scope boundary

The 2-week audit provides analysis & recommendations. Implementation or tenant-only checks are separate follow-on engagements.

Have a question from Legal or Procurement?
Email me at atabak.kheirkhah@gmail.com and I’ll share the NDA/DPA addendum template.