This Data Processing Agreement ("DPA") forms part of the Terms of Service between **Braveware, operating as Serverfy** ("Data Processor", "we", "us") and the customer ("Data Controller", "you").
This agreement reflects the parties' commitment to abide by applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD), concerning the processing of Personal Data.
1. Roles and Responsibilities
- Data Controller: You, the customer, determine the purposes and means of processing Personal Data on the servers managed via Serverfy.
- Data Processor: Serverfy acts as the Data Processor. We process server metadata, deployment configurations, and account information solely on your documented instructions to provide our server management services.
2. Scope and Nature of Processing
Serverfy automates infrastructure management. To do this, we process:
- Account Information: Names, emails, and billing details to maintain your Serverfy account.
- Infrastructure Data: Cloud provider API keys, IP addresses, and server health metrics (CPU, RAM).
- VCS Authentication: OAuth tokens or deploy keys from GitHub, GitLab, or Bitbucket strictly to configure webhooks and automated deployments.
Exclusion of Customer Content: Serverfy does not host your applications or databases. We do not download, store, or process the source code of your applications, nor do we access the end-user data stored within the databases on your managed servers. You remain fully responsible for the compliance and security of the data residing on your infrastructure.
3. Security Measures
Serverfy implements strict technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: All sensitive credentials (API keys, database passwords, OAuth tokens) are encrypted at rest with AES-256. All data in transit is secured via TLS 1.2 or higher.
- Access Control: Access to our management infrastructure is strictly limited to authorized personnel and protected by multi-factor authentication (MFA).
- Isolation: Each server managed by Serverfy is accessed using an isolated SSH key pair generated specifically for that environment.
4. Sub-processors
To deliver our services globally, Serverfy engages trusted third-party sub-processors. By accepting this DPA, the Data Controller grants general authorization for Serverfy to use sub-processors in the following categories:
- Payment Gateways (e.g., Stripe): for processing subscription fees.
- Cloud Infrastructure (e.g., AWS, DigitalOcean): for hosting the Serverfy dashboard and API.
- Transactional Communication (e.g., Mailgun, Postmark): for sending system alerts and deployment notifications.
We ensure that all sub-processors are bound by written agreements that require them to provide at least the same level of data protection as required under this DPA.
5. Data Subject Requests
As the Data Processor, Serverfy will assist the Data Controller, insofar as possible, in fulfilling its obligation to respond to requests from individuals exercising their data privacy rights (e.g., the right to access, rectify, or erase data). If Serverfy receives a request directly from an end-user of the Data Controller, we will promptly redirect the request to the Data Controller.
6. Personal Data Breach Notification
In the event of a confirmed security breach that compromises Personal Data processed by Serverfy, we will notify the Data Controller without undue delay (and in any event within 48 hours of becoming aware of the breach). We will provide sufficient information to allow you to meet your reporting obligations under the GDPR or LGPD.
7. Data Deletion and Return
Upon termination of your Serverfy account, we will promptly and securely delete all OAuth tokens, API keys, and deployment metadata associated with your account from our active databases. Infrastructure logs and invoice records may be retained temporarily solely for legal and tax compliance purposes.
8. Governing Law
This DPA shall be governed by and construed in accordance with the laws applicable to the principal Terms of Service agreement.