Legal
Data Processing Agreement
DevSafe encrypts your code before it leaves your machine. This DPA covers only the service data we actually hold: your email address and usage metrics. We cannot access your backups.
Plain language summary
DevSafe uses zero-knowledge encryption. Your code is encrypted on your machine with your key before it goes anywhere. We never see it, we cannot decrypt it, and no court order can change that because we do not have the key. This DPA governs the small amount of service data we do hold (email, payment info, usage metrics) and names every sub-processor that touches it.
Section 1
Definitions
The following terms have specific meanings throughout this Agreement.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1), CCPA Section 1798.140(v), or equivalent applicable law.
"Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Sub-Processor" means any third party engaged by HXA Labs to process Personal Data on behalf of the Customer in connection with the Services.
"Customer Data" means all data, including source code, git repositories, configuration files, and any other content that the Customer processes using DevSafe. Customer Data is encrypted on the Customer's machine before transmission and is never accessible to HXA Labs.
"Service Data" means the limited Personal Data that HXA Labs processes to provide the Services, including: email address, account identifiers, usage metrics (backup counts, storage volume, feature usage), and payment information handled by Stripe.
"Encrypted Data" means Customer Data that has been encrypted using AES-256-GCM with keys generated and held exclusively by the Customer. Encrypted Data is stored in the Customer's own cloud storage (Cloudflare R2 or S3-compatible). HXA Labs does not possess, store, or have access to the decryption keys for Encrypted Data.
"Controller" means the Customer, who determines the purposes and means of processing Personal Data.
"Processor" means HXA Labs, which processes Service Data on behalf of the Customer.
"Agreement" or "DPA" means this Data Processing Agreement between the Customer and HXA Labs.
"Services" means the DevSafe encrypted git backup tool and related services provided by HXA Labs.
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this Agreement, including GDPR, UK GDPR, CCPA, and any successor legislation.
Section 2
Scope and roles
This Data Processing Agreement ("DPA") is entered into between the Customer ("Controller") and HXA Labs LLC ("Processor"), operator of DevSafe.
HXA Labs acts as a Processor with respect to Service Data: the email address, account identifiers, and usage metrics necessary to provide the DevSafe service.
HXA Labs does not act as a Processor with respect to Customer Data (source code, git repositories, backup contents). Customer Data is encrypted on the Customer's machine using AES-256-GCM with keys held exclusively by the Customer. Encrypted Data passes through or is stored in the Customer's own cloud storage. HXA Labs never possesses, accesses, or processes Customer Data in unencrypted form.
This DPA applies to all Processing of Service Data carried out by HXA Labs on behalf of the Customer in connection with the Services. It supplements and forms part of the DevSafe Terms of Service.
Section 3
Zero-Knowledge Architecture Statement
Legally binding commitment
HXA Labs cannot access, decrypt, read, copy, or process Customer Data. This is not a policy choice. It is an architectural constraint enforced by the following technical measures:
- Client-side encryption. All Customer Data is encrypted using AES-256-GCM on the Customer's machine before it leaves that machine. The DevSafe binary performs encryption locally.
- Customer-held keys. Encryption keys are generated on the Customer's machine and never transmitted to HXA Labs, any Sub-Processor, or any third party. HXA Labs does not operate a key management service and does not escrow keys.
- User-owned storage. Encrypted backups are stored in the Customer's own Cloudflare R2 bucket or S3-compatible storage. HXA Labs does not host, mirror, or cache encrypted backups on its own infrastructure.
- No server-side processing. DevSafe is a single Go binary that runs on the Customer's machine. There is no server-side component that processes, transforms, or inspects Customer Data.
- Compelled disclosure limitation. Because HXA Labs does not possess decryption keys and does not store encrypted backups, HXA Labs cannot produce Customer Data in response to legal process, law enforcement requests, or regulatory inquiries. HXA Labs will notify the Customer of any such request to the extent permitted by law.
This zero-knowledge architecture reduces GDPR processor exposure for Customer Data because HXA Labs never processes it. The processor obligations in this DPA apply to Service Data only.
Section 4
Processing instructions
HXA Labs will process Service Data only in accordance with the Customer's documented instructions, which are constituted by:
- This DPA and the schedules attached to it.
- The DevSafe Terms of Service.
- Any additional written instructions agreed upon by both parties.
HXA Labs will not process Service Data for any purpose other than providing the Services, unless required to do so by applicable law. If HXA Labs is required by law to process Service Data for another purpose, HXA Labs will inform the Customer of that legal requirement before processing, unless the law prohibits such notification.
HXA Labs will immediately inform the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Law.
Section 5
Sub-Processor management
The Customer authorizes HXA Labs to engage the Sub-Processors listed in Schedule 3. HXA Labs maintains a public Sub-Processor list at devsafe.com/trust.
Notification of changes
HXA Labs will notify the Customer by email at least 30 days before adding or replacing any Sub-Processor. The notification will include the Sub-Processor's name, the nature of the processing, and the categories of data involved.
Objection rights
The Customer may object to a new Sub-Processor by notifying HXA Labs in writing within 30 days of receiving notice. If HXA Labs cannot reasonably accommodate the objection, the Customer may terminate the affected portion of the Services without penalty. HXA Labs will refund any prepaid fees for the terminated period.
Sub-Processor obligations
HXA Labs will impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA. HXA Labs remains fully liable for the acts and omissions of its Sub-Processors.
Current Sub-Processors
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Cloudflare | Website hosting, DNS, DDoS protection, WAF, CDN, SSL/TLS | Request metadata (IP address, HTTP headers) | Global edge |
| Supabase | User authentication, account database | Email address, usage metrics | US (EU option) |
| Stripe | Payment processing | Payment card details (DevSafe never sees card numbers) | US |
| Resend | Transactional email delivery | Email address, email content | US |
The complete Sub-Processor list with privacy policy URLs is provided in Schedule 3.
Section 6
Data security
HXA Labs implements and maintains technical and organizational measures appropriate to the nature, scope, and purposes of the processing. These measures are described in detail in Schedule 2.
Technical measures
- Encryption in transit. All communications between the Customer's browser or CLI and HXA Labs infrastructure use TLS 1.2 or higher. Communications to storage providers use TLS 1.2 or higher. HTTPS is enforced. HTTP connections are rejected.
- Encryption at rest. Service Data stored in Supabase is encrypted at rest using AES-256.
- Access controls. Email and password, magic link, or GitHub OAuth authentication for customer accounts. Optional TOTP multi-factor authentication. Passwords hashed by Supabase Auth, never accessible to DevSafe. API key authentication for programmatic access. Role-based access control for team accounts.
- Infrastructure security. DDoS protection, WAF, and bot detection via Cloudflare. Rate limiting on all API endpoints. Security headers enforced (HSTS, CSP, X-Frame-Options).
Organizational measures
- Principle of least privilege for all internal system access.
- All secrets managed via environment variables. No hardcoded credentials.
- Incident response plan documented and maintained.
- Sub-Processor list publicly maintained and updated.
SOC 2 roadmap
HXA Labs is implementing controls aligned with SOC 2 Type II (Security, Availability, Confidentiality). Observation period target: 2027. The current security posture is documented at devsafe.com/trust.
Section 7
Data Subject Rights
HXA Labs will assist the Customer in responding to data subject requests under Applicable Data Protection Law, to the extent that HXA Labs holds the relevant data.
What HXA Labs can provide
HXA Labs holds Service Data (email address, account identifiers, usage metrics). For this data, HXA Labs can facilitate:
- Access. Export of all Service Data associated with the Customer's account.
- Rectification. Correction of inaccurate Service Data upon request.
- Erasure. Deletion of all Service Data upon account termination or request.
- Portability. Export of Service Data in a structured, machine-readable format.
- Restriction. Restriction of processing upon verified request.
What HXA Labs cannot provide
HXA Labs cannot facilitate access, portability, or erasure requests for Customer Data (encrypted backups). The Customer holds the encryption keys and controls the storage. The Customer must fulfill data subject requests for Customer Data directly.
HXA Labs will respond to data subject rights requests within 30 days. If a data subject contacts HXA Labs directly, HXA Labs will redirect the request to the Customer without undue delay.
Section 8
Data Breach Notification
HXA Labs will notify the Customer of any Personal Data breach affecting Service Data without undue delay and in any event within 48 hours of becoming aware of the breach.
Notification content
The notification will include, to the extent known:
- The nature of the breach, including the categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- The name and contact details of the point of contact for further information.
Scope limitation
Breach notification obligations under this DPA apply to Service Data only. A breach of the Customer's own cloud storage credentials or encryption keys is outside the scope of this DPA because HXA Labs does not hold, manage, or have access to those credentials or keys.
HXA Labs will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any breach.
Section 9
Audits
Annual security report
HXA Labs will make available to the Customer, upon request, a summary of security measures, certifications, and audit results relevant to this DPA. When SOC 2 Type II certification is achieved (target: 2027), the audit report will be made available under NDA.
Customer audit rights
The Customer may audit HXA Labs' compliance with this DPA, subject to the following conditions:
- The Customer will provide at least 30 days' written notice.
- Audits will be conducted during normal business hours and will not unreasonably disrupt operations.
- The Customer may engage a qualified, independent third-party auditor, subject to confidentiality obligations.
- The scope of the audit is limited to HXA Labs' processing of Service Data and compliance with this DPA.
- The Customer bears the cost of the audit.
HXA Labs will cooperate with the audit and provide reasonable access to relevant information, systems, and personnel.
Section 10
International Data Transfers
HXA Labs is based in the United States. When Service Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, the following safeguards apply:
Standard Contractual Clauses
The parties agree to the European Commission's Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), as adopted by Commission Implementing Decision (EU) 2021/914. The SCCs are incorporated into this DPA by reference.
UK International Data Transfer Addendum
For transfers from the United Kingdom, the UK International Data Transfer Addendum (IDTA) to the EU SCCs, as issued by the UK Information Commissioner's Office, is incorporated into this DPA by reference.
Supplementary measures
The zero-knowledge architecture described in Section 3 provides supplementary technical measures for Customer Data. Customer Data is encrypted before transfer and cannot be accessed by HXA Labs or any government authority. For Service Data, the technical and organizational measures described in Schedule 2 apply.
EU hosting option
Customers who require EU data residency for Service Data may request Supabase EU region hosting. Contact privacy@devsafe.com for availability.
Section 11
Data Retention and Deletion
HXA Labs retains Service Data only for as long as necessary to provide the Services or as required by applicable law.
Upon termination
- HXA Labs will delete all Service Data within 30 days of account termination or Customer request, unless retention is required by applicable law.
- Usage logs and analytics data will be deleted or anonymized within 90 days of account termination.
- Payment records required for tax and accounting purposes may be retained for up to 7 years as required by law.
Customer Data
Encrypted backups reside in the Customer's own cloud storage. HXA Labs does not store, retain, or have the ability to delete Customer Data. The Customer is solely responsible for retention and deletion of their encrypted backups.
Certification of deletion
Upon request, HXA Labs will provide written confirmation that Service Data has been deleted in accordance with this section.
Section 12
CCPA / US State Law Compliance
To the extent that the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), or other US state privacy laws apply to the processing of Service Data, HXA Labs certifies the following:
- No sale of Personal Data. HXA Labs does not sell Personal Data as defined by the CCPA/CPRA. HXA Labs has not sold Personal Data in the preceding 12 months and will not sell Personal Data.
- No sharing for cross-context behavioral advertising. HXA Labs does not share Personal Data for cross-context behavioral advertising as defined by the CPRA.
- Service provider obligations. HXA Labs processes Service Data solely for the business purposes specified in this DPA. HXA Labs does not retain, use, or disclose Service Data for any purpose other than providing the Services.
- No third-party analytics. DevSafe does not use third-party analytics or tracking services. No customer data is shared with advertising networks.
- Consumer rights. HXA Labs will assist the Customer in responding to consumer rights requests (access, deletion, correction, portability) under applicable US state privacy laws.
HXA Labs will notify the Customer if it determines that it can no longer meet its obligations under applicable US state privacy laws.
Section 13
Liability and Termination
Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the DevSafe Terms of Service, except that neither party limits its liability for breaches of its obligations under Applicable Data Protection Law to the extent such limitation is prohibited by that law.
Term
This DPA takes effect when the Customer accepts the DevSafe Terms of Service and remains in effect for the duration of the Customer's use of the Services. The obligations in this DPA that by their nature should survive termination will survive, including data deletion obligations, confidentiality, and cooperation with data subject requests and regulatory inquiries.
Termination
Either party may terminate this DPA upon termination of the DevSafe Terms of Service. The Customer may also terminate this DPA if HXA Labs materially breaches this DPA and fails to cure the breach within 30 days of written notice.
Effect of termination
Upon termination, HXA Labs will delete Service Data in accordance with Section 11. Encrypted backups in the Customer's own storage are unaffected by termination of this DPA.
Schedule 1
Processing Details
Categories of data subjects
Individual developers, team administrators, and team members who use the DevSafe service.
Categories of Personal Data
| Data Category | Examples | Purpose | Retention |
|---|---|---|---|
| Account data | Email address, display name | Authentication, account management, service communications | Duration of account + 30 days |
| Usage metrics | Backup count, storage volume, feature usage, last active timestamp | Service delivery, capacity planning, billing | Duration of account + 90 days (then anonymized) |
| Payment data | Payment card details (processed by Stripe; DevSafe never sees card numbers) | Subscription billing | As required by tax law (up to 7 years for records) |
| Request metadata | IP address, HTTP headers, user agent | Security (DDoS protection, abuse prevention), service delivery | 30 days (Cloudflare managed) |
| Email delivery data | Email address, email content (transactional only) | Account notifications, security alerts, billing receipts | 30 days (Resend managed) |
Sensitive data
HXA Labs does not intentionally collect or process special categories of Personal Data (Article 9 GDPR) or sensitive Personal Data as defined by US state privacy laws.
Nature and purpose of processing
Processing is limited to: user authentication, account management, subscription billing, transactional email delivery, usage metering, and service improvement. HXA Labs does not use Service Data for profiling, automated decision-making, or marketing purposes beyond service-related communications.
Schedule 2
Security Measures
HXA Labs implements the following technical and organizational measures to protect Service Data.
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 or higher to HXA infrastructure and storage providers. HTTP rejected. HSTS headers with long max-age. |
| Encryption at rest | AES-256 encryption at rest for all Service Data in Supabase. Customer Data encrypted with AES-256-GCM by the customer before transmission. |
| Authentication | Email and password, magic link, or GitHub OAuth authentication. Optional TOTP MFA. API key authentication for CLI. Passwords hashed by Supabase Auth, never accessible to DevSafe. |
| Access control | Principle of least privilege. Role-based access (Owner, Member) for team plans. No shared credentials. |
| Network security | Cloudflare WAF, DDoS protection, bot detection. Rate limiting on all API endpoints. CORS restricted to devsafe.com. |
| Input validation | Parameterized queries on all database access. Input validation on every API request. Security headers (CSP, X-Frame-Options, X-Content-Type-Options). |
| Secret management | All secrets stored as environment variables. No hardcoded credentials in source code. Secrets rotated on a regular schedule. |
| Deployment security | Immutable deployments with instant rollback capability. Private networking between services. Automated SSL certificate provisioning. |
| Monitoring | Tamper-evident audit trail on all operations. Anomaly detection for unusual access patterns. |
| Incident response | Documented incident response plan. 48-hour breach notification commitment. Post-incident review process. |
| Data minimization | No third-party analytics or tracking. No customer data used for training. Minimum data collected for service operation. |
| Vendor management | Sub-Processor list publicly maintained. Data processing agreements with all Sub-Processors. 30-day change notification. |
Schedule 3
Sub-Processor List
The following Sub-Processors are authorized to process Personal Data on behalf of the Customer as of the effective date of this DPA.
| Provider | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Cloudflare, Inc. | Website hosting, DNS resolution, DDoS protection, Web Application Firewall, CDN, SSL/TLS termination | Request metadata: IP address, HTTP headers, user agent. No query content or PII beyond IP. | Global edge network | cloudflare.com/privacypolicy |
| Supabase, Inc. | User authentication, account database, usage metrics storage | Email address, account identifiers, usage metrics (backup count, storage volume, feature usage, timestamps) | United States (EU region available on request) | supabase.com/privacy |
| Stripe, Inc. | Payment processing, subscription management | Payment card details, billing address, transaction history. DevSafe never receives or stores card numbers; Stripe handles all PCI-DSS obligations. | United States | stripe.com/privacy |
| Resend, Inc. | Transactional email delivery (account notifications, security alerts, billing receipts) | Email address, email content (transactional messages only; no marketing email) | United States | resend.com/legal/privacy-policy |
Important
No Sub-Processor has access to Customer Data (source code, git repositories, encrypted backups). Customer Data is encrypted on the Customer's machine and stored in the Customer's own cloud storage. The Sub-Processors listed above process only Service Data as described in the table.
Changes to this list are published at devsafe.com/trust and communicated to customers by email with 30 days' notice.
Questions about this DPA?
Data Protection Contact
HXA Labs LLC
Email: privacy@devsafe.com
For DPA execution requests, compliance inquiries, or Sub-Processor change notifications, contact us at the address above.