Compliance

Data Processing & GDPR

How Authfyio processes personal data on your behalf, our DPA, sub-processors, and the uptime commitment for Enterprise customers.

Data Processing Agreement (DPA)

Authfyio acts as a data processor for the end-user data you store with us; you are the controller. Our DPA incorporates the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum for transfers outside the EEA/UK.

The DPA is pre-signed and available to every workspace. Business and Enterprise customers can counter-sign a copy by emailing privacy@authfyio.comfrom the workspace owner's address.

GDPR posture

  • Data minimization — we store only what authentication requires: identifiers, credential hashes, and session metadata. We never sell personal data.
  • Right to access & portability — export any end user's data as JSON via the Admin API or the dashboard.
  • Right to erasure — delete a user and all associated data (sessions, identities, MFA, tokens) in one call; the deletion cascades immediately.
  • Encryption — TLS in transit; per-app RSA keys envelope-encrypted at rest (AES-GCM).
  • Breach notification — we notify affected controllers without undue delay, consistent with Art. 33.

Sub-processors

We use a short list of infrastructure sub-processors, each bound by their own DPA:

  • Hosting & database — primary cloud infrastructure (compute, managed Postgres, Redis).
  • Email delivery — transactional email (verification, magic links, alerts).
  • SMS delivery — one-time passcodes over SMS.
  • Payments — Stripe, for billing and end-user subscription processing.

We give 30 days' notice before adding a sub-processor — subscribe at privacy@authfyio.com.

Uptime SLA

Enterprise plans carry a 99.9% monthly uptime SLA with service credits for missed targets, plus a SIEM log sink for streaming audit events into your own monitoring. Live status and incident history are published at status.


For DPA execution or privacy questions, email privacy@authfyio.com.