Legal
Subprocessors
Last updated: 2026-05-11
To deliver the Dependency Firewall service, Bitfront AB uses third-party subprocessors to process personal data. Data retention and residency terms may be customized by written agreement.
Processing activities
| Activity | Purpose | Data | Retention | On termination |
|---|---|---|---|---|
| User account management | Create and manage accounts and access | Name, email, organization, role | Active subscription | Deleted within 90 days |
| Audit and access logs | Security, traceability, diagnostics | Username, IP address, action | 180 days | Deleted within 90 days |
| Backups | Disaster recovery | Encrypted service data | 30 days | Deleted within 90 days |
| Support and issue tracking | Respond to customer requests | Contact details, ticket content | Active subscription | Deleted within 90 days |
| Product analytics | Service improvement | Aggregated usage metrics (no PII content) | 12 months | N/A (aggregated) |
| Billing and invoicing | Financial and compliance | Company name, billing contact, payment info | 7 years (Swedish law) | Deleted after retention period |
Data residency
All customer data is stored and processed within the European Union. No personal data is transferred or stored outside the EU/EEA without prior written consent.
Data is deleted within 90 days after contract termination. Backups are automatically overwritten within 30 days.
Subprocessors
| Subprocessor | Registered entity | Purpose | Location |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Luxembourg | Cloud hosting and infrastructure | EU (Germany) |
| Vercel | United States | Frontend hosting | EU |
| Stripe Payments Europe | Ireland | Subscription and payment processing | EU (Ireland) |
| PostHog | United Kingdom | Product analytics | EU (Ireland) |
| Mailgun (Sinch) | United States | Transactional email delivery | EU (Germany) |
| Sentry | United States | Error tracking and performance monitoring | EU (Germany) |
| Crisp IM SAS | France | Customer support chat | EU (France, Ireland) |
Data processing agreements
All subprocessors operate under Data Processing Agreements in accordance with GDPR Article 28. These agreements require processing only on documented instructions, appropriate security measures, assistance with data subject rights, and data deletion or return on termination.
Our complete Data Processing Agreement is available at /legal/gdpr-dpa.
Changes
We may update our subprocessors. Material changes will be communicated by email with 15 days' notice. If you object to a new subprocessor, you may terminate your account per our Terms of Service.
Questions: support@bytesafe.dev or security@bytesafe.dev.