<p>This policy describes the personal data collected by FerrLabs (Bryan Ferrando, sole proprietor, SIREN 104 243 951) acting as data controller for the FerrVault service, in accordance with the GDPR.</p>
<h2>Encryption architecture</h2>
<p>
FerrVault encrypts your secrets <strong>client-side</strong> before anything is transmitted to our
servers (end-to-end encryption: the data encryption key, or DEK, is derived from your master
password on your device and is never transmitted to FerrLabs in clear text). FerrVault servers
store ciphertext only, so <strong>FerrLabs cannot technically read the contents of your secrets.</strong>
Key encryption keys (KEKs) are managed by Google Cloud KMS under our GCP tenant, in the EU
region <code>eu-west1</code>. One consequence of this design is that a forgotten master password
cannot be reset or recovered by FerrLabs: the secrets it protected are permanently unrecoverable.
</p>
<h2>Data collected</h2>
<ul>
<li>
<strong>Account</strong>: email address, master password (never stored: only an Argon2id-derived
verifier is kept), display name, timezone, locale.
</li>
<li><strong>Organization</strong>: name, slug, team size, country.</li>
<li>
<strong>Vaults and secrets metadata</strong>: vault name, slug, description, owner,
members and role assignments; secret name, version history and last rotation timestamp; and
the <strong>encrypted</strong> secret content (ciphertext that is opaque to FerrLabs).
</li>
<li>
<strong>Audit log</strong>: every secret access (read, write, rotation, share) with actor,
IP address, user-agent, timestamp.
</li>
<li>
<strong>Cookies</strong>: <code>fl_session</code> (httpOnly, SameSite=Lax, 7-day lifetime)
— strictly necessary for authentication.
</li>
<li><strong>Server logs</strong>: 30-day retention.</li>
</ul>
<h2>Purposes</h2>
<ul>
<li>Authentication and access to the service.</li>
<li>Storage and synchronization of your encrypted secrets.</li>
<li>Operation, integrity and security of the platform (audit log, abuse detection).</li>
<li>Billing of paid subscriptions.</li>
<li>Compliance with legal obligations.</li>
</ul>
<h2>Legal bases (GDPR art. 6)</h2>
<ul>
<li>
<strong>Performance of the contract</strong> (6.1.b) for accounts, vaults and
subscriptions.
</li>
<li><strong>Legitimate interest</strong> (6.1.f) for security, audit log and server logs.</li>
<li><strong>Legal obligation</strong> (6.1.c) for accounting and tax data.</li>
</ul>
<h2>Sub-processors</h2>
<ul>
<li><strong>OVH SAS</strong> — primary hosting (France).</li>
<li>
<strong>Google Cloud Platform</strong> — Cloud KMS for key wrapping (KEK custody), EU
region <code>eu-west1</code>. KMS holds wrapping keys only; encrypted secret content is
never sent to GCP.
</li>
<li>
<strong>Stripe Inc.</strong> — payments (United States, certified under the Data Privacy
Framework); engaged only once a paid subscription is taken out.
</li>
<li>
<strong>Resend</strong> — transactional email delivery; engaged only when such an email is sent to you.
</li>
</ul>
<h2>Audit log</h2>
<p>
FerrVault records every access to a secret in an append-only audit log: actor (user or
service token), source IP address, user-agent, timestamp, action (read, write, rotation,
share), and the affected secret reference. The audit log records
<strong>metadata only</strong> — never the plaintext content of the secret, which FerrLabs
cannot decrypt server-side.
</p>
<p>Retention: <strong>90 days</strong>, after which entries are purged.</p>
<h2>Retention period</h2>
<table>
<thead>
<tr><th>Data</th><th>Retention</th></tr>
</thead>
<tbody>
<tr>
<td>Active account, vaults, encrypted secrets</td>
<td>For the lifetime of the workspace</td>
</tr>
<tr><td>Deleted account or workspace</td><td>30 days, then permanent purge</td></tr>
<tr><td>Audit log</td><td>90 days</td></tr>
<tr><td>Server logs</td><td>30 days</td></tr>
<tr>
<td>Billing data</td>
<td>10 years (art. L.123-22 of the French Commercial Code)</td>
</tr>
</tbody>
</table>
<h2>Your rights</h2>
<p>
Under the GDPR, you have the rights of access, rectification, erasure, portability,
objection, and restriction of processing. <strong>Important:</strong> the right of access
only applies to metadata (account details, vault names, audit log entries). It does not
extend to the encrypted content of your secrets, which FerrLabs cannot decrypt — only you,
as the holder of the master password, can produce the plaintext.
</p>
<p>To exercise your rights: <strong>privacy@ferrlabs.com</strong>.</p>
<p>
You may also lodge a complaint with the CNIL (<a href="https://www.cnil.fr">cnil.fr</a>).
</p>
<h2>Data Protection Officer (DPO)</h2>
<p>
FerrLabs has not appointed a DPO. Article 37 of the GDPR only makes a DPO mandatory for public
authorities, for controllers whose core activities involve large-scale regular and systematic
monitoring of individuals, or for large-scale processing of special categories of data; FerrLabs,
a sole proprietorship, falls under none of these cases.
</p>
<h2>Transfers outside the European Union</h2>
<p>
Where applicable, transfers occur to sub-processors located in countries with an adequacy
decision or certified under the Data Privacy Framework (Stripe Inc., United States). The
primary data store (OVH) and key custody (Google Cloud KMS) are both located in the European
Union.
</p>
<h2>Changes</h2>
<p>
This policy may be updated. The date of the last revision is shown at the top of this page.
</p>