Data Processing Addendum
Last Updated: April 1, 2026
1. Overview
This Data Processing Addendum (“DPA”) supplements the Fervae Terms of Service and describes how Fervae LLC (“Fervae,” “we,” “us”) processes personal data in connection with providing the Service, in accordance with the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.
In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to the processing of personal data subject to applicable data protection law. This DPA is governed by the laws of the State of Delaware, except where applicable data protection law requires otherwise.
For transfers of personal data from the EEA or the UK to the United States, Fervae relies on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Agreement (IDTA). You may request a copy of the applicable transfer mechanism by contacting us at legal@fervae.com.
2. Data Controller and Processor
For the purposes of GDPR, the roles depend on the type of data being processed:
- Your content and audience data — You are the Data Controller; Fervae acts as Data Processor, processing data solely on your instructions as described in the Terms of Service.
- Account information and usage data we collect directly — Fervae acts as the Data Controller. See our Privacy Policy for details.
3. Data We Process
- Account information (name, email address, profile picture)
- Content you create (posts, drafts, scheduled content, source pages)
- Connected social media account tokens (encrypted at rest with AES-256-GCM)
- Engagement data from connected platforms (comments, analytics, insights)
- Media files you upload (images, videos)
- Usage data (feature interactions, error logs)
- Merchandise order data (customer name, shipping address, email, order details, transaction amounts)
4. Security Measures
- AES-256-GCM encryption for all OAuth tokens at rest
- TLS 1.3 for all data in transit
- Row-level security (RLS) enforced on all database tables
- Role-based access controls
- CSRF protection on all mutating endpoints
- Rate limiting on all API endpoints
- Regular security reviews
5. Sub-Processors
We use the following sub-processors to provide the Fervae platform. Each has GDPR-compliant data processing terms or a Data Processing Addendum in place. We will provide at least 30 days’ notice before adding or replacing a sub-processor by updating this page and notifying customers by email. You may object to any new sub-processor within that period by contacting us at legal@fervae.com.
| Service | Purpose | Location | Terms / DPA |
|---|---|---|---|
| Vercel Inc. | Application hosting and serverless compute | United States | View → |
| Neon Inc. | Database hosting (PostgreSQL) | United States | View → |
| Cloudflare, Inc. | Media storage (R2), CDN, and DNS | United States | View → |
| WorkOS Inc. | Authentication and user management | United States | View → |
| Stripe, Inc. | Payment processing and billing | United States | View → |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracking | United States | View → |
| Resend Inc. | Transactional email delivery | United States | View → |
| Groq, Inc. | AI-powered coaching and content evaluation | United States | View → |
| Giphy, Inc. | GIF search and delivery for content creation (search queries only; no personal data transmitted) | United States | Privacy → |
| Printful, Inc. | Print-on-demand merchandise fulfillment (receives customer name, shipping address, and order details; US shipping only) | United States / Latvia | Privacy → |
6. Data Retention and Deletion
We retain your data for as long as your account is active. When you delete your account, we delete all associated data within 30 days, including posts, drafts, media files, source pages, engagement records, and connected account tokens. Some data may be retained in encrypted backups for up to 90 days before permanent deletion.
Merchandise order records (including shipping addresses, order details, and transaction amounts) are retained for up to 7 years after the transaction date as required for tax, accounting, and legal compliance purposes, even after account deletion. Shipping and order information shared with our fulfillment partner (Printful) for completed orders cannot be recalled after fulfillment.
7. Data Subject Rights
We support your obligation to respond to data subject access requests. You can export, correct, or delete personal data through the Fervae platform. For requests we need to handle directly, contact us at legal@fervae.com. We will respond within 30 days.
8. Breach Notification
In the event of a personal data breach, Fervae will notify you without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33(2). Notification will include the nature of the breach, categories of data affected, approximate number of records involved, and measures taken or proposed to address the breach. This obligation applies to breaches originating from Fervae’s own systems; breaches by sub-processors will be escalated to you as soon as reasonably practicable after we receive notice. You, as the Data Controller, remain responsible for notifying your national supervisory authority and, where required, affected data subjects under Articles 33(1) and 34 of the GDPR.
9. Contact
Fervae LLC
Data Protection Contact: Dr. Raven Baxter
Email: legal@fervae.com