For our clients with a European audience it's important to understand how and where customer data is being stored and who is responsible for what under the GDPR guidelines.
Responsibilities
As a platform we act as a 'Data Processor'. We attempt to collect as little end-user PII as possible so that our clients, the 'Data Controllers', are able to also minimise the PII that there project is ultimately responsible for collecting.
It is the Data Controller's responsibility to ensure end-users are aware of any PII which might be being collected about them, which includes any data used by sub-processors, including Servd.
Data Servd Collects Directly
The only end-user PII that we collect directly consists of:
IP addresses
User-Agent strings
Both of these pieces of information are stored within a short-term buffer which is used to implement traffic management tools (such as rate limiting and IP blocking) as well as to be able to provide our client's with detaild traffic logs. This data is stored for no longer than 12 hours within our platform and is not exported beyond the data centre within which the associated project is running or to any other external entity, unless the client configures a log export integration, in which case we'll also send this data via that integration in the form of logs.
Data collected by Servd's Sub-Processors
In order to provide our services we also make use of services provided by other companies. These companies also have their own policies on the handling of PII. A list of current sub-processors can be found at the bottom of this page.
We aim to ensure that our subprocessors also follow our own policy of collecting as little PII as possible, and only that is required for the services to operate normally.
Data Our Client's Collect
Our client's are free to collect any additional data from end-users as desired. Any data stored by the client within our platform has the potential to be held in two physical locations:
The data centre in which the associated project is running
A separate data centre which is used to house database backups
If your project is hosted in an EU or UK data centre, all database backups will also be held within an EU data centre.
The length of time that data is stored is down to the discretion of the Client. Our automated backups exist in storage for approximately 30 days.
โ
DPA
All of the above can be formally agreed upon between Servd and our Client's using a signed DPA which can be found here: