GDPR Compliance & Data Sovereignty
Fast, GDPR-Compliant Package Infrastructure for Germany
All logs, metadata, and user records stored exclusively in Frankfurt — no cross-border transfers, no hidden third parties.
Data Location
Everything Stays in Frankfurt
CodeSync operates out of the Hetzner Online AG facility in Falkenstein/Frankfurt (DE-CIX). Every byte, from npm registry mirrors to the PyPI cache, stays on German soil.
Our infrastructure at Falkenstein-1 (ASN 24940) processes over 2.3 million package requests daily for engineering teams across DACH. All access logs, audit trails, and user metadata are persisted on encrypted NVMe arrays within the same rack. No warm standby in the US, no backup replication to Ireland. If you need a data processing agreement (AVV) with a single jurisdiction, this is it.
Single Jurisdiction
All data resides under German law (BDSG n.F.) and EU Regulation 2016/679. No Schrems II complications, no Standard Contractual Clauses needed.
Encrypted at Rest & in Transit
AES-256 encryption on all storage volumes. TLS 1.3 enforced on every endpoint. Certificate rotation handled by Let's Encrypt via Certbot, renewed every 60 days.
Zero Third-Party Telemetry
No analytics pixels, no Mixpanel, no Datadog RUM. We use Grafana with Loki, both hosted on-prem; logs are retained for 90 days, then cryptographically shredded.
Rack-Level Isolation
Dedicated rack in Falkenstein-1 with physical access control via biometric readers and guard station. Only three CodeSync engineers hold keycard access.
Legal Benefits
Built for Your DPO's Peace of Mind
CodeSync eliminates the most common GDPR friction points in package management: unclear data residency, undocumented subprocessors, and uncontrolled log retention.
Our data processing agreement (AVV) is available as a signed PDF or DocuSign link. It covers the full scope — package mirroring, authentication tokens, IP-based access logs, and CDN cache headers. Our DPO, Dr. Lena Hoffmann (certified CIPM by IAPP), reviews every infrastructure change against the BDSG n.F. and the EU Data Protection Act.
Ready-to-Sign AVV
Download our standardized data processing agreement. It references the exact Hetzner facility (Falkenstein-1, DE), lists all technical and organizational measures, and defines 30-day deletion SLAs after contract termination.
Documented Subprocessor Chain
Only one subprocessor: Hetzner Online AG (hosting). No cloud providers, no managed Kubernetes, no SaaS CI/CD tools with data access. Full chain documented in our transparency report, updated quarterly.
90-Day Log Retention
Access logs and authentication events are retained for exactly 90 days, then overwritten via secure erase (ATA Secure Erase). No indefinite "for legal purposes" clauses in our ToS.
GDPR-Ready Audit Trail
Every admin action — user creation, token revocation, mirror sync trigger — is logged to an append-only journal. Exportable as CSV for your compliance audits or ISO 27001 surveillance reviews.