DeskFerry Logo

Data Security Policy

How DeskFerry protects Customer Data: access controls, infrastructure, encryption, and subprocessors.

Last Updated: July 9, 2026

Data Security Policy

Last Updated: July 9, 2026

This Data Security Policy describes the security measures DeskFerry (Geistwerk AI Labs Pvt Ltd) applies to protect Customer Data processed through the Service.


1 Scope

1.1 This policy forms part of the Agreements described in our Terms of Service () and may be updated from time to time in accordance with them.

1.2 In this policy: "Terms" means the DeskFerry Terms of Service; "Service" has the meaning given in the Terms; "Customer" means a user of the Service, including a purchaser of a Subscription; "Customer Data" means Content and other data submitted to or generated within the Service by or for a Customer; and "IaaS Provider" means a cloud infrastructure provider engaged by DeskFerry to host the Service.


2 Organisational Access Control

2.1 DeskFerry employees are required to comply with the company's policies and procedures. These policies include:

(a) an obligation to not disclose proprietary or confidential information (including Customer-related information) to unauthorised parties; and

(b) an obligation to report any known security incidents to the company's management for investigation and action.

2.2 DeskFerry personnel do not have direct access to Customer Data, except where necessary on a need-to-know basis to undertake:

(a) technical support;

(b) system management, maintenance, backups; and

(c) other actions authorised by the Customer in writing.

2.3 Personnel with access to Customer Data are subject to confidentiality obligations and receive security guidance appropriate to their role.


3 Cloud Infrastructure

3.1 DeskFerry engages IaaS Providers to host the Service in professionally managed data centre facilities.

3.2 DeskFerry selects IaaS Providers that maintain their own security programs and publish attestations covering, among other things:

(a) restriction of staff access to customer data and infrastructure to periods in which a legitimate business need exists;

(b) logging and auditing of physical access to data centre facilities;

(c) monitoring and preventative maintenance of electrical, mechanical, and environmental systems, including redundant power, fire detection and suppression, and climate control; and

(d) automated failover processes designed to route traffic away from affected areas in the event of a facility failure.

3.3 These measures are those described in each IaaS Provider's published security documentation and attestations; DeskFerry does not operate data centre facilities itself and does not represent an IaaS Provider's certifications as its own.


4 Technical Security Measures

4.1 DeskFerry keeps the Service reasonably up to date with security patches and relies on managed infrastructure providers for the security of the underlying platform.

4.2 DeskFerry maintains backup and recovery processes designed to support restoration of the Service in the event of a failure.

4.3 Unless otherwise agreed by DeskFerry in writing, Customers are prohibited from performing their own penetration testing on any system of DeskFerry.

4.4 Communications between users and the Service are encrypted in transit using industry-standard protocols (TLS/HTTPS). Customer Data is encrypted at rest by our infrastructure providers using industry-standard encryption.

4.5 Access to the Service is only available:

(a) through secure sessions (https); and

(b) with authenticated login credentials.

4.6 Passwords for the Service are never stored in their original form.

4.7 Access to database infrastructure is restricted through authentication and network controls, including those managed by our IaaS Providers.

4.8 DeskFerry maintains procedures for identifying, investigating, and responding to security incidents, and will notify affected Customers and applicable regulators as required by applicable law.


5 Exclusions

5.1 The Service may allow third party services interoperating with it to access, use, or otherwise process and transmit Customer Data.

5.2 This Data Security Policy does not apply to any processing, storage, or transmission of data outside the Service.

5.3 DeskFerry is not responsible for the security practices (or any acts or omissions) of any third party service providers engaged by or on behalf of a Customer.

5.4 The Data Security Policy excludes:

(a) data or information shared with DeskFerry that is not stored in the Service; and

(b) data in a Customer's virtual private network (VPN) or a third party network other than one that is under a contract with DeskFerry to assist DeskFerry in fulfilling its obligations to that Customer.

5.5 DeskFerry excludes liability for any data used, processed, stored or transmitted by a Customer or other third parties in violation of the Agreements.


6 Subprocessors

6.1 DeskFerry relies on a limited set of trusted third-party providers ("Subprocessors") to deliver the Service. Each Subprocessor is engaged under contractual data-protection obligations and processes Customer Data only as needed to provide its service.

6.2 Our principal Subprocessors are:

SubprocessorRoleNotes
ComposioIntegration and authentication layer for connecting Customer apps (OAuth / scoped API credentials).Maintains its own security program; SOC 2 Type 2 and ISO 27001 per its published attestations.
FirecrawlWeb content extraction.Used to extract data from publicly available web pages only.
Payment processorPayment processing, checkout, billing, tax, and refunds.Handles payment data; DeskFerry does not store full card details.
LLM provider(s)Large-language-model inference that powers agent reasoning and generation.Processes prompt and task content to generate outputs.
Cloud hosting / infrastructure (IaaS) providerApplication hosting and data storage (see Section 3).

6.3 We maintain the current list of Subprocessors, including their purpose and location, at , and will make commercially reasonable efforts to notify Customers of material changes. Certifications, attestations, and processing terms are those published by each Subprocessor; DeskFerry does not represent that a Subprocessor's certifications are its own.

6.4 For questions about our Subprocessors, or to request our data processing terms for business customers, contact [email protected].