What is stored
- License ID (UUID, no personal reference)
- SHA-256 hash of the email address (with a fixed salt, only for multi-device detection per user)
- SHA-256 hash of the device fingerprint (not reversible to hardware)
- Tier (Community / Professional / Enterprise) and deployment (Cloud / Self-Hosted / Air-Gap)
- Feature flags as per contract, as JSON (e.g.
max_runs_per_day,team_features) - Time of issuance, last refresh and expiry
- Client version string and country of IP address (two-letter code, e.g.
DE) - The last issued JWT, exclusively for audit
What is NOT stored
- The full IP address of the client
- The prompts the user sends to the AI
- The generated code or run content of any kind
- Personal data (name, address, phone)
- For Enterprise air-gap: nothing — the license is offline-signed, there is no server contact
Retention
- Refresh logs are kept individually for 90 days, then aggregated into anonymous monthly statistics
- License records stay as long as the license is valid, plus two years after expiry for audit purposes
- Revoked licenses stay archived so an issued JWT is recognised as "rejected" until the next refresh cycle
Where does the license server run?
- Community / Professional / Enterprise Cloud: Hetzner Cloud, data centre Falkenstein (Germany, EU data area). Reverse proxy, TLS and backups operated by softwarefabrik.io.
- Enterprise self-hosted: on the customer's infrastructure. The
license_server_urlin the issued JWT points to the internal host. - Enterprise air-gap: nowhere — no server runs, the license is a signed document without network component.
Legal basis under GDPR
- Community: Art. 6 (1) (f) GDPR — legitimate interest in misuse prevention (notably 3-device limit)
- Professional / Enterprise: Art. 6 (1) (b) GDPR — contract performance
A data processing agreement (DPA) is available on request for Enterprise operation. For self-hosted and air-gap deployments no DPA is required, as no personal data flow to softwarefabrik.io.
Signature chain and public key
All license JWTs are signed with Ed25519. The public key can be verified in two forms:
- Embedded in every client release at
app/src/main/resources/license/lease-ed25519-public.pem - Accessible via HTTPS endpoint
https://license.softwarefabrik.io/api/v1/pubkeyin JWK format (RFC 8037)
Key rotation happens via client updates, not at runtime. A potential emergency revocation of an individual license happens server-side via rejection at the next refresh; for air-gap only at the next annual certificate exchange.
Feedback welcome: If something is missing or unclear, contact me via the contact form. Transparency is explicitly a product decision — I take pointers seriously.