Vupt Docs


LGPD

How Vupt handles personal data under Brazil's LGPD (Lei Geral de Proteção de Dados) — controller obligations, subject rights, ANPD-ready logs.

LGPD compliance

Vupt is designed to satisfy controller obligations under Brazil's LGPD (Lei Geral de Proteção de Dados, Law 13.709/2018) for organizations processing personal data of Brazilian residents. This page summarizes the posture; the full DPA template lives in your account portal.

Roles

When a customer uses Vupt to process personal data:

  • Customer (Controller): decides what data is processed and why
  • Vupt (Processor): processes data only on the customer's documented instructions

Vupt's Subprocessors (Cloudflare R2, Hetzner-hosted Postgres, Resend, PostHog when enabled) are listed and updated at vupt.dev/legal/subprocessors.

Subject rights

Vupt implements the LGPD Article 18 rights via the API and the user-facing Privacy Center:

| Right | Endpoint / UI |
| --- | --- |
| Access | GET /v1/me/data-export (returns a signed download URL) |
| Rectification | Self-serve in the Privacy Center |
| Anonymization / deletion | DELETE /v1/me/account (30-day grace period; immediate revocation of access) |
| Portability | The export bundle is JSON Lines + the source MDX/Markdown |
| Information about subprocessors | vupt.dev/legal/subprocessors (versioned, RSS feed of changes) |

The desktop application makes telemetry opt-in by default, per AGENTS.md §8. The marketing site uses an LGPD-conservative consent banner that keeps all non-essential cookies off until explicit consent is granted (the library that does this is shared with the GDPR-conservative banner: same code, different default copy).

Data residency (BR cluster)

Customers requiring BR data residency can deploy:

  • Self-hosted on infrastructure inside Brazil (recommended for ANPD-sensitive deployments)
  • Vupt SaaS on the BR cluster (added when the first BR enterprise customer requires it)

Both options are part of the Business and Enterprise contracts.

Audit log

Every data access event is recorded to a tamper-evident audit log signed with Ed25519 (Business tier — see Signed audit log). The log is exportable to your SIEM in real time via the Cloud API.

DPA

A counsel-reviewed Data Processing Agreement template is available in your account portal in PT-BR and English. Custom DPAs are supported on the Enterprise tier.
