Trust Center
GDPR Compliance
EU General Data Protection Regulation (2016/679) · Flowtriq · April 2026
About This Document
This document describes how Flowtriq (a brand of traztech, a Canadian company) addresses obligations under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) when providing its DDoS detection and alerting platform to customers in the European Economic Area (EEA) and United Kingdom.
Flowtriq acts as a data processor for its customers when processing metrics and incident data from monitored servers, and as a data controller for account, billing, and marketing data. A Data Processing Agreement (DPA) is available at flowtriq.com/legal.
Roles: Controller and Processor
| Data Category | Role | Lawful Basis (GDPR Art. 6) |
|---|---|---|
| Account registration & authentication data (email, name, password hash) | Controller | Art. 6(1)(b) — performance of a contract with the user |
| Billing information (Stripe customer and subscription identifiers) | Controller | Art. 6(1)(b) — contract performance; Art. 6(1)(c) — legal obligation (financial records) |
| Audit log entries (IP addresses, user actions, timestamps) | Controller / Joint controller with customer | Art. 6(1)(f) — legitimate interests in security and fraud prevention |
| Network metrics and incident data from monitored servers | Processor (on behalf of customer) | Governed by DPA; customer is controller |
| PCAP packet captures | Processor (on behalf of customer) | Governed by DPA; customer is controller. PCAPs may contain IP addresses of end users on customer networks. |
| Marketing communications (newsletter, product updates) | Controller | Art. 6(1)(a) — consent; unsubscribe honoured in all communications |
| Website analytics and advertising tracking | Controller | Art. 6(1)(a) — consent. |
Data Subject Rights (Chapter III)
Flowtriq supports all GDPR data subject rights. Requests are handled within 30 days. Submit requests to [email protected].
| Right | Article | How We Handle It |
|---|---|---|
| Right of access | Art. 15 | Users can export account data via the dashboard. Complete data inventory available on request to [email protected] within 30 days. |
| Right to rectification | Art. 16 | Account information (name, email) can be updated directly in dashboard settings. Additional corrections via [email protected]. |
| Right to erasure ("right to be forgotten") | Art. 17 | Account deletion removes personal identifiers. Note: audit logs retain pseudonymised records for integrity. Some data may be retained for legal obligations (billing records, fraud prevention). |
| Right to data portability | Art. 20 | Incident data, node configurations, and audit logs are exportable as JSON or CSV from the dashboard. Full data export available on request. |
| Right to object | Art. 21 | Where processing is based on legitimate interests, users may object. Marketing communications include an unsubscribe link. |
| Right to restriction of processing | Art. 18 | Accounts can be deactivated, pausing data collection. Full restriction requests handled via [email protected]. |
Security of Processing (Art. 32)
Flowtriq implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS enforced on all connections. HSTS with one-year max-age. Dashboard, API, and agent communication all encrypted. |
| Encryption at rest | Passwords stored as bcrypt hashes with per-password salts. API keys stored as one-way hashes. PCAP data and database backups protected at the infrastructure level. |
| Access control | Role-based access control (Owner, Admin, Analyst, Readonly). API key authentication with per-key scoping. Sessions use HttpOnly, SameSite, and Secure flags. |
| Multi-factor authentication | TOTP-based authenticator app and email-based 2FA available for all accounts. |
| Audit logging | Tamper-evident SHA-256 hash-chained audit log records all user actions, configuration changes, and mitigation events. Chain integrity verifiable offline. |
| Network security | Cloudflare DDoS protection, WAF, and bot detection (Turnstile) in front of all public endpoints. |
| Vulnerability management | CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy security headers deployed. |
Breach Notification (Art. 33–34)
In the event of a personal data breach, Flowtriq will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals
- Notify affected data subjects without undue delay where the breach is likely to result in high risk
- Notify enterprise customers acting as data controllers within 48 hours per the DPA (SLA terms may apply)
- Maintain an internal breach register documenting all incidents, their effects, and remediation measures
To report a potential security issue: [email protected]
International Data Transfers (Chapter V)
Flowtriq uses certain third-party services based outside the EEA. The following table documents each transfer and the applicable legal mechanism.
| Processor | Country | Purpose | Transfer Mechanism |
|---|---|---|---|
| Stripe, Inc. | US | Payment processing. Card data never touches Flowtriq servers. | EU-U.S. DPF |
| Twilio SendGrid | US | Transactional email delivery (account confirmations, alerts, billing). | Contractual safeguards |
| Cloudflare, Inc. | US / Global CDN | CDN, DDoS protection, bot detection (Turnstile). All traffic proxied through Cloudflare. | EU-U.S. DPF |
| TextBelt | US | Optional SMS alert delivery for customers with SMS notification channels configured. | Contractual safeguards |
| Google LLC | US | Google Analytics 4 (website analytics), Google Ads conversion tracking. | EU-U.S. DPF |
| LinkedIn Corporation | US | LinkedIn Insight Tag — advertising attribution and audience analytics. | EU-U.S. DPF |
| ContentSquare SAS | France (EU) | User experience analytics — session heatmaps and journey analytics. | EU-based |
| Tawk.to, Inc. | US | Live chat widget. Handles IP address, pages visited, and chat messages if initiated by visitor. | Contractual safeguards |
| Apollo.io, Inc. | US | Website visitor intelligence for sales pipeline. Identifies company-level visitors via IP. | Contractual safeguards |
EU-U.S. Data Privacy Framework (DPF): The European Commission issued an adequacy decision for the EU-U.S. DPF on 10 July 2023. Stripe, Cloudflare, Google, and LinkedIn are certified participants. All sub-processors have contractual data protection obligations covering the security and appropriate use of personal data transferred to them.
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (email, name, role) | Active account; deleted immediately upon confirmed account deletion request | Contract performance. Billing records retained separately for 7 years. |
| Billing records (Stripe identifiers, invoice history) | 7 years from last transaction | Legal obligation (financial record-keeping under applicable tax law) |
| Network traffic metrics (PPS/BPS time-series) | Per subscription plan (30–365 days) | Service delivery; reduced on request |
| DDoS incident records | Retained for the lifetime of the account; deleted with account on closure | Service delivery; forensic and audit purposes |
| PCAP packet captures | 7 days (standard); up to 365 days (enterprise); deleted on request | Forensic analysis; deleted earlier on customer request |
| Audit log entries | 90 days (standard plans); 1 year (enterprise plans) | Security monitoring, compliance evidence, fraud detection. Entries are pseudonymised on account deletion to preserve chain integrity. |
| Authentication sessions | 30 days idle timeout; revoked on logout or password change | Security; access control |
| Email newsletter subscribers | Until unsubscribed + 30-day grace | Consent; immediately removed on unsubscribe |
Data Protection by Design (Art. 25)
Flowtriq implements data protection by design and by default across its platform:
- Minimisation: The ftagent collects only network-layer metrics (PPS, BPS, protocol ratios) and attack indicators. It does not collect application-layer content, user credentials, or business data from monitored servers.
- Pseudonymisation: Deleted accounts are pseudonymised in audit logs rather than fully erased, preserving integrity chain validity.
- Default privacy: New workspaces default to minimum data retention. PCAP capture is opt-in at the node level.
- Access minimisation: The Readonly and Analyst roles cannot access billing, notification credentials, or API keys.
- Maintenance windows: Scheduled maintenance windows suppress alerting to reduce unnecessary contact with notification systems.
DPA and legal inquiries: For DPA execution, Data Subject Access Requests, or EU representative inquiries, contact [email protected]. For all privacy requests: [email protected]. Response within 30 days as required by GDPR Art. 12.