Data Processing Agreement (DPA) | Flowtriq

Data Processing Agreement

Effective: March 18, 2026 · Questions? [email protected]

Summary: This Data Processing Agreement governs how Flowtriq processes personal data on your behalf as a data processor under GDPR, UK GDPR, and equivalent data protection regulations. You can request access to, correction of, or deletion of your data at any time by emailing [email protected].

1. Definitions

"Controller" means the Flowtriq customer who determines the purposes and means of processing personal data. "Processor" means Flowtriq, which processes personal data on behalf of the Controller. "Personal Data" means any information relating to an identified or identifiable natural person submitted to, or collected by, the Service. "Data Subject" means the individual to whom the Personal Data relates. "Sub-processor" means a third party engaged by the Processor to process Personal Data. "Applicable Data Protection Law" means the EU General Data Protection Regulation (2016/679), UK GDPR, the California Consumer Privacy Act (CCPA), and any other applicable data protection legislation.

2. Scope and Purpose of Processing

Flowtriq processes Personal Data solely to provide the DDoS detection and network security monitoring services described in the Terms of Service. Processing activities include:

  • Ingesting and analysing network telemetry data (PPS, BPS, protocol ratios, connection metadata) submitted by the ftagent software.
  • Storing and processing PCAP (packet capture) files when capture is enabled by the Controller.
  • Generating incident reports, threat intelligence feeds, and analytics.
  • Sending incident alerts, service notifications, and onboarding communications.
  • Processing billing through Stripe (Flowtriq does not store payment card data).
  • Maintaining account records (name, email, workspace membership, audit logs).

Flowtriq will not process Personal Data for any purpose other than delivering the Service, and will not sell, rent, or share Personal Data with third parties for their own commercial purposes.

3. Lawful Basis for Processing

Flowtriq processes Personal Data under the following lawful bases as defined by GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): Processing account data and network telemetry is necessary to deliver the Service.
  • Legitimate interests (Art. 6(1)(f)): Maintaining security logs, detecting abuse, and improving detection accuracy.
  • Consent (Art. 6(1)(a)): Marketing communications and newsletter subscriptions (opt-in only, revocable at any time).
  • Legal obligation (Art. 6(1)(c)): Retaining billing records and complying with law enforcement requests where required.

4. Categories of Personal Data

The following categories of Personal Data may be processed:

  • Account data: Name, email address, hashed password, workspace name, role.
  • Network telemetry: Source/destination IP addresses, port numbers, protocol types, packet counts, bandwidth measurements, and connection metadata. IP addresses may constitute Personal Data.
  • PCAP data: Raw packet captures which may contain IP addresses and payload data.
  • Billing data: Stripe customer ID, subscription status, billing interval. Card details are held by Stripe, not Flowtriq.
  • Usage data: Dashboard activity, API call logs, login timestamps, IP addresses used to access the Service.
  • Communication data: Emails sent via the Service (incident alerts, team invites, password resets).

5. Data Retention Schedule

Flowtriq retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected. The following retention periods apply:

  • Network telemetry (raw PPS/BPS metrics): 25 hours in raw form. Aggregated metrics are retained for up to 90 days.
  • PCAP files: 90 days from capture, then permanently deleted from storage.
  • Incident records: Retained for the lifetime of the account for historical reporting.
  • Audit logs: 1 year from the date of the event.
  • Account data: Retained while your account is active. After account deletion or termination, account data is permanently deleted within 30 days.
  • Billing records: Retained for 7 years after the last transaction to comply with financial reporting obligations.
  • Login and access logs: 90 days.
  • Newsletter subscriptions: Retained until the subscriber opts out.
  • Contact form submissions: 1 year.

When a retention period expires, data is permanently deleted or irreversibly anonymised. You may request early deletion at any time (see Section 7).

6. Sub-processors

Flowtriq engages the following sub-processors to deliver the Service:

  • Stripe, Inc. (United States): Payment processing and subscription management.
  • SendGrid (Twilio Inc.) (United States): Transactional email delivery (incident alerts, verification, password resets).
  • Infrastructure hosting provider: Server hosting, storage, and compute.

Each sub-processor is bound by a data processing agreement with security obligations equivalent to those in this DPA. We will notify you by email at least 30 days before adding or replacing a sub-processor. If you object, you may terminate your account before the change takes effect.

7. Data Subject Rights

Under Applicable Data Protection Law, Data Subjects have the following rights. You may exercise any of these rights at any time by emailing [email protected]. We will respond within 30 days.

  • Right of access (Art. 15): You may request a copy of all Personal Data we hold about you. We will provide it in a structured, commonly used, and machine-readable format (JSON or CSV).
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete Personal Data. Account details can also be updated directly in the dashboard Settings page.
  • Right to erasure (Art. 17): You may request deletion of your Personal Data. Upon receiving a valid erasure request, we will permanently delete your data within 30 days, except where retention is required by law (e.g. billing records).
  • Right to restrict processing (Art. 18): You may request that we limit how your data is processed while a dispute or inquiry is resolved.
  • Right to data portability (Art. 20): You may request an export of your Personal Data in a portable format so that you can transfer it to another service.
  • Right to object (Art. 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g. newsletter), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, CNIL in France, or the relevant EU supervisory authority).

If you are a Controller and receive a data subject request relating to data processed by Flowtriq, we will assist you in responding to the extent technically feasible within the constraints of the Service.

8. Security Measures

Flowtriq implements appropriate technical and organisational measures to protect Personal Data, including:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption at rest for PCAP data and database backups.
  • API keys stored using one-way cryptographic hashes.
  • Passwords stored using bcrypt with per-user salts.
  • Role-based access controls with workspace-level isolation.
  • Comprehensive audit logging of all administrative and security-relevant actions.
  • PCAP files stored outside the web root with restricted filesystem permissions.
  • CSRF protection on all state-changing operations.
  • Regular security reviews and dependency updates.

9. Data Breach Notification

In the event of a Personal Data breach, Flowtriq will:

  • Notify the Controller by email within 72 hours of becoming aware of the breach.
  • Provide details of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach.
  • Cooperate with the Controller in notifying the relevant supervisory authority and affected Data Subjects where required under Applicable Data Protection Law.
  • Document all breaches, including those not requiring notification, in an internal breach register.

10. International Data Transfers

Personal Data is processed and stored on infrastructure located in the region associated with the Controller's account. Where data is transferred outside the European Economic Area (EEA) or the United Kingdom, Flowtriq ensures appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs where applicable.
  • Verification that the sub-processor maintains adequate data protection practices.

11. Confidentiality

Flowtriq ensures that all personnel authorised to process Personal Data are subject to binding confidentiality obligations. Access to Personal Data is limited to employees and contractors who require it to perform their duties.

12. Audit Rights

The Controller may request information regarding Flowtriq's compliance with this DPA. Upon reasonable written request (no more than once per year), Flowtriq will provide a summary of its security practices, recent audit findings, or relevant compliance certifications. On-site audits may be arranged with 30 days' advance notice at the Controller's expense.

13. Data Protection Impact Assessments

Flowtriq will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required by Applicable Data Protection Law.

14. Deletion and Return of Data

Upon termination or expiry of the Service agreement, Flowtriq will:

  • Upon request, provide the Controller with an export of their Personal Data in a machine-readable format (JSON or CSV).
  • Permanently delete or irreversibly anonymise all Personal Data within 30 days of account termination.
  • Confirm deletion in writing upon request.

Retention beyond 30 days applies only where required by law (e.g. billing records retained for 7 years for financial compliance).

15. Duration and Termination

This DPA takes effect when you create a Flowtriq account or begin using the Service, and remains in effect for the duration of the Service agreement. Obligations relating to data deletion, confidentiality, and breach notification survive termination.

16. Contact

For all data protection inquiries, data subject requests, or questions about this DPA:

We aim to respond to all inquiries within 30 days. For urgent matters relating to data breaches, please include "URGENT" in the subject line.