Legal & Compliance

Data Processing Agreement

Effective: June 20, 2026  ·  Questions? [email protected]

Summary: This Data Processing Agreement governs how Flowtriq processes personal data on your behalf as a data processor under GDPR, UK GDPR, and equivalent data protection regulations. You can request access to, correction of, or deletion of your data at any time by emailing [email protected].

1. Definitions

"Controller" means the Flowtriq customer who determines the purposes and means of processing personal data. "Processor" means Flowtriq Networks Inc., which processes personal data on behalf of the Controller. "Personal Data" means any information relating to an identified or identifiable natural person submitted to, or collected by, the Service. "Data Subject" means the individual to whom the Personal Data relates. "Sub-processor" means a third party engaged by the Processor to process Personal Data. "Applicable Data Protection Law" means the EU General Data Protection Regulation (2016/679), UK GDPR, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Personal Information Protection and Electronic Documents Act (PIPEDA), the Australian Privacy Act 1988, and any other applicable data protection legislation.

2. Scope and Purpose of Processing

Flowtriq Networks Inc. processes Personal Data solely to provide the DDoS detection and network security monitoring services described in the Terms of Service. Processing activities include:

  • Ingesting and analysing network telemetry data (PPS, BPS, protocol ratios, connection metadata) submitted by the ftagent software.
  • Storing and processing PCAP (packet capture) files when capture is enabled by the Controller.
  • Generating incident reports, threat intelligence feeds, and analytics.
  • Sending incident alerts, service notifications, and onboarding communications.
  • Processing billing through Stripe (Flowtriq does not store payment card data).
  • Maintaining account records (name, email, workspace membership, audit logs).

Flowtriq Networks Inc. will not process Personal Data for any purpose other than delivering the Service, and will not sell, rent, or share Personal Data with third parties for their own commercial purposes.

3. Lawful Basis for Processing

Flowtriq Networks Inc. processes Personal Data under the following lawful bases as defined by GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): Processing account data and network telemetry is necessary to deliver the Service.
  • Legitimate interests (Art. 6(1)(f)): Maintaining security logs, detecting abuse, and improving detection accuracy.
  • Consent (Art. 6(1)(a)): Marketing communications and newsletter subscriptions (opt-in only, revocable at any time).
  • Legal obligation (Art. 6(1)(c)): Retaining billing records and complying with law enforcement requests where required.

4. Categories of Personal Data

The following categories of Personal Data may be processed:

  • Account data: Name, email address, hashed password, workspace name, role.
  • Network telemetry: Source/destination IP addresses, port numbers, protocol types, packet counts, bandwidth measurements, and connection metadata. IP addresses may constitute Personal Data.
  • PCAP data: Raw packet captures which may contain IP addresses and payload data.
  • Billing data: Stripe customer ID, subscription status, billing interval. Card details are held by Stripe, not Flowtriq.
  • Usage data: Dashboard activity, API call logs, login timestamps, IP addresses used to access the Service.
  • Communication data: Emails sent via the Service (incident alerts, team invites, password resets).

5. Data Retention Schedule

Flowtriq Networks Inc. retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected. The following retention periods apply:

  • Network telemetry (raw PPS/BPS metrics): 25 hours in raw form. Aggregated metrics are retained for up to 90 days.
  • PCAP files: 7 days (standard plans) or up to 365 days (enterprise plans), then permanently deleted from storage.
  • Incident records: Retained for the lifetime of the account for historical reporting.
  • Audit logs: 1 year from the date of the event.
  • Account data: Retained while your account is active. Deleted immediately upon confirmed account deletion request.
  • Billing records: Retained for 7 years after the last transaction to comply with financial reporting obligations.
  • Login and access logs: 90 days.
  • Newsletter subscriptions: Retained until the subscriber opts out.
  • Contact form submissions: 1 year.

When a retention period expires, data is permanently deleted or irreversibly anonymised. You may request early deletion at any time (see Section 7).

6. Sub-processors

Flowtriq Networks Inc. engages the following sub-processors to deliver the Service:

  • Stripe, Inc. (United States): Payment processing and subscription management.
  • SendGrid (Twilio Inc.) (United States): Transactional email delivery (incident alerts, verification, password resets).
  • Google LLC (United States): Website analytics (Google Analytics) and advertising conversion tracking (Google Ads).
  • Microsoft Corporation (United States): Session replay and usage analytics (Microsoft Clarity).
  • Meta Platforms, Inc. (United States): Advertising conversion tracking (Meta Pixel).
  • LinkedIn Corporation (United States): Advertising conversion tracking and aggregate demographic analytics (LinkedIn Insight Tag).
  • Reddit, Inc. (United States): Advertising conversion tracking (Reddit Pixel).
  • Contentsquare (France): User experience analytics, session replay, and interaction mapping.
  • Apollo.io, Inc. (United States): B2B visitor identification and sales intelligence.
  • Infrastructure hosting provider: Server hosting, storage, and compute.

Each sub-processor is bound by a data processing agreement with security obligations equivalent to those in this DPA. The current sub-processor list is maintained publicly at flowtriq.com/compliance/sub-processors.

7. Data Subject Rights

Under Applicable Data Protection Law, Data Subjects have the following rights. You may exercise any of these rights at any time by emailing [email protected]. We will respond within 30 days.

  • Right of access (Art. 15): You may request a copy of all Personal Data we hold about you. We will provide it in a structured, commonly used, and machine-readable format (JSON or CSV).
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete Personal Data. Account details can also be updated directly in the dashboard Settings page.
  • Right to erasure (Art. 17): You may request deletion of your Personal Data. Upon receiving a valid erasure request, we will permanently delete your data within 30 days, except where retention is required by law (e.g. billing records).
  • Right to restrict processing (Art. 18): You may request that we limit how your data is processed while a dispute or inquiry is resolved.
  • Right to data portability (Art. 20): You may request an export of your Personal Data in a portable format so that you can transfer it to another service.
  • Right to object (Art. 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g. newsletter), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, CNIL in France, or the relevant EU supervisory authority).

If you are a Controller and receive a data subject request relating to data processed by Flowtriq, we will assist you in responding to the extent technically feasible within the constraints of the Service.

8. Security Measures

Flowtriq Networks Inc. implements appropriate technical and organisational measures to protect Personal Data, including:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption at rest for PCAP data and database backups.
  • API keys stored using one-way cryptographic hashes.
  • Passwords stored using bcrypt with per-user salts.
  • Role-based access controls with workspace-level isolation.
  • Comprehensive audit logging of all administrative and security-relevant actions.
  • PCAP files stored outside the web root with restricted filesystem permissions.
  • CSRF protection on all state-changing operations.
  • Regular security reviews and dependency updates.

9. Data Breach Notification

In the event of a Personal Data breach, Flowtriq Networks Inc. will:

  • Notify the Controller by email within 72 hours of becoming aware of the breach.
  • Provide details of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach.
  • Cooperate with the Controller in notifying the relevant supervisory authority and affected Data Subjects where required under Applicable Data Protection Law.
  • Document all breaches, including those not requiring notification, in an internal breach register.

Per-Jurisdiction Notification Timelines

The following table summarises the breach notification requirements that apply depending on the location of affected Data Subjects. Where multiple jurisdictions apply, Flowtriq Networks Inc. will comply with the shortest applicable timeline.

| Jurisdiction | Law | Notification Timeline | Notify To |
|---|---|---|---|
| EU / EEA | GDPR Art. 33 | 72 hours | Supervisory authority + data subjects (if high risk) |
| United Kingdom | UK GDPR Art. 33 | 72 hours | ICO + data subjects (if high risk) |
| Canada | PIPEDA s. 10.1 | As soon as feasible | Privacy Commissioner + affected individuals (if real risk of significant harm) |
| California | CCPA / Cal. Civ. Code 1798.82 | Most expedient time possible, no unreasonable delay | Affected residents + CA Attorney General (if 500+ residents) |
| Australia | Privacy Act 1988, NDB scheme | 30 days (assessment) then as soon as practicable | OAIC + affected individuals (if likely serious harm) |
| EU (NIS2) | NIS2 Directive Art. 23 | 24 hours (early warning), 72 hours (full notification) | National CSIRT or competent authority |
| Other US states | State breach notification laws | Varies (30-60 days typical) | State AG + affected residents |

10. International Data Transfers

Personal Data is processed and stored on infrastructure located in the region associated with the Controller's account. Where data is transferred outside the European Economic Area (EEA) or the United Kingdom, Flowtriq Networks Inc. ensures appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs where applicable.
  • Verification that the sub-processor maintains adequate data protection practices.

11. Confidentiality

Flowtriq Networks Inc. ensures that all personnel authorised to process Personal Data are subject to binding confidentiality obligations. Access to Personal Data is limited to employees and contractors who require it to perform their duties.

12. Audit Rights

The Controller may request information regarding Flowtriq's compliance with this DPA. Upon reasonable written request (no more than once per year), Flowtriq Networks Inc. will provide a summary of its security practices, recent audit findings, or relevant compliance certifications. On-site audits may be arranged with 30 days advance notice at the Controller's expense.

13. Data Protection Impact Assessments

Flowtriq Networks Inc. will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required by Applicable Data Protection Law.

14. Deletion and Return of Data

Upon termination or expiry of the Service agreement, Flowtriq Networks Inc. will:

  • Upon request, provide the Controller with an export of their Personal Data in a machine-readable format (JSON or CSV).
  • Permanently delete all Personal Data immediately upon confirmed account deletion request.
  • Confirm deletion in writing upon request.

Retention beyond 30 days applies only where required by law (e.g. billing records retained for 7 years for financial compliance).

15. CCPA/CPRA Addendum

This section applies where the Controller is a "business" as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), and Flowtriq Networks Inc. processes Personal Information (as defined under CCPA/CPRA) on the Controller's behalf.

In such circumstances, Flowtriq Networks Inc. acts as a "service provider" under CCPA/CPRA and agrees to the following:

  • Flowtriq will not sell, share, or disclose Personal Information received from the Controller for any purpose other than performing the Service as described in these Terms and this DPA.
  • Flowtriq will not retain, use, or disclose Personal Information for any commercial purpose other than providing the Service.
  • Flowtriq will not combine Personal Information received from the Controller with Personal Information received from other sources or collected from its own interactions with Data Subjects, except as permitted by CCPA/CPRA to perform the Service.
  • Flowtriq will comply with all applicable provisions of CCPA/CPRA and will assist the Controller in responding to verifiable consumer requests to know, delete, or correct Personal Information.
  • Flowtriq will notify the Controller if it determines that it can no longer meet its obligations under CCPA/CPRA.
  • The Controller has the right to take reasonable and appropriate steps to ensure that Flowtriq uses Personal Information in a manner consistent with the Controller's obligations under CCPA/CPRA.

16. PIPEDA Compliance

This section applies where the Controller is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar provincial privacy legislation in Canada.

Flowtriq Networks Inc. complies with PIPEDA Principle 4.7 (Safeguards) by implementing security safeguards appropriate to the sensitivity of the Personal Data being processed, as described in Section 8 of this DPA. These safeguards include physical, organisational, and technological measures designed to protect Personal Data against loss, theft, unauthorised access, disclosure, copying, use, or modification.

Flowtriq Networks Inc. acknowledges the right of Data Subjects to:

  • Access their personal information held by Flowtriq.
  • Challenge the accuracy and completeness of their personal information and have it amended as appropriate.
  • Complain about Flowtriq's handling of their personal information.

Complaints may be directed to [email protected]. If a complaint is not resolved to the Data Subject's satisfaction, they may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

17. Duration and Termination

This DPA takes effect when you create a Flowtriq account or begin using the Service, and remains in effect for the duration of the Service agreement. Obligations relating to data deletion, confidentiality, and breach notification survive termination.

18. Contact

For all data protection inquiries, data subject requests, or questions about this DPA:

We aim to respond to all inquiries within 30 days. For urgent matters relating to data breaches, please include "URGENT" in the subject line.