​

The EU General Data Protection Regulation (GDPR) is a regulation designed to harmonize data processing and privacy across the EU. Transfluent respects your privacy and right to your data. Confidentiality is one of the cornerstones of our business and, therefore, we are on good terms with GDPR. Our NDA and Terms of Service exceed the minimum requirements of the GDPR. You can rest assured that your data belongs to you and we are committed to keeping it confidential.

Transfer, storage and processing of data between the EU and the United States
In order to comply with the GDPR, data processing and storage must take place inside the EU or countries that ensure an adequate level of data protection and privacy. We have concluded agreements (including The EU Model Clauses) with all companies who might process your data outside of EU that on they may only process the data in accordance with our instructions and not for its own purposes. All data is transferred securely between our EU and US data centers. The data centers we employ are operated by industry-leading service providers that comply with various standards and the industry’s best practices for secure cloud computing. Our EU data centers are located in Ireland and the Netherlands. Our US data center is operated by Amazon Web Services (hereinafter “AWS”). AWS is GDPR compliant. For data redundancy and failover purposes, all data is replicated between the EU and US data centers.

Ownership of data
Your data belongs to you. We are committed to exporting your data to you or deleting your data upon request. However, please be aware that a complete deletion of data may not always be possible, for example due to mandatory legislation regarding financial transactions. To request an export of your data or the complete deletion of your data, please contact our customer support. Data deletion requests must be authorized by the account owner. The data is exported into a sanitized JSON-formatted encrypted ZIP file. Upon data deletion, a similar export file is provided before the data is deleted, if requested. As proof of deletion, the customer will receive a time-coded log of the itemized actions for each data entity and a list of the data that is still stored (for example, due to mandatory legislation).

Transfluent will comply with your data deletion request as far as legally possible, and requests are processed within 2 weeks. Transfluent will erase the information and provide the proof of deletion within 6 weeks after user has sent the notice.

Data encryption
All confidential data is encrypted at rest, and all transfers take place over a secure connection.

Information security and risk mitigation
The risks applicable to Transfluent’s operations are constantly evaluated, and security policies and processes are accordingly revised. We ensure that our vendors follow the best security practices and procedures and train and instruct our employees to do the same.

Transfluent has active and passive intrusion detection systems in place in its production and development environments. Furthermore, there is no access from the development environments to the production environment and any production data used in the development environments is sanitized to contain a minimal amount of confidential information.

Transfluent has in place extensive logging of all actions that automatically excludes sensitive information, such as passwords. The logging system operates independently and cannot be altered in case of a system intrusion. Unexpected events and suspicious activity are automatically reported to system administrators for review. The logs are regularly audited for finding anomalies that are not automatically detected.

There are system-wide security rules in place. For example, failed logins that exceed a certain threshold automatically lock the account in question in order to prevent brute-forcing access.

Transfluent encourages independent security researchers to participate in Transfluent’s HackerOne program in order to find vulnerabilities and report them responsibly. In case of security breaches, system outages or information disclosure, Transfluent is committed to notify the authorities and disclose the incident publicly, as appropriate.

Availability and data persistence
All information is duplicated across multiple data centers, backed up or both duplicated and backed up. The stored backups are encrypted, validated frequently and erased securely after expiration. The expiration periods range from hours to several years, with the latter period applied, for example, to financial transaction data for which there is a mandatory legal retention requirement.Transfluent acknowledges that our service might be business critical to you. Consequently, we constantly work toward keeping the service always available. However, achieving 100% availability is a tremendous task and requires constant evaluation and improvement. Should any downtime or a service interruption occur, we will review the circumstances closely and plan carefully how to avoid such incidents in the future.Transfluent has a developer mailing list (developer-notifications@transfluent.com) for notifications about service interruptions, planned maintenance periods or any upcoming changes to the API or our services. To join the mailing list, please contact our developer support.

Automatically collected information

The following information is automatically collected for every request submitted to Transfluent’s platform infrastructure and logging system.

​