Dfence Privacy Policy

At Dfence, protecting personal data and ensuring transparency in our processing practices is central to our mission of building a more privacy-aligned Internet. This Privacy Policy outlines how Dfence ("Dfence", "we", "us", or "our") collects, processes, and protects personal information in connection with our services.

1. Scope of this Policy

This policy applies to the processing of personal information in the following contexts:

• Customers and Administrative Users: Individuals and organizations who use Dfence's Edge Component Platform and manage services or projects via the Dfence dashboard.
• Website Visitors: Individuals who visit our public-facing websites (e.g. edgee.cloud).
• End Users: Individuals who interact with our customers' websites or applications where Dfence is deployed.

This policy does not apply to our customers' websites, applications, APIs, or networks—even when Dfence's infrastructure intermediates the delivery of their content. Customers are solely responsible for implementing their own privacy policies and ensuring compliance with applicable laws when using Dfence's services in connection with their end users.

Dfence's platform and services are not intended for, nor directed toward, individuals under the age of eighteen. We do not knowingly collect or process personal data from minors. If we become aware that such information has been collected, we will delete it without delay.

2. What Information We Process

We distinguish between data Dfence processes on behalf of customers (as a processor) and data processed for our own operational purposes (as a controller).

2.1. Data Processed on Behalf of Our Customers

Dfence processes End Users' interactions with Customer's websites, APIs, applications, and other digital services where Dfence is deployed. The data processed can include:

• Network and event data (e.g., pageviews, interactions, TCP/IP and HTTP(S) request metadata)
• User identifiers (e.g., session hashes, cookie-based IDs)
• IP addresses (with optional truncation based on customer-configured anonymization settings)
• Device/browser metadata (e.g., language, user-agent, screen size)

2.2. Data Processed for Our Own Operations

We may process the following limited personal data:

• Account registration data (e.g., name, email, company)
• Service usage logs (for support, billing, and security)
• Communication data (e.g., email correspondence)

3. Legal Basis for Processing

Our processing of personal information is based on the following legal grounds:

• Consent – when required, such as for the placement of optional cookies or forwarding data to third-party analytics providers, based on end user choices.
• Legitimate interest – for purposes like anonymized audience measurement, fraud prevention, and ensuring platform security, provided such interests are not overridden by data subject rights.
• Contractual necessity – when processing is required to fulfill our obligations under a contract, such as account provisioning, billing, and platform access.

When Dfence processes data on its own behalf (as a data controller), we determine and document the applicable legal basis for each processing activity.

However, when Dfence processes data on behalf of its customers (as a data processor)—especially in relation to end users—the customer is the data controller. This means our customers are solely responsible for selecting a valid legal basis for processing end user data (e.g., contractual necessity);

Dfence provides privacy-preserving technical options, but does not make legal determinations on behalf of customers. Improper use or misconfiguration may result in processing that does not meet regulatory requirements.

4. How We Use the Information

We use personal data for specific, clearly defined purposes, depending on whether we are acting as a controller or a processor.

When Dfence Acts as a Processor (on behalf of Customers):

We process end user data exclusively for the purposes defined and controlled by our customers, such as:

• Routing and transforming analytics traffic securely on their behalf
• Enforcing consent signals and user privacy preferences
• Supporting functionality tied to audience measurement and service optimization

We never use end user data for our own purposes beyond service provision.

When Dfence Acts as a Controller (for its own operations):

We process data in order to:

• Provide, maintain, and optimize Dfence services
• Monitor platform performance and usage
• Prevent fraud, abuse, and ensure service security
• Provide support, communicate with customers, and administer accounts

Dfence does not:

• Use personal data for advertising, behavioral profiling, or commercial monetization
• Sell or rent personal data to third parties

All processing activities are limited to what is necessary, proportionate, and aligned with applicable data protection regulations.

5. Data Sharing

We may share data with:

• Sub-processors strictly required to operate the platform (e.g., infrastructure providers)

Dfence currently engages the following subprocessors to help deliver its services:

• Fastly – Edge network infrastructure and content delivery
• AWS (Amazon Web Services) – Infrastructure hosting and computing
• Clickhouse – Analytics and event storage
• Vercel – Front-end hosting and deployment platform

We ensure each subprocessor is subject to strict data protection obligations through appropriate contractual safeguards. For updates or detailed documentation, please visit our Trust Center.

6. International Data Transfers

All personal data processed by Dfence is hosted within the European Union by default. Where international transfers are necessary—for example, when a subprocessor operates outside the EU—we rely on:

• Standard Contractual Clauses (SCCs): Contractual provisions approved by the European Commission that ensure adequate data protection safeguards. These SCCs are available to our customers and their data protection officers upon request.
• Adequacy decisions: Where the European Commission has determined that a non-EU country ensures an adequate level of data protection (e.g., the UK, Switzerland), we may rely on that status to facilitate compliant transfers.
• Organizational and technical safeguards: These include end-to-end encryption of personal data in transit, strict access controls, processing confined to isolated edge environments, and robust auditing policies. These measures help minimize exposure risks and protect transferred data from unauthorized access or misuse. For a more detailed overview of our security measures, please refer to our Trust Center.

7. Data Retention

We retain personal data only as long as necessary:

• Logs: retained for up to 25 months
• End user events (processed on behalf of customers): retained for up to 25 months
• Account and billing records: for the duration of the customer relationship, plus legal retention obligations

8. Your Rights

Depending on your location, you may have the right to:

• Access, rectify, or erase your data
• Object to processing or request restriction
• Data portability
• Lodge a complaint with a data protection authority

Requests can be submitted to: privacy@edgee.cloud

If you are an end user of a website using Dfence, please contact the site owner directly. Dfence acts as a data processor for the website operator and does not determine the purposes or means of processing your data. However, if you submit a rights request to Dfence and we can reasonably identify the associated customer, we will forward your request to the relevant data controller, where appropriate. In all cases, the primary responsibility for handling data subject rights rests with the site owner or Dfence customer.

9. Security Measures

Dfence employs a comprehensive set of security controls to ensure the confidentiality, integrity, and availability of personal data processed through our platform. Our security program is aligned with industry best practices and independently audited.

• Encryption: All identifiers and traffic are encrypted in transit using TLS 1.2 or higher. Sensitive identifiers are also encrypted at rest.
• Edge isolation: All processing of end user data takes place within isolated edge nodes, minimizing lateral risk and exposure.
• Access controls: All system access is role-based, logged, and tightly scoped to least privilege.
• Auditing and monitoring: We maintain audit trails and use automated monitoring to detect unauthorized access or misuse.

For a detailed breakdown of our technical and organizational measures, please refer to our Trust Center.

10. Customer Responsibility

Dfence provides tools and configurations to support compliance, but our customers are responsible for:

• Managing consent and transparency toward end users
• Determining the applicable legal basis for Dfencedata processing

11. Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will communicate them prominently on our website. In addition, customers will be required to review and accept the updated Privacy Policy upon their next login to the Dfence dashboard in order to continue using our services.

12. Contact