GDPR Compliance - ArtaDNS

Our Role Under GDPR

ArtaDNS operates as a Data Controller for the following data:

Your account information (email, username, organization)
Encrypted Cloudflare API tokens
Token metadata and usage statistics
Dashboard access logs

We act as an API intermediary for:

DNS record operations performed on your Cloudflare account
Analytics data fetched from Cloudflare

Note: Your DNS records remain under Cloudflare's control. We do not store DNS data, only provide a management interface.

Data Processing Agreement

We provide a Data Processing Agreement (DPA) to all customers that outlines our obligations as a data controller. This agreement covers the nature and purpose of processing, types of personal data, security measures, and your rights.

Contact [email protected] to request a copy of our DPA.

GDPR-Compliant Features

AES-256-GCM Token Encryption

All Cloudflare API tokens are encrypted using military-grade encryption before storage.

Multi-Token Management

Add, enable, disable, or delete tokens at any time with full control over access.

Token Verification

Automatic verification against Cloudflare API ensures tokens are valid and permissions are correct.

Data Minimization

We only store encrypted tokens and metadata - no DNS records are stored in our database.

Real-Time Operations

All DNS operations are performed in real-time via Cloudflare API - no data caching.

Secure Access

TLS 1.3 encryption for all data in transit, bcrypt password hashing, row-level security.

Access Control

Granular role-based access control for organization members.

Audit Logs

Complete audit trail of token usage and operations.

Data Portability

Export your account data at any time.

Right to Erasure

Delete your account and all encrypted tokens permanently.

Data Storage Location

All data is stored on servers located in the European Union. Encrypted tokens, account information, and usage logs never leave the EU. We do not transfer personal data outside the EU/EEA without appropriate safeguards as required by GDPR.

Primary data storage: OVH Frankfurt, Germany (PostgreSQL database)
Infrastructure: Kubernetes cluster hosted on OVH Frankfurt
Cloudflare API: User-controlled domains (DNS data remains on Cloudflare)

Sub-processors

We use the following sub-processors to provide our service:

Service	Purpose	Location
OVH	Database hosting (PostgreSQL), Infrastructure (Kubernetes)	Frankfurt, Germany
Cloudflare Proxy	Reverse proxy for ArtaDNS application, DDoS protection, WAF, CDN	Global (EU edge locations)
Cloudflare API	DNS management, Analytics (user-controlled data on your domains)	Global (your domains)
Artatol Account SSO	Authentication	EU

Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15) - Request a copy of all your personal data
Right to Rectification (Art. 16) - Update or correct your account information
Right to Erasure (Art. 17) - Request deletion of your account and all encrypted tokens
Right to Restrict Processing (Art. 18) - Limit how we use your data
Right to Data Portability (Art. 20) - Receive your data in a machine-readable format
Right to Object (Art. 21) - Object to certain types of processing
Right to Withdraw Consent - Withdraw consent at any time by deleting tokens
Right to Lodge a Complaint - File a complaint with your data protection authority

To exercise these rights, please contact us at [email protected].

Token Management and Consent

By adding a Cloudflare API token to ArtaDNS, you consent to:

Encrypted storage of your API token
Use of the token to access Cloudflare API on your behalf
Fetching DNS records and analytics data from your Cloudflare account
Tracking token usage statistics

You can withdraw consent at any time by:

Disabling the token in Token Management settings
Deleting the token from ArtaDNS
Revoking the token in your Cloudflare account
Deleting your ArtaDNS account entirely

Data Retention

We retain your data according to the following schedule:

Account data: Retained while account is active
Encrypted tokens: Retained until manually deleted or account closed
Usage logs: Retained for 90 days for security and troubleshooting
Deleted accounts: All data anonymized or permanently deleted within 30 days

Important: Deleting your ArtaDNS account does NOT delete your Cloudflare account or DNS records. It only removes the encrypted tokens from our system.

Security Measures (Article 32)

We implement state-of-the-art technical and organizational measures:

Token Encryption: AES-256-GCM with secure key management
Password Security: Bcrypt hashing (one-way, not reversible)
Data in Transit: TLS 1.3 for all connections
Data at Rest: AES-256 database encryption
Database Security: Row-level security (RLS) on PostgreSQL
Token Verification: Automatic validation against Cloudflare API
Access Logging: Complete audit trail of all operations
Regular Audits: Security audits and penetration testing
Session Management: Automatic expiration and refresh token rotation

Breach Notification (Article 33)

In the event of a personal data breach that poses a risk to your rights and freedoms (e.g., compromise of encrypted tokens), we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. We will provide:

Nature of the breach and affected data categories
Likely consequences of the breach
Measures taken to address the breach
Recommended actions (e.g., revoking compromised tokens in Cloudflare)
Contact information for further inquiries

International Data Transfers

Your data is primarily stored and processed in the European Union (AWS eu-west-1). When you use ArtaDNS to access Cloudflare services:

API requests are made to Cloudflare's global network (user-controlled domains)
Cloudflare processes your DNS data according to their own privacy policy and GDPR compliance
We ensure appropriate safeguards through Standard Contractual Clauses (SCCs)

Your Responsibilities

When using ArtaDNS, you are responsible for:

Token Security: Keeping your Cloudflare API tokens secure and not sharing them
Token Permissions: Granting only necessary permissions when creating Cloudflare tokens
Token Revocation: Revoking tokens in Cloudflare if compromised
DNS Data: Ensuring your DNS records comply with applicable laws
Account Security: Using strong passwords and enabling 2FA in Artatol Account

Contact Our DPO

For any GDPR-related inquiries, DPA requests, or to report a data breach, contact our Data Protection Officer:

Data Protection Officer

Email: [email protected]

Mailing address: Artatol, Prague, Czech Republic

We will respond to your request within 30 days as required by GDPR.

Compliance Status

✅ GDPR compliant (Regulation (EU) 2016/679)
✅ AES-256-GCM token encryption
✅ Data stored in EU (AWS eu-west-1)
✅ TLS 1.3 encryption in transit
✅ Regular security audits
✅ Data Protection Agreement available