Privacy Policy

Controller: Star Dot Hosting Inc., operating as Atomic Edge (“Atomic Edge”, “we”, “us”)
Registered address: 203A-116 Geary Ave., Toronto, Ontario, Canada, M6H 4H1
Contact (privacy): privacy@atomicedge.io
Data Protection Officer (DPO): Suzanne Thompson — privacy@atomicedge.io
Effective date: April 2, 2025
Status page: https://status.atomicedge.io

This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in connection with the Atomic Edge web application firewall and reverse‑proxy services, dashboards, APIs, and support (the Service). It is designed to comply with PIPEDA (Canada), GDPR/UK GDPR (EU/UK), CCPA/CPRA (California), ePrivacy rules for cookies/consent, and comparable laws. Capitalized terms not defined here have the meanings in our Terms of Service or Data Processing Addendum.

1. Scope & Roles

  • Who we are: For most processing of account and billing data, Atomic Edge acts as a Controller. For traffic metadata and security logs passing through our network for your domains, we act as your Processor (or Service Provider/Processor under CPRA/GDPR), processing on your documented instructions (see DPA at /legal/dpa).

  • Who you are: You (the customer) are generally the Controller of visitor/end‑user data associated with your domains protected by the Service.

2. Categories of Personal Information We Process

We process the following categories (which may vary by your configuration and use):

  1. Account & Profile: name, business email, role/title, company name, billing contact, authentication data (hashes), MFA status.

  2. Billing & Transactions: billing address, VAT/HST/GST/tax IDs, payment tokens and last‑4 (processed by Stripe), plan, invoices, credit notes, and service credits.

  3. Service & Security Logs (Processor context): IP address, port, timestamps, HTTP(S) headers, user‑agent, country/geo IP, request URLs/path patterns, response metadata, rule matches (WAF IDs, actions), allow/deny/rate‑limit decisions, TLS negotiation metadata, and event identifiers.

  4. Diagnostics & Telemetry: performance metrics, error traces, request IDs, latency, throughput, cache status (if enabled), and dashboard/API usage.

  5. Support & Communications: tickets, email threads, attachments, chat transcripts, and call notes or recordings where lawful.

  6. Cookie/Device Data: strictly‑necessary cookies for auth and load balancing; with consent, analytics cookies (see Cookie Policy at /legal/cookies).

  7. Marketing Preferences (opt‑in): newsletter/updates preferences and related engagement (opens/clicks) where allowed by law.

Sensitive data: We do not seek to collect special categories (e.g., health, biometrics). Do not send such data through the Service unless strictly necessary and appropriately safeguarded by you as Controller.

3. Sources of Personal Information

  • Directly from you (account creation, orders, support).

  • Automatically from Service use (traffic flows, logs, telemetry).

  • From vendors acting on our behalf (e.g., payments, analytics).

  • From publicly available or commercial sources for fraud prevention (limited).

4. Purposes & Legal Bases

4.1 Purposes of Processing

  • Provide & operate the Service (traffic proxying, WAF decisions, rule updates, dashboards, APIs).

  • Secure & maintain the Service (threat detection, abuse prevention, incident response, auditing).

  • Billing & account administration (invoicing, collections, tax compliance).

  • Analytics & product improvement (de‑identified/aggregated where possible).

  • Communications (transactional emails, service updates, incident notices).

  • Legal compliance (export/sanctions, recordkeeping, responding to lawful requests).

4.2 Legal Bases (GDPR/UK GDPR)

  • Contract (Art. 6(1)(b)) for providing the Service to you.

  • Legitimate interests (Art. 6(1)(f)) for securing the Service, preventing fraud/abuse, and improving features (balanced against your rights).

  • Consent (Art. 6(1)(a)) where required for cookies/marketing.

  • Legal obligation (Art. 6(1)(c)) for tax, accounting, and compliance.

4.3 CPRA (California)

We act as a Service Provider for customer traffic/logs. We do not sell personal information and do not share it for cross‑context behavioral advertising. We honor deletion/correction/know requests as applicable.

5. Cookies & Tracking

  • Strictly necessary: auth/session, load balancing, security state.

  • Functional/Analytics (consent‑based in EU/UK): site usage measurement to improve the dashboard/UX.
    Manage preferences via our cookie banner and your browser. See /legal/cookies for details and cookie list.

6. Subprocessors & Disclosures

We engage vendors under written contracts that require appropriate security and confidentiality. Current categories (see /legal/subprocessors for a live list and updates):

  • Cloud Infrastructure: AWS, OVH, Linode, Servers.com

  • Email/Workspace: Google Workspace

  • Monitoring/Logging: Sentry, Vector

  • Analytics: PostHog

  • Support/CRM/Billing: HubSpot, Stripe

We may disclose personal information: (a) to comply with law or legal process; (b) to protect rights/safety; (c) in corporate transactions (subject to safeguards); or (d) per your instructions as Controller.

We require 30 days’ prior notice for new subprocessors with a right to object on reasonable, documented data‑protection grounds.

7. International Transfers

We are headquartered in Canada. Where personal data is transferred internationally (e.g., to the U.S.), we use appropriate safeguards:

  • EU/EEA/UK → outside EEA/UK: Standard Contractual Clauses (Module 2) and the UK Addendum as applicable, plus supplementary measures.

  • PIPEDA: Cross‑border transfers occur with contractual protections and proportionate safeguards.

  • We currently do not offer EU‑only log storage by default. Contact us if you require regional log routing.

8. Retention

We retain personal information only as long as necessary for the purposes above or as required by law:

  • Security logs: 90 days by default (configurable on paid plans)

  • Account/billing records: up to 7 years for tax/audit

  • Support tickets: 24 months (unless you request earlier deletion where feasible)

  • Backups: rolling cycles (typically 30–45 days) then purged

Upon termination, we delete Customer Personal Data we process as your Processor within 90 days, unless retention is legally required.

9. Security Measures

We maintain technical and organizational measures appropriate to risk, including:

  • Encryption in transit (TLS); encryption at rest where applicable

  • Logical segregation and least‑privilege access; role‑based permissions

  • MFA for staff and secure key management

  • Vulnerability management, code review, and change control

  • Network security: WAF rulesets, rate limiting, DDoS/abuse controls

  • Security awareness and background checks as permitted by law

  • Incident response with 24×7 escalation; post‑incident review

Breach Notification: We will notify affected customers without undue delay after becoming aware of a personal data breach and provide updates as more information becomes available.

10. Your Rights & Choices

Depending on your location, you may have rights to access, rectification, deletion, restriction, portability, objection, and CPRA rights to know, correct, delete, and opt‑out of sale/sharing. Submit requests to privacy@atomicedge.io. We may verify your identity and ask for details to locate data. If we process your data on behalf of a customer, we will forward your request to the relevant Controller.

EU/UK residents may lodge complaints with their supervisory authority; Canadians may contact the Office of the Privacy Commissioner of Canada; Californians may contact the California Privacy Protection Agency.

11. Children

The Service is not directed to children under 16. Do not create accounts for or route child‑directed properties through the Service without written authorization and appropriate safeguards.

12. Your Responsibilities as Controller

You are responsible for: (a) establishing a lawful basis for processing; (b) informing individuals about processing via your own privacy notice; (c) configuring the Service consistent with law (e.g., IP/country blocking, logging levels, retention); and (d) honoring data subject rights applicable to your properties. Our DPA describes how we assist you.

13. Government & Law‑Enforcement Requests

Our approach is described in /legal/law-enforcement. We require valid legal process, review requests for scope and legality, and notify customers unless prohibited by law or risk of harm.

14. Changes

We may update this Policy from time to time. We will post the updated version with the Effective date. For material changes, we will provide 30 days’ prior notice (e.g., email or dashboard banner).

15. Contact

Questions or requests: privacy@atomicedge.io
Data Protection Officer: Suzanne Thompson — privacy@atomicedge.io

Annex A — Processing Overview (Processor Context)

Subject‑matter & nature: Processing traffic metadata/logs for WAF/rate limiting and security analytics.
Duration: Term of the Service + deletion within 90 days post‑termination.
Types of personal data: Network identifiers (IP, UA, headers), request paths, event IDs, rule matches, allow/deny decisions.
Data subjects: Visitors/end users of Customer domains; Customer personnel.
Subprocessors: See /legal/subprocessors.

Annex B — Data Map (Illustrative)

  • Ingress: Anycast edge endpoints (AWS/OVH/Linode/Servers.com).

  • Processing: WAF engine, rate‑limit decisions, logging pipelines (Vector → Sentry/PostHog as configured).

  • Storage: Log stores with 90‑day default retention (configurable on paid plans).

  • Access: Limited to authorized personnel under least‑privilege; audited.

Annex C — Retention Schedule (Summary)

  • Security events/logs: 90 days default

  • Billing/financial: 7 years

  • Support tickets: 24 months

  • Backups: 30–45 days rolling