Varnish Software AB (556805-6203), Wallingatan 12, 111 60 Stockholm, Sweden (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Notice explains how we collect, use, store, and share personal data when you visit our website, create an account, or purchase our services. We are the data controller for our services and comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
1. Roles & Responsibilities (GDPR)
As Data Controller: We act as a controller for Administrative Data, such as account and billing information. We determine how and why this data is processed to manage accounts, provide support, and meet contractual and legal obligations.
As Data Processor: We act as a processor for Traffic Data on behalf of our customers in accordance with the applicable Data Processing Agreement (DPA). Traffic Data includes content delivered through our CDN and limited technical metadata, such as end-user IP addresses, that is necessary to operate and secure the service. Traffic Data is processed solely for the purpose of providing the contracted services. Where feasible, Traffic Data is processed and retained within our European infrastructure.
Data Segregation & Security: Administrative and Traffic Data are strictly separated and processed only for their defined purposes. We use encryption, access controls, and DDoS protection to safeguard data.
2. Categories of personal data, purposes, and lawful basis
2.1 Administrative Data (Controller)
| Category of Personal Data | Description | Purpose of Processing | Lawful Basis (GDPR) |
|---|---|---|---|
| Account Information | Name, email address, company name | To set up your account, verify your identity, and let you log in | Art. 6(1)(b) – Performance of a contract |
| Billing Data | Subscription plan, usage metrics, invoices, billing records, billing address, billing contact, VAT number | To manage your subscription and calculate usage (e.g., TBs of traffic) | Art. 6(1)(b) – Performance of a contract; Art. 6(1)(c) – Legal obligation |
2.2 Traffic Data (Processor)
| Category of Personal Data | Description | Purpose of Processing | Lawful Basis (GDPR) |
|---|---|---|---|
| Traffic Data | IP addresses, request headers, traffic and security logs | To route your website traffic, block malicious bots, and stop DDoS attacks | Determined by the Customer as Data Controller (Art. 6 GDPR) |
2.3 Usage and Service Operation Data
| Category of Personal Data | Description | Purpose of Processing | Lawful Basis (GDPR) |
|---|---|---|---|
| Usage Data | Access logs, device and browser information related to the management interface | To see how you use our dashboard so we can improve the experience. | Art. 6(1)(f) – Legitimate interests (service security and improvement) |
3. Data Sharing and Sub-processors
We engage a limited number of sub-processors under strict contracts to support service delivery. Sub-processors fall into two categories:
Traffic Data Sub-processors (“Sovereign Layer”) – process Traffic Data to deliver, secure, and operate services, generally within the EU/EEA.
Administrative Data Sub-processors (“Business Layer”) – support internal operations like billing, CRM, and customer support.
All sub-processors are bound by written agreements requiring them to follow strict data protection, confidentiality, and processing rules in line with GDPR and this Privacy Notice. We keep an up-to-date list of sub-processors and notify customers of significant changes.
3.1 Categories of Sub-processors
3.1.1 The Sovereign Layer / Traffic Data Sub-processors
These are Sub-processors involved in the processing of Traffic Data solely for the purpose of delivering, securing, and operating the Services. Such processing is limited to what is necessary to perform the contracted services and is subject to data residency and transfer restrictions as contractually agreed. These partners facilitate the content delivery, security, and routing of your website traffic. We have selected them specifically to ensure that the processing of end-user data remains within the EU/EEA to the fullest extent possible.
| Subprocessor | Purpose of Processing | Location of Processing | Legal Safeguard (if outside EU/EEA) |
|---|---|---|---|
| DataPacket | Physical hosting, server infrastructure, and network routing | European Union (EU-based Data Centers) | N/A (Inside EU/EEA) |
| Scaleway | Hosting of the Control Plane, API, and dashboard infrastructure | France | N/A (Inside EU/EEA) |
| DataDome* | Advanced Bot Protection and threat mitigation | France | N/A (Inside EU/EEA) |
| Atomicorp* | Provider of WAF security rulesets. Rules are downloaded and executed locally on our own infrastructure. | European Union (Rules applied locally on EU nodes) | N/A (No data transferred to vendor) |
*Note: While WAF rules are applied locally on our European infrastructure, Atomicorp is a US-based entity. DataDome may analyze traffic on their infrastructure located in the EU, although DataDome is a US-based entity.
3.1.2 The Business Layer / Administrative Data Sub-processors
These are Sub-processors that support internal business functions, such as billing, accounting, customer support, and communications, and that process Administrative Data only. Data processed here is limited to your business contact details and account information, not your website’s traffic or content.
| Subprocessor | Purpose of Processing | Location of Processing |
|---|---|---|
| Salesforce | Customer Relationship Management (CRM) and sales pipeline | EU (Hyperforce EU OZ Instance) |
| HubSpot | Marketing automation, lead generation, and website analytics | USA |
| Slack | Internal team messaging and ChatOps | USA |
| Zendesk | Customer support ticketing system | USA |
| Google Workspace | Internal team communication (Email, Calendar) | USA |
|  | Website usage analytics and performance monitoring; delivery of typography for our website and dashboard | USA |
| Deltek Maconomy | Enterprise Resource Planning (ERP) and accounting | USA |
| Mollie | Payment processing (Independent Controller). For details about how they process personal data, please refer to their privacy policy. | Netherlands (European Union) |
4. Your rights as a data subject in line with GDPR
Depending on where you are based, you may have a number of rights set out in applicable laws. You can make a request for any and all of the following:
- To access and obtain a copy of your personal data;
- To have any incorrect or incomplete personal data updated;
- To delete / erase your personal data;
- To restrict the processing of your personal data (in certain circumstances);
- To request your personal data in a portable format;
- To object to the processing of your personal data; and
- To withdraw your consent (where the legal basis of processing personal data was based on consent).
To make such a request, please send an email to compliance@varnish-software.com. You may also have the right to lodge a complaint with your local or national data protection regulatory or supervisory authority.
5. Cookies
We use cookies to make our dashboard work (like keeping you logged in) and to keep it secure. We also use HubSpot cookies to understand how people find our website. You can turn off non-essential cookies in your browser or via our cookie banner.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specifically, personal data is retained for:
- Providing and operating the Services
- Compliance with legal obligations, including tax, accounting, and regulatory requirements
- Resolving disputes and enforcing agreements
Retention periods for key categories of data are as follows:
- Account Data: Retained for the duration of the customer relationship.
- Billing and Payment Records: We retain billing and payment records for the period required to comply with applicable local laws and tax regulations, which may vary depending on the country of operation. For example, in Sweden, accounting and tax records are typically retained for 7 years.
- Traffic Data / Logs: Retained for 12 months for security auditing and operational purposes, after which they are permanently deleted.
7. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. The latest version will always be available on our website.
8. Contact us
You may contact us at compliance@varnish-software.com