DDoS protection and GDPR compliance might seem like they pull in opposite directions. Effective attack mitigation requires logging IP addresses, inspecting request patterns, and retaining data for forensic analysis. Under the GDPR, IP addresses are personal data. So how do you stay secure and compliant?
The Legal Basis for Processing
Processing IP addresses for DDoS mitigation falls under Article 6(1)(f) of the GDPR — legitimate interests. The European Data Protection Board has consistently affirmed that network security is a valid legitimate interest, provided processing is limited to what is necessary for the security purpose.
- Collect only what you need: source IPs, timestamps, and request signatures — not full payload content.
- Define and document retention periods: Akarguard's default is 30 days for mitigation logs.
- Pseudonymise where practical: hash IPs in long-term analytics datasets.
- Maintain a Record of Processing Activities (ROPA) entry for DDoS mitigation.
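The minimisation, retention and pseudonymisation practices in the list above can be wired into a log pipeline as follows. This is an added Python example, not Akarguard's code: the field names, the request-signature definition, the secret key and the sample records are constructed assumptions. It uses a keyed hash (HMAC) rather than a plain hash for the analytics dataset, because an unkeyed hash of an IPv4 address is reversible by simply hashing all 2^32 possible addresses and matching.

```python
"""Minimise, pseudonymise and expire DDoS mitigation log records (added example)."""
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed sample of what a scrubbing pipeline might see per request.
# Only the source IP, timestamp and a request signature survive minimisation;
# the body is never written to disk.
RAW_REQUESTS = [
    {"src_ip": "203.0.113.7", "ts": "2024-05-01T10:00:00+00:00", "method": "GET",
     "path": "/login", "user_agent": "curl/8.0", "body": "user=alice&pw=hunter2"},
    {"src_ip": "203.0.113.7", "ts": "2024-05-02T10:00:01+00:00", "method": "GET",
     "path": "/login", "user_agent": "curl/8.0", "body": "user=bob&pw=secret"},
    {"src_ip": "198.51.100.9", "ts": "2024-06-10T12:00:00+00:00", "method": "POST",
     "path": "/api/orders", "user_agent": "Mozilla/5.0", "body": '{"card":"4111..."}'},
]

# Documented retention period for mitigation logs (page states 30 days).
MITIGATION_RETENTION_DAYS = 30


def request_signature(method: str, path: str, user_agent: str) -> str:
    """Fingerprint of the request shape (method, path, UA), never the payload.

    The exact signature definition is an assumption for this example.
    """
    material = f"{method}\n{path}\n{user_agent}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def minimise(raw: dict) -> dict:
    """Keep only the fields needed for attack detection; the body is dropped."""
    return {
        "src_ip": raw["src_ip"],
        "ts": raw["ts"],
        "sig": request_signature(raw["method"], raw["path"], raw["user_agent"]),
    }


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the IP for long-term analytics datasets.

    A plain unkeyed hash is not adequate pseudonymisation for IPv4: there are
    only 2**32 addresses, so the whole space can be hashed and reversed by
    lookup. With a secret key, records from the same source still link to
    each other, but reversal requires the key, which stays out of the dataset.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:24]


def to_analytics_record(raw: dict, key: bytes) -> dict:
    """Minimised record with the raw IP replaced by its keyed pseudonym."""
    rec = minimise(raw)
    rec["src_ip_pseudonym"] = pseudonymise_ip(rec.pop("src_ip"), key)
    return rec


def purge_expired(records: list, now_iso: str,
                  retention_days: int = MITIGATION_RETENTION_DAYS) -> list:
    """Drop mitigation log entries older than the documented retention period."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [r for r in records if datetime.fromisoformat(r["ts"]) >= cutoff]


if __name__ == "__main__":
    key = b"constructed-secret-key"  # would come from a KMS / secret store
    mitigation_log = [minimise(r) for r in RAW_REQUESTS]
    analytics = [to_analytics_record(r, key) for r in RAW_REQUESTS]
    kept = purge_expired(mitigation_log, "2024-06-15T00:00:00+00:00")
    print(f"mitigation records kept after purge: {len(kept)} of {len(mitigation_log)}")
    print("analytics sample:", analytics[0])
```

The mitigation log keeps raw IPs only for the documented 30-day window, while the analytics copy never contains a raw IP at all; the HMAC key should be stored and rotated separately from the dataset, since holding both together defeats the pseudonymisation.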
Data Processing Agreement
When you route traffic through Akarguard, we act as a data processor under Article 28. We provide a standard Data Processing Agreement (DPA) that covers sub-processors, transfer mechanisms for non-EEA PoPs (Standard Contractual Clauses), and your right to audit. Your legal team can request the DPA directly from our compliance team.
Privacy by Design
Akarguard's scrubbing pipeline is architected so that payload content is never stored — only metadata needed for attack detection. This is Privacy by Design in practice, not just on paper.
CCPA Considerations
For customers serving California residents, the same principles apply under the CCPA: IP addresses are personal information, processing for security is a permitted purpose, and service providers must process data only as directed. Our DPA includes CCPA-compliant addenda.