Speed Kit and Data Compliance: An Overview of GDPR, Security, and Consent

Key Takeaways

  • GDPR-Compliant by Design: Speed Kit is engineered for full compliance with GDPR, with primary data processing hosted in Germany, global content delivery via a secure CDN, and a robust Data Processing Addendum (DPA) that is part of every contract by default.
  • Simplified Consent Management: Speed Kit's core functions and associated cookies are classified as "technically necessary" under the German TDDDG (§ 25) and GDPR, meaning they typically do not require explicit user consent via a cookie banner.
  • Independently Verified Security: Our comprehensive security posture is validated through regular external audits, including a review of our Technical and Organizational Measures (TOMs) and continuous penetration testing, giving you documented assurance.

Introduction

In today's e-commerce landscape, data protection isn't just a legal requirement—it's a cornerstone of customer trust. For business and technical leaders, ensuring that every tool in your stack meets rigorous standards like the GDPR is paramount. Speed Kit was built from the ground up with a security-first and privacy-by-design philosophy. Our platform is engineered to deliver maximum website performance while upholding the strictest data protection principles.

This document provides a comprehensive overview of our approach to data security, GDPR compliance, and cookie consent. We detail our legal framework, technical safeguards, and the practical steps for integrating Speed Kit into your privacy strategy. Our transparent, security-first approach is trusted by leading enterprises with stringent data protection requirements, including OBI, O2/Telefónica, and BMW.

Our Commitment to GDPR and Data Protection

We provide a clear, robust, and transparent legal framework to ensure our partnership is built on a foundation of trust and compliance.

The Data Processing Addendum (DPA)

The central document governing our data processing relationship is the Speed Kit Data Processing Addendum (DPA).

  • Standardized and Compliant: Our DPA is based on the EU Commission's standard contractual clauses (SCCs) for processors (Implementing Decision 2021/915), ensuring it meets the requirements of Art. 28 GDPR without needing extensive legal review.
  • Integrated by Default: The DPA is automatically incorporated into every service agreement via our General Terms and Conditions (T&Cs), ensuring this critical legal safeguard is always in place.
  • Easily Accessible: For your records, a pre-signed version of the DPA is always available for download from our legal page at www.speedkit.com/legal.

Data Processing and Storage

We believe in data minimization and transparency. Here’s a clear breakdown of what data we process, why, and where it is stored.

Data Flow Overview

Speed Kit processes a minimal amount of data required to accelerate your website and monitor performance. The data flow is designed for security and efficiency:

  1. Browser: A user's browser sends requests for your site's content. The Speed Kit Service Worker intercepts these requests, acting as a client-side proxy. It instantly delivers the cached page from the Speed Kit infrastructure while simultaneously fetching live, dynamic data from your origin server to merge in the browser.
  2. Network (CDN): Cached, static content is delivered instantly from Fastly's globally distributed Content Delivery Network (CDN).
  3. Backend (Speed Kit Service): The Speed Kit backend, hosted on AWS in Frankfurt, Germany, anonymizes data, fetches content from your origin, and manages the caches.
  4. Analytics & Storage: Anonymized performance data is processed and stored in our AWS infrastructure for analysis.

What We Process
  • Data Subjects: Visitors to the customer's website.
  • Categories of Data:
    • IP Addresses: Anonymized immediately upon receipt. For storage, IP addresses are both truncated (the last 8 bits for IPv4 and the last 80 bits for IPv6 are removed) and stored as an HMAC hash with a daily rotating key to prevent re-identification.
    • Anonymous Identifiers: Randomly generated user and session IDs for performance analysis and bot detection. These IDs contain no personal information.
    • Website Interactions: Performance metrics (e.g., page load times) and accessed URLs (without personal components) are collected to ensure service quality.
  • Purpose of Processing: To accelerate website delivery, ensure system security (e.g., bot and DDoS protection), and analyze performance for continuous improvement. No personal profiles are created, and no data is used for marketing or retargeting.
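The IP handling described above, written out as an added example (this is illustrative code, not Speed Kit's own implementation): the address is truncated to its network part (/24 for IPv4, dropping the last 8 bits; /48 for IPv6, dropping the last 80 bits) and the truncated value is then stored only as an HMAC under a key that is regenerated every day. HMAC-SHA256, the 256-bit key length and the in-memory key ring are assumptions; the page states only that an HMAC with a daily rotating key is used.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date
from typing import Optional


def truncate_ip(ip_str: str) -> str:
    """Drop the host part: the last 8 bits of IPv4 (/24), the last 80 bits of IPv6 (/48)."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


class DailyKeyRing:
    """Holds one random HMAC key per calendar day and forgets the previous one.

    Assumption for this example: the key lives only in memory and is never persisted,
    so records hashed on different days cannot be joined back to one visitor.
    """

    def __init__(self) -> None:
        self._day: Optional[date] = None
        self._key: Optional[bytes] = None

    def key_for(self, day: date) -> bytes:
        if day != self._day:
            self._day = day
            self._key = secrets.token_bytes(32)  # fresh 256-bit key on rotation
        return self._key


def pseudonymize_ip(ip_str: str, key: bytes) -> str:
    """Truncate the address, then HMAC-SHA256 the truncated form under the given key."""
    truncated = truncate_ip(ip_str)
    return hmac.new(key, truncated.encode("ascii"), hashlib.sha256).hexdigest()


def anonymize_for_storage(ip_str: str, ring: DailyKeyRing, day: Optional[date] = None) -> str:
    """The value that would reach analytics storage for one request on the given day."""
    day = day or date.today()
    return pseudonymize_ip(ip_str, ring.key_for(day))


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges (TEST-NET-3 and 2001:db8::/32).
    ring = DailyKeyRing()
    day = date(2024, 1, 15)
    for ip in ("203.0.113.77", "203.0.113.200", "2001:db8:abcd:1234:5678:9abc:def0:1"):
        print(ip, "->", truncate_ip(ip), "->", anonymize_for_storage(ip, ring, day))
```

Two properties are worth checking when reviewing such a scheme: every address in the same /24 (or /48) collapses to one stored value, so no single host is distinguishable within its block, and because the key is discarded at rotation, the same visitor produces unrelated values on consecutive days. The truncation is what limits re-identification even if a day's key were ever recovered; the HMAC is what prevents a simple lookup table over the 2^24 possible IPv4 prefixes.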

Sub-processors and Data Locations

We partner with leading infrastructure providers to deliver our service. All sub-processors are vetted for their security and compliance standards.

  • Primary Backend Location: Our core application servers and primary data storage are located within the European Union at Amazon Web Services (AWS) data centers in Frankfurt, Germany.
  • Content Delivery Network (CDN): Fastly, Inc. provides a globally distributed CDN to deliver cached content from the edge server closest to the user. Data transfer is protected by Standard Contractual Clauses and Fastly's certification under the EU-U.S. Data Privacy Framework. Customers can optionally limit data transfer to Fastly's EU infrastructure.
  • Data Analytics: Hex Technologies, Inc. provides a platform for data science and analysis, hosted in AWS EU data centers. Access from the USA for support is safeguarded by SCCs and Hex's DPF certification.

Cookies, Consent, and Real User Monitoring (RUM)

Speed Kit's use of cookies is limited, purposeful, and designed to comply with privacy regulations, simplifying your consent management obligations.

How Speed Kit Uses Cookies

Speed Kit uses two first-party "cookies" (technically, entries in the browser's localStorage rather than HTTP cookies, so they are not transmitted with every request) to ensure the reliability and security of our service.

  • baqend-speedkit-config: This stores configuration parameters (e.g., { "group": "A", "testId": "10vs100" }) to manage phased rollouts and A/B tests. This ensures that any changes are deployed safely without impacting all users at once.
  • baqend-speedkit-user-id: This stores a randomly generated, anonymous visitor ID (e.g., R2fUvr6CsPpO0Hm4RDelAnYEj). It is used to correlate performance data across multiple page views to identify returning user issues, detect anomalous bot behavior, and analyze performance trends.

Consent Management: Why Speed Kit is "Technically Necessary"

A key advantage of Speed Kit is that its use generally does not require prior consent in a cookie banner.

  • Legal Basis (ePrivacy): Under Germany's TDDDG (§ 25), which implements the ePrivacy Directive, storing information on a user's device is exempt from consent if it is "absolutely necessary" to provide a service "expressly requested" by the user.
  • Our Justification:
    1. Speed Kit provides core functionalities for website security, stability, and speed, which are considered part of the basic service requested by a visitor.
    2. The cookies we set are absolutely necessary for these functions, such as preventing errors during rollouts and detecting security threats like bots.
    3. Therefore, setting these cookies falls under the "technically necessary" exemption.
  • Legal Basis (GDPR): The subsequent processing of the (anonymized) data is based on Legitimate Interest (Art. 6(1)(f) GDPR). Our legitimate interest is ensuring the secure, stable, and high-performance operation of our customers' websites.

This classification means that Speed Kit's acceleration and RUM tracking can be active by default, ensuring maximum performance gains and data coverage even if a user rejects optional cookies.

Integrating Speed Kit with Your Consent Tools and Policies

For full transparency with your users, you should account for Speed Kit in your consent management platform (CMP) and your website's main privacy policy.

For Your Cookie Banner / CMP

The following information can be used as a template to describe Speed Kit within your cookie consent tool. As Speed Kit is classified as "technically necessary," it should be listed under this category and enabled by default.

Description and purpose of data processing

The use of Speed Kit serves to accelerate the delivery and display of our website. It is technically necessary to transmit the accessed URL and the visitor's IP address to the Speed Kit provider. IP addresses are immediately anonymized. Speed Kit uses cookies for security purposes (e.g., bot detection) and to analyze performance and detect misconfigurations. No personal profiles are created. As part of this process, Speed Kit uses Fastly, a Content Delivery Network (CDN), to deliver content from a server geographically close to the user.

Processor

Baqend GmbH, Stresemannstraße 23, 22769 Hamburg, Germany, acts as a processor based on a Data Processing Addendum (Art. 28 GDPR).

Categories of personal data processed

IP address (anonymized), Requested URL, User Agent, Anonymous user & session ID.

Legal basis

Art. 6(1)(f) GDPR (Legitimate interests in a secure and performant website); § 25(2) No. 2 TDDDG (Technically necessary).

Place of processing

European Union; worldwide for the Content Delivery Network.

Storage period

The storage period for cookies is 6 months.

For Your Privacy Policy

If you need example text for describing Speed Kit's function in your main data privacy policy, we recommend adapting the text from our own policy, which is always kept up-to-date.

To ensure your policy remains accurate, we advise against copying a static version of the text. Instead, we recommend you refer to the live version on our website as a reference.

Reference Text: You can refer to section 3.2 ("Speed Kit") of the Baqend privacy policy https://www.speedkit.com/privacy#speedkit.

Verified Security & Technical Measures

Our commitment to security is not just a promise; it's a core part of our architecture, processes, and culture, validated by external experts.

Our Security-First Architecture

We build our systems on industry-recognized security principles to create a resilient, multi-layered defense.

  • Zero-Trust: We operate on the assumption that no user or system should be implicitly trusted. Every interaction requires continuous validation.
  • Assume-Breach: Our systems are designed to limit the blast radius of a potential breach, assuming that an adversary will eventually get in.
  • Defense-in-Depth: We layer multiple defensive mechanisms across our entire technology stack—from the network edge to the application code.
  • Least-Privilege & Need-to-Know: Access to data and systems is granted only with the minimum permissions necessary for a specific task and only for the required duration.

Technical and Organizational Measures (TOMs)

We have implemented robust TOMs to protect customer data, which are detailed in Annex III of our DPA. These measures are regularly audited by an expert from LUCID Compliance GmbH. The audit confirms the appropriateness and effectiveness of our controls across all key areas:

  • Access Control: Preventing unauthorized access to our data centers and systems.
  • Encryption: All data is encrypted in transit (TLS) and at rest (AES-256).
  • Availability Control: Ensuring resilience against data loss or destruction through redundant systems and regular backups.
  • Separation Control: Logically separating customer data in our multi-tenant environment.
  • Input & Transfer Control: Logging all access and ensuring data is protected during any transfer.

External Security Audits

We engage third-party security firms to validate our security posture continuously.

  • Company Security Assessment: Baqend underwent a comprehensive "inside-out" security assessment by the defense company CISOCON. This deep-dive review of our technology, processes, and strategy ensures our security program is robust from top to bottom.
  • Continuous Penetration Testing: We use Detectify, a leading penetration testing-as-a-service platform, to conduct continuous, crowdsourced security testing on our external attack surface. This allows us to benefit from the latest research from ethical hackers to identify and remediate vulnerabilities proactively.