Speed Kit and Data Compliance: An Overview of GDPR, Security, and Consent
Key Takeaways
- Privacy-Centric by Design: Speed Kit is engineered for full GDPR compliance, from its core architecture to its privacy-preserving AI models for predictive preloading, all governed by a default Data Processing Addendum (DPA).
- Simplified Consent Management: Speed Kit's core functions and associated cookies are classified as "technically necessary" under the German TDDDG (§ 25) and GDPR, meaning they typically do not require explicit user consent via a cookie banner.
- Independently Verified Security: Our comprehensive security posture is validated through regular external audits, including a review of our Technical and Organizational Measures (TOMs) and continuous penetration testing, giving you documented assurance.
Introduction
In today's e-commerce landscape, data protection isn't just a legal requirement—it's a cornerstone of customer trust. For business and technical leaders, ensuring that every tool in your stack meets rigorous standards like the GDPR is paramount. Speed Kit was built from the ground up with a security-first and privacy-by-design philosophy. Our platform is engineered to deliver maximum website performance while upholding the strictest data protection principles.
This document provides a comprehensive overview of our approach to data security, GDPR compliance, and cookie consent. We detail our legal framework, technical safeguards, and the practical steps for integrating Speed Kit into your privacy strategy. Our commitment to transparency and security is trusted by leading enterprises with stringent data protection requirements, including OBI, O2/Telefónica, and BMW.
Our Commitment to GDPR and Data Protection
We provide a clear, robust, and transparent legal framework to ensure our partnership is built on a foundation of trust and compliance.
The Data Processing Addendum (DPA)
The central document governing our data processing relationship is the Speed Kit Data Processing Addendum (DPA).
- Standardized and Compliant: Our DPA is based on the EU Commission's standard contractual clauses (SCCs) for processors (Implementing Decision 2021/915), ensuring it meets the requirements of Art. 28 GDPR without needing extensive legal review.
- Integrated by Default: The DPA is automatically incorporated into every service agreement via our General Terms and Conditions (T&Cs), ensuring this critical legal safeguard is always in place.
- Easily Accessible: For your records, a pre-signed version of the DPA is always available for download from our legal page at www.speedkit.com/legal.
Data Processing and Storage
We believe in data minimization and transparency. Here’s a clear breakdown of what data we process, why, and where it is stored.
Data Flow Overview
Speed Kit processes a minimal amount of data required to accelerate your website and monitor performance. The data flow is designed for security and efficiency:
- Browser: A user's browser sends requests for your site's content. The Speed Kit Service Worker intercepts these requests, acting as a client-side proxy. It instantly delivers the cached page from the Speed Kit infrastructure while simultaneously fetching live, dynamic data from your origin server to merge in the browser.
- Network (CDN): Cached, static content is delivered instantly from Fastly's globally distributed Content Delivery Network (CDN).
- Backend (Speed Kit Service): The Speed Kit backend, hosted on AWS in Frankfurt, Germany, anonymizes data, fetches content from your origin, and manages the caches.
- Analytics & Storage: Anonymized performance data is processed and stored in our AWS infrastructure for analysis.
What We Process
- Data Subjects: Visitors to the customer's website.
- Categories of Data:
  - IP Addresses: Anonymized immediately upon receipt. For storage, IP addresses are both truncated (the last 8 bits for IPv4 and the last 80 bits for IPv6 are removed) and stored as an HMAC hash with a daily rotating key to prevent re-identification.
  - Anonymous Identifiers: Randomly generated user and session IDs for performance analysis and bot detection. These IDs contain no personal information.
  - Website Interactions: Performance metrics (e.g., page load times) and accessed URLs (without personal components) are collected to ensure service quality.
- Purpose of Processing: To accelerate website delivery, ensure system security (e.g., bot and DDoS protection), and analyze performance for continuous improvement. No personal profiles are created, and no data is used for marketing or retargeting.
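The IP address handling described above (truncation followed by a keyed hash under a daily key) can be sketched as follows. This is an added illustration, not Speed Kit's code: the function and class names, the use of HMAC-SHA256, the truncate-then-hash order, the in-memory random key and the IPv4-mapped handling are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date

# Bits kept after truncation, per the figures above (8 dropped for IPv4, 80 for IPv6).
KEEP_BITS = {4: 32 - 8, 6: 128 - 80}


def truncate_ip(raw: str) -> str:
    """Zero the host bits: IPv4 becomes a /24 base, IPv6 a /48 base."""
    addr = ipaddress.ip_address(raw.strip())
    # Assumption: IPv4-mapped IPv6 (::ffff:a.b.c.d) is treated as IPv4, otherwise
    # every such client would collapse to "::" and the value would be useless.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


class DailyKey:
    """Assumed key handling: one random in-memory key per day, old key overwritten."""

    def __init__(self) -> None:
        self._day = None
        self._key = b""

    def for_day(self, day: date) -> bytes:
        if day != self._day:
            self._day, self._key = day, secrets.token_bytes(32)
        return self._key


def anonymize_ip(raw: str, day: date, keys: DailyKey) -> str:
    """Truncate first, then HMAC-SHA256 the truncated address under the day's key.

    A keyed hash matters here: only 2**24 truncated IPv4 values exist, so an
    unkeyed hash could be reversed by enumeration. Once the key is discarded,
    tags from different days can no longer be linked or recomputed.
    """
    truncated = truncate_ip(raw)
    return hmac.new(keys.for_day(day), truncated.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    keys = DailyKey()
    # Constructed sample addresses from the documentation ranges.
    for ip in ("203.0.113.77", "2001:db8:abcd:1234::1", "::ffff:203.0.113.9"):
        print(ip, "->", truncate_ip(ip), anonymize_ip(ip, date(2024, 1, 1), keys)[:16])
```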
Sub-processors and Data Locations
We partner with leading infrastructure providers to deliver our service. All sub-processors are vetted for their security and compliance standards.
- Primary Backend Location: Our core application servers and primary data storage are located within the European Union at Amazon Web Services (AWS) data centers in Frankfurt, Germany.
- Content Delivery Network (CDN): Fastly, Inc. provides a globally distributed CDN to deliver cached content from the edge server closest to the user. Data transfer is protected by Standard Contractual Clauses and Fastly's certification under the EU-U.S. Data Privacy Framework. Customers can optionally limit data transfer to Fastly's EU infrastructure.
- Data Analytics: Hex Technologies, Inc. provides a platform for data science and analysis, hosted in AWS EU data centers. Access from the USA for support is safeguarded by SCCs and Hex's DPF certification.
Cookies, Consent, and Real User Monitoring (RUM)
Speed Kit's use of cookies is limited, purposeful, and designed to comply with privacy regulations, simplifying your consent management obligations.
How Speed Kit Uses Cookies
Speed Kit uses two first-party storage entries, referred to here as cookies and kept in the browser's localStorage, to ensure the reliability and security of our service.
- baqend-speedkit-config: This stores configuration parameters (e.g., { "group": "A", "testId": "10vs100" }) to manage phased rollouts and A/B tests. This ensures that any changes are deployed safely without impacting all users at once.
- baqend-speedkit-user-id: This stores a randomly generated, anonymous visitor ID (e.g., R2fUvr6CsPpO0Hm4RDelAnYEj). It is used to correlate performance data across multiple page views to identify returning user issues, detect anomalous bot behavior, and analyze performance trends.
Consent Management: Why Speed Kit is "Technically Necessary"
A key advantage of Speed Kit is that its use generally does not require prior consent in a cookie banner.
- Legal Basis (ePrivacy): Under Germany's TDDDG (§ 25), which implements the ePrivacy Directive, storing information on a user's device is exempt from consent if it is "absolutely necessary" to provide a service "expressly requested" by the user.
- Our Justification:
  - Speed Kit provides core functionalities for website security, stability, and speed, which are considered part of the basic service requested by a visitor.
  - The cookies we set are absolutely necessary for these functions, such as preventing errors during rollouts and detecting security threats like bots.
  - Therefore, setting these cookies falls under the "technically necessary" exemption.
- Legal Basis (GDPR): The subsequent processing of the (anonymized) data is based on Legitimate Interest (Art. 6(1)(f) GDPR). Our legitimate interest is ensuring the secure, stable, and high-performance operation of our customers' websites.
This classification means that Speed Kit's acceleration and RUM tracking can be active by default, ensuring maximum performance gains and data coverage even if a user rejects optional cookies.
Integrating Speed Kit with Your Consent Tools and Policies
For full transparency with your users, you should account for Speed Kit in your consent management platform (CMP) and your website's main privacy policy.
For Your Cookie Banner / CMP
The following information can be used as a template to describe Speed Kit within your cookie consent tool. As Speed Kit is classified as "technically necessary," it should be listed under this category and enabled by default.
Description and purpose of data processing
The use of Speed Kit serves to accelerate the delivery and display of our website. It is technically necessary to transmit the accessed URL and the visitor's IP address to the Speed Kit provider. IP addresses are immediately anonymized. Speed Kit uses cookies for security purposes (e.g., bot detection) and to analyze performance and detect misconfigurations. No personal profiles are created. As part of this process, Speed Kit uses Fastly, a Content Delivery Network (CDN), to deliver content from a server geographically close to the user.
Processor
Baqend GmbH, Stresemannstraße 23, 22769 Hamburg, Germany, acts as a processor based on a Data Processing Addendum (Art. 28 GDPR).
Categories of personal data processed
IP address (anonymized), Requested URL, User Agent, Anonymous user & session ID.
Legal basis
Art. 6(1)(f) GDPR (Legitimate interests in a secure and performant website); § 25(2) No. 2 TDDDG (Technically necessary).
Place of processing
European Union; worldwide for the Content Delivery Network.
Storage period
The storage period for cookies is 6 months.
For Your Privacy Policy
If you need example text for describing Speed Kit's function in your main data privacy policy, we recommend adapting the text from our own policy, which is always kept up-to-date.
To ensure your policy remains accurate, we advise against copying a static version of the text. Instead, we recommend you refer to the live version on our website as a reference.
Reference Text: You can refer to section 3.2 ("Speed Kit") of the Baqend privacy policy at https://www.speedkit.com/privacy#speedkit.
Data Processing and AI for Predictive Preloading
Our Predictive Preloading feature uses AI models to anticipate a user's next navigation, enabling pages to be loaded before they are even clicked. This section clarifies the data processing involved in training and operating these models, ensuring full transparency.
What Data is Used for Model Training?
The prediction models are trained exclusively using anonymous, aggregated RUM signals collected from pages accelerated by Speed Kit. No personal data is ever used.
Data from Sensitive Areas is Excluded
We do not use training data for links pointing to areas excluded from Speed Kit's acceleration, such as checkout funnels or user account sections.
Anonymous Link Characteristics
The models learn from the characteristics of both clicked and non-clicked links, aggregated across all users, without any personal reference. These characteristics include:
- The size, area, and position of a link within the viewport.
- User interactions like scroll speed, scroll position, and the number of visible links.
- General device information such as screen resolution and device type.
Data Isolation and Model Training
We adhere to a strict data segregation policy to protect the integrity of your data.
- Customer-Specific Models: Your data is never used to train a generic, global model. The AI model active on your website is trained exclusively with your site's own anonymous, aggregated data.
- Algorithm Improvement: Improvements to our general prediction algorithms are derived from abstract performance observations and research. We do not use or share customer-specific datasets to enhance our core algorithms.
Model Retraining and Maintenance
Our AI models are designed to be robust and are continuously maintained to ensure high performance.
- Training Frequency: Models are retrained at a configurable interval, which is set to weekly by default. They are robust because they learn from stable navigation and link characteristics.
- Performance-Triggered Retraining: If our RUM metrics detect a significant performance regression in the prediction quality, a retraining of the model is automatically triggered to adapt to any changes.
Policy on Third-Party AI Services
We maintain full control over our AI infrastructure and do not share data with external providers.
- No Data Sharing: We do not share any data with OpenAI, Google, or any similar third-party AI service providers.
- Internal Models: We exclusively train and operate our own internal models to ensure the highest level of security and data privacy.
User Controls and Opt-Out Options
We provide clear mechanisms for both end-user and customer control over the feature.
- End-User Opt-Out: You can provide an opt-out option for your website visitors within your privacy policy. If a user opts out, no RUM signals related to predictive preloading will be collected from their session.
- Complete Feature Deactivation: As a Speed Kit customer, you can request to have the predictive preloading models completely deactivated for your site. Doing so will reduce the effectiveness of the feature, leading to lower prediction accuracy and less lead time for the browser to pre-render pages, which in turn diminishes the overall performance benefit.
Verified Security & Technical Measures
Our commitment to security is not just a promise; it's a core part of our architecture, processes, and culture, validated by external experts.
Our Security-First Architecture
We build our systems on industry-recognized security principles to create a resilient, multi-layered defense.
- Zero-Trust: We operate on the assumption that no user or system should be implicitly trusted. Every interaction requires continuous validation.
- Assume-Breach: Our systems are designed to limit the blast radius of a potential breach, assuming that an adversary will eventually get in.
- Defense-in-Depth: We layer multiple defensive mechanisms across our entire technology stack—from the network edge to the application code.
- Least-Privilege & Need-to-Know: Access to data and systems is granted only with the minimum permissions necessary for a specific task and only for the required duration.
Technical and Organizational Measures (TOMs)
We have implemented robust TOMs to protect customer data, which are detailed in Annex III of our DPA. These measures are regularly audited by an expert from LUCID Compliance GmbH. The audit confirms the appropriateness and effectiveness of our controls across all key areas:
- Access Control: Preventing unauthorized access to our data centers and systems.
- Encryption: All data is encrypted in transit (TLS) and at rest (AES-256).
- Availability Control: Ensuring resilience against data loss or destruction through redundant systems and regular backups.
- Separation Control: Logically separating customer data in our multi-tenant environment.
- Input & Transfer Control: Logging all access and ensuring data is protected during any transfer.
External Security Audits
We engage third-party security firms to validate our security posture continuously.
- Company Security Assessment: Baqend underwent a comprehensive "inside-out" security assessment by the defense company CISOCON. This deep-dive review of our technology, processes, and strategy ensures our security program is robust from top to bottom.
- Continuous Penetration Testing: We use Detectify, a leading penetration testing-as-a-service platform, to conduct continuous, crowdsourced security testing on our external attack surface. This allows us to benefit from the latest research from ethical hackers to identify and remediate vulnerabilities proactively.