Security

1. Architectural Overview

The proposed architecture is built on a "Privacy-by-Design" approach. It establishes a European security gateway between the user's terminal and destination platforms (GA4, Meta, etc.).

Logical Data Flow Diagram

[ USER / BROWSER ]
          |
          | (1) HTTPS Flow (First-Party)
          |     Domain: metrics.your-site.com
          v
+-------------------------------------------------------------+
| SECURITY BUFFER ZONE (Bunny.net)                            |
| ----------------------------------------------------------- |
| [ CDN / EDGE ]  <-- SSL Termination & Optimization          |
| [ WAF ]         <-- Filtering (Anti-DDoS, Bad Bots)         |
|                                                             |
| * Config: Global (Performance) OR Tier-1 EU (Sovereignty)   |
+-------------------------------------------------------------+
          |
          | (2) Secured Flow (Encrypted Tunnel)
          |     Protected Origin (Masked IP)
          v
+-------------------------------------------------------------+
| PROCESSING INFRASTRUCTURE (GTM Server-Side)                 |
| ----------------------------------------------------------- |
| Host: SCALEWAY / HETZNER                                    |
| Location: EUROPE (France / Germany)                         |
|                                                             |
| [ GTM LOGIC ]                                               |
| -> Request Reception                                        |
| -> Cleaning / Pseudonymization (IP, User Agent)             |
| -> Enrichment (if required)                                 |
+-------------------------------------------------------------+
          |
          | (3) Server-to-Server API Egress
          |     Controlled & Pseudonymized Data
          +-----------------------+-----------------------+
          |                       |                       |
          v                       v                       v
 [ GOOGLE GA4 ]          [ META CAPI ]          [ OTHER THIRD PARTIES ]
 (United States)         (United States)        (By Vendor)

2. Detailed Flow Analysis

Flow (1): Browser ↔ Bunny.net (Ingress)

Protocol: Encrypted HTTPS.
Context: "First-party" collection. The browser communicates directly with metrics.your-site.com, ensuring the flow is treated as internal by the browser and WAF.
Security: Bunny.net acts as a shield (Reverse Proxy). It absorbs traffic and blocks common threats (injections, botnets) via its WAF before they reach the processing server.

Flow (2): Bunny.net ↔ GTM Servers (Internal)

Infrastructure: GTM containers are hosted on dedicated instances at Scaleway and Hetzner, which are exclusively European providers.
Encryption: Data transport is encrypted end-to-end.
Role: Real-time data processing; no long-term data storage is performed on these servers.

Flow (3): GTM Servers ↔ Partners (Egress)

Governance: Unlike traditional client-side tracking, your GTM server decides exactly what data is sent based on your specific tag configurations.
Pseudonymization: Before transmission to GA4 (USA), we remove the real IP address and clean URL parameters (PII) to protect the user's direct identity.

3. Data Sovereignty Strategy (Bunny.net)

To meet DPO requirements regarding data localization, we utilize a hybrid strategy:

Performance Mode: Global CDN configuration for maximum speed.
Strict Compliance: On-demand activation of the "Tier-1 EU Providers Only" option.
Impact: Traffic is routed exclusively through nodes located within the European Union, ensuring immediate compliance without service interruption.

4. Technical Prerequisites & Impacts

The integration is designed to be "Zero-Trust" compatible and lightweight for IT teams:

DNS: NS delegation or a simple CNAME record for the sub-domain.
SSL Certificates: Automated management (provisioning and renewal) handled by Sirdata.
Firewall / Network: * Update your Content Security Policy (CSP) to whitelist the new sub-domain metrics.your-site.com.
- No complex port openings required; all traffic uses standard web protocols (Port 443).

PrécédentBypass Ad-Blockers SuivantCancellation

Mis à jour il y a 2 heures

hashtag1. Architectural Overview

hashtagLogical Data Flow Diagram

hashtag2. Detailed Flow Analysis

hashtagFlow (1): Browser ↔ Bunny.net (Ingress)

hashtagFlow (2): Bunny.net ↔ GTM Servers (Internal)

hashtagFlow (3): GTM Servers ↔ Partners (Egress)

hashtag3. Data Sovereignty Strategy (Bunny.net)

hashtag4. Technical Prerequisites & Impacts