# Security

### 1. Architectural Overview

The proposed architecture is built on a **"Privacy-by-Design"** approach. It establishes a European security gateway between the user's device and destination platforms (GA4, Meta, etc.).

#### Logical Data Flow Diagram

```
[ USER / BROWSER ]
          |
          | (1) HTTPS Flow (First-Party)
          |     Domain: metrics.your-site.com
          v
+-------------------------------------------------------------+
| SECURITY BUFFER ZONE (Bunny.net)                            |
| ----------------------------------------------------------- |
| [ CDN / EDGE ]  <-- SSL Termination & Optimization          |
| [ WAF ]         <-- Filtering (Anti-DDoS, Bad Bots)         |
|                                                             |
| * Config: Global (Performance) OR Tier-1 EU (Sovereignty)   |
+-------------------------------------------------------------+
          |
          | (2) Secured Flow (Encrypted Tunnel)
          |     Protected Origin (Masked IP)
          v
+-------------------------------------------------------------+
| PROCESSING INFRASTRUCTURE (GTM Server-Side)                 |
| ----------------------------------------------------------- |
| Host: SCALEWAY / HETZNER                                    |
| Location: EUROPE (France / Germany)                         |
|                                                             |
| [ GTM LOGIC ]                                               |
| -> Request Reception                                        |
| -> Cleaning / Pseudonymization (IP, User Agent)             |
| -> Enrichment (if required)                                 |
+-------------------------------------------------------------+
          |
          | (3) Server-to-Server API Egress
          |     Controlled & Pseudonymized Data
          +-----------------------+-----------------------+
          |                       |                       |
          v                       v                       v
 [ GOOGLE GA4 ]          [ META CAPI ]          [ OTHER THIRD PARTIES ]
 (United States)         (United States)        (By Vendor)
```

### 2. Detailed Flow Analysis

#### Flow (1): Browser ↔ Bunny.net (Ingress)

* Protocol: Encrypted HTTPS.
* Context: "First-party" collection. The browser communicates directly with `metrics.your-site.com`, ensuring the flow is treated as internal by the browser and WAF.
* Security: Bunny.net acts as a shield (Reverse Proxy). It absorbs traffic and blocks common threats (injections, botnets) via its WAF before they reach the processing server.

#### Flow (2): Bunny.net ↔ GTM Servers (Internal)

* Infrastructure: GTM containers are hosted on dedicated instances at Scaleway and Hetzner, which are exclusively European providers.
* Encryption: Data transport is encrypted end-to-end.
* Role: Real-time data processing; no long-term data storage is performed on these servers.

#### Flow (3): GTM Servers ↔ Partners (Egress)

* Governance: Unlike traditional client-side tracking, your GTM server decides exactly what data is sent based on your specific tag configurations.
* Pseudonymization: Before transmission to GA4 (USA), we remove the real IP address and clean URL parameters (PII) to protect the user's direct identity.
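
The egress cleaning described above, sketched as an added example (not Sirdata's or GTM's own code). The event field names `ip_override`, `page_location` and `page_referrer` and the list of PII parameter names are assumptions to adapt to your tag configuration.

```javascript
// Added example (hypothetical helper, not Sirdata's or GTM's code).
// Field names ip_override, page_location and page_referrer are assumptions.

// Parameter names treated as PII (constructed list; adapt it to your site).
const PII_PARAMS = new Set(['email', 'phone', 'tel', 'firstname', 'lastname', 'address']);
// Catches e-mail addresses hidden under an innocuous parameter name.
const EMAIL_RE = /[^\s@&=]+@[^\s@&=]+\.[a-z]{2,}/i;
const URL_FIELDS = ['page_location', 'page_referrer'];

function scrubUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return undefined; // unparsable: drop it rather than forward it as-is
  }
  // Iterate over a copy because entries are deleted while looping.
  for (const [key, value] of [...url.searchParams]) {
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.delete(key);
    }
  }
  return url.toString();
}

function scrubEvent(event) {
  const out = { ...event };
  delete out.ip_override; // the real client IP stays on the EU server
  for (const field of URL_FIELDS) {
    if (typeof out[field] !== 'string') continue;
    const clean = scrubUrl(out[field]);
    if (clean === undefined) delete out[field];
    else out[field] = clean;
  }
  return out;
}

// Constructed sample event.
const sampleEvent = {
  event_name: 'purchase',
  ip_override: '203.0.113.7',
  page_location: 'https://your-site.com/thanks?order=42&email=jane%40example.org',
  page_referrer: 'https://your-site.com/cart?contact=jane%40example.org&step=2',
};
console.log(scrubEvent(sampleEvent));
```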

***

### 3. Data Sovereignty Strategy (Bunny.net)

To meet DPO requirements regarding data localization, we utilize a hybrid strategy:

* Performance Mode: Global CDN configuration for maximum speed.
* Strict Compliance: On-demand activation of the "Tier-1 EU Providers Only" option.
* Impact: Traffic is routed exclusively through nodes located within the European Union, ensuring immediate compliance without service interruption.

***

### 4. Technical Prerequisites & Impacts

The integration is designed to be "Zero-Trust" compatible and lightweight for IT teams:

* DNS: NS delegation or a simple CNAME record for the sub-domain.
* SSL Certificates: Automated management (provisioning and renewal) handled by Sirdata.
* Firewall / Network:
  * Update your Content Security Policy (CSP) to whitelist the new sub-domain `metrics.your-site.com`.
  * No complex port openings required; all traffic uses standard web protocols (Port 443).
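
A pre-deployment check for the CSP update, as an added example (not Sirdata's code): it reports which directives of an existing policy would still block `metrics.your-site.com`. The set of directives checked (`script-src`, `connect-src`, `img-src`) is an assumption, and the sample policies are constructed.

```javascript
// Added example (hypothetical check, not Sirdata's code).
const COLLECT_HOST = 'metrics.your-site.com';
// Directives assumed relevant for a tagging endpoint; confirm against your tags.
const DIRECTIVES = ['script-src', 'connect-src', 'img-src'];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    // When a directive is repeated, only its first occurrence applies.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function sourceAllows(source, host) {
  const s = source.toLowerCase();
  if (s === '*' || s === 'https:' || s === 'http:') return true;
  // 'self' is deliberately not a match: it covers the page's own origin
  // only, and the collection sub-domain is a different origin.
  // Path-restricted sources are not matched (conservative: reported as blocking).
  const pattern = s.replace(/^https?:\/\//, '').replace(/:443$/, '');
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function blockedDirectives(header, host = COLLECT_HOST) {
  const policy = parseCsp(header);
  return DIRECTIVES.filter((name) => {
    // Fetch directives fall back to default-src when absent.
    const sources = policy.get(name) ?? policy.get('default-src');
    if (sources === undefined) return false; // unrestricted
    return !sources.some((src) => sourceAllows(src, host));
  });
}

// Constructed policies: before and after adding the sub-domain.
const before = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *";
const after = "default-src 'self'; script-src 'self' https://metrics.your-site.com; " +
  "connect-src 'self' https://metrics.your-site.com; img-src *";

console.log('before:', blockedDirectives(before));
console.log('after: ', blockedDirectives(after));
```

Run it against the `Content-Security-Policy` header your site currently serves; an empty result means none of the checked directives blocks the sub-domain.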

