Privacy Policy

1. Introduction

NVH Shield is a DDoS protection service operated by NVHCloud SAS, a French company registered under SIRET number 932 966 187 00019. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our DDoS protection services.

We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and French data protection laws.

2. Data Controller Information

3. Information We Collect

3.1 Personal Information

When you register for our services, we collect:

• Name and contact information (email, phone number)
• Company information and billing address
• Payment information (processed by our secure payment providers)
• Technical contact details

3.2 Technical Data

To provide DDoS protection services, we automatically collect:

• Network traffic metadata (IP addresses, packet headers, traffic patterns)
• Security logs and threat intelligence data
• Performance metrics and uptime statistics
• Configuration data for your protected services

3.3 Infrastructure Data

Our XDP-based protection system processes traffic data through our partner networks:

• RoyaleHosting: Primary transit provider with 4.5+ Tbps capacity
• HolyCloud: Secondary transit provider with 2+ Tbps capacity
• NVH Direct: Our own 500+ Gbps filtering infrastructure

4. How We Use Your Information

4.1 Service Provision

• Providing DDoS protection and security services
• Monitoring and analyzing network traffic for threats
• Configuring and maintaining protection rules
• Generating security reports and alerts

4.2 Communication

• Sending service notifications and security alerts
• Providing technical support
• Billing and account management
• Important service updates

4.3 Legal Compliance

• Complying with legal obligations under French and EU law
• Responding to lawful requests from authorities
• Preventing fraud and abuse

5. Legal Basis for Processing

Under GDPR, we process your data based on:

• Contract Performance: Providing the DDoS protection services you've requested
• Legitimate Interest: Network security, fraud prevention, and service improvement
• Legal Obligation: Compliance with French cybersecurity and data retention laws
• Consent: Marketing communications (where explicitly provided)

6. Data Sharing and Third Parties

6.1 Service Partners

We share technical data with our infrastructure partners to provide protection:

• RoyaleHosting and HolyCloud: Traffic routing and filtering
• Payment Processors: Stripe, PayPal (for billing)
• Cloud Providers: For service infrastructure

6.2 Legal Requirements

We may disclose information when required by:

• French law enforcement agencies
• ANSSI (Agence nationale de la sécurité des systèmes d'information)
• Court orders or legal processes
• Emergency situations involving threats to public safety

7. Data Retention

We retain different types of data for varying periods:

• Account Information: Duration of service + 3 years
• Traffic Logs: 30 days (for security analysis)
• Security Incidents: 1 year (for threat intelligence)
• Billing Records: 10 years (French legal requirement)

8. Your Rights Under GDPR

As a data subject, you have the following rights:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate personal data
• Erasure: Request deletion of your data (subject to legal obligations)
• Portability: Receive your data in a structured format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interests

9. Data Security

We implement comprehensive security measures:

• XDP Kernel Bypass: Hardware-level traffic filtering
• Encryption: AES-256 for data at rest, TLS 1.3 for transmission
• Access Controls: Role-based access with MFA
• Infrastructure Security: SOC 2 Type II compliant data centers
• Network Isolation: Segregated customer environments

10. International Transfers

Our services operate primarily within the European Union. When data is transferred outside the EU, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Binding Corporate Rules where applicable

11. Cookies and Tracking

Our website uses essential cookies for:

• Session management and authentication
• Security and fraud prevention
• Technical functionality

We do not use tracking cookies for advertising purposes. Analytics cookies are used only with your consent.

12. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16.

13. Changes to This Policy

We may update this Privacy Policy periodically. Significant changes will be communicated via:

• Email notification to account holders
• Notice in your customer dashboard
• Updated posting on our website