Security, Data Routing & GDPR
This section describes how the Bytek Prediction Platform (BPP) protects customer data: the
architecture, the data routing from BigQuery to downstream platforms, the security control
set, data residency, and the GDPR framework. ByTek S.r.l. (Datrix Group) operates the
platform.
Principles
- Warehouse-centric processing. Source data is read from the customer's own BigQuery
project and enriched results are written back into that same warehouse. BPP does not
build a parallel data lake of raw customer data.
- Minimal, pseudonymized activation. Only SHA-256-hashed identifiers and predictive
values (scores, pLTV, segment labels) are sent to downstream platforms (Google Ads, Meta,
custom APIs). Raw behavioral and transactional records are never sent to advertising
platforms.
- Customer stays the Data Controller. ByTek acts strictly as a Data Processor under
Art. 28 GDPR, processing only on the customer's documented instructions, with no secondary
use.
- EU-only, enterprise-grade controls. All infrastructure is hosted within the EU/EEA,
governed by an Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022
and the NIST CSF, with continuous control monitoring via Drata.
Infrastructure at a glance
| Component | Technology | Hosting |
|---|
| Core API (control plane) | Django REST Framework (Python) | Google Cloud Run — GCP europe-west1 (Belgium) |
| Frontend | React + Vite + TypeScript | Google Cloud Run — GCP europe-west1 |
| Export / ETL / AI jobs | Python | ByTek EU infrastructure (GCP + Hetzner Cloud, Germany) |
| Central config DB / per-customer reconciliation DB | PostgreSQL | Cloud SQL — GCP EU |
| Data warehouse | Google BigQuery | Customer's own GCP project |
| Secret management | Google Secret Manager (apps) + Zoho Vault (privileged) | GCP EU |
| CI/CD | Bitbucket Pipelines + Google Cloud Build | GCP EU |
| Identity provider | Google Workspace (enforces MFA) | EU |
All ByTek-operated infrastructure runs within the EU/EEA.
In this section
- Data Architecture & Routing — where data lives and how it flows from BigQuery to other platforms.
- Security Controls — access, encryption, application security, vulnerability management, logging, personnel.
- Data Residency — EU-only hosting and international transfers.
- GDPR & Data Protection — controller/processor roles, governance, data subject rights, retention, exit.
- Sub-processors — the parties involved in processing and their safeguards.
- Business Continuity & Incident Response — backups, disaster recovery, incident handling.
Compliance posture
| Framework | Status |
|---|
| ISO/IEC 27001:2022 | ISMS established with a defined certification scope; certification in progress. |
| NIST CSF | Controls mapped to the framework. |
| GDPR | Processor obligations met (DPA, ROPA, external DPO, policy set). |
| Google Cloud (sub-processor) | ISO 27001:2022 certified and SOC 2 Type II. |
Continuous compliance is monitored via Drata across Google Workspace, GCP, and Bitbucket.
Shared responsibility model
| Area | Customer (Controller) | ByTek (Processor) |
|---|
| Raw customer data | Owns, stores, governs in own BigQuery project | Reads in place; writes results back; no data lake |
| Lawful basis & consent | Establishes (e.g. via a consent platform) | Honors PII flags & suppression |
| Data residency choice | Decides warehouse region | Hosts ByTek components EU-only |
| Identifiers for activation | Provides | Normalizes and SHA-256-hashes before sending |
| BPP UI access | Manages its own users | Enforces MFA & RBAC |
| Erasure requests | Initiates | Executes end-to-end across reconciliation DB and BigQuery |
| Activation platform terms | Holds Google Ads / Meta accounts | Sends only hashed IDs and values |
Quick reference
| Topic | Answer |
|---|
| Data residency | EU/EEA only (GCP Belgium + Hetzner Germany) |
| Encryption at rest / in transit | AES-256 / TLS 1.2+ |
| Key rotation | ≤12 months |
| MFA | Mandatory (production, cloud, admin) |
| Access review | Quarterly |
| Patch SLAs | Critical 24h / High 72h / Medium 7d / Low 30d |
| SAST / DAST | Yes (CI/CD gate) / Yes (staging) |
| Penetration test | Annual, independent |
| SIEM / log retention | Yes / ≥12 months |
| Backups | Daily, multi-region EU, AES-256, quarterly restore test |
| DR test cadence | Semi-annual |
| Breach notification | Authority and controller within 72h |
| Secure deletion | Crypto-shredding / secure media destruction |
| DPO | External (SAPG Legal Tech S.r.l.) |
| Sub-processors | GCP, Hetzner (EU) |