Data Privacy

Taloflow's architecture embeds data privacy at every layer, from initial design through implementation. This section documents Taloflow's privacy posture for data controllers, DPOs, and security reviewers.


Core Privacy Principles

Taloflow implements seven privacy principles that govern how personal data is handled across the platform.

| # | Principle | Description |
|---|-----------|-------------|
| 1 | Data minimization | Only collect what is necessary. Credentials are never stored by Taloflow — delegated entirely to Auth0. |
| 2 | Deny-by-default authorization | No user or service can access any resource unless an explicit policy grants access. |
| 3 | Encryption at every layer | Application-level encryption before storage, TLS in transit, encrypted backups. |
| 4 | Pseudonymization | UUIDs (member_id) are used as internal identifiers. PII mapping is limited to a single service. |
| 5 | Key sovereignty | Taloflow controls all encryption keys. Keys are not delegated to the cloud provider. |
| 6 | Full lifecycle control | Collection, processing, storage, access, retention, and deletion are all documented with controls. |
| 7 | Enforcement in code | Privacy controls are implemented as middleware and shared libraries, not left to developer convention. |


What Is in This Section

| Topic | Page |
|-------|------|
| What personal data we collect | Personal Data Inventory |
| GDPR rights and how to exercise them | Data Subject Rights |
| What data we do not collect | Data Minimization Policy |
| How data flows through the system | Data Flow Diagrams |
| Third-party processors we use | Third-Party Subprocessors |
| Our compliance maintenance schedule | Compliance Maintenance Calendar |

For technical controls covering encryption, access management, and audit logging, see the Security & Compliance section.
