Data Privacy
Taloflow's architecture embeds data privacy at every layer, from initial design through implementation. This section documents Taloflow's privacy posture for data controllers, DPOs, and security reviewers.
Core Privacy Principles
Taloflow implements seven privacy principles that govern how personal data is handled across the platform.
1. Data minimization: Only collect what is necessary. Credentials are never stored by Taloflow; they are delegated entirely to Auth0.
2. Deny-by-default authorization: No user or service can access any resource unless an explicit policy grants access.
3. Encryption at every layer: Application-level encryption before storage, TLS in transit, encrypted backups.
4. Pseudonymization: UUIDs (member_id) are used as internal identifiers. PII mapping is limited to a single service.
5. Key sovereignty: Taloflow controls all encryption keys. Keys are not delegated to the cloud provider.
6. Full lifecycle control: Collection, processing, storage, access, retention, and deletion are all documented with controls.
7. Enforcement in code: Privacy controls are implemented as middleware and shared libraries, not left to developer convention.
What Is in This Section
Personal Data Inventory: What personal data we collect
Data Subject Rights: GDPR rights and how to exercise them
Data Minimization Policy: What data we do not collect
Data Flow Diagrams: How data flows through the system
Third-Party Subprocessors: Third-party processors we use
Compliance Maintenance Calendar: Our compliance maintenance schedule
For technical controls covering encryption, access management, and audit logging, see the Security & Compliance section.