AES-256-GCM per-site encryption, dual-hash PII strategy, 90-day auto-scrubbing, per-tenant-encrypted Parquet exports on request, and GDPR/CCPA privacy controls by design.
Data sovereignty is not a feature; it is an architectural decision that must be made at the foundation of any analytics platform. ClickStream's data architecture ensures that personally identifiable information (PII) is encrypted at rest with AES-256-GCM using per-site encryption keys, hashed with a dual-hash strategy (SHA-256 for internal identity resolution, MD5 for ad-tech compatibility), automatically scrubbed after a configurable 90-day TTL, and exported on request in per-tenant-encrypted Parquet format from ClickStream-managed Cloudflare R2 infrastructure (Scale plans and above). This whitepaper details every layer of the privacy architecture, from the encryption envelope to GDPR Article 17 (right to erasure) compliance, CCPA opt-out mechanics, and Schrems II positioning for EU-US data transfers.
Most analytics platforms operate on a trust model where the customer sends their visitor data to a vendor-controlled infrastructure, hopes the vendor handles it properly, and has no meaningful audit capability. This model has failed repeatedly: data breaches at third-party analytics providers, unauthorized data sharing with advertising networks, and regulatory penalties for customers who delegated data processing to non-compliant vendors.
ClickStream's data sovereignty architecture addresses four threat categories:
Every customer site in ClickStream receives a unique 256-bit AES encryption key. PII is neutralized at the edge before storage: analytics storage holds hashed identifiers only (HMAC-SHA-256 and MD5 email hashes, hashed phone, SHA-256 IP hash — never raw values), while raw contact fields are AES-256-GCM encrypted with per-site keys and gated behind an audited, password-protected reveal workflow.
| Aspect | Implementation |
|---|---|
| Key generation | 256-bit random key generated at site onboarding |
| Key storage | Cloudflare Workers KV, encrypted at rest by Cloudflare |
| Key access | Encryption keys are scoped per site |
| Key deletion | Key destruction can be requested through support, rendering the encrypted PII envelope undecryptable |
| Algorithm | AES-256-GCM with 96-bit IV and 128-bit authentication tag |
Not all data requires encryption. ClickStream classifies fields into three categories:
| Category | Examples | Treatment |
|---|---|---|
| PII (encrypted) | Email, phone, IP address | AES-256-GCM encrypted before storage |
| Pseudonymous (hashed) | Visitor ID, session ID, device signature | Already pseudonymous; stored as-is |
| Behavioral (plaintext) | Scroll depth, click count, page URL, scores | Non-identifying; stored in plaintext for analytics |
The encryption boundary is the critical design decision: encrypt everything that could identify a natural person, hash everything that serves as an identity linkage, and leave behavioral data unencrypted for analytics performance.
When a visitor provides an email address (through form submission, login, or checkout), ClickStream generates two irreversible hashes:
The SHA-256 hash is used exclusively within ClickStream's identity graph. It links visitor sessions, resolves cross-device identities, and powers the behavioral profile. SHA-256 is cryptographically secure and computationally infeasible to reverse.
The MD5 hash exists solely for compatibility with ad-tech platforms. Most demand-side platforms expect MD5-hashed email addresses as their identity key. While MD5 is not cryptographically secure (collision attacks exist), it is an industry standard for this specific use case and does not expose raw PII.
| Attribute | SHA-256 (Internal) | MD5 (Ad-Tech) |
|---|---|---|
| Purpose | Identity graph resolution | Ad platform audience matching |
| Security level | Cryptographically secure | Industry-standard (not collision-resistant) |
| Stored where | D1 identity graph | Stored as a hash in analytics storage; sent to the enrichment vendor only when enrichment is enabled (opt-in, default OFF) |
| Reversible | No | Theoretically via rainbow tables |
| Shared externally | Never | Only to configured ad-tech partners |
The raw email address is encrypted with AES-256-GCM and stored in the PII envelope. The hashes exist independently. Even if the encryption key is lost, the hashes remain functional for identity resolution.
All behavioral event data has a default time-to-live (TTL) of 90 days. After 90 days, event-level data is automatically and irreversibly deleted from both the Analytics Engine and D1.
| Data Type | TTL | After Expiry |
|---|---|---|
| Raw event data (page views, clicks, etc.) | 90 days | Permanently deleted from Analytics Engine |
| Behavioral scores per session | 90 days | Expire from the scores Analytics Engine dataset; aggregated scores retained |
| IP addresses (encrypted) | 90 days | Deleted; IP-based geo already resolved at write time |
| Identity graph edges (probabilistic) | 7–90 days by signal type | Edges decay automatically; a 90-day PII scrub cron and graph-wide erasure remove personal data |
| Aggregated analytics | No TTL | Retained indefinitely (non-identifying) |
| Parquet exports | 90 days | Export files in ClickStream's R2 are automatically deleted 90 days after creation |
Auto-scrubbing is implemented as Cloudflare Cron Triggers: an hourly retention purge (with stricter windows for GDPR-strict and HIPAA compliance profiles) plus a nightly export-cleanup job:
ClickStream's export pipeline writes analytics data to ClickStream-managed Cloudflare R2 in Apache Parquet format — Snappy-compressed, Hive-partitioned, and encrypted per tenant with a key derived from your own site key. Raw-event Parquet exports are available on request on Scale and above today; campaign CSV exports are self-serve on Growth and above.
| Attribute | Value |
|---|---|
| Format | Apache Parquet (columnar) |
| Compression | Snappy |
| Partitioning | Hive-style (year=/month=/day=/hour=) |
| Schema | Mirrors Analytics Engine blob/double mapping |
| PII handling | Exports carry hashed identifiers only; files are AES-256-GCM encrypted with a per-tenant key; GDPR-erased visitors are excluded |
| Storage location | ClickStream-managed R2 infrastructure |
| Retention | 90 days; export files in ClickStream's R2 are automatically deleted 90 days after creation |
Parquet is an open columnar format readable by DuckDB, Apache Spark, Pandas, Polars, Amazon Athena, and any Parquet-aware SQL engine — so exported data is never locked to ClickStream's tooling. Raw-event exports are fulfilled on request for Scale+ plans today; campaign CSV exports are self-serve on Growth+.
ClickStream classifies all data into four tiers with progressively stricter handling requirements:
| Tier | Classification | Examples | Encryption | TTL | Export |
|---|---|---|---|---|---|
| Tier 1 | Direct PII | Email, phone, name | AES-256-GCM | 90 days (or custom) | Encrypted in export |
| Tier 2 | Indirect PII | IP address, precise geolocation | AES-256-GCM | 90 days | Encrypted or omitted |
| Tier 3 | Pseudonymous | Visitor ID, session ID, hashes | None (already pseudonymous) | Cookie lifetime up to 400 days | Included |
| Tier 4 | Behavioral / Aggregate | Scores, page URLs, timestamps | None | 90 days (events) / indefinite (aggregates) | Included |
ClickStream's architecture addresses GDPR requirements structurally, not through policy alone:
| GDPR Article | Requirement | ClickStream Implementation |
|---|---|---|
| Art. 5(1)(e) | Storage limitation | 90-day TTL with automated scrubbing |
| Art. 5(1)(f) | Integrity and confidentiality | AES-256-GCM encryption at rest |
| Art. 6 | Lawful basis | Consent gates with a consent-receipt audit trail |
| Art. 7 | Conditions for consent | SDK checks consent before setting cookies |
| Art. 15 | Right of access | Erasure API today; access requests handled via support |
| Art. 17 | Right to erasure | Cascade delete across all data stores |
| Art. 20 | Data portability | CSV exports self-serve (Growth+); Parquet raw-event exports in open format on request (Scale+) |
| Art. 25 | Data protection by design | Encryption, hashing, TTL, and minimization are architectural defaults |
| Art. 28 | Processor obligations | DPA available for Enterprise agreements; core sub-processor: Cloudflare (plus the enrichment vendor only for sites that opt in to the enrichment add-on) |
| Art. 32 | Security of processing | AES-256-GCM + TLS in transit + isolated worker environments |
| Art. 33 | Breach notification | 72-hour breach notification commitment in the DPA (available for Enterprise agreements) |
| Art. 35 | Data protection impact assessment | DPIA template provided to customers |
California's CCPA and its successor CPRA impose specific requirements for opt-out mechanics and data selling prohibitions:
The Schrems II ruling invalidated the EU-US Privacy Shield, creating uncertainty around transatlantic data transfers. ClickStream's architecture is designed to minimize transfer risk:
Cloudflare's edge network processes requests at the nearest edge location to the visitor. For EU visitors, that typically means EU edge locations such as Frankfurt, Amsterdam, Paris, or Dublin.
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS for all connections |
| Encryption at rest | AES-256-GCM with per-site keys |
| Pseudonymization | SHA-256 hashing of PII at ingestion |
| Data minimization | Only necessary fields collected; 90-day TTL |
| Access control | Encrypted PII is revealed only through an audited, password-gated decrypt workflow |
| Transparency | Minimal sub-processor list (Cloudflare; enrichment vendor only if you opt in), updated with notice |
Enterprise customers can contract for EU-only (or US-only) data residency, restricting processing and storage to the selected region.
When a data subject exercises their right to erasure (GDPR Art. 17 or CCPA right to delete), ClickStream executes a cascade deletion across all data stores:
| Data Store | Deletion Time | Method |
|---|---|---|
| D1 (relational) | Immediately on processing | SQL DELETE with cascade |
| Workers KV (PII envelope) | Immediately on processing | KV delete |
| Analytics Engine (events) | Up to 90 days (TTL) | Query-time exclusion + natural expiry |
| Parquet exports | Excluded from all future exports | Deletion propagates into the export pipeline; stored exports expire within 90 days |
Data sovereignty cannot be bolted on after the fact. It must be architectural. ClickStream's approach — per-site AES-256-GCM encryption, dual-hash PII strategy, 90-day automatic scrubbing, on-request per-tenant-encrypted Parquet exports, and structural GDPR/CCPA compliance — ensures that data sovereignty is not a marketing claim but a cryptographic reality.
The key principles are simple: encrypt everything identifying, hash everything that serves as a linkage, automatically delete everything beyond the retention window, and keep exports in open formats — campaign CSV self-serve on Growth and above, raw-event Parquet on request on Scale and above. No compliance theater.
In a regulatory landscape that is tightening globally — the EU AI Act, Brazil's LGPD, India's DPDP Act, China's PIPL — organizations need analytics infrastructure that is not just compliant today but architecturally resilient to future regulation. ClickStream's privacy-first architecture provides that foundation.
Full data ownership means your visitor intelligence stays yours — not a vendor's monetization asset. Keep your competitive edge private.
Start free