Legal & privacy

Data protection at Arbiter Networks

What data Arbiter Networks processes, on what legal basis, for how long, and how to exercise your rights. We publish this page because transparency about processing is part of good security practice, and because the DPC's guidance asks organisations to be transparent; we would publish it whether or not we were asked to.

Our role

We are both a controller and a processor

The distinction matters for how your rights apply and who you should contact.

Where we are the controller

Arbiter Networks determines the purpose and means of processing for data relating to its own business: people who contact us, visitors to this website, customers who manage subscriptions and billing through our portal and anyone who corresponds with us by email. For this data, Arbiter Networks is the data controller and the obligations under GDPR Articles 12–22 run directly to us.

Where we are the processor

When a customer deploys Arbiter on their network, two categories of network metadata flow through the platform. We are the processor for both; the customer is the controller. The customer has decided that this monitoring takes place, for their own documented purposes, and we process the data only on their documented instructions.

RADIUS authentication and accounting: device MAC addresses, the User-Name attribute (often an email or certificate subject for 802.1X, the MAC for MAB), NAS device identifiers, session timestamps, VLAN assignments and standard accounting attributes (Acct-Session-Id, octets in and out, session duration).

DHCP discovery, when the customer chooses to forward it: device MAC, DHCP Option 12 (hostname), DHCP Option 55 (parameter request list, the option order that serves as a device fingerprint), DHCP Option 60 (vendor class identifier), DHCP Option 61 (client identifier), DHCP Option 82 (relay agent information, when present) and the relay IP. DHCP forwarding is configured by the customer at their switches or DHCP relay agent. If the customer does not configure forwarding, Arbiter never sees DHCP packets.

Option 12 (hostname) deserves a specific call-out. DHCP hostnames are user- or device-chosen strings and often contain personal identifiers ("Sarahs-iPhone", "John-Doe-Laptop"). They are personal data under GDPR. We store them in the device profile so that customers can use them in policy matching and operator dashboards (the customer's documented purpose). They are never shared with sub-processors. If you would prefer hostname capture to be disabled entirely for your tenant, contact us: a self-service per-tenant opt-out is on the roadmap, and we can set it manually today.

If you are an end-user on a network where Arbiter is deployed (a visitor, employee or student, for example), your rights under GDPR Articles 15–22 should be directed first to the organisation that operates that network. We will co-operate with any customer-forwarded DSAR and can provide an account of our processing on request.

MAC addresses, usernames, DHCP hostnames and session metadata constitute personal data under GDPR. We don't claim otherwise.

Lawful basis

Why we process each category of data

GDPR Article 6 requires a documented lawful basis for every processing activity. Our register is maintained internally; a summary is published here.

Processing activity | Lawful basis | Notes
Customer account data (portal users, billing contacts) | Article 6(1)(b): performance of a contract | Necessary to deliver and support the service.
RADIUS / accounting metadata processed on customer networks | Processor: the customer's lawful basis applies | Processed solely on documented customer instructions. The customer, as controller, determines the applicable lawful basis under Article 6 GDPR.
Sales and marketing communications (B2B prospects) | Article 6(1)(f): legitimate interests | Business-to-business contact where there is a reasonable expectation of commercial contact. Opt-out honoured immediately.
Website analytics | Article 6(1)(a): consent | Where non-essential analytics cookies are used, consent is collected through our cookie mechanism.
Legal obligations (tax, accounting, regulatory correspondence) | Article 6(1)(c): legal obligation | Retained for the period required by applicable law.

Retention

How long we keep data

Retention periods are set by reference to the purpose for which data was collected. Where we act as processor, the customer can configure retention within the bounds shown in the table below. All data is deleted or anonymised at the end of the applicable period unless a legal hold applies.

Data category | Retention
RADIUS authentication logs (processor role) | Default 90 days; configurable per tenant, from a minimum of 30 days up to 12 months
RADIUS accounting / session records (processor role) | Default 90 days; configurable per tenant
Customer portal account data | Duration of subscription plus 90 days after termination; deleted earlier on request
Billing and contract records | 7 years (Irish Companies Act / Revenue requirements)
Support and correspondence | 3 years from last interaction
Website analytics (where collected) | Rolling 13 months
Audit logs (platform security) | 12 months rolling

Sub-processors

Who we share data with

We do not sell personal data. We share it only with the sub-processors listed below, and only to the extent necessary to deliver the service. Customers are notified before any new sub-processor is added and have the right to object under their Data Processing Agreement.

Cloud / hosting provider
  Purpose: Infrastructure hosting for the Arbiter platform
  Location: EU (EEA)
  Notes: To be confirmed on incorporation.

Fingerbank (Inverse Inc.)
  Purpose: Device fingerprinting (vendor + OS / device-class lookup)
  Location: Canada / US
  Notes: What we send is an anonymised MAC (the first four bytes of the hardware address, with the device-unique two-byte suffix replaced by the fixed value 00:01), the DHCP Option 55 parameter-request-list string and the DHCP Option 60 vendor class identifier. We send no full MAC addresses, IP addresses, hostnames (DHCP Option 12) or user identifiers. The Option 12 hostname is deliberately not transmitted because it is the field most likely to contain personal data. SCCs or an equivalent transfer mechanism are in place.

Microsoft 365 (Microsoft Ireland Operations Ltd)
  Purpose: Transactional email: sign-in codes (passwordless OTP and magic link), portal notifications, billing receipts
  Location: EU (Ireland)
  Notes: Outbound SMTP relay from a service mailbox (tokens@arbiter.ie) for system-generated email only. The recipient address and message body transit Microsoft 365; Microsoft's data processing agreement and the Microsoft EU Data Boundary apply, so Microsoft's processing of this mail stays within the EU.

Payment processor
  Purpose: Subscription billing
  Location: EU or a country covered by an adequacy decision
  Notes: Payment card data is handled entirely by the processor; Arbiter Networks does not store card numbers.

Where any sub-processor is based outside the EEA, we rely on Standard Contractual Clauses (SCCs) under Article 46(2)(c) or an applicable adequacy decision under Article 45, and we carry out a Transfer Impact Assessment for each transfer.
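The Fingerbank entry above describes a data-minimisation step: the full device profile stays with the tenant, and only a reduced, pseudonymised subset is derived from it for the lookup. The block below is an added illustration of that step, written for this page; it is not Arbiter's platform code. It parses the option area of two constructed DHCP DISCOVER packets, builds the stored profile (hostname included) and then derives the sub-processor payload from an explicit allow-list. The payload key names (mac, dhcp_fingerprint, dhcp_vendor), the tenant identifier and the sample packets are assumptions, not details taken from this page or from Fingerbank's documentation.

```python
"""Data minimisation before a device-fingerprint lookup (illustrative, not Arbiter code).

Keeps the Option 12 hostname in the tenant's profile, and builds the
sub-processor payload from an allow-list: MAC with its device-unique suffix
replaced by 00:01, Option 55 list, Option 60 string. Payload key names are
assumed, not taken from the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OPT_PAD, OPT_HOSTNAME, OPT_PARAM_REQUEST, OPT_VENDOR_CLASS = 0, 12, 55, 60
OPT_CLIENT_ID, OPT_RELAY_AGENT, OPT_END = 61, 82, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(raw: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area that follows the magic cookie.
    Fails closed on malformed input (no cookie, truncated option, no END)
    rather than returning a partial map that might be acted on."""
    if raw[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"truncated header for option {code}")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value  # last occurrence wins; clients normally send each once
        i += 2 + length
    raise ValueError("option area has no END marker")


def anonymise_mac(mac: str) -> str:
    """Keep the first four bytes; replace the device-unique suffix with 00:01."""
    octets = mac.lower().replace("-", ":").split(":")
    hexdigits = set("0123456789abcdef")
    if len(octets) != 6 or any(len(o) != 2 or not set(o) <= hexdigits for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octets[:4] + ["00", "01"])


@dataclass
class DeviceProfile:
    """What the platform stores for the tenant (the controller's purpose)."""
    tenant_id: str
    mac: str
    hostname: Optional[str]            # Option 12, often personal data
    param_request_list: List[int]      # Option 55
    vendor_class: Optional[str]        # Option 60
    client_id: Optional[bytes]         # Option 61
    relay_agent_info: Optional[bytes]  # Option 82


def build_device_profile(tenant_id: str, mac: str, raw_options: bytes) -> DeviceProfile:
    opts = parse_dhcp_options(raw_options)

    def text(code: int) -> Optional[str]:
        return opts[code].decode("utf-8", "replace") if code in opts else None

    return DeviceProfile(
        tenant_id=tenant_id,
        mac=mac.lower(),
        hostname=text(OPT_HOSTNAME),
        param_request_list=list(opts.get(OPT_PARAM_REQUEST, b"")),
        vendor_class=text(OPT_VENDOR_CLASS),
        client_id=opts.get(OPT_CLIENT_ID),
        relay_agent_info=opts.get(OPT_RELAY_AGENT),
    )


# The only keys the sub-processor payload may ever carry (assumed names).
ALLOWED_PAYLOAD_KEYS = frozenset({"mac", "dhcp_fingerprint", "dhcp_vendor"})


def fingerprint_payload(profile: DeviceProfile) -> Dict[str, str]:
    """Derive the minimised lookup payload. Hostname, full MAC, client-id and
    relay information are never copied; the allow-list check is a tripwire."""
    payload = {
        "mac": anonymise_mac(profile.mac),
        "dhcp_fingerprint": ",".join(str(n) for n in profile.param_request_list),
    }
    if profile.vendor_class:
        payload["dhcp_vendor"] = profile.vendor_class
    unexpected = set(payload) - ALLOWED_PAYLOAD_KEYS
    if unexpected:
        raise RuntimeError(f"payload leaks disallowed fields: {sorted(unexpected)}")
    return payload


# Constructed samples, not real captures: an iPhone-like DISCOVER with a personal
# hostname and relay information, and a Windows-like one that also sends Option 60.
IPHONE_OPTIONS = (
    MAGIC_COOKIE
    + bytes([OPT_HOSTNAME, 13]) + b"Sarahs-iPhone"
    + bytes([OPT_PARAM_REQUEST, 7, 1, 121, 3, 6, 15, 119, 252])
    + bytes([OPT_CLIENT_ID, 7, 1]) + bytes.fromhex("f0d1a90b2c3d")
    + bytes([OPT_RELAY_AGENT, 6, 1, 4]) + b"\x00\x01\x00\x07"  # circuit-id sub-option
    + bytes([OPT_END])
)
WINDOWS_OPTIONS = (
    MAGIC_COOKIE
    + bytes([OPT_HOSTNAME, 15]) + b"John-Doe-Laptop"
    + bytes([OPT_VENDOR_CLASS, 8]) + b"MSFT 5.0"
    + bytes([OPT_PARAM_REQUEST, 14, 1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    + bytes([OPT_END])
)

if __name__ == "__main__":
    for mac, raw in (("F0:D1:A9:0B:2C:3D", IPHONE_OPTIONS), ("3c:52:82:aa:bb:cc", WINDOWS_OPTIONS)):
        profile = build_device_profile("tenant-demo", mac, raw)
        print("stored for tenant:", profile.hostname, profile.mac)
        print("sent to sub-processor:", fingerprint_payload(profile))
```

The point of the allow-list in fingerprint_payload is that the payload is constructed from named fields rather than by deleting hostname from a copy of the profile: a field added to the profile later cannot reach the sub-processor by default, and the tripwire makes any regression fail loudly rather than quietly over-share.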

Data residency

Where your data is stored

Customer data is hosted within the European Economic Area unless otherwise agreed contractually. Arbiter Networks does not intentionally transfer customer data outside the EEA except where necessary for approved sub-processors that are subject to Standard Contractual Clauses or an applicable adequacy decision.

Our infrastructure is hosted in Ireland. RADIUS authentication metadata, accounting records and tenant configuration data do not leave the EEA as part of normal platform operation.

If you have specific data residency requirements (for example, a contractual or regulatory requirement to keep all data within a named member state), please raise this during procurement. We will confirm in writing what is and is not possible within our current architecture.

Your rights

Rights under GDPR Articles 15–22

You can exercise any of the following rights by emailing privacy@arbiter.ie. We respond within one month of receipt, as GDPR Article 12(3) requires; that period can be extended by up to two further months for complex or numerous requests, and we will tell you within the first month if an extension applies. We do not normally charge a fee unless a request is manifestly unfounded or excessive.

Access (Art. 15)

Request a copy of the personal data we hold about you and information about how we process it.

Rectification (Art. 16)

Ask us to correct inaccurate or incomplete data.

Erasure (Art. 17)

Ask us to delete your data where there is no overriding legitimate reason to keep it. Sometimes called the 'right to be forgotten.'

Restriction (Art. 18)

Ask us to pause processing while a dispute about accuracy or lawfulness is resolved.

Portability (Art. 20)

Receive your data in a structured, machine-readable format where processing is based on consent or contract.

Objection (Art. 21)

Object to processing based on legitimate interests, including direct marketing. We will stop unless we can demonstrate compelling grounds.

If you are an end-user on a customer-operated network, please direct your request first to that organisation. We will co-operate fully with any customer-forwarded DSAR.

Breach notification

What happens if something goes wrong

Our obligation as processor

GDPR Article 33 requires controllers to notify the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. As a processor, our obligation under Article 33(2) is to notify the affected customer (the controller) without undue delay. Our commitment goes further: we notify within 24 hours of becoming aware of a confirmed breach affecting a customer's data, so that the customer has as much of their own 72-hour window to the DPC as possible.

This commitment is written into every customer Data Processing Agreement and is backed by an internal incident-response procedure reviewed at least annually.

Our obligation as controller

Where a breach involves personal data for which Arbiter Networks is the controller (portal users, billing contacts), we notify the DPC within 72 hours and, where the breach is likely to result in a high risk to individuals, we notify affected data subjects directly without undue delay.

Our 24-hour processor notification SLA to customers is a contractual commitment, not aspirational. It is the most useful thing a processor can do to protect their customers' regulatory position.

Security

Technical and organisational measures (Article 32)

GDPR Article 32 requires us to implement appropriate technical and organisational measures proportionate to the risk. Below is a summary of what we have in place. Customers may request the full Technical and Organisational Measures (TOMs) document as part of their DPA review.

  • Encryption in transit (TLS 1.2 minimum, TLS 1.3 preferred) for all external-facing services
  • Encryption at rest for all persistent data stores
  • Multi-factor authentication required on all internal admin systems
  • Tenant isolation: platform architecture is designed to prevent cross-tenant data access; tenant-scoped access controls are enforced throughout
  • Role-based access control on the management portal; least-privilege principle applied to internal systems
  • Audit logging of administrative actions retained for 12 months
  • Regular vulnerability assessments; critical findings are prioritised for urgent remediation under internal SLAs
  • No payload capture: RADIUS accounting records session metadata only. We do not capture or store network packet contents.
  • Change control and peer review for all production deployments

We are building towards SOC 2 Type II attestation. Current status: see our compliance page.

Data protection contact

Who to contact

Based on our current processing activities, we do not believe Article 37 requires appointment of a statutory Data Protection Officer. We have appointed a Data Protection Contact instead, who handles all GDPR-related queries, DSARs, and regulator liaison.

Data Protection Contact: Anthony Malone, Arbiter Networks
Email: privacy@arbiter.ie

Supervisory authority: Data Protection Commission (DPC), Ireland. If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with the DPC at dataprotection.ie.

Registered office: [Address to be confirmed on incorporation. See Companies Registration Office once Arbiter Networks Limited is registered.]

Honest limits

What we haven't done yet

We hold ourselves to the same standard of directness on privacy that we apply elsewhere on this site. Here is what is still in progress as of our launch:

  • SOC 2 Type II: We are building towards it. The controls are in place; the audit clock has not started. If you need a current SOC 2 Type II report today, we are not your vendor yet.
  • ISO 27001: Not certified. On the roadmap after SOC 2.
  • Sub-processor details: The table above includes placeholder entries for providers not yet contracted. We will update this page before launch and version-control it thereafter.
  • Registered office: Pending incorporation of Arbiter Networks Limited in Ireland.

We update this page when anything changes. If something here contradicts your understanding of our practices, please tell us at privacy@arbiter.ie.

Version and updates

This page is version controlled internally and reviewed periodically.

Last updated May 2026. For questions about this page, contact privacy@arbiter.ie.

Questions about how Arbiter handles your data?

Email our data protection contact directly. We aim to respond within one month, usually much faster.