Data Flow

This document explains how data moves through the Qpoint system, with special attention to data privacy and security considerations.

Types of Data

Qpoint handles two distinct types of data:

Events

• Anonymized information about connections

• Timestamps and durations

• Bandwidth usage statistics

• Basic request/response metadata (status codes, paths)

• No sensitive data or payload content

• IP addresses and domains (already publicly available via DNS)

Objects

• Actual request and response content

• Headers and bodies

• Contains potentially sensitive information

• Never leaves your environment

• Stored exclusively in your storage infrastructure

Data Flow Paths

Event Metadata Flow

1. Generation: Qtap agent creates anonymized connection metadata

2. Processing: Data processed locally on the host where connections occur

3. Storage: Events sent directly to Pulse endpoint for ingestion into Clickhouse database

4. Access: Retrieved through Pulse API for dashboard visualization

Object Data Flow

1. Capture: Qtap agent captures connection data on your servers

2. Processing: Data processed locally on the host where connections occur

3. Storage: Payloads sent directly to your S3-compatible storage in your environment

4. Access: Your team accesses payloads through the Qpoint UI, which loads data directly from your storage

Storage Configuration

Event Storage Options

1. Managed Option

   • Use Qpoint's hosted Pulse service

   • Contains only anonymized connection data

   • No sensitive information

2. Self-Hosted Option (Coming Soon!)

   • Run Pulse service in your environment

   • Maintain complete data sovereignty

   • Full control over all data types

Object Store Configuration

Your object store configuration requires several key parameters:

• Endpoint: The URL or IP address and port for your S3-compatible storage service

• Bucket: A dedicated storage bucket for Qpoint objects

• Region: The geographic region for your storage service

• Access Credentials:

  • Access Key: Configured via environment variable (e.g., S3_ACCESS_KEY)

  • Secret Key: Configured via environment variable (e.g., S3_SECRET_KEY)

• SSL Settings: Option to enable/disable SSL for the connection

Key Privacy Considerations

1. Data Residency

   • Sensitive data never leaves your environment

   • You maintain full control over storage locations

   • Direct access paths avoid unnecessary data transmission

2. Access Control

   • You control access to payload storage

   • Credentials managed within your environment

   • Browser-based direct access to your storage

3. Data Isolation

   • Clear separation between metadata and payload data

   • Different storage and access patterns for each data type

   • Granular control over data retention and access

Summary

• Your sensitive data never leaves your environment

• Qpoint team never has access to payload data

• All processing occurs where connections originate

• You maintain full control over data storage and access

• Direct browser-to-storage access ensures data privacy