Cloudflare GDPR compliance

Hey there,

I have a question regarding Cloudflare Pages and GDPR compliance for users in the EU. Since Cloudflare Pages distributes content from servers worldwide, including some countries that may not meet the required standards, it’s crucial for me to ensure compliance with the General Data Protection Regulation (GDPR). According to Article 28, paragraph 3 of the GDPR, a Data Processing Agreement is necessary.

Typically, I sign a contract with the hosting provider to fulfill this requirement. My question is whether cloudflare offers an option for such an agreement. If not, I may need to consider other options to ensure GDPR compliance.

I appreciate any information or guidance on this matter.

Thank you!

Cloudflare does offer data localization, but you need to be on enterprise for that.
Have you checked out their GDPR page?

1 Like

Hi @Cyb3r-Jak3

This GDPR page does not provide any option for users to be GDPR compliant while using Cloudflare services exception is for “enterprise users”. So basically unless I pay 200$ per month using cloud-flare pages and workers etc I risk GDPR fines.

According to the GDPR Article 28, paragraph 3 of the GDPR, a Data Processing Agreement is necessary.

Yes I have check the page it provides no option for regular users to sign a data processing agreement or provide any alternative for GDPR compliance. So basically hosting on cloudflare free means risking GDPR compliance fines.


It doesn’t?

8. How can Customers who do not have an Enterprise agreement make sure the Standard Contractual Clauses are in place with Cloudflare?

Our [Self-Serve Subscription Agreement]( our [standard DPA]( by reference. And to the extent the personal data we process on behalf of a self-serve customer is governed by the GDPR, then our DPA incorporates the EU standard contractual clauses for this data. Therefore, no action is required to ensure that the standard contractual clauses are in place. Our DPA also incorporates the additional safeguards described above.

While the DPA is incorporated by reference, we have also made our standard DPA available in the customer dashboard. When you are in your Dashboard, please go to the Configurations tab, and then Preferences to view and accept the DPA

$200 a month is a business plan subscription rate and has nothing to do with workers or pages billing. If you want an Enterprise plan for workers or pages I imagine it is well north of that.

But if you’ve chosen to read the requirements as you have and interpreted Cloudflare’s response as insufficient another provider does seem like a wise choice.

1 Like

Hi @cscharff

You seems to be misinformed on how GDPR works. Please read the GDPR Article 28, paragraph 3 (A)

processes the personal data only on documented instructions from the controller,

The SSC from your side doesn’t work it cannot be just 1 document for all

So unless a data controller (cloudflare client) sign a contract with documented instruction the general SCC you refers to is invalid. If you prefer I can challenge this in DPA to prove you that it is not GDPR compliant.

Seems to me @cloudflare is intentionally misleading users to non-compliance fines by providing wrong info.

Please let me know if there is an actual option to sign a contract with cloudflare for data processing?


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.