Cloudflare and IT Act compliance

Cloudflare is a security, performance, and reliability company headquartered in the United States (U.S) with global operations, including an office in India, that delivers a broad range of network services to businesses of all sizes and in all geographies. We help make our customers’ websites and Internet applications more secure, enhance the performance of their business-critical applications, and eliminate the cost and complexity of managing individual network hardware. The Cloudflare global network – which is powered by edge servers in more than 310 cities around the world, as described here – serves as the foundation on which we can rapidly develop and deploy our products for our customers.

The types of personal data Cloudflare processes on behalf of a customer depend on which Cloudflare services are implemented. For our most popular application services and network services, Cloudflare does not store customer content, nor do we have any control of the data our customers choose to transmit, route, switch, and cache through our global network. In a limited number of cases, Cloudflare products can be used for storage of content. Regardless of what Cloudflare services they use, however, our customers are fully responsible for their own compliance with applicable law and their independent contractual arrangements in connection with the data they choose to transmit, route, switch, cache, or store through the Cloudflare global network.

For our application and network services, the vast majority of data that transits Cloudflare’s network stays on our edge servers, while metadata about this activity is processed on behalf of our customers in our data centers in the United States and Europe.

Cloudflare maintains log data about events on our network. Some of this log data will include information about visitors to and/or authorized users of a customer’s domains, networks, websites, application programming interfaces (“APIs”), or applications, including the Cloudflare product Cloudflare Zero Trust as may be applicable. This metadata contains extremely limited personal data, most often in the form of IP addresses. We process this type of information on behalf of our customers in our data centers in the US and Europe for a limited period of time.

Cloudflare views security as a critical element of ensuring data privacy. Since Cloudflare launched in 2010, we have released a number of state-of-the-art, privacy-enhancing technologies, typically ahead of the rest of the industry. Among other things, these tools allow our customers to easily encrypt the content of communications through universal SSL; encrypt or otherwise protect the metadata in communications using new protocols like DNS-over-HTTPS, DNS-over-TLS, and Oblivious HTTP; and control where their SSL keys are held or where their traffic is inspected.

Cloudflare maintains a security program in accordance with industry-leading standards. Our security program includes maintaining formal security policies and procedures, establishing proper logical and physical access controls, and implementing technical safeguards in corporate and production environments, including establishing secure configurations, establishing secure transmission and connections, logging, monitoring, and having adequate encryption technologies for personal data.

All Cloudflare employees are subject to privacy and information security onboarding training and afterwards to annual retraining.

We currently maintain the following validations: ISO 27001, ISO 27701, SOC 2 Type II, and PCI DSS Level 1 compliance. We are also certified to the European Cloud Code of Conduct and Germany’s C5 2020 standard. You can learn more about our certifications here.

To view the security measures Cloudflare offers for the protection of personal data, including personal data transferred from India to the US please see Annex 2 of our standard DPA.

Cloudflare builds into our products and services data processing principles that are consistent with the DPDP: only collect the personal data you need to provide the service you are offering; do not sell personal information; give people the ability to access, correct, or delete their personal information; and, consistent with our role as a data processor, give our customers control over the information that, for example, is cached on our content delivery network (CDN), stored in Workers Key Value Store, or captured by our web application firewall (WAF). In addition, our Data Processing Addendum (DPA) – which covers our obligations for processing personal data on behalf of our customers and is incorporated by reference into our Enterprise Service Agreement and our Self-Serve Subscription Agreement – offers a number of additional safeguards for data we process on behalf of our customers that are consistent with, and in many cases go beyond, the DPDP’s protections. As a result, India personal data transferred to the US has comparable protection to that provided by the DPDP.

Cloudflare has a strong commitment to transparency and accountability regarding processing of personal data, and our DPA makes many of these commitments contractually binding. When we issued our very first transparency report in 2014 for legal process received in 2013, we pledged that we would require legal process before providing any government entity with any customer data outside of an emergency and that we would provide our customers with notice of any legal process requesting their customer or billing information before disclosure of that information unless legally prohibited. We publicly stated that we have never turned over encryption keys to any government, provided any government a feed of content transiting our network, or deployed law enforcement equipment on our network. We also committed that if we were asked to do any of those things, we would “exhaust all legal remedies in order to protect our customers from what we believe are illegal or unconstitutional requests.” Since those days early in our history, we have restated those commitments twice a year, and even expanded on them, in our Transparency Reports.

We have also demonstrated our belief in transparency and our commitment to protecting our customers by filing litigation when necessary. In 2013, with the help of the Electronic Frontier Foundation, we legally challenged an administratively issued US. national security letter (“NSL”) to protect our customer’s rights because of provisions that allowed the government to restrict us from disclosing information about the NSL to the affected customer. Cloudflare provided no customer information in response to that request, but the non-disclosure provisions remained in effect until a court lifted the restrictions in 2016.

We have frequently stated our position that any government requests for personal data that conflict with the privacy laws of a person’s country of residence should be legally challenged. (See, for example, our Transparency Report and our white paper, Cloudflare’s policies around data privacy and law enforcement requests, on government requests for data.) Consistent with existing US case law and statutory frameworks, Cloudflare may ask US courts to quash a request from US authorities for personal data based on such a conflict of law.

Our standard DPA for our customers incorporates the above-described supplementary measures and safeguards as contractual commitments. You can view these contractual commitments in section 7 of our DPA.

Executive Order 14086 (“EO14086”). In October 2022, US President Biden signed EO14086, which introduced new safeguards for US signals intelligence activities, including those conducted pursuant to FISA section 702, described below. The EO14086 protections applicable to transfers from India to the U.S. include safeguards to ensure that privacy and civil liberties are integral considerations such that (i) signals intelligence activities shall be conducted only where “necessary” to advance a validated intelligence priority, and (ii) be conducted only to the extent and in a manner that is “proportionate” to the validated intelligence priority.

Section 702. Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) is an authority that allows the US government to request the communications of non-US persons located outside of the United States for foreign intelligence purposes. The US government uses section 702 to collect the content of communications through specifical “selectors”, such as email addresses, that are associated with specific foreign intelligence targets. Because the authority is typically used to collect the content of communications, the “electronic communications service providers” asked to comply with section 702 are typically email providers or other providers with access to the content of communications.

As noted in our Transparency Report, Cloudflare does not have access to this type of traditional customer content for our core services In addition, Cloudflare has had a public commitment for many years that we have never provided any government a feed of our customers' content transiting our network and that we would exhaust all legal remedies if we were asked to do so in order to protect our customers from what we believe are illegal or unconstitutional requests.

Executive Order 12333. Executive Order 12333 governs US intelligence agencies' foreign intelligence collection targeting non-US persons outside the United States. Executive Order 12333 does not have provisions to compel the assistance of US companies.

Cloudflare has a longstanding commitment to require legal process before providing any government entity with access to any customer data outside of an emergency. We therefore would not comply with voluntary requests for data under Executive Order 12333. In addition, Cloudflare has been a leader in encouraging additional security for data in transit, for both content and metadata, to prevent personal data from any type of prying eyes. In 2014, for example, we launched Universal SSL, making encryption — something that had been expensive and difficult — free for all Cloudflare customers. The week we launched it, we doubled the size of the encrypted web. Because of an increasing number of laws attempting to target encryption, we have even committed that we have never weakened, compromised, or subverted any of our encryption at the request of a government or other third party.

CLOUD Act. The Clarifying Lawful Overseas Use of Data (CLOUD) Act does not expand US investigative authority. Tough requirements for law enforcement to obtain a valid warrant remain unchanged. The CLOUD Act also applies to access to content, which we generally do not store, as described above. It is important to note that law enforcement would typically seek to obtain data from the entity that has effective control of the data (i.e., our customers) rather than cloud providers.

The CLOUD Act provides mechanisms for a provider to petition a court to quash or modify a legal request that poses such a conflict of law. That process also allows a provider to disclose the existence of the request to a foreign government whose citizen is affected, if that government has signed a CLOUD Act agreement with the United States. Cloudflare has committed to legally challenge any orders that pose such a conflict of law. To date, we have received no orders that we have identified as posing such a conflict.

Finally, bear in mind that our DPA commits that unless legally prohibited, we will notify customers if we are able to identify that third-party legal process requesting personal data we process on behalf of that customer raises a conflict of law. Customers notified of a pending legal request for their personal data can seek to intervene to prevent the disclosure of personal data.

The Reserve Bank of India (“RBI”) guidelines require payment systems providers and their service providers, intermediaries, third party vendors and other entities in the payment ecosystem to ensure that all data relating to payment systems operated by them are stored in India. Payment systems data includes end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered / transmitted / processed as part of a payment message / instruction. This may involve Customer data (Name, Mobile Number, email, Aadhaar Number, PAN number, etc. as applicable); Payment sensitive data (customer and beneficiary account details); Payment Credentials (OTP, PIN, Passwords, etc.); and Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).

For customers who use Cloudflare’s most popular Application Layer services, including our Content Delivery Network (CDN), Cloudflare does not store customer content. Cloudflare only stores log data, which includes metadata about the interaction between the end user, Cloudflare and the origin. Typically, this data would include info regarding the time of the request, browser type, response time, and client and server IP addresses. As a result, we believe customers can use Cloudflare’s services in compliance with the RBI Guidelines. We recognize, however, that some customers believe the RBI Guidelines require data localization. Our Data Localization Suite, described below, can help with this.

DPDP allows for cross-border data transfers if certain conditions are met. We believe that our network complies with the DPDP without localizing data because our systems are DPDP compliant due to the security measures we have in place and due to the data processing commitments we make in our Data Processing Addendum (DPA), which is incorporated by reference into our contractual agreements with all customers.

With this in mind, we recognize that some of our customers in India would need certain types of regulated data to remain in India and not be transferred to the US for processing. To that end, we have developed the Data Localization Suite, which helps businesses get the performance and security benefits of our global network, while making it easy to set rules and controls at the edge about where their data is stored and protected.

The Data Localization Suite bundles some existing offerings with some new features:

• Regional Services. Cloudflare has data centers in over 310 cities across 100+ countries. Regional Services together with our Geo Key Manager solution allows customers to pick the data center locations where SSL keys are stored and SSL termination takes place. Traffic is ingested globally, applying L3/L4 DDoS mitigations, while security, performance, and reliability functions (such as, WAF, CDN, DDoS mitigation, etc.) are serviced at designated Cloudflare data centers only.

• Keyless SSL. Keyless SSL allows a customer to store and manage their own SSL private keys for use with Cloudflare. Customers can use a variety of systems for their keystore, including hardware security modules (“HSMs”), virtual servers, and hardware running Unix/Linux and Windows that is housed in environments under customers’ control.

• Geo Key Manager. Cloudflare has a truly international customer base and we have learned that customers around the world have different regulatory and statutory requirements, and different risk profiles, concerning the placement of their private keys. With that philosophy in mind, we set out to design a very flexible system for deciding where keys can be kept. Geo Key Manager lets customers limit the exposure of their private keys to certain locations. It is similar to Keyless SSL, but instead of having to run a key server inside your infrastructure, Cloudflare hosts key servers in the locations of your choosing.