Last Updated July 30, 2020
The following Supplemental Terms (“Terms”), unless otherwise specified, are provided to supplement Cloudflare’s Enterprise Subscription Terms of Service, Self-Serve Subscription Agreement, and any other agreement, Order Form, or Insertion Order that explicitly incorporates these Terms by reference (collectively, the “General Terms”). Unless defined below, all capitalized terms will have the definitions given to such terms in the General Terms. For Enterprise customers, all references to “you” and “your” in the Terms below refer to the Customer named in in the applicable Order Form or Insertion Order.
Please click on any of the following links to navigate to the Supplemental Terms applicable to your Cloudflare Services.
The following definitions apply to quantities referenced in orders and invoices for Cloudflare Services. Unless explicitly stated otherwise in the applicable Order Form or Insertion Order(s), the defined terms below have the same meaning regardless of whether such terms are capitalized or uncapitalized.
“Business domain” is any domain entitled to a Business subscription level of protection, products, and support (as defined at cloudflare.com/plans/), exclusive of any add-on or usage-based features for which you may be charged separately.
“Concurrent connections” is the maximum number of clients concurrently connected to Cloudflare’s servers at any one time.
“Custom hostname” is any hostname that you send to Cloudflare’s custom hostname endpoint. A custom hostname can be a domain at any level (including but not limited to second- and third-level domains). For billing purposes, foo.com, foo.co.uk, www.foo.com, x.foo.com would be considered four separate custom hostnames. Cloudflare will invoice you for any custom hostname that has been active during the billing month, regardless of the duration of the activity during such month.
“Custom SSL certificate” is an SSL certificate that is provided by you for use with the Service. Unless otherwise mutually agreed to in writing, you may only use SNI certificates.
“Dedicated SSL certificate” is an SSL certificate that is provided and managed by Cloudflare on your behalf for use with the Service.
“Domain” is a publicly registrable domain (e.g., example.com) along with its child subdomains (e.g., help.example.com that is configured individually in the Cloudflare dashboard and assigned its own unique zone ID through the Cloudflare Service dashboard. If you require a subdomain to be managed separately from its parent domain, such subdomain must have its own zone ID and will be counted as a separate domain.
“Enterprise primary domain” is any domain receiving Cloudflare’s Enterprise Services that utilizes more than 50 Gigabytes (GB) of data transfer per month.
“Enterprise secondary domain” is any domain receiving Enterprise Services that utilizes less than 50 GB of data transfer per month, including all DNS-only domains.
“Origin” is any server that communicates with Cloudflare’s edge, and that hosts any content or data, or that runs one or more programs to intercept and process incoming internet requests.
“Pro domain” is a domain entitled to a Pro subscription level of protection, products, and support (as defined at cloudflare.com/plans/), exclusive of any add-on or usage-based features for which you may be charged separately.
“Read/Write/List/Delete” are defined as follows for the purposes of Cloudflare Workers KV: a “Read” is a Request where a single value for a given key is read; a “Write” is a Request where a single key/value pair is written; a “List” is a Request where a list of keys within a given namespace is returned; and a “Delete” is a Request where a single key/value pair is removed.
"Request" is a single HTTP/S request that is received by Cloudflare’s edge. For Cloudflare Workers, a Request is a single HTTP/S request that is received by Cloudflare’s edge and hits a Worker script.
“Seat” means an employee, agent, contractor, or other third party, or a device, in each case, authorized by you to use a Cloudflare Service, as applicable.
“Uncached Image” is an image that is not cached on any Cloudflare server.
“Workers KV Storage” is defined for billing purposes as the average hourly amount of data stored in gigabytes (GB) during a single monthly billing period.
“Zone” is an instance configured in the Cloudflare Services dashboard which has a unique zone id assigned to it. In general, a zone would be associated with a single registrable domain and would include all of that domain’s child subdomains unless one or more of the child subdomains requires a different performance or security setting, in which case each child subdomain could either be assigned its own zone id or be grouped together with other child subdomains that share the same performance or security settings under a single zone id.
Customer will not be billed for any requests that Cloudflare reasonably determines were generated by bad bots (e.g., requests with a low cf.bot_management.score that are not included in Cloudflare’s or Customer’s list of allowed bots).
By adding Cloudflare’s China Service to its subscription, Customer acknowledges and agrees that: (A)(i) it will be solely responsible to obtain and maintain a valid Internet Content Provider (ICP) license (the “ICP License”) throughout the Term, as required by the Chinese Ministry of Industry and Information Technology, (ii) Cloudflare will not be liable for Customer’s inability to obtain or maintain such an ICP License, and (iii) in the absence of such an ICP License, Cloudflare may refuse to provide the Service to Customer in China without liability; (B) notwithstanding any provision of the Enterprise Subscription Agreement to the contrary, the Service is provided to Customer in China “AS-IS”, with all faults, and without warranty, obligation, or service level of any kind; and (C) Cloudflare reserves the right to terminate or suspend Customer’s right to use or access the Service in China, at any time and without liability, in response to Chinese law, rule, regulation, or court order; provided, that (i) Cloudflare provides notice to Customer of such termination or suspension as soon as reasonably practicable, and (ii) Cloudflare works to promptly route Customer’s traffic to the next nearest data center(s) outside of China. Termination or suspension of the Service in China will have no effect upon the remainder of the Agreement, which will remain in full force and effect. Customer further acknowledges that Cloudflare’s China Service is operated by Cloudflare partners located in the People’s Republic of China.
Customer may substitute an existing Access user with a new user, in the event of the existing user's termination or re-assignment to another job function, without incurring an additional Fee.
Cloudflare Gateway is a security and content filtering Service that helps protect your team from threats on the Internet.
2. Cloudflare Gateway Content
By accessing or using the Service you may receive access to Cloudflare-provided threat intelligence and domain categorization data (“Cloudflare Gateway Content”). You may only use the Cloudflare Gateway Content in connection with the Service. You agree not to provide the Cloudflare Gateway Content to any third parties. If you feel that a website has been incorrectly categorized, you may submit a report here.
Cloudflare Gateway is licensed based on the quantity of Users. A “User” is one of your employees, agents, contractors, or other third party, who is authorized by you to use the Cloudflare Gateway Service. You shall not resell or use the Cloudflare Gateway Service for the benefit of any third parties (e.g., in an ASP, managed security services, outsourcing, time-sharing or service bureau relationship) unless expressly permitted by Cloudflare in writing.
4. Average Monthly DNS Queries
Cloudflare Gateway is subject to an Average Monthly DNS Queries limit of 5,000 DNS queries per User per day. “Average Monthly DNS Queries” means the number of DNS queries by your Users in a month divided by the number of days in such a month and further divided by the number of licensed Users. For example, if you purchased licenses for 1,000 Users and your Users submitted a total of 30,000,000 DNS queries in the prior 30-day calendar month, your Average Monthly DNS Queries would be 1,000 (calculated as follows: (30,000,000 / 30) / 1,000 = 1,000).
Cloudflare will continuously monitor your usage of Cloudflare Gateway on a monthly basis to determine your Average Monthly DNS Queries. If Cloudflare determines that your Average Monthly DNS Queries has exceeded 5,000 DNS queries per User per day, Cloudflare reserves the right to require you to purchase additional licenses as required. In the event you purchase the Service in the middle of a month, the Average Monthly DNS Queries calculation for that month shall be based on the number of days that you were subscribed for the Service in that month.
5. Telemetric Data
Cloudflare processes telemetry data to deliver, enhance, improve, customize, support, and/or analyze Cloudflare Gateway and may otherwise freely use telemetry data that does not identify you or any of your Users. You may have the ability to configure Cloudflare Gateway to limit the telemetry data collected, but in some cases, you can only opt out of the telemetry data collection by uninstalling or disabling Cloudflare Gateway. Telemetry data includes data that Cloudflare Gateway generates in connection with your use of Cloudflare Gateway, such as, threat intelligence data, URLs, metadata; origin and nature of malware; information about the devices connected to a network and the types of software or applications installed on a network or an endpoint (e.g., client-type, operating system).
6. Customer Responsibilities
You acknowledge and agree that (i) you are responsible for all activity of your Users and for your Users’ compliance with this Agreement; (ii) you shall: (a) have sole responsibility for providing clear and conspicuous notice to all end users that you may monitor their Internet activities through the Cloudflare Gateway Service; (b) prevent unauthorized access to, or use of, the Service, and notify Cloudflare promptly of any such unauthorized access or use; and (c) comply with all applicable laws and/or regulations in using the Service; (iii) you are responsible for forwarding your Users’ DNS queries, web traffic and/or internal traffic, as applicable, to Cloudflare via valid forwarding mechanisms that allow for automatic failover (i.e. PAC, IPSEC, GRE tunnels); and (iv) you will not intentionally disrupt the Service or use the Service to facilitate any type of attack, including a denial of service attack.
CLOUDFLARE DOES NOT REPRESENT OR WARRANT THAT CLOUDFLARE GATEWAY WILL GUARANTEE ABSOLUTE SECURITY DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR INTRUDING UPON AND ATTACKING FILES, NETWORKS AND ENDPOINTS. CLOUDFLARE DOES NOT REPRESENT OR WARRANT THAT CLOUDFLARE GATEWAY WILL PROTECT ALL YOUR AND YOUR USERS’ FILES, DEVICES, NETWORK, OR ENDPOINTS FROM ALL MALWARE, VIRUSES, OR THIRD PARTY MALICIOUS ATTACKS.
8. Special Terms for Enterprise Customers
Cloudflare Gateway is part of the Cloudflare for Team’s suite of Services. Unlike other Cloudflare Services where Cloudflare is protecting and accelerating Customers’ Internet Properties, Cloudflare Gateway helps to protect and secure Customers’ teams from malicious threats on the Internet. As a result we have updated certain defined terms to reflect your use of Cloudflare Gateway to protect your Users irrespective of whether you have any Internet Properties utilizing any of Cloudflare’s other Services.
With respect to Cloudflare Gateway, any use of the terms below in the Enterprise Subscription Agreement, or other written agreement between you and Cloudflare, as applicable, shall be deemed to have the following meanings: (A) “End User” shall include Users (as defined above); (B) “End User Log Files” shall include the raw logs of End User interactions with Cloudflare Gateway that Cloudflare processes on behalf of Customer Parties during the course of providing the Service; and (C) “Service” shall be deemed to mean Cloudflare’s cloud-based solutions and software made available to you.
Any limits on data transfer related to non-HTTP/S products (e.g., Cloudflare Spectrum) will be separate from and in addition to any other data transfer caps related to HTTP/S traffic that Customer has under the Agreement. Cloudflare will determine Customer’s Spectrum traffic for the billing period by calculating the sum of both the ingress and egress traffic to and from Customer's internet clients as measured by Cloudflare during each billing period.
Cloudflare is not required to retain and may delete, without notice to you, any of your videos in Cloudflare Stream following the expiration or termination of your Cloudflare Stream trial or subscription.
Cloudflare Workers is a Service that permits developers to deploy and run encapsulated versions of their proprietary software source code (each a “Workers Script”) on Cloudflare’s edge servers. You may use Cloudflare Workers (whether in conjunction with Cloudflare Workers KV or not) to serve HTML content as well as non-HTML content (e.g., image files, audio files) other than video files.
By adding a Workers Script to the Service, you are granting Cloudflare a limited, revocable, worldwide, non-exclusive, royalty-free, sub-licenseable right to use your Workers Script as is necessary to provide you the Service (“License”). You retain all copyright and any other proprietary rights that you may hold in the Workers Script(s) that you provide to Cloudflare.
Cloudflare may with or without notice to you and without liability of any kind, temporarily limit the number of requests your Workers Scripts can make if processing such requests would put an undue burden on the Cloudflare network, or otherwise threaten the integrity of Cloudflare’s networks.
You acknowledge that you are solely responsible for your Workers Script(s), including (i) the Workers Script’s performance and functioning with the Service and any reference libraries that Cloudflare may provide from time to time; and (ii) maintaining licenses and adhering to the license terms of any third party software that may be incorporated into your Workers Script.
As between you and Cloudflare, you will provide all support of any type requested by Cloudflare or your end users related to the Workers Script and be responsible for any warranty, liability or obligation to any end user or any third party that arises in connection with their use of your Workers Script.
You represent and warrant that (i) you have and will retain all necessary rights to grant the License; (ii) your Workers Scripts are free from and do not disseminate any viruses, adware, spyware, worms, crypto-mining software or other malicious code; (iii) you will not use the Service to engage in any volumetric attacks or in any other activities to intentionally harm another party’s rights; and (iv) you will use the Service in accordance with the Cloudflare Workers developer documentation.
You agree to indemnify and hold Cloudflare, and its officers, directors, employees, consultants, affiliates, subsidiaries and agents, harmless from any claim or demand, including reasonable attorneys’ fees, arising out of or related to your violation of any third-party right, including without limitation any intellectual property right, or your breach of any of the foregoing representations and warranties.
You understand and agree that Cloudflare is constantly enhancing its Service and we may enhance our Service in a way that is competitive with your Workers Script or other products, services, or ideas that you have, regardless of whether you have shared them with us. Although Cloudflare affirms that you retain intellectual property rights in the source code to your Workers Script, you acknowledge that Cloudflare has the right to make, use, develop, acquire, license, market, promote or distribute products, software or technologies that perform the same or similar functions as, or otherwise compete with, any of your Workers Scripts as well as other products, software or technologies that you may develop, produce, market, or distribute now or in the future.
The creation of Cloudflare Workers using subdomains that include deceptive or offensive terms or names of other businesses, organizations or individuals is prohibited. If Cloudflare determines that you are engaging in this activity it may suspend or terminate your account immediately. The use of the Service for phishing schemes is prohibited.
Cloudflare may change Cloudflare Workers subdomain names for any or no reason. Cloudflare will attempt to provide you with at least one week prior notice for such change, unless the change is due to your violation of the terms governing your use of Cloudflare Workers.
1. Acknowledgement of Relevant Legal Requirements
In connection with your obligation to comply with all laws and regulations applicable to your use of Cloudflare Services as set out in the General Terms, you acknowledge that the content of the data you identify using the CSAM Scanning Tool may be subject to specific legal requirements which may include, but are not limited to, laws requiring the reporting of any facts or circumstances from which you obtain actual knowledge of an apparent violation of child pornography laws to the National Center for Missing and Exploited Children (NCMEC) and/or a government agency in your jurisdiction. Any information that Cloudflare provides to you regarding the use of the CSAM Scanning Tool is not intended as legal advice and is not a substitute for the advice of your own legal counsel.
2. Purpose limitation, Your instructions to Audit and report to NCMEC
The purpose of the CSAM Scanning Tool is to prevent the spread of child sexual abuse content, and to support investigations targeted to stopping the distribution and possession of child sexual abuse content (“Purpose”). You may use the CSAM Scanning Tool solely for the Purpose, and you must not use it for any other purposes. To achieve the Purpose, it is important for you and Cloudflare to work together to maintain the integrity of the service.
(a) You hereby authorize Cloudflare to take steps to monitor and audit your usage of the CSAM Scanning Tool to help ensure that the service is used solely for the Purpose, and otherwise in accordance with these terms.
(b) You hereby authorize Cloudflare to provide reports to NCMEC on the images you upload on the CSAM Scanning Tool that match the signatures of known child pornography images. You hereby instruct Cloudflare to identify you in these reports and to include the email address you have specified for the CSAM Scanning Tool in such reports. You understand that such reports do not relieve you of any legal requirements that might arise from your use of the CSAM Scanning Tool, including, but not limited to, any obligation you have to file NCMEC reports.
(c) You hereby authorize Cloudflare to block images that match signatures of known child pornography images.
3. Details for the CSAM Scanning Tool
This applicable service details are as follows:
(a) The CSAM Scanning Tool is provided free of charge. Accordingly, Cloudflare will have no liability for any harm or damage arising out of or in connection with your use of the CSAM Scanning Tool.
(b) Cloudflare reserves the right to modify or discontinue offering the CSAM Scanning Tool at any time (including, without limitation, by limiting or discontinuing certain features of the CSAM Scanning Tool) without notice to you.
(c) Cloudflare may limit or throttle your CSAM Scanning Tool transactions at any time, with or without notice.
(d) Cloudflare may terminate all Cloudflare Services provided to you if we determine that you have failed to timely remove CSAM, or we suspect you are attempting to abuse the CSAM Scanning Tool.
4. Internal Use Only
You will use the CSAM Scanning Tool solely for your internal use. You may not use the CSAM Scanning Tool to provide a managed service solution.
5. No Support or SLA
The CSAM Scanning Tool is not covered by customer support and does not have an SLA.
6. Limitation of Liability
IN NO EVENT WILL CLOUDFLARE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATING TO YOUR ACCESS TO OR USE OF, OR YOUR INABILITY TO ACCESS OR USE, THE CSAM SCANNING TOOL, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), STATUTE, OR ANY OTHER LEGAL THEORY, WHETHER OR NOT CLOUDFLARE HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE.
Unless otherwise specified in the Order Form, Customer’s geographic distribution of data usage must not exceed in any billing period (i) 25 % in China, India, South America, Middle East, Africa, and elsewhere in Asia (except for Taiwan and Korea); or (ii) 8% in Taiwan, Korea, Australia, New Zealand. Any breakout of Customer’s data usage by geographic region in the Order Form or Insertion Order is provided for Customer’s reference, and when added together for a given Service should be equal to the amount labeled “Total Data Transfer” for such Service.
Cloudflare’s Magic Transit Service (“Magic Transit”) utilizes border gateway protocol to direct traffic from Customer’s set of ingress and egress termination points, including, but not limited to, individual IP addresses, protected subnets, IP networks and border routers under Customer’s control (the “Customer Network”). Magic Transit provides layer 3 DDoS mitigation, web application firewall and traffic management solutions to the Customer Network traffic directed to the number of Customer’s IP Prefixes listed on Customer’s Order Form or Insertion Order, as provided by Customer to Cloudflare for the Customer Network.
2. Bandwidth Limits.
Magic Transit will be provided to Customer subject to the Bandwidth Limits listed on Customer’s Order Form or Insertion Order, as measured by Cloudflare at the 95th percentile in five (5) minute intervals.
To establish Customer’s bandwidth at the 95th percentile, Cloudflare will measure and record Customer’s bandwidth usage at five (5) minute intervals from 00:00 on the first day of each month until 24:00:00 on the same date of the next month (as based on the UTC+8 time zone). Customer’s bandwidth usage records (all clean bandwidth valued for all of the Customer’s Internet Properties) for the entire month will then be sorted by Cloudflare in descending order and the top 5% of the recorded bandwidth values will be discarded. The highest bandwidth value in the remaining records will be deemed the billable bandwidth for that month.
By way of example, in a month with 30 days, Cloudflare would measure Customer’s bandwidth 8,640 times (i.e. 12 x 24 x 30). After sorting all of the bandwidth measurements from highest to lowest, and discarding the top 5% of such measurements, Customer would be charged at the 433rd highest value (i.e. 8,640 x 5%).
3. Configuration Changes.
a. General. Customer shall administer Layer 3 DDoS mitigation, traffic filtering and traffic management configurations for Magic Transit directly or through Cloudflare as described in this Section 3.
b. Procedure. Configuration changes for Customer’s use of Magic Transit may be completed by Cloudflare. To initiate a configuration change, Customer will issue Cloudflare a support ticket through Cloudflare’s ticketing system indicating the requested configuration change (a “Configuration Ticket”). Cloudflare will implement the requested configuration change on behalf of Customer based on the information provided in the Configuration Ticket. Customer acknowledges and agrees that it is responsible for all such requested configuration changes. Cloudflare will have no liability for any harm or damage arising out of or in connection with any configuration change requested by Customer unless such harm or damage is the result of Cloudflare’s failure to follow Customer’s instructions provided in the Configuration Ticket.
c. Emergency Configurations. Customer pre-authorizes Cloudflare to implement emergency configuration changes without following the configuration change process set forth in Section 3(a) in order to mitigate adverse effects on the Customer Network in the event of a DDoS attack. Cloudflare will have no liability for any harm or damage arising out of or in connection with any emergency configuration changes.
4. Customer Requirements.
Customer will comply with the following requirements:
a. Registry Information. Customer will maintain accurate and up to date WHOIS and Internet routing registry information for all IP Prefixes.
b. Letter of Authorization. Customer will provide Cloudflare with a letter of authorization signed by an authorized representative of Customer sufficient to permit Cloudflare to announce the IP Prefixes.
Managed IP addresses must be used solely in connection with Customer’s domains that are receiving Cloudflare's Enterprise Services.
The Mobile SDK Service is a Service that facilitates and analyzes network calls for mobile applications. Paid and enterprise plans of the Mobile SDK Service are available that can be used to optimize how data is transferred over networks through the use of ASAP™, a UDP-based protocol that accelerates the last mile to mobile devices.
Any use of the term “website” in the General Terms or any other written agreement between you and Cloudflare, as applicable, shall be deemed to mean “website or mobile application” with respect to your use of the Mobile SDK Service.
In addition, the capitalized terms below shall have the following meanings:
“Access Key” means a confidential access key provided by Cloudflare to Customer for enabling the Mobile SDK Service in a Mobile App.
“Active User” means with respect to paid and enterprise Mobile SDK Service subscriptions, a unique user who has performed some action in a Mobile App in the applicable billing period. Each installation of the Mobile App on a device shall count as a unique user. For example, if a user installs and uninstalls a Mobile App 5 times in a day on the same device, such user will count as 5 unique users for the applicable billing period.
“Mobile App” means a discrete compiled handheld or mobile device application that integrates the Cloudflare Mobile SDK to access the Cloudflare Mobile SDK Service. Each variation of compiled code that uses the Mobile SDK Service is counted as a unique Mobile App (e.g., iOS and Android each count as unique Mobile Apps). Cloudflare will provide one (1) Access Key for each unique Mobile App.
“Platform Access Fee” means with respect to paid and enterprise Mobile SDK Service subscriptions, the Monthly Fee charged by Cloudflare for each Mobile App.
“Total Active Users” means with respect to paid and enterprise Mobile SDK Service subscriptions the sum of all Active Users in all of Customer’s Mobile Apps for the applicable billing period. For example, if Customer’s iOS Mobile App has 300,000 Active Users in a given billing period, and Customer’s Android Mobile App has 200,000 Active Users in such billing period, the Total Active Users for such billing period is 500,000 Active Users.
Subject to your compliance with the terms and conditions of the Agreement, Cloudflare hereby grants you a non-exclusive, non-transferable, license, to enable the Mobile SDK Service in your Mobile App(s), solely in accordance with the Documentation and any other restrictions or obligations mutually agreed upon by the Parties. All rights not expressly granted to you herein are reserved to Cloudflare.
You acknowledge that you are solely responsible for your Mobile Apps, including the Mobile App’s performance and functioning with the Service. As between you and Cloudflare, you will provide all support of any type requested by Cloudflare or your end users related to your Mobile App(s) and be responsible for any warranty, liability or obligation to any end user or any third party that arises in connection with their use of your Mobile App.
Each Access Key may only be used by one (1) Mobile App to access the Service. You acknowledge and agree that: (a) you will ensure that each Access Key issued to a Mobile App will be used only by the Mobile App for which it was issued; (b) you are responsible for maintaining the confidentiality of all Access Keys, and are solely responsible for all activities that occur with such Access Keys; and (c) you will notify Cloudflare promptly of any actual or suspected unauthorized use of any Access Key, or any other breach or suspected breach of the Agreement. Cloudflare reserves the right to terminate any Access Key that Cloudflare reasonably determines may have been used by an unauthorized third party, and shall provide you with immediate notice of such. For your own security, Cloudflare strongly encourages that you take all necessary security precautions in conjunction with all Access Keys.
Your access or use of the Cloudflare Registrar Services is subject to the Cloudflare Domain Registration Agreement available here.