Yes. Under CCPA, a “service provider” is a company like ours that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract,” subject to additional contractual requirements specified by the CCPA. This service provider relationship is explicit in Cloudflare's Data Processing Addendum (DPA), which in turn is incorporated into both our Enterprise Service Agreement (ESA) and Self-Serve Subscription Agreement (SSA). In addition, to the extent Cloudflare processes personal data on behalf of our customer within the scope of the CCPA, we commit in our DPA that we will not retain, use, or disclose such personal data for any purposes other than the purposes set out in the ESA or SSA, together with the DPA, and as permitted under the CCPA, including under any “sale” exemption. Cloudflare will not “sell” or “share” the data we process on behalf of our customers, as those terms are defined in the CCPA.
No. Cloudflare does not sell, rent, or share personal information we process on behalf of our customers as a service provider or processor, including as the terms "sell" or "share" are defined in the CCPA.
Please note that Cloudflare has no direct relationship with the individuals who access or use our customers’ domains, networks, websites, application programming interfaces, and applications or the customer employees who use Cloudflare's services, such as Zero Trust ("End Users"). Even where “Cloudflare” may be indicated as the authoritative name server for a domain, unless Cloudflare is the owner of that domain, we have no control over a domain’s content. We rely upon our customers to comply with the underlying legal requirements for Rights Requests in accordance with their obligations under applicable data protection laws. If an End User requests that we fulfill a Rights Request, we will direct that End User to contact the customer website(s) with which they interacted directly. Our customers are solely responsible for ensuring compliance with all applicable laws and regulations with respect to their website users.
Cloudflare supports many businesses with rigorous data security requirements, including a number of healthcare organizations.
Although the U.S. Department of Health and Human Services (HHS) does not recognize a certification for HIPAA compliance, Cloudflare's network, management infrastructure, and associated processes and procedures are consistent with the security requirements specified by HIPAA and related regulations. However, Cloudflare will only enter into business associate agreements (BAAs) with its enterprise customers.