Cloudflare's commitment to GDPR compliance
At Cloudflare, our company mission is to help build a better internet. We believe that the protection of our customers' and their end users' data is fundamental to this mission.
The General Data Protection Regulation (GDPR) is a sweeping new European Union (EU) privacy law that came into effect on May 25, 2018. The GDPR harmonizes data privacy laws across the EU and mandates how companies collect, store, delete, modify and otherwise process personal data of EU citizens. It applies to any company that processes personal data of EU citizens, regardless of whether such company has any physical presence in the EU, or even whether it has any EU customers.
Our Data Processing Addendum: We offer our customers a Data Processing Addendum (DPA) if they believe one is required under the GDPR. On October 29, 2019, we updated our customer DPA to take account of the changes in applicable law in light of Brexit and the California Consumer Privacy Act (CCPA) that takes effect January 1, 2020. We also have updated the description of personal data that we process pursuant to the DPA to make it clearer that we process the personal data of any natural persons who use our customers’ Internet properties, applications, networks, along with any software, software development kits, and application programming interfaces made available in connection with the Cloudflare Services as defined in our Enterprise Service Agreement. You can view a redline of the changes to the DPA here.
Our Commitment
The team at Cloudflare is confident that we have taken the steps necessary to ensure our policies, processes, and procedures meet GDPR requirements. We understand that compliance with a new set of privacy laws can be challenging, and we are here to help with your GDPR compliance initiative by providing you with state of the art, GDPR-ready services.
Our legal and policy experts have closely analyzed GDPR requirements and we’ve taken steps such as updating our Privacy Policy to more transparently disclose our information handling processes and to more comprehensively identify data subject access rights; taking numerous internal-facing steps including but not limited to documenting our data flows and records of processing activity; and ensuring we have in place data processing addendums with any vendors who process personal information on our behalf. Relatedly, we remain certified under the EU-US and Swiss-US Privacy Shield frameworks for onward transfers of EU data to the United States. (See https://www.cloudflare.com/privacyshield/)
We view compliance with the GDPR as an ongoing journey. We will continue to focus on ongoing GDPR requirements, such as evaluating the privacy impact of new products and services on our users’ personal data and training employees about protecting the privacy of personal information. In addition, we’ll continue to monitor new guidance on best practices for implementing the requirements of the GDPR. We are also dedicated to helping you, our customer, succeed in complying with the GDPR.
What Can You Do?
We have put together a number of resources that you can access here:
DATA PROCESSING ADDENDUM
If you have determined that you qualify as a data controller under the GDPR, and need a data processing addendum (DPA) in place with your qualifying vendors, we want to help make things easy for you.
Our GDPR compliant DPA is available for your acceptance within the preferences page of your Cloudflare account. All you need to do is follow these instructions.
GDPR RESOURCES
You can find more detailed information about the GDPR from the European Commission website and on our blog here.
GDPR FAQ
We have prepared some FAQs on the GDPR that are available for your review below.
FAQs
- What is GDPR?
The General Data Protection Regulation (GDPR) is a sweeping new EU law that went into effect in all EU Member States on May 25, 2018. It mandates how companies can collect, store, delete, modify and otherwise process personal data of EU citizens. It applies to any company that processes personal data of EU citizens, regardless of whether it has any physical presence in the EU, or even whether it has any EU customers. Companies are also required to pass these obligations down to all of their vendors and suppliers who may also handle personal data of EU citizens anywhere in the world. Despite Brexit, the UK is committed to stay compliant with the GDPR.
- What should I do to get started with the GDPR compliance process?
Inform: review your vendor list and get comfortable with how data flows across your business, what type of personal data you collect and who has access. If Cloudflare is one of your vendors, and you have determined that you need a DPA in place with Cloudflare, our GDPR compliant DPA is available for download and signature at the link above.
Assess: undertake a risk assessment within your business and identify any gaps that need to be filled in order to meet GDPR requirements.
Plan: get in touch with us to understand how our products can help meet your compliance needs, and develop an action plan.
Act: implement your GDPR compliance program and make GDPR compliance an ongoing discipline.
- What is the definition of “personal data” under GDPR?
The first and most important thing to realize is that the EU concept of “personal data” is much, much broader than the U.S. concept of “PII”. Under EU law, personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It doesn't have to be confidential or sensitive to qualify as personal data.
- Do I Count as a Data Controller or Data Processor?
Cloudflare customers will typically act as the data controller for any personal data made available to Cloudflare in connection with their use of Cloudflare’s web optimization and security services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Cloudflare, as the data processor, will process personal data on behalf of our customers in connection with providing the services to our customers.
- What Types of Data does Cloudflare Process?
We are generally just a conduit for information controlled by others; it’s our customers and their users who control the content transmitted, routed, switched and cached across our network (e.g. images, written content, graphics etc.). Additionally, we may gather certain information regarding use of our customers’ websites, and process data submitted by our customers or which we are instructed to process on their behalf. While it’s not up to us which data we receive, it typically includes items such as contact information, IP addresses, security fingerprints, DNS log data, and website performance data derived from browser activity. We will process such data in order to provide the service to our customers and in accordance with applicable laws, including the GDPR.
