Kinsta is a premium managed WordPress, application and database hosting provider founded in 2013 and based in California. It runs entirely on Google Cloud Platform with 37 data centres worldwide, including multiple EU regions. Kinsta signs a Data Processing Addendum with customers, supports Standard Contractual Clauses and integrates Cloudflare for edge security.
Kinsta is a premium managed WordPress, application and database hosting platform founded in 2013, with headquarters in California and a globally distributed remote team. Kinsta runs exclusively on Google Cloud Platform using the C2 and C3D compute tiers, with 37 data centres worldwide including Belgium, Netherlands, Frankfurt, Finland, Italy, France, Poland, Switzerland and London. Kinsta is EU US Data Privacy Framework certified, SOC 2 Type II audited and ISO 27001 attested.
Kinsta processes server logs, request headers, visitor IP addresses, bandwidth and CDN usage. The hosting itself does not set tracking cookies in the visitor browser. The MyKinsta dashboard (my.kinsta.com) and marketing site (kinsta.com) set first party cookies for authentication, session management, analytics and customer support chat. Cloudflare sits in front of every site for DDoS protection and may set the __cf_bm and cf_clearance security cookies.
Kinsta is a data processor under Art. 28 GDPR. The site owner is the controller. Kinsta publishes a Data Processing Addendum, a list of sub processors including Google Cloud and Cloudflare, and supports Standard Contractual Clauses. Because Cloudflare is always in the request path, it must be disclosed even if no other front edge service is enabled. The ePrivacy Directive does not require consent for the hosting layer itself, but any analytics or marketing tools installed on top of WordPress are still subject to consent.
No visitor consent is required for the Kinsta hosting layer or for the Cloudflare strictly necessary security cookies. Consent remains required for any third party tools installed inside WordPress, such as Google Analytics, Meta Pixel, marketing chat widgets or A/B testing tools. Kinsta APM, an internal performance tool, runs server side and does not require visitor consent.
Kinsta Inc. is a US incorporated company, so support, billing and admin access can take place from the United States. By selecting an EU GCP data centre, the customer site data stays in the EEA. US staff access remains a transfer to a third country and is covered by Standard Contractual Clauses and the EU US Data Privacy Framework, for which Kinsta is certified. Cloudflare points of presence are global and can route traffic through nodes outside the EEA, which must be documented.
Accept the Kinsta Data Processing Addendum in MyKinsta, choose a European GCP region during site creation, add Kinsta, Google Cloud and Cloudflare to your sub processor list, run a Transfer Impact Assessment that references Kinsta's certifications, configure WordPress to avoid unnecessary cookies, set GeoIP edge rules if needed, and review the Kinsta sub processor list at least once a year for changes.
Websites using Kinsta must obtain user consent under GDPR regulations.
DPIA considerations
Kinsta Inc. acts as a data processor under Art. 28 GDPR. Key DPIA considerations: (1) data centre region choice, an EU region keeps visitor data within the EEA but does not eliminate access by US staff; (2) Cloudflare is always in front of customer sites as an additional sub processor and must be disclosed; (3) MyKinsta dashboard and Kinsta APM track customer side usage with first party cookies; (4) automatic daily backups are retained across regions, retention is configurable; (5) server logs include visitor IPs processed under legitimate interest; (6) Kinsta has SOC 2 Type II, ISO 27001 attestations and EU US Data Privacy Framework certification which strengthen the Transfer Impact Assessment.
Sample consent text
Our website is hosted by Kinsta, a managed WordPress hosting provider running on Google Cloud Platform. Kinsta processes connection logs, IP addresses and security data on our behalf, with Cloudflare as an additional sub processor for edge security. We have signed a Data Processing Addendum with Kinsta and rely on Standard Contractual Clauses for transfers outside the EEA.
Third-party domains contacted
kinsta.com, my.kinsta.com, kinsta.cloud, kinstacdn.com, cloudflare.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| kinsta_session | Functional | Session | MyKinsta dashboard session cookie used to maintain an authenticated customer session. |
| _intercom_session_* | Functional | 7 days | Used by the customer support chat (Intercom) embedded on kinsta.com and MyKinsta to identify ongoing conversations. |
| __cf_bm | Functional | 30 minutes | Cloudflare bot management cookie set in front of Kinsta hosted sites to distinguish humans from automated traffic. |
| cf_clearance | Functional | 30 days | Cloudflare cookie indicating that a visitor has passed a security challenge before reaching a Kinsta hosted site. |
Kinsta's hosting layer itself does not set tracking cookies on visitor browsers. Cookies appear on the MyKinsta dashboard and the kinsta.com marketing site for authentication, sessions, analytics and support chat. Cloudflare sits in front of every site and may set strictly necessary security cookies (__cf_bm, cf_clearance), which are exempt from consent.
No consent is required for the hosting layer or Cloudflare's strictly necessary security cookies. Consent remains required for any third party tools you install on top of WordPress, such as Google Analytics, Meta Pixel or marketing scripts. Kinsta should be disclosed as a sub processor in your privacy policy.
Hosting relies on contract performance (Art. 6(1)(b) GDPR) between the controller and visitor for delivering the site, and on legitimate interest (Art. 6(1)(f) GDPR) for server logs, DDoS protection and abuse prevention. Kinsta acts as a processor under Art. 28 GDPR through the Data Processing Addendum you accept in MyKinsta.
Customer site data is stored in the GCP region selected during site creation. You can pick EU regions such as Belgium, Netherlands, Frankfurt, Finland, Italy, France, Poland, Switzerland or London. Because Kinsta Inc. is US incorporated, support, billing and admin access can occur from the US, which is a transfer to a third country covered by Standard Contractual Clauses and the EU US Data Privacy Framework, for which Kinsta is certified.
A DPIA is recommended for sites handling special category data or large volumes of personal data. The key risks to assess are third country transfers via support and billing access, Cloudflare edge routing, and retention of server logs and daily backups. Kinsta's SOC 2 Type II, ISO 27001 and DPF certifications strengthen the analysis but do not eliminate the need.
Accept the Data Processing Addendum in MyKinsta, select an EU GCP region during site creation, document Kinsta, Google Cloud and Cloudflare as sub processors, run a Transfer Impact Assessment, configure WordPress to avoid unnecessary cookies, restrict admin access to EU based staff where possible, and review Kinsta's sub processor list at least once a year.
EU based managed WordPress hosts that may simplify compliance include Raidboxes (Germany), Savvii (Netherlands), 20i (UK), Pressidium (UK) and Hetzner with WordPress add ons. Cloud agnostic alternatives include Pantheon and Cloudways. Picking an EU controller and EU data centre removes the third country transfer question for support and admin access.
Add Kinsta as a hosting sub processor in your privacy policy, name the GCP region you selected, mention Google Cloud as an upstream sub processor and Cloudflare for edge security. Link Kinsta's sub processor list and Data Processing Addendum. Document your Transfer Impact Assessment and note that Kinsta is certified under the EU US Data Privacy Framework.