Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Pingdom is a website monitoring service operated by SolarWinds (US) that provides uptime monitoring, page speed testing, Real User Monitoring (RUM), and transaction monitoring. While basic uptime checks do not involve end user data, the RUM feature deploys a JavaScript snippet that collects visitor performance metrics and sets cookies, requiring GDPR consent. All monitoring data is stored on US infrastructure.
Pingdom is a website monitoring SaaS operated by SolarWinds Worldwide LLC since 2014. It provides three main capabilities: synthetic uptime checks (HTTP, TCP, ping, transaction recorder) from external probes located in 70 cities worldwide; page speed monitoring; and Real User Monitoring (RUM), a JavaScript beacon embedded on the publisher pages that captures navigation timing for every actual visitor and reports it to the SolarWinds cloud.
When the publisher injects the Pingdom RUM script (prum.min.js) into the page, the beacon writes the cookie pa_user (random identifier, persistent), pa_vid (visitor id, 1 year) and pa_id (page view id, session). The beacon then sends a JSON payload to rum-collector.pingdom.net containing the visitor IP address, user agent, referrer, navigation timing API metrics, page URL and the cookie values. Synthetic checks do not write any cookie because they run from Pingdom probes, not from real visitors.
Pingdom synthetic monitoring does not process visitor data and can rely on the legitimate interest of the publisher in keeping its site available (GDPR art. 6(1)(f)). Pingdom RUM, on the other hand, is a measurement of real visitor behaviour and processes the IP address as personal data (CJEU Breyer 2016, CNIL guidance 2022). Consent is therefore required under ePrivacy art. 5(3) and GDPR art. 6(1)(a) before loading prum.min.js. The CNIL exemption for analytics does not apply because the data is sent to a US processor that may reuse it for product analytics on SolarWinds aggregate dashboards.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
SolarWinds Worldwide LLC is established in the United States and adheres to the EU US Data Privacy Framework since 18 December 2023. Customer account data, alert routing and RUM beacons are processed in the United States. The Pingdom data processing addendum incorporates the EU Standard Contractual Clauses (module 2 controller to processor) and a transfer impact assessment. Publishers should keep the active DPF certification reference (verifiable at dataprivacyframework.gov) and refresh the TIA every year, particularly in light of the ongoing litigation around US surveillance laws.
Block the prum.min.js script before consent (the CMP must remove it from the page until the visitor accepts the performance category). Document Pingdom and SolarWinds Worldwide LLC in the records of processing (GDPR art. 30) and in the privacy notice. Sign the Pingdom data processing addendum including the EU Standard Contractual Clauses. Run a DPIA when RUM is combined with custom dimensions that reveal user behaviour (logged in user id, plan name, search terms). Keep raw RUM logs to 14 months maximum, in line with the CNIL guidance on analytics retention.
For uptime monitoring without RUM, Better Stack (formerly Better Uptime), Uptime Kuma (open source), Cronitor, StatusCake and Hetrix Tools are EU friendly options. For Real User Monitoring with EU hosting, Plausible Web Vitals, Cabin Real User Monitoring, Sentry Performance and SpeedCurve provide alternatives. Server side monitoring (server access logs sent to a self hosted ELK stack) avoids consent entirely.
Websites using Pingdom (Uptime Monitoring) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for synthetic uptime monitoring alone, which processes only server response metadata. If the optional Pingdom RUM JavaScript is deployed, evaluate visitor data collection separately.
Sample consent text
We use Pingdom, a website monitoring service from SolarWinds, to keep this site fast and available. Pingdom synthetic checks run from external probes and do not collect any data about you. When Real User Monitoring is enabled, a JavaScript beacon collects your IP address, user agent, page URL and navigation timings and sends them to SolarWinds in the United States under the EU US Data Privacy Framework. RUM is only activated if you accept the performance category in our cookie preferences, and you can withdraw your consent at any time.
Third-party domains contacted
www.pingdom.compingdom.comrum-static.pingdom.netmy.pingdom.comrum-collector.pingdom.netapi.pingdom.comsolarwinds.comrum-static.pingdom.netrum-collector.pingdom.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pingdom_rum | analytics | Session | Real User Monitoring cookie tracking page load performance metrics within a visitor browsing session. |
| pingdom_rum | First party (Pingdom RUM, optional) | Session | Set only if the optional Pingdom Real User Monitoring JavaScript is deployed. Stores a session identifier used for performance attribution. |
| pingdom_session | authentication | Session | Maintains the authenticated session for the Pingdom dashboard (my.pingdom.com). |
| pingdom_csrf | security | Session | CSRF protection token for dashboard operations and account management. |
| _ga | analytics | 2 years | Google Analytics cookie on the Pingdom website tracking visitor behaviour. |
Pingdom (Uptime Monitoring) collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Uptime monitoring sets no cookies on visitor browsers. However, the Real User Monitoring (RUM) feature sets a _pingdom_rum cookie to track page load performance within a visitor session. The Pingdom dashboard (my.pingdom.com) sets authentication and analytics cookies for account management.
Not for uptime monitoring (server to server, no visitor data). Yes for RUM: the JavaScript snippet collects visitor IP addresses, browser data, and sets a cookie, requiring both ePrivacy and GDPR consent. The RUM script should only load after consent is given.
Uptime monitoring uses legitimate interest (Art. 6(1)(f)) as no visitor personal data is involved. RUM requires consent (Art. 6(1)(a)) for collecting visitor performance data. Dashboard access for employees relies on contract performance or legitimate interest.
Yes. SolarWinds is US based and all monitoring data is stored on US infrastructure. Probes operate globally but results are centralised in US data centers. No EU data residency option. Transfers covered by SolarWinds DPA with SCCs.
Only if using RUM, which collects visitor browser data at scale. Uptime monitoring alone does not require a DPIA. If RUM is deployed across high traffic websites, assess the scope of visitor data collected, the IP address processing, and US storage implications.
Execute the SolarWinds DPA. For RUM: implement cookie consent blocking the script until consent is granted. Classify _pingdom_rum as a performance cookie. Add RUM details to your cookie policy. For uptime only: no visitor facing compliance measures are needed. Restrict dashboard access and document Pingdom in your processing records.
For uptime monitoring: Uptime Kuma (open source, self hosted), Hetrixtools (with EU options), Checkly (EU friendly monitoring). For RUM alternatives: Plausible Analytics (EU hosted, privacy first), Matomo (self hosted), or browser native Performance API metrics collected server side. Self hosted monitoring eliminates third party data processing.
If using RUM, add the _pingdom_rum cookie to your cookie policy specifying its purpose (performance measurement), duration (session), and that data is processed by SolarWinds in the US. Classify it under performance or analytics. Provide opt out controls. If using uptime monitoring only, no cookie policy entry is needed as no visitor cookies are set.
None on the visitor side. Pingdom Uptime Monitoring relies on external server side probes that issue HTTP requests but do not store anything in the visitor's browser. Only the optional Pingdom Real User Monitoring (RUM) JavaScript sets a tracking identifier; treat it as a separate service.
No, the uptime checks themselves do not access the terminal equipment of any visitor and therefore fall outside Art. 5(3) of the ePrivacy Directive. Consent is only required if you also deploy the Pingdom RUM JavaScript.
Legitimate interest (Art. 6(1)(f) GDPR) for service availability and security. Account data of the Pingdom user is processed under contract (Art. 6(1)(b) GDPR) with SolarWinds.
Account data, monitoring metadata and alert logs are processed in the United States by SolarWinds Worldwide LLC. SolarWinds is certified under the EU US Data Privacy Framework and uses EU SCCs as additional safeguards.
No DPIA is required for the uptime checks alone. A DPIA is recommended if you combine Pingdom with Pingdom RUM or with deep transaction monitoring that captures personal data.
Sign the SolarWinds DPA, register Pingdom in your Article 30 record, select EU probe locations where possible, restrict alert recipients, and document any test users used in transaction checks.
European alternatives: Site24x7 (Zoho), Statuscake (UK), Uptime.com (US/EU regions), Better Stack (Czech Republic), Checkly (Berlin), Updown.io (France), Hyperping (Belgium) and Hetrixtools (UK).
No cookie policy entry is required for the synthetic uptime checks because no cookie is set. If Pingdom RUM is deployed, add a dedicated entry describing the rum identifier, the performance data collected and the US processing location.