STRATO is a German web hosting provider headquartered in Berlin and a subsidiary of United Internet AG. It offers domain registration, shared and managed Linux hosting, dedicated and bare metal servers, the Webseiten-Baukasten drag and drop website builder, HiDrive cloud storage, Microsoft 365 mailboxes and WordPress hosting. With ISO 27001 certified twin data centres in Karlsruhe and Berlin and no extra-EU transfer for the core service, STRATO is a popular choice for German speaking small and medium businesses that want a fully GDPR aligned hosting partner.
STRATO AG, registered in Berlin, is a German hosting provider founded in 1997 and now part of United Internet AG. It targets the German speaking small and medium business market with shared web hosting plans, managed WordPress, dedicated and bare metal servers, the Webseiten-Baukasten drag and drop builder, HiDrive cloud storage, mailboxes powered by Microsoft 365 and a domain registrar service. STRATO operates two twin data centres in Karlsruhe and Berlin that are ISO 27001 certified and have received the TUEV-Saarland trusted data centre attestation.
On a website hosted with STRATO, the infrastructure layer sets technical session cookies for the customer panel and may add load balancing cookies. The Webseiten-Baukasten injects strato_session and strato_csrf cookies for the editor. Analytics, marketing or social embed cookies are only added by the customer through Baukasten blocks or by integrating third party services. STRATO server logs capture IP, User-Agent, requested URL and Referer for security and abuse detection.
STRATO acts as Auftragsverarbeiter for hosting, mail, HiDrive and Baukasten, and as Verantwortlicher for its own customer communications. The Auftragsverarbeitungsvertrag (AVV) is signed automatically as part of the customer contract, fully aligned with Articles 28 and 32 GDPR, and is available in the customer panel in German, English, French and Spanish.
All customer data for the core STRATO hosting service stays in Germany. The optional Microsoft 365 mailbox plan introduces a Microsoft processing layer, with its own EU Data Boundary scope. The HiDrive Pro plan and dedicated servers stay strictly inside the EU.
Article 6(1)(b) GDPR (contract) covers hosting, mailbox and Baukasten services. Article 6(1)(f) covers security. Article 6(1)(a) only applies if the customer integrates analytics or marketing scripts through the Baukasten.
Sign the STRATO AVV in the customer panel, enable two factor authentication, review the ISO 27001 attestation and the TUEV-Saarland trusted data centre certificate, list STRATO in the privacy notice, document the sub-processor list (in particular Microsoft for the optional 365 mailbox) and integrate any optional analytics or marketing snippet into the Consent Management Platform.
Websites using STRATO must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is rarely required for STRATO alone. Document a short transfer impact assessment confirming that the data stays in the Karlsruhe and Berlin datacentres, the ISO 27001 certification, the BSI principles followed by STRATO and the response plan for any government access request based on German Bundesnachrichtendienst rules.
Sample consent text
This website is hosted on STRATO infrastructure in Germany. Hosting cookies for load balancing and security are strictly necessary and exempt from consent. Optional cookies set by Webseiten-Baukasten templates for analytics or marketing only fire after you click Accept on the cookie banner.
Third-party domains contacted
strato.de, strato.com, hidrive.com, cdn.strato.de
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| strato_session | HTTP cookie | Session | STRATO customer panel and Webseiten-Baukasten session identifier. |
| strato_csrf | HTTP cookie | Session | Anti CSRF token for STRATO panel and Baukasten editor. |
| strato_lang | HTTP cookie | 1 year | Stores the preferred language for the customer panel. |
STRATO hosting and Webseiten-Baukasten set technical session cookies (strato_session, strato_csrf) and a language preference cookie. No analytics or marketing cookies are deployed by default.
Hosting cookies are strictly necessary and exempt from prior consent under TTDSG and ePrivacy. Only the optional analytics or marketing snippets added by the customer require consent.
Article 6(1)(b) GDPR (contract) for hosting, domain and mailbox services. Article 6(1)(f) for security. Article 6(1)(a) only for optional analytics or marketing scripts.
No, the core hosting service stays in Germany. The optional Microsoft 365 mailbox plan introduces Microsoft processing under its own EU Data Boundary commitment.
Rarely. A short transfer impact assessment confirms that data stays in Karlsruhe and Berlin and references the ISO 27001 and TUEV-Saarland trusted data centre attestations.
Sign the AVV in the customer panel, enable 2FA, review ISO 27001 and TUEV-Saarland attestations, list STRATO in the privacy notice, document Microsoft as a sub-processor for optional 365 plans and channel optional analytics into the CMP.
Hetzner, IONOS, Mittwald, all-inkl, Netcup, Domainfactory for German speaking markets. OVHcloud and Scaleway in France. Infomaniak in Switzerland. All offer EU only hosting.
List STRATO AG as a processor for hosting and registrar for the domain, describe the technical cookies, mention the ISO 27001 and TUEV-Saarland attestations and link to the STRATO AVV and privacy notice.