Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Acquias managed CDN built on Akamai that proxies every visitor request and sets routing, load balancing and bot management cookies on the browser.
Acquia Cloud Platform CDN is the content delivery network bundled with Acquias managed Drupal hosting offer. It is technically powered by Akamai and acts as a reverse proxy in front of customer origins, serving cached HTML, images, scripts and assets from edge points of presence located around the world. Acquia is headquartered in the United States, while the edge layer runs on Akamai infrastructure spread across many countries.
When Bot Manager and load balancing features are enabled, the CDN sets first party cookies such as AKA_A2 (HTTP/2 affinity), ak_bmsc (Bot Manager session) and bm_sv (Bot Manager validation). It also creates short lived bm_sz and _abck cookies to fingerprint clients and score bot likelihood. The Akamai edge processes the visitor IP address, TLS handshake metadata, request URL, headers and a behavioural score.
Strictly necessary routing cookies such as AKA_A2 may rely on the ePrivacy exemption, but Bot Manager cookies that profile visitor behaviour generally require informed consent under Article 5(3). The lawful basis for security processing is usually legitimate interest under Article 6(1)(f), but European regulators expect a documented balancing test and a clear notice in the privacy policy.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Acquia is a US controller and Akamai operates worldwide. Even if EU traffic is served by EU edge nodes, the configuration and security data may flow back to the United States. EU customers must rely on the EU US Data Privacy Framework or Standard Contractual Clauses, perform a Transfer Impact Assessment and ensure that contractual safeguards are in place with both Acquia and Akamai.
Sign a data processing agreement with Acquia, confirm subprocessor coverage for Akamai, document the EU US Data Privacy Framework status, configure Bot Manager only where necessary and list every CDN cookie in your cookie policy. Set a consent banner that gates Bot Manager and any optional analytics cookies until the visitor opts in.
Websites using Acquia Cloud Platform CDN must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because Acquia Cloud Platform CDN combines large scale traffic processing, Bot Manager profiling, transfers to the United States and routing through Akamai edge nodes worldwide. Document the legal basis for each cookie, the EU US Data Privacy Framework status and the residual risk before deploying.
Sample consent text
This site is delivered via Acquia Cloud Platform CDN powered by Akamai. It sets routing and security cookies on your device and may send data to servers in the United States. Click Accept to allow them or Reject to keep only the strictly necessary cookies.
Third-party domains contacted
acquia.comacquia-sites.comakamaihd.netakamaized.netedgekey.netedgesuite.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| AKA_A2 | necessary | Session | Akamai HTTP/2 connection affinity cookie that keeps a visitor pinned to the same edge server during a browsing session for performance and reliability. |
| ak_bmsc | necessary | 2 hours | Akamai Bot Manager session cookie used to identify legitimate human traffic and to mitigate automated requests without challenging real users. |
| bm_sv | necessary | 2 hours | Akamai Bot Manager validation cookie used to confirm a session that has already passed bot detection challenges, preventing repeated CAPTCHAs. |
| bm_sz | necessary | 4 hours | Short lived Akamai Bot Manager cookie that stores a session fingerprint used to compute a bot likelihood score on subsequent requests. |
| _abck | necessary | 1 year | Akamai Bot Manager cookie that maintains a longer term anti bot state for the visitor and supports behavioural scoring across sessions. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
The CDN sets AKA_A2 for HTTP/2 connection affinity, ak_bmsc and bm_sv for Akamai Bot Manager sessions and validation, and short lived bm_sz and _abck cookies for client fingerprinting. They are first party cookies issued by the customer domain through the Akamai edge.
Strictly necessary routing cookies may rely on the ePrivacy exemption, but Bot Manager and analytics cookies generally require prior consent. If you activate Bot Manager you must collect informed consent before the cookies are written.
Routing and security processing typically relies on legitimate interest under Article 6(1)(f) of the GDPR, with a documented balancing test. Non essential profiling and analytics rely on consent under Article 6(1)(a).
Yes. Acquia is a US controller and Akamai operates globally, so configuration, security telemetry and support data may be processed in the United States. You must rely on the EU US Data Privacy Framework or Standard Contractual Clauses and document the transfer impact.
A DPIA is recommended whenever you process visitor data at scale through a US controller with bot profiling. The combination of behavioural scoring, large user numbers and international transfers usually meets the Article 35 thresholds.
Sign the Acquia data processing agreement, confirm Akamai as a subprocessor, document the Data Privacy Framework status, only enable Bot Manager where needed, gate non essential cookies behind consent and list every cookie in your cookie policy.
EU based managed CDNs such as Bunny.net, Gcore EU edge, OVHcloud CDN or self hosted Varnish behind a European hosting provider can deliver similar performance while keeping traffic inside the EEA and reducing transfer risks.
Disclose Acquia Cloud Platform CDN as your CDN and security provider, list AKA_A2, ak_bmsc, bm_sv, bm_sz and _abck, indicate their retention, identify the controller in the United States and link to the Acquia and Akamai privacy notices.