Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Akamai Connected Cloud is the cloud computing platform of Akamai Technologies, built on the former Linode infrastructure that Akamai acquired in 2022. It offers virtual machines, managed databases, object storage, Kubernetes and load balancers across regions worldwide, including several EU locations. As a hosting platform it does not set browser cookies, but the choice of region, the role of Akamai as a US controlled processor and the access by Akamai support staff in the United States all matter under the GDPR.
Akamai Connected Cloud is the public cloud computing platform of Akamai Technologies, Inc. It was built on the former Linode IaaS that Akamai acquired in 2022 and combined with the Akamai global edge network. The platform offers compute (Shared, Dedicated and GPU VMs), Object Storage (S3 compatible), Managed Databases (PostgreSQL, MySQL, MongoDB, Redis), Kubernetes (LKE), NodeBalancers, Cloud Firewall and VLANs. Several regions are available in the EU (Frankfurt, Amsterdam, London, Paris, Stockholm, Milan, Madrid) alongside the historical US and APAC locations.
As a hosting layer, Akamai Connected Cloud processes whatever the customer puts on it: application binaries, databases, files in Object Storage and the IP traffic going through NodeBalancers and VLANs. Akamai itself collects operational metadata for billing, capacity planning, incident response and abuse handling: resource events, network flow logs at the infrastructure level, support tickets, console access logs. End user cookies are not in scope: Akamai Connected Cloud does not interact with the customer''s visitors directly.
Akamai acts as a processor under Article 28 GDPR for the customer data hosted on Connected Cloud. The Akamai Data Processing Addendum is the standard contract, embedding the EU SCCs and referring to the Data Privacy Framework certification of Akamai Technologies, Inc. ePrivacy is generally not engaged because the platform itself does not store or read information on user terminals. The key topics are region selection, support access from the US, encryption at rest, and the audit and breach notification obligations.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
No, not for hosting per se. The lawful basis is contract performance with the customer or legitimate interest in running the website. Consent only becomes relevant when the hosted application chooses to set cookies, run analytics or use third party services that themselves require consent. The privacy policy must still mention Akamai as the hosting provider, the region, and the Data Privacy Framework or SCC reliance.
Akamai Technologies, Inc. is incorporated in the United States and subject to US law including FISA 702 for electronic communications services. Akamai is self certified under the EU US Data Privacy Framework, which provides an adequacy decision for transfers to certified Akamai entities. EU customers can also rely on SCCs and Akamai''s public Transfer Impact Assessment summary. Persistent customer data stays in the chosen region; only metadata and support tickets routinely travel beyond.
Pick an EU region for resources that hold personal data, sign the Akamai DPA, enable disk encryption and database encryption, restrict access via SSH keys and IAM, retain Linode Cloud Manager audit logs only as long as needed and conduct a TIA when high risk data is processed. Add Akamai Technologies as a recipient in the privacy policy with the region and transfer mechanism. Consider VLANs and Cloud Firewall to constrain east west traffic.
Websites using Akamai Connected Cloud must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not triggered by the use of Akamai Connected Cloud as a hosting layer in itself. When the customer's application processes high risk data (health, financial, large scale UGC), a DPIA should cover the cloud region, the AWS DPA, encryption setup and the access logging.
Sample consent text
Our application is hosted on Akamai Connected Cloud. Loading the site connects you to servers operated by Akamai Technologies in the region we selected (EU data centre when applicable). Akamai may access metadata from the United States.
Third-party domains contacted
linode.comcloud.linode.comapi.linode.comlinodeobjects.comobjects.linodeobjects.comakamai.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies set on visitor browsers | none | N/A | Akamai Connected Cloud is a hosting platform and does not set client side cookies on the visitors of the customer's website. Cookies that may appear depend entirely on the application deployed on the platform. The Cloud Manager administrative console sets session cookies, but only for administrators logged in to cloud.linode.com. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
No. Akamai Connected Cloud is a cloud infrastructure platform and does not interact with end users directly. Cookies depend entirely on the application the customer deploys. The Cloud Manager console used by administrators does set cookies, but those are not seen by visitors.
No, hosting itself does not require consent. The lawful basis is contract performance with your customers or legitimate interest in operating the website. Consent only applies to specific cookies or tracking introduced by the application running on top.
Contract performance under Article 6(1)(b) GDPR for delivering the service and legitimate interest under Article 6(1)(f) for security and operational logs. Akamai is your processor under the Akamai Data Processing Addendum.
Persistent customer data stays in the chosen region. Operational metadata, support tickets and remote administrative access can reach Akamai in the United States. The transfer is covered by the EU US Data Privacy Framework and SCCs in the Akamai DPA.
Not for hosting itself. When the application processes high risk data (large scale UGC, health, financial data), include the cloud setup, encryption configuration and US access risk in the broader DPIA you conduct for that application.
Select an EU region, sign the Akamai DPA, encrypt block storage and databases, restrict admin access via SSO and SSH keys, use VLANs and Cloud Firewall to segment workloads, enable activity logs and shorten retention to what is necessary. Document everything in your Article 30 record.
EU based hyperscale alternatives include OVHcloud, Scaleway, Hetzner Cloud, Infomaniak, IONOS Cloud and 1&1. For sovereign workloads in France there are OVH SecNumCloud and Outscale. Larger players include Google Cloud and Microsoft Azure with EU regions.
State that the site is hosted on Akamai Connected Cloud, operated by Akamai Technologies, Inc. (USA) and its EU contracting entity, indicate the region(s) of the resources, the categories of data processed (application data, IP logs, operational metadata) and the transfer mechanism (Data Privacy Framework and SCCs).