Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Azion is a Brazilian edge computing and content delivery network platform. It routes website traffic through globally distributed edge nodes for caching, image optimisation, web application firewall and serverless edge functions. Azion does not drop tracking cookies on end users. It logs connection metadata such as IP, user agent and path on the edge for security and operations, which makes it generally low risk under GDPR.
Azion is a Brazilian edge computing platform. It provides a content delivery network, edge cache, image and video optimisation, a web application firewall, DDoS protection and a serverless edge runtime where customers can deploy JavaScript functions close to end users. Sites using Azion route their traffic through nearby edge nodes before reaching the origin.
IP address, TLS handshake metadata, user agent, request method, path, status code, response size, latency, WAF events and bot signals. Azion does not write tracking cookies on visitors and does not build advertising profiles. Edge functions only see the data passed by the customer''s code.
Operating a CDN is strictly necessary to deliver the requested website. Article 5(3) ePrivacy exempts strictly necessary storage from consent. Azion does not write to the device, so no consent is required for the CDN itself. Logs containing IP addresses are personal data and need a retention policy under article 5(1)(e) GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
No consent is required for Azion as a CDN. If you deploy edge functions that process personal data beyond the strictly necessary scope, evaluate the additional purpose against article 6 GDPR and disclose it in your privacy notice.
Azion is headquartered in Brazil. Edge nodes outside the EEA process connection metadata to deliver content efficiently. Brazilian LGPD aligns with GDPR principles, and EU operators rely on Standard Contractual Clauses to cover non EEA processing. Choose EU edge regions when possible for maximum proximity.
Sign a DPA with Azion, document the use of Azion as a sub processor in the records of processing, set a short retention on edge logs, configure WAF rules without retaining sensitive payloads longer than needed, and audit any edge function that handles personal data. List Azion in the privacy notice but not in the cookie policy.
Websites using Azion must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Azion as a CDN, since it acts as a strictly necessary network intermediary. It can be appropriate when edge functions process personal data substantially (authentication, A/B testing, personalisation), in which case document the edge logic, retention and the regions involved.
Sample consent text
Our website is delivered through Azion's global edge network. Azion does not set tracking cookies. It processes connection metadata (IP, browser) at the edge solely to deliver the page and to protect the website. No consent is required for this strictly necessary processing.
Third-party domains contacted
azion.comazioncdn.netedge.azion.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| azion_waf | session | session | Optional security cookie set by the Azion WAF when challenging a suspicious client. Strictly necessary, exempt from consent. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Azion as a pure CDN does not set tracking cookies. It can pass through cookies set by the origin website. WAF and bot management features may temporarily set a security cookie to challenge suspicious clients. Such security cookies are strictly necessary and exempt from consent.
No. Azion is a strictly necessary intermediary delivering the requested website. Article 5(3) ePrivacy does not require consent for strictly necessary processing. Edge functions that go beyond and process personal data for other purposes need their own legal basis.
Performance of contract between operator and visitor for delivering the site, and legitimate interest in protecting it (article 6(1)(f) GDPR). No prior consent under article 5(3) ePrivacy because no non essential storage is written.
Edge nodes outside the EEA can process EU visitor connection metadata. Azion is based in Brazil. Brazilian LGPD is broadly aligned with GDPR. EU operators should sign SCCs and review the regions of edge processing.
Not for the CDN itself. A DPIA may be appropriate when edge functions perform substantial personal data processing (authentication, scoring, personalisation) on top of Azion.
Sign a DPA, document Azion as a sub processor, set short retention on edge logs, configure WAF carefully, restrict access to logs, and disclose Azion in the privacy notice as a hosting/CDN sub processor.
EU oriented alternatives include Cloudflare (US with EU Data Localisation Suite), Bunny.net (Slovenia, EU), Fastly (US with EU controls), Akamai, Gcore (Luxembourg, EU), KeyCDN (Switzerland), and Scaleway Edge Services (France).
You normally do not need to list Azion in the cookie policy because no tracking cookies are set. List Azion in the privacy notice as a sub processor providing CDN and security. If you add edge functions that drop cookies, list them like any other vendor.