Cloudflare Workers is a serverless platform that runs custom JavaScript and WebAssembly code at the edge of Cloudflare's global network, close to end users.
Cloudflare Workers is a serverless compute platform that runs custom JavaScript, TypeScript and WebAssembly code on the Cloudflare edge network. Workers can transform requests and responses, build APIs and full applications, and integrate with other Cloudflare products like KV, D1 and R2.
The platform itself processes IP addresses, request headers and URLs to route traffic to the nearest POP. Cloudflare may set its own operational cookies such as __cf_bm for bot management and cf_clearance for challenge results. Any additional data processing depends on the code deployed by the operator of the Worker.
Cloudflare classifies __cf_bm and cf_clearance as strictly necessary for security and bot mitigation, so they do not require consent under Article 5(3) of the ePrivacy Directive. Consent is required for any custom cookie that the Worker code sets for purposes that are not strictly necessary.
Workers run on the closest Cloudflare POP, including in the EU. However, Cloudflare is a US-headquartered company, and control plane data, account information and certain logs are processed in the United States. Transfers are governed by Standard Contractual Clauses and the EU-US Data Privacy Framework. The Cloudflare Data Localisation Suite can restrict data residency.
Sign the Cloudflare Data Processing Addendum, document Workers in your record of processing activities, consider the Data Localisation Suite for EU-only routing, and ensure that any cookie or storage operation performed by your Worker code respects consent obligations.
Websites using Cloudflare Workers must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Cloudflare Workers as infrastructure, but the use case must be assessed. A DPIA is recommended when Workers process sensitive data, build profiling features or call third-country services.
Sample consent text
We use Cloudflare Workers to run code at the edge for performance and security. Cloudflare may set strictly necessary security cookies and process technical data including your IP address.
Third-party domains contacted
cloudflare.com, workers.dev, cloudflareinsights.com, challenges.cloudflare.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | necessary | 30 minutes | Cloudflare bot management cookie that distinguishes humans from automated traffic to protect the website. |
| cf_clearance | necessary | 30 days | Confirms that the visitor has successfully passed a Cloudflare security challenge. |
| __cflb | necessary | 1 day | Cloudflare load balancer cookie used to provide session affinity to the appropriate origin server. |
| __cfwaitingroom | necessary | session | Cloudflare Waiting Room cookie used to manage queueing of users during traffic spikes. |
| __cfruid | necessary | session | Cloudflare rate limiting cookie used to identify trusted web traffic. |
Cloudflare itself may set __cf_bm to differentiate humans from bots and cf_clearance to remember the result of a security challenge. The Worker code deployed by the operator can also set arbitrary cookies, which must each be classified depending on their purpose.
Workers as edge compute do not require consent for strictly necessary security cookies such as __cf_bm and cf_clearance. Consent is required for any custom cookie or local storage operation set by the Worker code for analytics, personalisation or marketing purposes.
The legal basis is legitimate interest under Article 6(1)(f) of the GDPR for the security, performance and delivery of the website. For features that require consent under the ePrivacy Directive, the legal basis is the user's explicit consent.
Yes. Although Workers execute on the closest POP, including in the EU, Cloudflare's control plane, account information and some logs are processed in the United States. Transfers are governed by Standard Contractual Clauses and the EU-US Data Privacy Framework.
A standalone DPIA is generally not required for Workers used as plain infrastructure. A DPIA is recommended when Workers process sensitive data, build profiling features, call third-country services or implement automated decision-making.
Sign the Cloudflare DPA, enable the Data Localisation Suite for EU-only routing where required, audit the cookies and storage operations performed by your Worker code, log only what you need, hash identifiers and respect consent signals received from the CMP.
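One way a Worker could apply the consent rule above to the cookies it sets, as an added example that is not Cloudflare's or this page's own code. The necessary-cookie names come from the table on this page; the `consent` cookie, its `purpose:flag` format and the application cookie names are assumptions made for illustration.

```javascript
// Strictly necessary Cloudflare cookies, as listed in the table on this page.
const NECESSARY = new Set([
  "__cf_bm", "cf_clearance", "__cflb", "__cfwaitingroom", "__cfruid",
]);

// Hypothetical application cookies mapped to the purpose each one serves.
const APP_COOKIE_PURPOSE = new Map([
  ["_visitor", "analytics"],
  ["ab_bucket", "personalisation"],
  ["ad_id", "marketing"],
]);

// Read the purposes the visitor accepted from the request's Cookie header.
// Assumed CMP format: consent=analytics:1|marketing:0|personalisation:1
function grantedPurposes(cookieHeader) {
  const granted = new Set();
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0 || part.slice(0, idx).trim() !== "consent") continue;
    for (const entry of part.slice(idx + 1).trim().split("|")) {
      const [purpose, flag] = entry.split(":");
      if (flag === "1") granted.add(purpose);
    }
  }
  return granted;
}

// Decide whether one Set-Cookie line may be sent. Cookies that are neither
// necessary nor classified are dropped (fail closed), so an unreviewed
// cookie never reaches the browser without a recorded purpose.
function allowSetCookie(setCookieLine, granted) {
  const name = setCookieLine.split("=")[0].trim();
  if (NECESSARY.has(name)) return true;
  const purpose = APP_COOKIE_PURPOSE.get(name);
  return purpose !== undefined && granted.has(purpose);
}

// Filter the Set-Cookie lines of an outgoing response against the consent
// carried by the incoming request.
function filterSetCookies(setCookieLines, cookieHeader) {
  const granted = grantedPurposes(cookieHeader);
  return setCookieLines.filter((line) => allowSetCookie(line, granted));
}
```

In a Worker, the filtered lines would be written back to the response headers before it is returned; the cookie classification map doubles as the audit record of what the code sets and why.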
Alternatives include EU-based edge platforms like Scaleway Edge Services, Clever Cloud, Fastly Compute@Edge in EU regions, OVHcloud and self-hosted Node or Rust services. The choice depends on geographic coverage and the level of data residency you need.
Mention Cloudflare as a processor for hosting, performance and security. Describe the __cf_bm and cf_clearance cookies as strictly necessary, disclose potential transfers to the United States, list your own application cookies separately and provide a clear opt-out path for processing that is not strictly necessary.