Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Iranian CDN, reverse proxy and DDoS protection service that routes every visitor request through Tehran based edge nodes and sets routing and security cookies.
Derak Cloud is an Iranian content delivery network and reverse proxy operated from Tehran. It is one of the most popular Iranian alternatives to Cloudflare and provides DDoS protection, a web application firewall, bot mitigation and caching. When a website sits behind Derak Cloud, every HTTP request from a visitor first reaches a Derak edge node, which inspects the traffic and only then forwards it to the customer origin.
Derak Cloud sets first party cookies on the protected domain to bind a visitor to a specific edge server, to remember the result of a JavaScript or CAPTCHA challenge and to track suspicious behaviour. The proxy logs the visitor IP address, user agent, requested URL, TLS fingerprint and timestamps in order to detect and block automated traffic. These data points are personal data under the GDPR.
Some Derak cookies are strictly necessary for security and may rely on the exemption under Article 5(3) of the ePrivacy Directive and the legitimate interest legal basis under Article 6(1)(f) of the GDPR. However, cookies used for performance routing, analytics or extended retention require prior consent. Storing connection logs in Iran also implies that visitors must be clearly informed before browsing.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Derak Cloud operates from Iran, a country without an EU adequacy decision and subject to broad surveillance laws. Transfers therefore require Standard Contractual Clauses, a Transfer Impact Assessment and supplementary measures such as encryption with keys held outside Iran. Many EU controllers will find it difficult to demonstrate an essentially equivalent level of protection, so the risk level is high.
Sign a data processing agreement with Derak Cloud, document the transfer to Iran, perform a Transfer Impact Assessment and inform visitors in your privacy notice. For non security cookies, block them through a consent management platform until the visitor accepts. If you target European audiences only, prefer an EU based CDN such as a European hosted Bunny.net or self hosted Varnish.
Websites using Derak Cloud must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because Derak Cloud processes visitor IP addresses, behavioural data and security signals in Iran, a third country with no adequacy decision and broad governmental access rights. Document the transfer impact assessment, the supplementary measures applied and the residual risk for data subjects.
Sample consent text
We use Derak Cloud, an Iranian CDN and security proxy, to protect this website. It sets cookies on your browser and routes your traffic through servers located in Iran. Click Accept to allow Derak Cloud or Reject to leave the site.
Third-party domains contacted
derak.cloudwww.derak.cloudcdn.derak.cloudapi.derak.cloudCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| drk_session | necessary | Session | Session identifier used by the Derak Cloud reverse proxy to maintain a sticky connection between the visitor and a specific edge server during a browsing session. |
| derak_route | necessary | 1 hour | Load balancing cookie that records which edge node should serve the visitor in order to keep cache and TLS state consistent. |
| derak_challenge | necessary | 30 minutes | Stores the result of a JavaScript or CAPTCHA challenge so a verified visitor does not have to repeat it on every request. |
| derak_bot | necessary | 1 day | Bot mitigation cookie that records a behavioural score and helps the WAF decide whether subsequent requests should be challenged. |
| derak_geo | functional | 30 days | Caches the geographic region detected from the visitor IP address to route requests to the closest Derak Cloud edge. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Derak Cloud sets first party cookies on the protected domain to bind a visitor to a specific edge server, to record the result of a security challenge and to track suspicious sessions. Typical names include drk_session, derak_route and derak_challenge. They are placed as part of the reverse proxy logic.
For strictly necessary security cookies, the ePrivacy exemption usually applies and no consent is required, although you must still inform the visitor. For performance routing, analytics or extended retention cookies, prior consent under Article 5(3) of the ePrivacy Directive is mandatory.
Security and integrity processing typically relies on legitimate interest under Article 6(1)(f) of the GDPR. Non essential cookies and additional analytics rely on consent under Article 6(1)(a). The transfer to Iran requires Article 46 transfer tools such as Standard Contractual Clauses.
Yes. All HTTP requests are processed by Derak edge nodes located in Iran, which is a third country without an EU adequacy decision. You must therefore sign Standard Contractual Clauses, complete a Transfer Impact Assessment and put supplementary measures in place.
A DPIA is required when you systematically route all visitor traffic through a third country with strong governmental access rights. The combination of large scale processing, international transfer and security logging triggers Article 35 of the GDPR.
Sign a data processing agreement and SCCs with Derak Cloud, run a Transfer Impact Assessment, deploy encryption that keeps keys outside Iran where possible, inform visitors in your privacy notice and block any non security cookies behind a consent banner.
Yes. European or EEA based CDNs such as Bunny.net, Gcore EU, Stackpath EU or self hosted Varnish behind a European hosting provider keep traffic inside the EEA and reduce transfer risks. They typically offer comparable DDoS protection and WAF features.
Add a Derak Cloud entry under your CDN and security category, list the cookies set, declare the lawful basis used for each, mention that traffic is routed through Iran, identify the controller and link to the Derak Cloud privacy notice.