Sucuri is a US-based website security platform, founded in 2010 and acquired by GoDaddy in 2017. It bundles a cloud Web Application Firewall (WAF), a global CDN, malware scanning and removal, uptime monitoring, and incident response services. The protected site updates its DNS to point to the Sucuri edge, which proxies all HTTP traffic, applies the WAF rules, and serves cached content. Sucuri is particularly popular among WordPress, Joomla, and Magento sites in EU and US markets.
At the WAF/CDN layer: every HTTP request transiting to the protected site, including the IP address, user agent, URI, request headers, and (when full logging is enabled) the request body. At the management plane: site owner identity, scan results, malware findings, and configuration history. The WordPress plugin (sucuri-scanner) processes core file inventories, admin user activity, and security events on the host server.
IP addresses are personal data under GDPR. The processing falls under the security exemption recognised by Recital 49 GDPR and relies on legitimate interest (Art. 6(1)(f)). The cookies Sucuri sets (sucuri_cloudproxy_uuid, etc.) are functional and tied to the WAF logic, generally qualifying for the strict service-delivery exemption of Art. 5(3) ePrivacy. A Legitimate Interest Assessment is recommended to document the necessity and proportionality.
Sucuri operates a global CDN with EU PoPs, but the management plane, logs and threat intelligence are centralised in the United States under GoDaddy. Transfers from the EU rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and on the EU-US Data Privacy Framework certification of GoDaddy. A Transfer Impact Assessment is recommended for sites in sensitive sectors.
Sign the Sucuri (GoDaddy) DPA, confirm SCCs and DPF, run an LIA, document a short DPIA if you enable full request body logging, configure the cache to bypass authenticated pages with personal data, exclude payment forms from caching, mention Sucuri in the privacy notice as a security processor with US transfer, and document the WordPress plugin in the RoPA.
DPIA considerations
Sucuri inspects every HTTP request to the protected site, processing IP addresses, request payloads, user agents, and (optionally) WordPress admin user activity through the plugin. Key DPIA considerations: (1) the WAF can log POST bodies, which incidentally include personal data submitted via forms; (2) IP addresses are systematically processed, with retention configurable in the Sucuri dashboard; (3) the centralised threat intelligence is hosted in the US under GoDaddy operational control; (4) the CDN caches responses, which can include personal data in the page output of authenticated pages if not properly excluded; (5) the WordPress plugin (sucuri-scanner) requires admin access and processes site file inventories. A DPIA is recommended for high-traffic sites and any deployment that enables full request body logging.
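Consideration (4) is the one a site owner can verify directly from response headers. The following added example (not Sucuri's code) classifies a response that is known to carry personal data, such as an account or checkout page, as safe or unsafe for the edge cache; the edge cache status header name and the WordPress login-cookie prefixes are assumptions, and the sample responses are constructed.

```python
from typing import Dict, List

# Assumed header name for the edge cache status; not confirmed by this page.
CACHE_STATUS_HEADER = "x-sucuri-cache"
# Assumed cookie-name prefixes that mark a logged-in WordPress session.
AUTH_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_")


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}, keys lower-cased."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the problems found (empty list means OK) for a response that
    contains personal data and therefore must bypass the shared edge cache."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    shared_cacheable = "private" not in cc and "no-store" not in cc
    findings: List[str] = []
    if shared_cacheable:
        findings.append("Cache-Control allows shared caching (no private/no-store)")
    if h.get(CACHE_STATUS_HEADER, "").upper() == "HIT":
        findings.append("edge reports a cache HIT for a personal-data page")
    set_cookie = h.get("set-cookie", "")
    if set_cookie.startswith(AUTH_COOKIE_PREFIXES) and shared_cacheable:
        findings.append("login cookie issued on a shared-cacheable response")
    return findings


# Constructed sample responses (not captured from a real site).
GOOD = {"Cache-Control": "private, no-store, max-age=0",
        "X-Sucuri-Cache": "BYPASS"}
BAD = {"Cache-Control": "public, max-age=600",
       "X-Sucuri-Cache": "HIT",
       "Set-Cookie": "wordpress_logged_in_abc=alice%7Cconstructed; Path=/; HttpOnly"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("bad", BAD)):
        print(label, cache_findings(hdrs) or ["OK"])
```

Run it against the headers of a real account or checkout page after configuring the cache exclusions; any finding means the exclusion rule is not taking effect.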
Sample consent text
Our website is protected by Sucuri, a US-based website security service (a GoDaddy company). All incoming traffic transits through Sucuri to detect and block attacks. To do this, Sucuri processes your IP address, user agent, and request details. The processing relies on our legitimate interest in keeping the site secure (Art. 6(1)(f) GDPR, Recital 49). Transfers to the United States are governed by Standard Contractual Clauses and the EU-US Data Privacy Framework.
Third-party domains contacted
sucuri.net
www.sucuri.net
cloudproxy.sucuri.net
firewall.sucuri.net
sitecheck.sucuri.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sucuri_cloudproxy_uuid | Functional / Security | 1 year | Unique identifier set by the Sucuri Web Application Firewall to recognise a returning visitor and apply consistent firewall rules and rate limits across requests. |
| sucuri_protect_* | Functional / Security | Session | Short-lived session cookies used by the Sucuri WAF to confirm that a request comes from a previously challenged browser, avoiding repeated CAPTCHAs. |
| sucuri_session | Functional / Security | Session | Maintains the security session between the visitor browser and the Sucuri edge for the duration of the visit. |
Sucuri sets a small number of functional cookies (sucuri_cloudproxy_uuid, sucuri_protect_*) used to identify a returning visitor and apply firewall rules consistently. These cookies are functional and tied to the security purpose.
Generally no. The cookies fall under the strict service-delivery exemption of Art. 5(3) ePrivacy and the data processing relies on legitimate interest under Recital 49 GDPR. Document the LIA and mention Sucuri in the privacy notice.
Legitimate interest (Art. 6(1)(f) GDPR), with the security exemption of Recital 49. Document a short LIA covering necessity, proportionality, and the rights of the data subjects.
Yes. The management plane and logs are hosted in the US under GoDaddy operational control. Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and on the EU-US Data Privacy Framework.
For typical deployments, no. Document a DPIA if you enable full request body logging (which incidentally captures personal data from forms) or if you are in a sensitive vertical (health, public sector, finance).
Sign the GoDaddy DPA, confirm SCCs and DPF, configure CDN cache rules to bypass authenticated pages with personal data, exclude payment forms from caching, document the LIA, mention Sucuri in the privacy notice, and document the WordPress plugin scope in the RoPA.
EU and EU-friendly alternatives include Cloudflare WAF (US headquartered, EU PoPs), Imperva Cloud WAF, Akamai Web Application Protector, Fastly Next-Gen WAF, Patchstack (Estonia), Wordfence (US), and self-hosted ModSecurity with OWASP Core Rule Set.
List the Sucuri functional cookies under the strictly-necessary or security section of your cookie policy, with name, purpose, duration, and a mention of the US data transfer with SCCs and DPF. State that no consent is required because the processing is based on legitimate interest with the security exemption.