Varnish is an open source HTTP accelerator and reverse proxy cache originally developed by Poul-Henning Kamp for the Norwegian news site VG and now maintained by the Varnish Cache project and Varnish Software AS. It sits between clients and the origin server, caches responses according to VCL rules and serves cached content without hitting the backend. From a privacy perspective Varnish is server side software: it sets no client side cookies, but it produces access logs that contain IP addresses and request metadata.
Varnish is a high performance HTTP accelerator and reverse proxy cache. It was originally written in 2006 by Poul-Henning Kamp for the Norwegian news site VG to handle large traffic spikes, and is now maintained by the open source Varnish Cache project and by the commercial company Varnish Software AS (Norway, Sweden, Germany). Varnish runs in front of one or more origin servers, caches HTTP responses according to a configuration language called VCL, and serves cached responses directly to clients, dramatically reducing backend load and latency. It is widely deployed by publishers, e-commerce platforms, video streaming services and SaaS APIs.
Varnish does not set or read client side cookies of its own. It can pass cookies through from the client to the origin server (or strip them in VCL), but those cookies belong to the application backends, not to Varnish. What Varnish does generate is detailed transaction logs: varnishlog (full request/response tracing) and varnishncsa (an NCSA Combined Log Format style access log) both read the shared memory log that varnishd writes, and their output contains the client IP, timestamp, request method, URL, status, response time and headers. Because they contain IP addresses, these logs are personal data under the GDPR. Varnish also holds cached response bodies in its storage backend (process memory by default, optionally file backed), which can contain personal data from API responses or HTML for as long as the object stays cached.
Because Varnish does not store information on or retrieve information from the visitor's terminal equipment, ePrivacy Directive Art. 5(3) (the cookie consent rule) does not apply to Varnish itself. The cache and access logs are governed by the GDPR and rest on legitimate interest under Art. 6(1)(f): caching is a normal operational activity that the visitor reasonably expects of a website, and logs are needed for cache tuning, security and stability. Retention should be short by default, since cache logs are not typically used for long term forensic investigation.
Varnish's built-in VCL does not strip cookies; it bypasses the cache (return pass) for any request that carries a Cookie or Authorization header and refuses to cache any response that carries Set-Cookie. That is conservative from a privacy standpoint, because personalised responses are never served to the wrong visitor, but it also means a single analytics cookie defeats caching for the whole site. Operators therefore usually add VCL that removes known tracking cookies (Google Analytics, Facebook pixel and similar) from otherwise cacheable GET requests, so that those requests become cache hits and the tracker values never travel down the cache path. varnishncsa has no built-in IP anonymisation; the usual approach is to compute an anonymised address in VCL (for example by zeroing the last IPv4 octet into a request header) and to log that header instead of %h in a custom -F format string, which can also use %U (URL without query string) rather than %r so that tokens in query strings stay out of the log. Cache key construction (vcl_hash) should be limited to host and URL and must never include session identifiers, which keeps the cache efficient and prevents one user's session data from being served to another.
Varnish Cache as open source software does not transfer data anywhere by itself. Where the operator hosts the Varnish server determines the applicable transfer regime. Varnish Software AS, the commercial entity, is headquartered in Norway, an EEA member state where the GDPR applies directly (so no third country transfer arises), with offices in Sweden and Germany; if the operator purchases Varnish Enterprise or the Controlled Edge SaaS, the support relationship is governed by a Norwegian contract with EU/EEA data residency by default.
Document Varnish in the record of processing as an operational caching layer under legitimate interest. Rotate varnishncsa output through logrotate, keep it for 7 to 30 days, and store the logs on EU/EEA infrastructure. Configure VCL to strip tracking cookies from cacheable paths, to anonymise IPs where the use case allows, and use a varnishncsa format that omits query strings on routes that carry tokens. If Varnish Enterprise or Controlled Edge is purchased, sign the Varnish Software DPA. Document Varnish in the cookie policy? Generally no, because Varnish does not set cookies, but the operator may want to mention the caching layer in the technology section of the privacy notice for transparency.
DPIA considerations
Varnish does not require a DPIA on its own because it is server side caching software with no client tracking. Its log infrastructure (varnishlog, varnishncsa) writes access entries containing IP addresses, request URLs and response codes, which qualify as personal data under the GDPR. DPIA considerations: (1) cache logs typically have a shorter retention horizon than full application logs since they are used for cache tuning rather than long term forensics; 7 to 30 days is typical; (2) request URLs may carry tokens or personal data in query strings, which must be considered when sizing retention and access control, and which a custom varnishncsa format can leave out; (3) Varnish can be configured in VCL to strip tracking cookies on the request path (to maximise cache hit ratio) and to refuse caching of responses that set cookies, a privacy positive configuration; (4) Varnish Software AS as the commercial entity is EEA based (Norway HQ), which limits Schrems II exposure for enterprise customers; (5) the cache itself holds response bodies in its storage backend (memory by default), which can contain personal data from API responses for the lifetime of the cached object; this is normal and falls under operational legitimate interest.
Sample consent text
We use Varnish Cache as an HTTP accelerator and reverse proxy on our infrastructure. Varnish does not set cookies on your device. Like any HTTP intermediary it writes access logs containing your IP address, the page you requested, headers and the response code. These logs are used for performance tuning, security investigation and operational stability under our legitimate interest. Logs are retained for [XX] days and then anonymised or deleted.
No. Varnish does not set or read cookies on the visitor's device. It can pass through or strip cookies in the request and response path via VCL, but those cookies belong to the application backends behind Varnish.
No. Because Varnish does not store or retrieve information on the visitor's terminal, the ePrivacy Directive cookie consent rule does not apply to Varnish itself. Cache and access logs are governed by the GDPR and rest on legitimate interest.
Legitimate interest under GDPR Art. 6(1)(f), justified by caching for performance, security and stability, and by access log retention for cache tuning and operations.
Varnish Cache as open source software does not transfer data. The hosting choice determines transfer risk. Varnish Software AS, the commercial entity, is headquartered in Norway, an EEA member state where the GDPR applies directly, with offices in Sweden and Germany.
A DPIA is not required for Varnish itself. It may be needed for the broader caching and logging architecture if cache logs are processed for advanced security analytics or shipped to non EU systems.
Keep the built-in VCL behaviour of not caching requests that carry cookies and responses that set them, and add VCL that strips known tracking cookies on cacheable GET paths so those requests can be cached without the tracker values. Configure varnishncsa with a custom -F format that logs an anonymised IP header instead of %h and uses %U instead of %r to omit query strings on token bearing routes. Rotate logs through logrotate with a short retention (7 to 30 days). Keep the cache key to host and URL and never include session identifiers.
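The following VCL puts the recommendations above (strip tracking cookies, anonymise the logged IP, keep session data out of the cache key, never cache Set-Cookie responses) into one configuration. It is an added example written for this page, not code from the Varnish project; the backend address, the header name X-Anon-IP and the cookie names _ga, _gid, _gat and _fbp are assumptions to be adjusted to the site.

```vcl
vcl 4.1;

# Origin server behind Varnish (assumed address).
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Anonymised client address for the access log: zero the last IPv4 octet.
    # Concatenating with "" turns the IP type into a string so regsub can act on it.
    # IPv6 addresses do not match the pattern and are logged unchanged; extend
    # the expression if the site sees IPv6 traffic.
    set req.http.X-Anon-IP = regsub("" + client.ip, "\.[0-9]+$", ".0");

    # Remove known analytics cookies (example names) so that otherwise static
    # requests become cacheable and the tracker values never reach the cache path.
    if (req.http.Cookie) {
        set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(_ga|_gid|_gat|_fbp)=[^;]*", "");
        # Tidy any leading or trailing separators left behind by the removal.
        set req.http.Cookie = regsuball(req.http.Cookie, "^;\s*|;\s*$", "");
        if (req.http.Cookie == "") {
            unset req.http.Cookie;
        }
    }

    # Anything that still carries a cookie (e.g. a session) or an Authorization
    # header bypasses the cache, which is what the built-in VCL does for every
    # request with a Cookie header.
    if (req.http.Cookie || req.http.Authorization) {
        return (pass);
    }
}

sub vcl_hash {
    # The cache key is host + URL only: cookies and session identifiers never
    # enter it, so one visitor's personalised response cannot be served to another.
    hash_data(req.url);
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }
    return (lookup);
}

sub vcl_backend_response {
    # Responses that set cookies are per user; mark them uncacheable
    # (the built-in VCL does the same).
    if (beresp.http.Set-Cookie) {
        set beresp.uncacheable = true;
        return (deliver);
    }
}
```

To log the anonymised address and drop query strings, run varnishncsa with a custom format such as `-F '%{X-Anon-IP}i %l %u %t "%m %U %H" %s %b "%{Referer}i" "%{User-agent}i"'`: %U is the request URL without the query string (the default Combined format's %r would include it), and %{X-Anon-IP}i logs the header as set in vcl_recv, which assumes varnishncsa is running in its default client mode. varnishncsa reopens its log file on SIGHUP, so a logrotate rule with a 7 to 30 day retention and a postrotate that sends the signal (or reloads the service) completes the retention part of the recommendation.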
Other HTTP caching layers and reverse proxies include Nginx (with proxy_cache), Apache (mod_cache), Squid, Traefik, HAProxy and Caddy. Cloud CDNs (Cloudflare, Fastly, Akamai, Bunny.net, EdgeOne) provide globally distributed caching with their own privacy and data residency considerations.
Varnish does not belong on the cookie banner because it does not set cookies. In the privacy policy, you may mention that the site uses an HTTP cache and reverse proxy for performance and stability, the legal basis, the data categories, the retention period and the recipients.