Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
321 CMS is an open source content management system (formerly Mura CMS) used to build and manage websites with PHP. Self hosted deployments stay first party only, but optional modules can introduce third party trackers that fall under GDPR and ePrivacy.
321 CMS is an open source content management system (formerly known as Mura CMS) developed in PHP by Mura Software. It is typically self hosted on the deployer infrastructure and provides editor tools, content modelling, role based access and a module ecosystem for forms, e commerce and third party integrations.
Out of the box, 321 CMS sets only strictly necessary first party cookies: a session identifier (PHPSESSID), a CSRF token, an editor session and a language preference. Visitor IP, user agent and request logs are kept by the web server. Any further cookies depend on the modules you activate.
Strictly necessary session cookies are exempt from consent under Article 5(3) of the ePrivacy Directive. Modules that add analytics (Google Analytics, Matomo cloud), marketing (Meta Pixel, Mailchimp), social embeds (YouTube, Twitter) or hCaptcha all require prior, granular and revocable consent under Article 6(1)(a) GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Hosting region is fully under the deployer control. Choose an EU hosting provider (e.g. OVHcloud, Scaleway, Hetzner, Infomaniak) to keep data inside the EEA. Each integration with a US service must be evaluated under the SCC framework with a Transfer Impact Assessment.
Plug a Consent Management Platform in front of every optional module. Wrap third party scripts so they only execute after the visitor opts in to the relevant category. On withdrawal, clear the corresponding cookies and stop loading external assets.
Keep the core CMS up to date, document each module in the Records of Processing, sign a hosting DPA, configure log retention, anonymize IPs in web server logs where possible, run regular security and accessibility reviews and audit cookies actually written by the published site.
Websites using 321 CMS must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the core 321 CMS engine. It becomes relevant if you add modules that perform behavioural analytics, profiling, automated decision making or large scale processing of sensitive content.
Sample consent text
This site runs on the open source 321 CMS. Strictly necessary session cookies are set without consent. Optional analytics or marketing modules only load after you accept them.
Third-party domains contacted
321cms.orggetmura.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | first_party | Session | Strictly necessary PHP session identifier used to keep visitor and editor sessions. |
| csrf_token | first_party | Session | Strictly necessary token used to protect form submissions from cross site request forgery. |
| editor_session | first_party | 14 days | Strictly necessary cookie that keeps logged in editors authenticated to the 321 CMS admin panel. |
| locale | first_party | 1 year | Stores the visitor language preference so the right localized content is served on subsequent visits. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
The core 321 CMS engine sets only strictly necessary first party cookies: session ID (PHPSESSID), CSRF token, editor session and language preference. Any additional cookies depend on the modules you activate.
Strictly necessary session cookies are exempt from consent under Article 5(3) of the ePrivacy Directive. Optional analytics, marketing or social embed modules require prior, granular and revocable consent.
Strictly necessary cookies rely on legitimate interest (Art. 6(1)(f) GDPR). Editor accounts rely on contract performance (Art. 6(1)(b)). Optional trackers loaded by modules need consent (Art. 6(1)(a)).
The core engine itself does not transfer data anywhere. Transfers only happen if you connect modules to US services (Mailchimp, Google Analytics, Meta Pixel). Each must be governed by Standard Contractual Clauses and a Transfer Impact Assessment.
Generally no for the core CMS. A DPIA becomes necessary if you enable modules performing behavioural analytics, automated decisions or large scale processing of sensitive content (health, political, biometric).
Self host on an EU provider, keep the core up to date, sign a hosting DPA, plug a CMP in front of every optional module, document each cookie in your policy and audit the deployed site to verify what cookies are actually written.
Open source alternatives include WordPress, Drupal, TYPO3, Strapi, Directus, Payload CMS and Statamic. European SaaS options like Storyblok or Hygraph reduce vendor lock in while preserving GDPR friendly hosting.
List the strictly necessary 321 CMS session cookies. For every active module, add a separate entry with provider, country, purpose, retention and a link to its privacy policy. Refresh after every module change or upgrade.