CloudCannon is a Git-based headless CMS for static sites built with Jekyll, Hugo, Eleventy, Astro, or Next.js. Editors work in a visual interface that commits changes to a Git repository, and the generated static site is served from a Cloudflare-backed CDN. Because the public output is plain HTML with no default tracking, the visitor-facing privacy footprint is minimal.
CloudCannon is a Git-based headless CMS founded in 2014 in New Zealand and now headquartered in the United States. It targets static site generators such as Jekyll, Hugo, Eleventy, Astro, and Next.js. Editors author content in a visual web interface that commits Markdown, YAML, JSON, or TOML files to a Git repository (GitHub, GitLab, Bitbucket, Azure DevOps). CloudCannon then triggers a build and either hosts the generated site on its own Cloudflare-fronted CDN or pushes the build artifact to an external provider. Because the public-facing output is plain HTML, CSS, and JavaScript with no embedded CloudCannon scripts, the privacy footprint visible to end visitors is essentially zero.
On a public CloudCannon-hosted page, the only cookies you typically see come from Cloudflare itself: __cf_bm (bot management) and cf_clearance (CAPTCHA / challenge), both first-party and short-lived. There are no analytics cookies, no advertising cookies, and no fingerprinting scripts injected by CloudCannon. Inside the editorial application (app.cloudcannon.com), CloudCannon sets functional session cookies to keep editors authenticated, plus a CSRF token cookie. CloudCannon also collects the standard editor account data: name, email, organisation, IP address at login, and a basic activity log used for audit and version history.
For end visitors, a CloudCannon-hosted static site is one of the lowest-friction architectures from a GDPR perspective. The Cloudflare bot management cookie qualifies as strictly necessary under EDPB and CNIL guidance, so no consent banner is required for the public site unless you add third-party scripts (analytics, embeds, fonts loaded from external CDNs). For the editorial side, CloudCannon acts as a processor under Article 28 GDPR. The relationship with editors is governed by contract performance, and CloudCannon publishes a Data Processing Addendum that customers can sign to formalise the relationship.
No consent is required to deliver a static site through CloudCannon Hosting. The Cloudflare functional cookies fall under the strictly necessary exemption of the ePrivacy Directive, in line with EDPB Opinion 4/2012 and CNIL guidelines. If you add third-party services on top (Google Analytics, YouTube embeds, Calendly), those services keep their own consent obligations and you should gate them with a CMP. Inside the CMS, editors operate under their employment or contractor relationship and do not need a website-style consent banner.
CloudCannon Pty Ltd processes editorial data on AWS in the United States and uses Cloudflare as its public CDN. Cloudflare automatically routes traffic to the nearest edge, so requests from European visitors are normally terminated at EU edge nodes, but origin requests, build artifacts, and CMS metadata transit through US infrastructure. Both AWS and Cloudflare are certified under the EU-US Data Privacy Framework, and CloudCannon signs Standard Contractual Clauses with customers. A Transfer Impact Assessment is recommended when relying on the DPF, although the practical risk for editorial metadata is low.
Sign a DPA with CloudCannon Pty Ltd and add it to your record of processing activities as a sub-processor for content management. List Cloudflare as a sub-processor in the privacy policy and explain that the website is delivered via a CDN. Restrict editor access using SSO or two-factor authentication, set a sensible password policy, and review the audit log periodically. If you embed external scripts in the static site, gate them through a CMP. Otherwise, the site can be served without a consent banner, which is one of the main reasons teams pick CloudCannon for European audiences.
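The "no banner unless you add third-party scripts" condition can be checked against the built output before each deploy. The following is an added example, not CloudCannon or FlowConsent code: it scans a built page for resources loaded from other hosts and checks response cookies against the two Cloudflare cookies named above. The site host `www.example.com`, the function names, and the sample HTML and cookie values are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cookie names the page lists as strictly necessary on the public site.
ALLOWED_COOKIES = {"__cf_bm", "cf_clearance"}
# Attributes that usually trigger a fetch on page load. <link> also covers
# canonical/alternate links, so review reported link hosts manually.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class _ResourceScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.found = set()

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname  # None for relative URLs
        if host and host != self.site_host:
            self.found.add((tag, host))


def third_party_resources(html, site_host):
    """Return sorted (tag, host) pairs loaded from hosts other than site_host."""
    scanner = _ResourceScanner(site_host)
    scanner.feed(html)
    return sorted(scanner.found)


def unexpected_cookies(set_cookie_headers):
    """Return cookie names from Set-Cookie header values outside the allowlist."""
    names = {h.split("=", 1)[0].strip() for h in set_cookie_headers}
    return sorted(names - ALLOWED_COOKIES)


# Constructed sample input: a built page and the Set-Cookie values it returned.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="//www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body><img src="/img/logo.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe></body></html>"""
SAMPLE_COOKIES = ["__cf_bm=abc; path=/; HttpOnly; Secure", "_ga=GA1.1.1; path=/"]

if __name__ == "__main__":
    print(third_party_resources(SAMPLE_HTML, "www.example.com"))
    print(unexpected_cookies(SAMPLE_COOKIES))
```

Any non-empty result is a resource or cookie that needs to sit behind the CMP or be removed. Scripts that inject further resources at runtime are not visible to a static scan.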
Websites using CloudCannon must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for using CloudCannon as a CMS because the public static site does not embed user tracking by default. The editorial backend processes only editor account data (email, login timestamp) which falls under standard contract performance. A DPIA becomes relevant only if you connect CloudCannon to data sources or webhooks that pull personal data of end users into editor previews. Document the AWS sub-processor, the Cloudflare CDN, the data retention for backups, and the access controls of the editorial team.
Sample consent text
Our website is built with CloudCannon and served as static HTML through a CDN. CloudCannon does not set any tracking cookies on visitors. For the editorial team, CloudCannon uses functional cookies to keep editors logged in. Do you accept the strictly necessary cookies required for the editorial interface?
Third-party domains contacted
cloudcannon.com, app.cloudcannon.com, cdn.cloudcannon.com, *.cloudvent.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | first-party | 30 minutes | Cloudflare bot management cookie set on sites delivered through CloudCannon Hosting. Distinguishes humans from automated traffic to protect against bot abuse. Considered strictly necessary under the ePrivacy Directive. |
| cf_clearance | first-party | 1 year | Cloudflare CAPTCHA / managed challenge cookie. Records that the visitor has passed a security challenge so they are not re-prompted on subsequent requests. Strictly necessary for security purposes. |
| cloudcannon_session | first-party | Session | Functional session cookie set inside the CloudCannon editorial application (app.cloudcannon.com) to keep editors authenticated. Not present on public sites. |
On a publicly hosted CloudCannon site you typically only see Cloudflare's functional cookies (__cf_bm for bot management, around 30 minutes; cf_clearance for CAPTCHA challenges, up to 1 year). The editorial application sets short-lived session cookies for editor authentication and a CSRF token. CloudCannon does not inject analytics, advertising, or fingerprinting cookies into the public output by default.
No. The Cloudflare bot-management cookie qualifies as strictly necessary under the ePrivacy Directive, in line with EDPB Opinion 4/2012. As long as you do not add third-party scripts on top (Google Analytics, embeds, fonts loaded from external CDNs), the site can be served without a consent banner. The editorial application is used by employees or contractors and does not need a website-style consent prompt.
Contract performance (GDPR Article 6(1)(b)) for editor accounts, content versioning, and CMS operations. Legitimate Interest (Article 6(1)(f)) for CDN security, abuse prevention, and operational logs through Cloudflare and AWS. End visitors of the published static site are not subject to a separate legal basis since CloudCannon does not write tracking cookies on them.
Yes. CloudCannon Pty Ltd hosts the editorial application on AWS in the United States and serves the public site through Cloudflare's global edge. Cloudflare normally terminates traffic at EU edge nodes, but the origin and editorial metadata transit through US infrastructure. Both sub-processors are certified under the EU-US Data Privacy Framework, and CloudCannon signs Standard Contractual Clauses with EU customers.
Not for a typical CMS use case. A DPIA is generally not required because the public site does not embed user tracking and the editorial backend processes only standard account data. It becomes relevant if you build editor previews on top of personal data sources, or if you store special categories of data in repositories that CloudCannon edits. Document the AWS sub-processor and editorial access controls in your record of processing activities.
Sign a DPA with CloudCannon, list AWS and Cloudflare as sub-processors in your privacy policy, enforce SSO or 2FA for editors, and review the audit log. Keep the static output clean: load any third-party scripts (analytics, embeds, maps) only behind a CMP. With this setup, the public site can usually run without a consent banner while remaining fully GDPR-compliant.
Yes. Other Git-based or headless CMS options popular with European teams include Netlify CMS / Decap CMS (open source, self-hostable), Forestry (now sunset, succeeded by Tina), TinaCMS (open source visual editing), Strapi (EU-headquartered, self-hostable), Directus (self-hostable, EU options), and Sanity. The right choice depends on whether you need EU hosting, full self-hosting, or a managed Git-native experience.
List Cloudflare as a sub-processor with the cookies __cf_bm and cf_clearance under the strictly necessary category. Mention CloudCannon as the CMS and AWS as a sub-processor for editorial data. Specify that no analytics or marketing cookies are set unless you have explicitly added third-party scripts. Include links to the privacy policies of CloudCannon, Cloudflare, and AWS.