Contentstack is an enterprise headless CMS by Contentstack LLC. The Content Delivery API serves JSON without setting cookies on the visitor, so the public delivery layer is GDPR friendly when the EU stack region is selected. Editor authentication on app.contentstack.com uses strictly necessary session cookies.
Contentstack is an enterprise headless content management system founded in 2018 by Contentstack LLC. Editors create entries inside content types using the app.contentstack.com web application. Published entries are served as JSON via the Content Delivery API (cdn.contentstack.io) backed by Akamai. The frontend, written in any framework, fetches JSON server side or via a JavaScript client and renders the HTML. The delivery layer is stateless and does not require any cookie on the visitor browser.
The public Contentstack Content Delivery API does not set cookies on visitors. On the editor side, app.contentstack.com sets session, XSRF-TOKEN and tracking cookies used to authenticate logged-in users and to protect against cross-site request forgery. The marketing site contentstack.com sets analytics cookies (Google Analytics, HubSpot, LinkedIn Insight Tag) that are scoped to contentstack.com and never reach customer websites that consume the Content Delivery API.
Because the public Contentstack delivery does not place identifiers on the visitor terminal, Article 5(3) of the ePrivacy Directive does not require prior consent. Article 6(1)(f) GDPR (legitimate interest) covers the limited request metadata processed at the Akamai edge. Contentstack LLC acts as processor under Article 28 GDPR with a DPA available in the dashboard. The session cookies on app.contentstack.com are strictly necessary and fall outside the consent requirement.
For European projects, create the stack in an EU region (Azure Western Europe or GCP EU). When an EU region is selected, the editorial content and the Content Delivery API origin stay inside the EEA. Akamai cache nodes are global, which is acceptable since only the published JSON is cached. The app.contentstack.com application is operated from the US, and customer access to it constitutes a transfer covered by Standard Contractual Clauses and the EU-US Data Privacy Framework. The Brand Studio, Lytics CDP and Personalize add-ons may process additional data in the US.
Select an EU stack region at creation, since regions cannot be migrated afterwards. Sign the Contentstack DPA and document the processor in your RoPA with region, purpose and DPA reference. Enable SSO and MFA for editor accounts. Use delivery tokens scoped to a single environment for your public frontend; never publish management tokens client side. Govern any third-party tracker injected through Contentstack content behind a consent management platform.
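As an added example (not Contentstack's or FlowConsent's own code), the following Node.js module puts the architecture from the overview and the checklist above into practice: the API key and delivery token stay on the server, the request is pinned to the EU delivery host and to one environment, a browser-bound config object is checked for management-side secrets before it ships, and response headers are checked for Set-Cookie so the "no cookies on visitors" claim can be verified in CI rather than assumed. The region hosts come from the domain list on this page; the `/v3/content_types/{type}/entries` path and the `api_key` / `access_token` request headers are my understanding of Contentstack's public Content Delivery API and should be checked against current documentation. The sample response headers are constructed, not captured traffic.

```javascript
// Added example, not Contentstack's own code. ASSUMPTION: the /v3 entries path and the
// api_key / access_token headers follow Contentstack's public Content Delivery API.

// Delivery hosts taken from the domain list on this page.
const DELIVERY_HOSTS = {
  us: "https://cdn.contentstack.io",
  eu: "https://eu-cdn.contentstack.com",
};

// Config keys that must never appear in a bundle served to the browser.
const CLIENT_FORBIDDEN_KEYS = new Set(["management_token", "authorization", "authtoken"]);

// Builds a server-side delivery request. Secrets are parameters so they can be read from
// server-side environment variables; nothing here is meant to run in the browser.
function buildDeliveryRequest({ region, apiKey, deliveryToken, environment, contentType, locale = "en-us" }) {
  const base = DELIVERY_HOSTS[region];
  if (!base) throw new Error(`unknown Contentstack region: ${region}`);
  if (!environment) throw new Error("environment is required; delivery tokens are scoped to one environment");
  if (!apiKey || !deliveryToken) throw new Error("apiKey and deliveryToken must come from server-side secrets");
  const url = new URL(`${base}/v3/content_types/${encodeURIComponent(contentType)}/entries`);
  url.searchParams.set("environment", environment);
  url.searchParams.set("locale", locale);
  return {
    url: url.toString(),
    headers: { api_key: apiKey, access_token: deliveryToken, accept: "application/json" },
  };
}

// Returns the keys in a public (browser-bound) config that would leak management credentials.
function findClientLeaks(publicConfig) {
  return Object.keys(publicConfig).filter((k) => CLIENT_FORBIDDEN_KEYS.has(k.toLowerCase()));
}

// Returns every Set-Cookie value in a response header map (header names compared
// case-insensitively). A Content Delivery API response should yield an empty array.
function setCookieHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "set-cookie") continue;
    if (Array.isArray(value)) out.push(...value);
    else out.push(value);
  }
  return out;
}

// Constructed sample headers (not captured traffic): a cookie-free delivery response versus
// an editor-application style response carrying the session and anti-CSRF cookies.
const SAMPLE_DELIVERY_HEADERS = {
  "content-type": "application/json; charset=utf-8",
  "cache-control": "public, max-age=300",
};
const SAMPLE_EDITOR_HEADERS = {
  "content-type": "text/html; charset=utf-8",
  "Set-Cookie": ["connect.sid=<placeholder>; HttpOnly; Secure", "XSRF-TOKEN=<placeholder>; Secure"],
};

// Runs all three checks with placeholder secrets and returns the results for a CI step.
function runChecks() {
  const req = buildDeliveryRequest({
    region: "eu",
    apiKey: process.env.CS_API_KEY || "placeholder-api-key",
    deliveryToken: process.env.CS_DELIVERY_TOKEN || "placeholder-delivery-token",
    environment: "production",
    contentType: "article",
  });
  // A config that mistakenly bundles a management token alongside the public values.
  const leaks = findClientLeaks({ api_key: "<public>", delivery_token: "<public>", management_token: "<secret>" });
  return {
    url: req.url,
    leaks,
    deliveryCookies: setCookieHeaders(SAMPLE_DELIVERY_HEADERS).length,
    editorCookies: setCookieHeaders(SAMPLE_EDITOR_HEADERS).length,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runChecks(), null, 2));
}
```

In a real pipeline, `setCookieHeaders` would be fed the headers of a live request to your own EU delivery endpoint, and a non-empty result or a non-empty `findClientLeaks` result on the public config should fail the build.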
DPIA considerations
A DPIA is generally not required for the public Contentstack delivery layer when the EU region is used. It should be considered when Contentstack is integrated with Personalize, Lytics CDP or Brand Studio features, when special category data is stored in entries, or when the US region is used for European visitor flows. Document the region selection, the DPA with Contentstack LLC and access controls on the editor application.
Sample consent text
This website uses Contentstack to deliver editorial content. The Contentstack Content Delivery API does not set cookies on visitors. No consent is required for the public delivery. Authentication cookies only apply to editors logged into app.contentstack.com.
Third-party domains contacted
- contentstack.com
- app.contentstack.com
- cdn.contentstack.io
- eu-cdn.contentstack.com
- images.contentstack.io
- azure-eu-images.contentstack.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| connect.sid | first-party (app.contentstack.com) | Session | Editor session cookie that authenticates a logged in user in the Contentstack web application. Strictly necessary, not set on the public website. |
| XSRF-TOKEN | first-party (app.contentstack.com) | Session | Anti CSRF token used by the Contentstack app to protect state changing requests. Strictly necessary, only present in the editor interface. |
| _ga | third-party (marketing site only) | 2 years | Google Analytics identifier used on contentstack.com (marketing site). Does not appear on customer websites that consume the Content Delivery API. |
No. The public Content Delivery API serves JSON without any cookies. Cookies are set on app.contentstack.com (editor application) for session, XSRF protection and tracking, and on contentstack.com (marketing site) for analytics, but neither propagates to customer websites that consume the Content Delivery API.
No consent is required for the public delivery because no identifier is stored on the visitor terminal. The strictly necessary editor cookies on app.contentstack.com are exempt under Article 5(3) ePrivacy. Consent only applies to third party trackers embedded in your frontend.
Article 6(1)(f) GDPR (legitimate interest) covers the limited request metadata processed at the Akamai CDN edge. Contentstack LLC is documented as processor under Article 28 GDPR with a DPA available in the dashboard.
Content storage stays in the EEA when an EU stack region is selected (Azure Western Europe or GCP EU). The app.contentstack.com editor application is operated from the US, so accessing it as an editor constitutes a transfer covered by SCCs and the EU-US Data Privacy Framework. The Brand Studio, Lytics CDP and Personalize add-ons can process additional data in the US.
A DPIA is generally not required for a public editorial deployment when an EU region is used. It should be considered when Contentstack is combined with Personalize, Lytics CDP, large user generated content workflows or when sensitive data is stored in entries.
Pick an EU stack region at creation, sign the Contentstack DPA, document the processor in your RoPA, enable SSO and MFA for editors, scope delivery tokens to a single environment, never publish management tokens client side, and govern third-party scripts injected through content via a consent management platform.
Alternatives in the enterprise headless CMS space include Storyblok (Austria), Contentful (Germany), Sanity (Norway), Strapi Cloud Enterprise (France), Sitecore XM Cloud, Adobe Experience Manager and Optimizely Content Cloud.
List Contentstack as a content processor in your privacy policy with the EU stack region, purpose, DPA reference and a note on the US based editor application transfer. The public site does not need Contentstack in the cookie banner because no cookies are placed on visitors.