Craft CMS is a self hosted commercial PHP content management system by Pixel & Tonic, designed for editorial websites and offering excellent GDPR friendliness when hosted in the EU.
Craft CMS is a commercial content management system written in PHP and built on the Yii framework. It was created in 2013 by Pixel & Tonic, Inc., a company based in Bend, Oregon, United States. The platform targets professional editorial websites and is widely adopted by digital agencies, especially in Europe, for content rich corporate sites, magazines, and brand publications. Craft CMS is distributed under a commercial licence with three tiers: Solo (free for personal or single editor projects), Pro (paid, multi user) and Enterprise (custom). The same company offers Craft Commerce, an ecommerce extension, and Craft Cloud, a managed hosting service that runs on DigitalOcean infrastructure.
Out of the box, Craft CMS only processes data related to back end administration. It stores administrator and editor accounts (email, hashed password, name, optional profile fields), content created by those users, and basic session information for authenticated administrative requests. The CMS sets a small number of strictly necessary cookies for the administration panel: a CSRF token to protect against cross site request forgery, a session identifier for logged in users, and an optional persistent authentication cookie when the remember me feature is used. The public facing website does not receive any tracking cookies from Craft itself, and there is no built in analytics, telemetry or visitor profiling.
Craft CMS can be installed on any infrastructure that supports PHP and a compatible database, giving the controller full freedom over the hosting region and data residency. European agencies frequently deploy Craft on EU based providers such as Hetzner, OVH, Scaleway or Combell to ensure that personal data remains within the European Economic Area. Alternatively, Pixel & Tonic offers Craft Cloud, a turnkey managed hosting platform built on DigitalOcean that lets the controller choose a region, including EU locations. Regardless of the hosting choice, the licence activation and the optional plugin store communicate with Pixel & Tonic systems in the United States; these exchanges concern licence keys and software metadata, not visitor personal data.
From a GDPR perspective the Craft CMS core is one of the most privacy friendly mainstream solutions available. There are no tracking cookies, no third party network calls on the public site, and the controller can keep the entire data flow inside the EU. The applicable legal bases for the data Craft does process are performance of contract (Art. 6(1)(b) GDPR) for the administrative relationship with editors, and legitimate interest (Art. 6(1)(f) GDPR) for securing the back end. The picture changes as soon as the website integrates third party services such as Google Analytics, Meta Pixel, embedded YouTube or Vimeo players, marketing automation forms or a tag manager: each of these may require a consent banner under the ePrivacy Directive and a documented legal basis. Plugins installed from the Craft Plugin Store can also extend the processing scope, so each addition must be reviewed.
To deploy Craft CMS in a fully compliant manner, choose an EU based hosting region or a Craft Cloud EU region; sign a data processing agreement with the hosting provider; document the Pixel & Tonic licence exchange as ancillary processing; maintain an inventory of installed plugins and the data they process; implement a consent management platform for any third party scripts added on the front end; configure secure cookie attributes (Secure, HttpOnly, SameSite) on administrative cookies; enable backups and an incident response procedure; and update the privacy policy to reflect the actual data flows including hosting region and any sub processors.
If the site uses Craft Commerce, the processing footprint expands significantly. Customer accounts, order history, billing and shipping addresses are stored in the same database. Payment processing is typically delegated to third parties such as Stripe, PayPal, Mollie or Adyen, each of which acts as an independent controller or processor and must be reflected in the privacy notice. Marketing features (abandoned cart emails, transactional notifications) may require separate consent. A dedicated DPIA is recommended when Craft Commerce is deployed at scale or when sensitive product categories are involved.
DPIA considerations
A DPIA is generally not required for a default Craft CMS installation because the core CMS sets only essential cookies for administrative authentication and CSRF protection, with no analytics or telemetry. Assessment scope should focus on the customer chosen hosting environment (self hosted infrastructure or Craft Cloud region), any installed plugins that may add third party services, front end integrations such as analytics, embedded videos or marketing forms, and the Craft Commerce module if used for ecommerce. Document the hosting region, plugin inventory, and any third party processors involved.
Sample consent text
No consent banner is required for the Craft CMS core because it sets only strictly necessary cookies for the administrative back end. If your site adds analytics, advertising, video embeds or other tracking technologies, implement a compliant consent management platform that loads such scripts only after explicit opt in.
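To find out which front end integrations would trigger the consent requirement described above, the following script is an added example (it is not part of this page, nor Craft CMS or FlowConsent code). It parses a rendered page and lists every external origin from which scripts, frames, images or stylesheets are loaded, then labels each with a consent category. The HTML is a constructed sample with placeholder identifiers, www.example.org stands in for the site's own host, and the host to category mapping is an illustrative assumption that a site would extend to match its own inventory.

```python
# Added example: list the external origins a rendered Craft front end page loads
# resources from, so each can be classified before a consent banner is configured.
# Not Craft CMS or FlowConsent code.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative assumption: map well known hosts to consent categories; extend per site.
CONSENT_CATEGORIES = {
    "www.googletagmanager.com": "tag manager",
    "www.google-analytics.com": "analytics",
    "connect.facebook.net": "marketing pixel",
    "www.youtube.com": "video embed",
    "player.vimeo.com": "video embed",
}
UNCLASSIFIED = "unclassified: review before go live"

# Constructed sample page; www.example.org is a placeholder for the site's own host.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/assets/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
<script src="/assets/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>
<img src="https://www.example.org/logo.png" alt="logo">
<iframe src="//www.youtube.com/embed/PLACEHOLDER"></iframe>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect every URL in an attribute that makes the browser fetch a resource."""

    FETCH_ATTRIBUTES = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRIBUTES.get(tag)
        if wanted:
            for key, value in attrs:
                if key == wanted and value:
                    self.urls.append(value)


def third_party_origins(html: str, first_party_host: str):
    """Return {host: category} for every origin other than the site's own.

    Relative URLs have no host and count as first party; protocol relative
    URLs (//host/path) are resolved by urlparse like any other.
    """
    collector = ResourceCollector()
    collector.feed(html)
    report = {}
    for url in collector.urls:
        host = urlparse(url).hostname
        if host is None or host == first_party_host:
            continue
        report[host] = CONSENT_CATEGORIES.get(host, UNCLASSIFIED)
    return report


def needs_consent_review(html: str, first_party_host: str) -> bool:
    """True when the page references at least one external origin.

    A page served by the Craft core alone references none, matching the
    statement that the core needs no banner.
    """
    return bool(third_party_origins(html, first_party_host))


if __name__ == "__main__":
    for host, category in sorted(third_party_origins(SAMPLE_HTML, "www.example.org").items()):
        print(f"{host}: {category}")
```

Run it against the HTML your templates actually render (for example the saved output of a production page); every host that comes back unclassified goes into the plugin and integration inventory with a purpose, duration and legal basis before the consent management platform is configured to gate it.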
Third-party domains contacted
craftcms.com, plugins.craftcms.com, elliptic.io, packagist.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| CRAFT_CSRF_TOKEN | Strictly necessary | Session | Cross site request forgery (CSRF) protection token used by the Craft CMS administration panel to validate form submissions and AJAX requests originating from authenticated users. |
| CraftSessionId | Strictly necessary | Session | Administrative session identifier used to maintain the authenticated state of editors and administrators in the Craft CMS control panel. Not set on visitors who do not log in to the back end. |
| CraftAuthorization | Strictly necessary | Up to 14 days (configurable, only when remember me is enabled) | Persistent authentication cookie set when an administrator checks the remember me option at login, allowing the back end to recognise the user across sessions without requiring a fresh password entry. Duration is configurable via the userSessionDuration setting in Craft CMS. |
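The deployment checklist above asks for Secure, HttpOnly and SameSite on administrative cookies, and the table lists the three cookies the Craft back end sets. The following script is an added example (not Craft CMS, Pixel & Tonic or FlowConsent code) that audits the Set-Cookie headers of a control panel response against that inventory: it flags any documented cookie lacking one of the three attributes, any cookie not in the inventory, a SameSite=None cookie without Secure, and any lifetime above a ceiling. The header lines are constructed sample input with fake values, the cookie names come from the table, and the 14 day ceiling is an assumption taken from the table's remember me duration.

```python
# Added example: audit the Set-Cookie headers of a Craft CMS control panel
# response against the cookie inventory documented on this page.
# Not Craft CMS code; the sample headers are constructed.

# Cookie names and purposes as documented in the table on this page.
DOCUMENTED_COOKIES = {
    "CRAFT_CSRF_TOKEN": "CSRF protection",
    "CraftSessionId": "administrative session",
    "CraftAuthorization": "remember me authentication",
}
REQUIRED_ATTRIBUTES = ("secure", "httponly", "samesite")
# Assumption: 14 days, the remember me lifetime listed in the table, is the
# longest lifetime any back end cookie should carry.
MAX_LIFETIME_SECONDS = 14 * 24 * 3600

# Constructed sample: what a login response might send back (values are fake).
SAMPLE_HEADERS = [
    "CRAFT_CSRF_TOKEN=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "CraftSessionId=9c1e44; Path=/; HttpOnly; SameSite=Lax",
    "CraftAuthorization=51bd0e; Max-Age=2592000; Path=/; Secure; HttpOnly",
    "_ga=GA1.2.111.222; Max-Age=63072000; Path=/",
]


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    Splitting on ';' is safe because Expires dates contain commas, not semicolons.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(headers):
    """Return (cookie name, finding) pairs; an empty list means the response is clean."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in DOCUMENTED_COOKIES:
            findings.append((name, "not in cookie inventory: document purpose, duration and legal basis"))
        for attribute in REQUIRED_ATTRIBUTES:
            if attribute not in attrs:
                findings.append((name, f"missing {attribute} attribute"))
        # SameSite=None is only valid on a Secure cookie; browsers drop it otherwise.
        if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
            findings.append((name, "SameSite=None requires Secure"))
        max_age = attrs.get("max-age")
        if max_age is not None and max_age.isdigit() and int(max_age) > MAX_LIFETIME_SECONDS:
            findings.append((name, f"lifetime {max_age}s exceeds the {MAX_LIFETIME_SECONDS}s ceiling"))
    return findings


if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {finding}")
```

Feed it the Set-Cookie headers captured from a real login to your control panel over HTTPS; a clean result means the three documented cookies carry all three attributes and nothing undocumented (a plugin or analytics cookie, for instance) rode along on the response.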
No. The Craft CMS core only sets strictly necessary cookies for the administration panel: CRAFT_CSRF_TOKEN for cross site request forgery protection, CraftSessionId for authenticated admin sessions, and an optional CraftAuthorization cookie when the remember me feature is enabled. The public website receives no tracking, analytics or marketing cookies from Craft itself. Any tracking on the front end comes from integrations you add (analytics scripts, embedded videos, marketing pixels), not from the CMS.
Not for the core CMS. The cookies set by Craft itself are strictly necessary and fall under the exemption of Article 5(3) of the ePrivacy Directive, so no banner is required. A consent banner becomes necessary as soon as you add non essential technologies on the front end such as Google Analytics, advertising pixels, embedded social media players, marketing forms or any third party tag.
For the administrative back end, the appropriate bases under GDPR are performance of contract (Art. 6(1)(b)) for the relationship with editors and administrators, and legitimate interest (Art. 6(1)(f)) for securing the platform against attacks. If you collect visitor data through forms or accounts on the public site, identify a specific legal basis for that processing (consent, contract or legitimate interest) and document it in your records of processing activities.
It depends entirely on the hosting you choose. Because Craft CMS is self hosted, you decide where the application runs: pick an EU based provider (Hetzner, OVH, Scaleway, Combell, etc.) or an EU region of Craft Cloud, and visitor data stays in the EU. The only systematic outbound flow to the United States is the licence validation and plugin store communication with Pixel & Tonic, which concerns licence keys and software metadata, not personal data of website visitors.
A DPIA is generally not required for a default installation since the CMS core processes only administrative data with low risk. A DPIA becomes appropriate when Craft Commerce is used at scale, when sensitive data is processed (health, biometrics, large user communities), when third party plugins introduce profiling or extensive tracking, or when the front end integrates many marketing and analytics services.
Host Craft on an EU based infrastructure or an EU region of Craft Cloud, sign a data processing agreement with the hoster, keep an up to date plugin inventory, set Secure, HttpOnly and SameSite attributes on administrative cookies, implement a consent management platform for any third party scripts on the front end, document the licence exchange with Pixel & Tonic, enable automatic backups, define an incident response procedure, and reflect all of this in a clear privacy policy.
Comparable self hosted CMS solutions include Kirby (flat file, German publisher), Statamic (Laravel based, flat file or database), ExpressionEngine (PHP, long established), ProcessWire (open source PHP) and Wagtail (Python, Django based) for traditional CMS use. For headless approaches consider Sanity, Storyblok or Strapi. Many of these share Craft CMS's strengths of giving the controller full control over the hosting region and minimal default tracking.
List the strictly necessary cookies set by the back office (CRAFT_CSRF_TOKEN, CraftSessionId, and CraftAuthorization when remember me is enabled), explain that they are used only for administrative authentication and CSRF protection, and clarify that they are not set on visitors who do not log in to the back end. Add any front end cookies introduced by integrations or plugins to the same document, with their purpose, duration and legal basis.