Directus is an open source headless CMS and data platform that runs on top of any SQL database. It exposes content through REST and GraphQL APIs and ships with a frontend admin app. Directus can be self hosted on your own infrastructure (in the EU or anywhere else) or used through Directus Cloud, a managed offering on Google Cloud Platform with regional choice. The self hosted edition does not set third party trackers and is one of the most privacy friendly CMS choices for organisations that need full data residency control under the GDPR.
Directus is an open source headless CMS and data platform created in 2004 and now developed by Monospace Inc. with teams in Brooklyn (United States) and Bordeaux (France). It connects to any SQL database (PostgreSQL, MySQL, MariaDB, SQLite, MS SQL) and turns existing tables into a fully featured admin interface with REST and GraphQL APIs. Directus is published under a Business Source License that becomes open source after a delay, and most teams use it as a self hosted application running in containers on their own infrastructure. A managed offering called Directus Cloud is also available on Google Cloud Platform, with the ability to pick a hosting region including europe west.
By default Directus only sets technical cookies that are strictly necessary to operate the admin interface. The main cookies are directus_session_token (a JWT that authenticates the editor on each request; its lifetime is set by SESSION_COOKIE_TTL, one day by default), directus_refresh_token (used to issue new access tokens; lifetime set by REFRESH_TOKEN_TTL, seven days by default) and directus_session_id (used by the admin app to track the session). The first two names are configurable (SESSION_COOKIE_NAME, REFRESH_TOKEN_COOKIE_NAME), so check in the browser's developer tools which cookies your version and configuration actually set before writing the cookie policy. Two caveats for self hosters: the Secure attribute is off by default (SESSION_COOKIE_SECURE and REFRESH_TOKEN_COOKIE_SECURE both default to false) and should be enabled once the admin app is served over HTTPS, and the server itself sends anonymised usage telemetry to Directus unless TELEMETRY=false is set. There is no analytics, advertising or third party tracking embedded in the admin app's pages, and public visitors of a website built on top of Directus do not receive any Directus cookie because they only consume the API, which does not require a browser session.
When you self host Directus, you are the sole controller and the sole processor of the data, which makes the GDPR analysis very simple: data stays in the database you chose, in the region you chose, with the providers you contracted with. When you use Directus Cloud, Monospace Inc. acts as a processor and Google Cloud as a sub processor. You can pick a European region to keep data in the EEA and rely on the EU SCCs for any onward transfer. This flexibility is the main reason Directus is frequently selected as a GDPR friendly alternative to US first SaaS CMS platforms.
For self hosted deployments, residency depends entirely on where the containers and the database run. Many teams deploy Directus on EU hosters such as Scaleway, OVHcloud, Clever Cloud, Hetzner or on the EU regions of AWS, Azure and Google Cloud. For Directus Cloud, the customer chooses a Google Cloud region at project creation time, including europe west which is suitable for European data residency commitments. Storage of uploaded files can be redirected to any S3 compatible bucket; on a self hosted instance this is done by defining an s3 driver storage location (STORAGE_LOCATIONS plus the STORAGE_<LOCATION>_DRIVER, _BUCKET, _REGION and _ENDPOINT variables), which lets European customers store media on EU only object storage, and the page reports the same option for Directus Cloud.
Directus is commonly paired with modern frontends such as Next.js, Nuxt, SvelteKit, Astro or Remix, which fetch content through the REST or GraphQL API at build time or on demand. Because the frontend does not need a Directus session, end users of the public website never receive Directus cookies and do not need a consent banner for the CMS itself. The cookie banner only needs to cover the analytics, advertising or chat tools that the frontend may add on top.
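The cookie claims in the two paragraphs above (only Directus session cookies on the admin interface, none at all on the public content path) are easy to verify rather than assume. The following Node.js script is an added example, not code from Directus or from this page: after a session-mode login it inspects the Set-Cookie headers and flags any cookie that is not a known Directus session cookie or that lacks HttpOnly, Secure or a Lax/Strict SameSite, and it performs the server-side public fetch a frontend would make, which should return no Set-Cookie at all. It needs Node 20+ for the global fetch and Headers.getSetCookie(); the DIRECTUS_URL, DIRECTUS_EMAIL, DIRECTUS_PASSWORD and DIRECTUS_COLLECTION variables are assumed names, and the sample headers are constructed, deliberately containing one refresh cookie without Secure and one analytics cookie.

```javascript
// Added example, not Directus project code. Audits the cookies a Directus
// instance sets so the "only strictly necessary cookies" claim can be verified
// rather than assumed. Needs Node 20+ (global fetch, Headers.getSetCookie()).

// Cookie names Directus sets by default (SESSION_COOKIE_NAME, REFRESH_TOKEN_COOKIE_NAME);
// add your own names here if you changed them. directus_session_id is the third
// cookie this page lists; keep it only if your deployment actually sets it.
const EXPECTED_COOKIES = new Set([
  'directus_session_token',
  'directus_refresh_token',
  'directus_session_id',
]);

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const p = part.trim();
    if (!p) continue;
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit a list of Set-Cookie values. Returns human readable findings; an empty
// array means every cookie is a Directus session cookie with safe attributes.
// expectHttps=false relaxes the Secure check for a plain-HTTP dev instance.
function auditSetCookies(headers, { expectHttps = true, expected = EXPECTED_COOKIES } = {}) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    if (!expected.has(name)) {
      findings.push(`${name}: not a Directus session cookie; it needs its own consent analysis`);
      continue;
    }
    if (attrs.httponly !== true) findings.push(`${name}: missing HttpOnly`);
    if (expectHttps && attrs.secure !== true) findings.push(`${name}: missing Secure`);
    const sameSite = String(attrs.samesite || '').toLowerCase();
    if (sameSite !== 'lax' && sameSite !== 'strict') {
      findings.push(`${name}: SameSite is "${sameSite || 'unset'}", expected Lax or Strict`);
    }
  }
  return findings;
}

// Session-mode login (POST /auth/login with mode "session"); returns the Set-Cookie headers.
async function loginAndCollectCookies(baseUrl, email, password) {
  const res = await fetch(`${baseUrl}/auth/login`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password, mode: 'session' }),
  });
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  return res.headers.getSetCookie();
}

// What a server-side frontend does: read public items with no session at all.
// Returns the items plus any Set-Cookie headers, which should be an empty list.
async function fetchPublicItems(baseUrl, collection) {
  const res = await fetch(`${baseUrl}/items/${encodeURIComponent(collection)}`, { credentials: 'omit' });
  if (!res.ok) throw new Error(`items request failed: HTTP ${res.status}`);
  const body = await res.json();
  return { items: body.data, setCookies: res.headers.getSetCookie() };
}

// Constructed sample (not captured from a real instance): one correctly
// configured cookie, one refresh cookie missing Secure, one analytics cookie.
const SAMPLE_LOGIN_SET_COOKIE = [
  'directus_session_token=eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl; Path=/; HttpOnly; Secure; SameSite=Lax',
  'directus_refresh_token=Ab12Cd34Ef56; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly; SameSite=Lax',
  '_ga=GA1.1.123456789.1700000000; Path=/; Max-Age=63072000',
];

async function main() {
  const base = process.env.DIRECTUS_URL; // assumed variable names
  if (!base) {
    console.log('offline run against the constructed sample:');
    console.log(auditSetCookies(SAMPLE_LOGIN_SET_COOKIE));
    return;
  }
  const login = await loginAndCollectCookies(base, process.env.DIRECTUS_EMAIL, process.env.DIRECTUS_PASSWORD);
  console.log('admin login cookies:', auditSetCookies(login));
  const pub = await fetchPublicItems(base, process.env.DIRECTUS_COLLECTION || 'articles');
  console.log(`public fetch: ${pub.items.length} items, ${pub.setCookies.length} Set-Cookie headers (expect 0)`);
}

main().catch((err) => { console.error(err.message); process.exitCode = 1; });
```

Run it without DIRECTUS_URL to see the two findings on the sample (the refresh cookie lacking Secure and the _ga cookie, which is exactly the kind of cookie the consent banner has to cover); with DIRECTUS_URL and admin credentials set it audits the real instance, and any Set-Cookie on the public items call means something in front of Directus (a proxy, a CDN, an added module) is setting cookies the cookie policy must mention.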
To keep a self hosted Directus deployment compliant, document the hosting provider and region in your record of processing activities, restrict admin access through SSO or strong passwords plus multi factor authentication, use role based access control to limit who can read personal data, enable the built in rate limiter so the login endpoint cannot be brute forced, configure backups with an appropriate retention period and rotate the SECRET used to sign tokens (rotating it invalidates every outstanding session, so schedule it). Serve the admin app over HTTPS with SESSION_COOKIE_SECURE and REFRESH_TOKEN_COOKIE_SECURE set to true, and set TELEMETRY=false if no usage data may leave your infrastructure. Add Directus and its sub processors (hoster, object storage, email provider) to your privacy policy, and remember that Directus cookies are strictly necessary so they do not require prior consent, only a clear mention in the cookie policy.
Websites built on Directus do not need consent for Directus' own strictly necessary session cookies, but they still need consent for any analytics, advertising or chat tools added on the frontend.
DPIA considerations
Self hosted Directus rarely triggers a DPIA on its own since it only manages back office authentication and content. A DPIA may still be required when Directus stores special category data (Art. 9 GDPR), powers large scale public services or is combined with analytics, AI or marketing modules. For Directus Cloud, document the hosting region, the Google Cloud sub processor and the international transfer mechanism (SCCs and a TIA) when a non EEA region is selected.
Sample consent text
Directus is used as the back office to manage the content of this website. It only sets technical cookies that are strictly necessary to keep editors signed in and to operate the admin interface. No analytics or advertising cookies are set by Directus.
Third-party domains contacted
*.directus.app, marketing.directus.io, directus.cloud
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| directus_session_token | HTTP cookie (first party) | Configurable via SESSION_COOKIE_TTL (1 day by default; the separate access token lifetime, ACCESS_TOKEN_TTL, is 15 minutes by default) | Strictly necessary session token (JWT) used by the Directus admin interface to authenticate the signed in editor on each API request. |
| directus_refresh_token | HTTP cookie (first party) | 7 days by default (REFRESH_TOKEN_TTL, configurable) | Strictly necessary refresh token used by the Directus admin interface to obtain a new access token without forcing the editor to sign in again. |
| directus_session_id | HTTP cookie (first party) | Session | Strictly necessary identifier used by the Directus admin app to bind UI state and CSRF protection to the current authenticated session. |
Directus only sets technical session cookies on the admin interface: directus_session_token (a JWT used to authenticate editors, valid for one day by default), directus_refresh_token (used to issue new access tokens, valid for seven days by default) and directus_session_id (used by the admin app). No analytics, advertising or third party cookies are set by Directus. End users of a public website that consumes the Directus API do not receive any Directus cookie.
No prior consent is required for self hosted Directus because the cookies it sets are strictly necessary to operate the back office under Art. 5(3) ePrivacy Directive. For Directus Cloud the same reasoning applies to the cookies themselves, but you must still inform users about the processor (Monospace Inc.) and the sub processor (Google Cloud) in your privacy policy. Public website visitors are not affected because they never see Directus cookies.
The legal basis is performance of contract under Art. 6(1)(b) GDPR for editor authentication and content management, combined with legitimate interest under Art. 6(1)(f) GDPR for security, monitoring and operations. When Directus stores personal data submitted by end users (forms, comments, profiles), the controller must identify a separate legal basis for that processing in addition to the basis used for Directus itself.
Self hosted Directus does not transfer data anywhere on its own; the controller decides where the application and the database run. Directus Cloud runs on Google Cloud Platform and lets the customer pick a region; choosing a European region (such as europe west) keeps data in the EEA. If a US region is selected, transfers are governed by Standard Contractual Clauses under Art. 46(2)(c) GDPR and a Transfer Impact Assessment is required.
A DPIA is rarely triggered by Directus itself when it only manages back office authentication and ordinary editorial content. It becomes necessary when Directus stores special category data under Art. 9 GDPR, when it powers large scale public services or when it is combined with analytics, AI or marketing modules that change the risk profile. For Directus Cloud in a US region, the TIA on international transfers should be documented in the DPIA.
Pick a hosting region inside the EEA (your own datacenter, a European hoster or europe west on Directus Cloud), enable SSO or strong passwords plus multi factor authentication, restrict roles to the minimum needed, configure database backups with an appropriate retention period, log admin actions, rotate secret keys and add Directus plus all its sub processors to your record of processing activities and to your privacy policy.
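The checklist above, together with the earlier hardening paragraph and the S3 residency point from the hosting section, can be checked mechanically against the instance's configuration. The following Node.js linter is an added example, not code from Directus or from this page: it parses a Directus .env file and reports every setting that contradicts the checklist, shown on a deliberately weak configuration beside a hardened one. The variable names are Directus' documented ones (PUBLIC_URL, SECRET, SESSION_COOKIE_SECURE, REFRESH_TOKEN_COOKIE_SECURE, SESSION_COOKIE_SAME_SITE, REFRESH_TOKEN_COOKIE_SAME_SITE, TELEMETRY, RATE_LIMITER_ENABLED, STORAGE_LOCATIONS and STORAGE_<LOCATION>_DRIVER/_REGION); the EU region allowlist, the 32-character minimum for SECRET, treating a leftover ADMIN_PASSWORD as a finding, and both sample files are assumptions of the example.

```javascript
// Added example, not Directus project code: a linter for a Directus .env file
// that checks the hardening and EU residency points from the text.

// Example allowlist of object-storage regions treated as "in the EU";
// replace it with the regions your contracts actually cover (assumption).
const EU_STORAGE_REGIONS = new Set([
  'eu-central-1', 'eu-west-1', 'eu-west-3', 'eu-north-1', // AWS
  'fr-par', 'nl-ams', 'pl-waw',                           // Scaleway
]);

// Minimal dotenv parser: KEY=VALUE lines, # comments, optional surrounding quotes.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const i = line.indexOf('=');
    if (i === -1) continue;
    let value = line.slice(i + 1).trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) value = value.slice(1, -1);
    env[line.slice(0, i).trim()] = value;
  }
  return env;
}

// Returns a list of findings; an empty list means the file passes every check.
function lintDirectusEnv(env, euRegions = EU_STORAGE_REGIONS) {
  const findings = [];
  const isTrue = (key) => (env[key] || '').toLowerCase() === 'true';

  if (!(env.PUBLIC_URL || '').startsWith('https://')) findings.push('PUBLIC_URL: must be https:// so Secure cookies are usable');
  if ((env.SECRET || '').length < 32) findings.push('SECRET: set a random value of at least 32 characters (it signs every token)');
  if (!isTrue('SESSION_COOKIE_SECURE')) findings.push('SESSION_COOKIE_SECURE: set to true (Directus default is false)');
  if (!isTrue('REFRESH_TOKEN_COOKIE_SECURE')) findings.push('REFRESH_TOKEN_COOKIE_SECURE: set to true (Directus default is false)');
  for (const key of ['SESSION_COOKIE_SAME_SITE', 'REFRESH_TOKEN_COOKIE_SAME_SITE']) {
    const v = (env[key] || 'lax').toLowerCase(); // Directus default is lax
    if (v !== 'lax' && v !== 'strict') findings.push(`${key}: use lax or strict, not "${v}"`);
  }
  if ('ADMIN_PASSWORD' in env) findings.push('ADMIN_PASSWORD: bootstrap credential still in the runtime env; remove it after first start');
  if ((env.TELEMETRY || 'true').toLowerCase() !== 'false') findings.push('TELEMETRY: set to false to stop anonymised usage reports leaving your infrastructure');
  if (!isTrue('RATE_LIMITER_ENABLED')) findings.push('RATE_LIMITER_ENABLED: set to true to slow password guessing on /auth/login');

  // Residency: every s3-driver storage location must point at an allowlisted region.
  const locations = (env.STORAGE_LOCATIONS || 'local').split(',').map((s) => s.trim()).filter(Boolean);
  for (const loc of locations) {
    const prefix = `STORAGE_${loc.toUpperCase()}_`;
    if ((env[`${prefix}DRIVER`] || 'local') !== 's3') continue;
    const region = env[`${prefix}REGION`] || '';
    if (!euRegions.has(region)) findings.push(`${prefix}REGION: "${region}" is not in the EU region allowlist`);
  }
  return findings;
}

// Constructed sample: a typical first-attempt .env with the weak settings.
const WEAK_ENV = `
PUBLIC_URL=http://cms.example.org
SECRET=changeme
DB_CLIENT=pg
DB_HOST=db
ADMIN_EMAIL=admin@example.org
ADMIN_PASSWORD=admin
SESSION_COOKIE_SECURE=false
SESSION_COOKIE_SAME_SITE=none
STORAGE_LOCATIONS=s3
STORAGE_S3_DRIVER=s3
STORAGE_S3_BUCKET=cms-media
STORAGE_S3_REGION=us-east-1
`;

// Constructed sample: the same deployment after hardening (SECRET is a placeholder; generate your own).
const HARDENED_ENV = `
PUBLIC_URL=https://cms.example.org
SECRET=0f4c3a1d9e7b6c5a8d2f1e0b4a7c9d3e6f5a2b1c8d7e4f3a0b9c6d5e2f1a8b7c
DB_CLIENT=pg
DB_HOST=db.internal
SESSION_COOKIE_SECURE=true
SESSION_COOKIE_SAME_SITE=lax
REFRESH_TOKEN_COOKIE_SECURE=true
SESSION_COOKIE_TTL=1d
REFRESH_TOKEN_TTL=7d
TELEMETRY=false
RATE_LIMITER_ENABLED=true
STORAGE_LOCATIONS=s3
STORAGE_S3_DRIVER=s3
STORAGE_S3_BUCKET=cms-media
STORAGE_S3_REGION=fr-par
STORAGE_S3_ENDPOINT=https://s3.fr-par.scw.cloud
`;

for (const [label, text] of [['weak', WEAK_ENV], ['hardened', HARDENED_ENV]]) {
  const findings = lintDirectusEnv(parseDotenv(text));
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  - ${f}`);
}
```

The hardened sample keeps SameSite at lax rather than strict because a strict cookie is not sent on the top-level redirect back from an SSO identity provider, which breaks the SSO login flow the checklist recommends; lax still blocks cross-site POSTs against the admin API.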
Other open source headless CMS options that can be self hosted in the EU include Strapi, Payload CMS and Keystone. Managed alternatives with EU hosting options include Storyblok (CDN in the EU) and Hygraph (EU region). Sanity and Contentful are US based and require careful transfer analysis, while WordPress remains the most common monolithic option. Directus is often picked when teams want a headless model on top of an existing SQL database.
Do the Directus cookies need to appear in the cookie policy?
Yes, if anyone who receives them, that is anyone who reaches the admin interface, is covered by your policy. List the three session cookies (directus_session_token, directus_refresh_token, directus_session_id) under the strictly necessary category, with their purpose and approximate lifetime, and explain that they are not subject to prior consent. If the public website does not expose the Directus admin interface and only consumes the API, you do not need to mention the cookies because they are never set in visitors' browsers.