Neos is an open source enterprise content management system focused on editorial flexibility, structured content, and self hosted GDPR friendly publishing.
Neos is an open source content management system written in PHP and used widely across Europe to power corporate websites, magazines, intranets and multi site networks. The platform is self hosted, which means the operator chooses the hosting region, the database location and the server stack. For European publishers Neos is often deployed in Germany, the Netherlands or France, which keeps personal data inside the European Economic Area by default.
In a vanilla configuration Neos only sets a small number of strictly necessary cookies. A PHP session identifier maintains the editorial backend session and any logged in member area. A CSRF token cookie protects forms against cross site request forgery. The frontend itself does not load any third party tag, fingerprinting library or analytics script unless the operator explicitly installs a package that does so.
Strictly necessary session and security cookies do not require prior consent under article 5(3) of the ePrivacy Directive. They can be relied upon under legitimate interest, article 6(1)(f) GDPR. As soon as Neos is extended with analytics, A/B testing, embedded videos, social plugins or marketing automation, those modules become subject to consent and must be blocked until the visitor has accepted the relevant categories.
For a Neos site that only serves editorial content, a privacy notice describing session and CSRF cookies is sufficient. For a site that adds analytics or third party services, integrate a consent management platform that gates the relevant scripts and store the consent record server side or in a first party cookie. Editor accounts in the backend should be treated as employee data and protected with strong authentication and limited retention of activity logs.
Because Neos is self hosted, third country transfers only occur if the operator selects a non EU hosting provider, uses a CDN with US points of presence without proper safeguards, or integrates third party services such as US based analytics or fonts. To stay clearly inside the EEA, choose an EU hosting region, host fonts and assets locally, and document any sub processor in the records of processing activities.
Document the Neos cookies in your cookie policy, list any installed packages that process personal data, configure your CMP to block non essential scripts before consent, restrict editor access on a least privilege basis, and review installed plugins regularly to confirm none of them silently load tracking pixels.
DPIA considerations
A DPIA is generally not required for a vanilla Neos installation that only uses session and CSRF cookies. A DPIA becomes relevant when operators add analytics, marketing, profiling or AI modules, when Neos hosts large volumes of personal data such as member areas, or when content is hosted outside the EU.
Sample consent text
This website is powered by the Neos CMS open source platform. Strictly necessary session and security cookies are set so the site can function. No tracking or analytics cookies are used unless you accept them in the cookie banner.
Third-party domains contacted
neos.io
docs.neos.io
packagist.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| Neos_Flow_Session | Strictly necessary | Session | Maintains the editor or member session in the Neos backend and on protected frontend pages. |
| TYPO3_Flow_CSRF_Token | Strictly necessary | Session | Stores an anti CSRF token used to validate form submissions in the Neos editorial interface. |
| NEOS_PREVIEW_MODE | Strictly necessary | Session | Remembers the editor preview mode chosen for previewing unpublished content. |
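As an added example (not code from this page or from the Neos project), the audit below checks the Set-Cookie headers a Neos site returns against the three strictly necessary names in the table above, flagging any cookie that is not on that list or that has been made persistent; the headers and the `site_analytics_id` name are constructed placeholders.

```python
"""Audit Set-Cookie headers from a Neos site against its strictly necessary cookie set."""

# Cookie names a vanilla Neos installation sets (taken from the table above).
STRICTLY_NECESSARY = {"Neos_Flow_Session", "TYPO3_Flow_CSRF_Token", "NEOS_PREVIEW_MODE"}

# Constructed sample: three Neos cookies plus one dropped by an installed analytics
# package (placeholder name) and one Neos cookie wrongly given a long lifetime.
SAMPLE_HEADERS = [
    "Neos_Flow_Session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "TYPO3_Flow_CSRF_Token=tok456; Path=/; Secure",
    "NEOS_PREVIEW_MODE=desktop; Path=/",
    "site_analytics_id=xyz789; Max-Age=63072000; Path=/; Domain=.example.org",
    "Neos_Flow_Session=def000; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercase attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag-style attributes (HttpOnly, Secure) carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(headers, allowlist=STRICTLY_NECESSARY):
    """Classify cookies as 'necessary' (allowlisted session cookies) or 'review'.

    A cookie needs review when its name is unknown (likely added by a package and
    therefore subject to consent) or when an allowlisted name has been given an
    expiry, which contradicts the session lifetime documented for Neos.
    """
    result = {"necessary": [], "review": []}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        persistent = "max-age" in attrs or "expires" in attrs
        entry = {"name": name, "persistent": persistent, "domain": attrs.get("domain")}
        if name in allowlist and not persistent:
            result["necessary"].append(entry)
        else:
            result["review"].append(entry)
    return result


def run_sample():
    """Run the audit over the constructed headers."""
    return audit_cookies(SAMPLE_HEADERS)
```

Run the audit against headers captured from your own deployment after each package install; anything in `review` either needs consent gating or a corrected cookie lifetime.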
A vanilla Neos installation only sets a PHP session cookie that keeps editors signed in to the backend and an anti CSRF token cookie that protects forms. No analytics or advertising cookies are dropped unless an operator installs a package that does so.
No. The default session and security cookies are strictly necessary and can rely on legitimate interest under the GDPR. Consent only becomes required if you add analytics, A/B testing, marketing or third party embeds to your Neos installation.
Legitimate interest, article 6(1)(f) GDPR, covers the strictly necessary cookies and the editorial workflow. Editor accounts are processed on the basis of the contract with the operator, while any added analytics or marketing module must rely on consent, article 6(1)(a).
Not by itself. Neos is self hosted and stores data wherever the operator chooses. Transfers only occur if the operator selects a non EU host, a US based CDN, or third party services that send data outside the EEA.
A DPIA is usually not required for a content only installation. It becomes appropriate when Neos hosts large member areas, when added modules profile users, or when content is deployed via providers outside the EEA.
Use an EU host, host fonts and assets locally, document the session and CSRF cookies in your privacy notice, and integrate a CMP that blocks any non essential script before consent. Keep editor accounts on least privilege and rotate credentials regularly.
Other self hostable CMSs that fit a similar privacy posture include TYPO3, Drupal, Statamic, Strapi and Directus. Each has its own cookie footprint, so review their default cookies before switching.
List the strictly necessary session and CSRF cookies with their purpose and lifetime, mention any installed Neos package that introduces additional cookies, name your hosting provider, and update the policy whenever you add an analytics, marketing or embed module.