Statamic is a self hosted Laravel based CMS that can run on flat files or a database. The core product sets no tracking cookies and sends no telemetry, which makes it a privacy friendly choice for GDPR compliant projects under customer controlled hosting.
Statamic is a Laravel based content management system created in 2012 by Jack McDade and Jason Varga. It started as a flat file CMS where every piece of content lives in YAML or Markdown files on disk, and has since been extended to support traditional databases such as MySQL, PostgreSQL and SQLite. Statamic is published under a commercial licence by Wilderborn Software LLC in the United States, with a free Statamic Solo edition available for small single user sites. It is very popular in the Laravel ecosystem because it integrates natively with Laravel features such as Eloquent, queues, Blade and the Artisan command line.
Statamic is installed on infrastructure that the customer chooses and operates. It can run on any PHP capable host: a virtual private server, a managed PaaS, Laravel Forge, Laravel Vapor, or the official Statamic Cloud offering which is itself built on top of Laravel Forge. In every case the customer remains in full control of where the data lives, which directly simplifies GDPR data residency analysis. Statamic Cloud lets the customer pick the deployment region, so European projects can keep their data within the EEA when they need to.
The core CMS stores three categories of data: content authored by editors (pages, entries, taxonomies, assets), administrative user accounts (email, hashed password, optional profile fields, roles and permissions), and authentication artefacts: the Laravel session cookie (named after APP_NAME, so statamic_session in a standard install and laravel_session only if the default application name is left unchanged) and the XSRF-TOKEN cookie that Laravel uses for CSRF protection. Both are first party cookies carrying a random session identifier or CSRF token rather than a cross site tracking identifier. They are issued by Laravel's web middleware group, which Statamic's front end routes use by default, so they can appear on public pages as well as in the control panel unless those pages are served from static caching or the front end is headless. No analytics, no fingerprinting and no behavioural tracking are performed on public visitors. Licence validation contacts Statamic's servers in the United States (the statamic.com domains listed below); it transmits site level data such as the licence key, domain and version information rather than visitor data, and it is repeated periodically rather than performed once at activation, so treat it as a recurring administrative transfer and confirm the exact payload against the vendor's licensing documentation and your own egress logs.
Because Statamic itself runs on customer infrastructure and does not embed third party scripts, it is one of the more GDPR friendly CMS options on the market. The data controller (the website operator) remains the sole party in contact with personal data, and there is no need to sign a data processing agreement with Statamic for the CMS engine itself. A processing agreement may however be required with the hosting provider, and with Wilderborn if Statamic Cloud is used. The GDPR footprint grows quickly when addons are installed: form builders, comment systems, analytics integrations, search providers and marketplace addons can each introduce their own cookies, telemetry and third country transfers, and must be evaluated individually.
Statamic supports a headless mode through its REST and GraphQL APIs, where the administration interface runs on a private origin and a separate front end (Next.js, Nuxt, Astro, mobile app) consumes the content. The API routes are stateless, so the public front end receives no statamic_session or XSRF-TOKEN cookies from Statamic and the cookie banner only needs to cover the front end stack itself. The compliance checklist typically includes: hosting in an appropriate region, enforcing TLS, restricting the admin panel by IP or VPN, configuring secure cookie flags, documenting the role of Wilderborn as a licensor in the records of processing, and reviewing every Statamic addon for its own data flows.
Teams looking for similarly privacy friendly self hosted CMS options can consider Kirby (PHP flat file), Craft CMS (PHP, database backed), ProcessWire (PHP, very flexible), October CMS (Laravel based, similar audience), Laravel Nova (admin panel for custom Laravel apps) or Bagisto (Laravel e-commerce). All of these can be deployed under sole customer control, which keeps the GDPR analysis as straightforward as it is for Statamic.
Websites using Statamic do not need user consent for the core CMS itself; consent under GDPR and the ePrivacy rules becomes necessary only for addons or front end scripts that set non essential cookies or send visitor data to third parties.
DPIA considerations
No DPIA required for the core Statamic installation since the CMS itself processes only administrator credentials and content data on customer infrastructure. A DPIA may be needed when paired with addons that collect end user data (forms, analytics, comments) or when using Statamic Cloud with EU personal data, in which case the customer should document the chosen region and the Wilderborn licence validation flow.
Sample consent text
No consent banner is required for the core Statamic CMS because it sets no tracking cookies. The only cookies it issues are the Laravel session cookie and the XSRF-TOKEN CSRF cookie, which are first party, used solely to keep an authenticated session and to protect form submissions, and therefore strictly necessary under the ePrivacy Directive even where they are set on public pages.
Third-party domains contacted
statamic.com
control.statamic.com
*.laravel.cloud
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| statamic_session | session | 120 minutes by default (SESSION_LIFETIME) | Laravel session cookie, named after APP_NAME, holding only a random session identifier. Strictly necessary. Issued by the web middleware group, so it can be set on public pages as well as in the control panel; it is not a tracking cookie. |
| XSRF-TOKEN | session | Same lifetime as the session cookie | CSRF token cookie set by Laravel's VerifyCsrfToken middleware to protect form submissions in the control panel and in any front end form. Strictly necessary. |
| laravel_session | session | 120 minutes by default | The same Laravel session cookie under its default name; it appears instead of statamic_session when APP_NAME is left at "Laravel". Storing sessions in files or in a database does not change the cookie name. Strictly necessary. |
The core Statamic CMS sets only the Laravel session cookie (statamic_session in a standard install, laravel_session if APP_NAME is unchanged) and the XSRF-TOKEN cookie for CSRF protection. Both are first party, strictly necessary cookies; they may be set on public pages because Statamic's front end routes use Laravel's web middleware group, but no analytics or tracking cookies are issued by the core product.
No consent banner is required for the Statamic CMS itself because it sets no tracking cookies. The session and CSRF cookies fall under the strictly necessary exemption of the ePrivacy Directive whether they are issued to an administrator or to a public visitor submitting a form. A banner becomes necessary only if you install addons or front end scripts that themselves set non essential cookies.
For the CMS itself the relevant legal bases are performance of contract (Art. 6(1)(b) GDPR) for editorial accounts and legitimate interest (Art. 6(1)(f) GDPR) for the administrative authentication and CSRF protection mechanisms. Public visitors are not tracked by the core product, so no consent based legal basis is required for Statamic out of the box.
No, not for the core CMS. Statamic is self hosted, so the controller chooses the country of hosting. The outbound connection in the core product is the licence validation to Wilderborn Software LLC in the United States; it carries licence and site metadata rather than visitor data, and it recurs periodically rather than happening once at activation, so record it as an ongoing administrative transfer and verify the calls in your own outbound traffic logs. When using Statamic Cloud the customer also chooses the deployment region via Laravel Forge, which lets EU projects keep data in the EEA.
A DPIA is generally not required for a standard Statamic installation because the CMS processes only administrator credentials and content data on customer infrastructure. A DPIA may be triggered by specific addons that collect end user data (form builders, comment systems, analytics) or by large scale processing scenarios. Each installed addon should be evaluated separately.
Host Statamic in a region appropriate to your audience, enforce HTTPS, restrict the admin panel by IP, network or VPN, configure secure cookie flags, keep the application and its addons up to date, document the role of Wilderborn as licensor in your records of processing, and audit every Statamic addon for its own cookies and third party calls before publishing it.
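The checklist items above (enforce TLS, restrict the control panel by IP, configure secure cookie flags; the same items appear in the headless section) as concrete Laravel configuration. This is an added example written for this page, not code from Statamic or from the Laravel documentation. It assumes a Laravel 11 application layout and that the control panel prefix is read from the `statamic.cp.route` config key (default `cp`); the class name, file paths and allowlist ranges are placeholders of my own choosing.

```php
<?php
// Added example, not Statamic's or Laravel's own code. One listing with three pieces:
// (1) cookie flags in config/session.php, (2) a middleware that hides the Statamic
// control panel from addresses outside an allowlist and adds HSTS, (3) its registration.
// Assumptions: Laravel 11 layout, and the CP prefix living in config/statamic/cp.php
// under the 'route' key (default 'cp'); the allowlist ranges are constructed placeholders.

// ---- (1) config/session.php ---------------------------------------------------------
// 'lifetime'  => (int) env('SESSION_LIFETIME', 120), // minutes: the "2 hours" in the cookie table
// 'secure'    => env('SESSION_SECURE_COOKIE', true), // cookie only sent over HTTPS
// 'http_only' => true,                               // session cookie not readable from JS
// 'same_site' => 'lax',                              // not attached to cross-site POSTs
// XSRF-TOKEN inherits 'secure' and 'same_site' from this file; Laravel deliberately leaves it
// readable by JavaScript so front end code can echo it back in the X-XSRF-TOKEN header.

// ---- (2) app/Http/Middleware/RestrictControlPanel.php --------------------------------
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RestrictControlPanel
{
    /** Source ranges allowed to reach the control panel (constructed placeholder values). */
    public const ALLOWED = ['203.0.113.0/24', '2001:db8::/32', '127.0.0.1/32'];

    public function handle(Request $request, Closure $next): Response
    {
        $cp = trim((string) config('statamic.cp.route', 'cp'), '/');

        if ($request->is($cp) || $request->is($cp.'/*')) {
            // $request->ip() is only trustworthy behind a proxy when TrustProxies is configured;
            // otherwise X-Forwarded-For can be spoofed to bypass this check.
            if (! self::ipAllowed($request->ip(), self::ALLOWED)) {
                abort(404); // 404 rather than 403 so the admin path is not advertised
            }
        }

        $response = $next($request);
        // Pin browsers to HTTPS once TLS is enforced at the edge (do not add this before it is).
        $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');

        return $response;
    }

    /** True when $ip falls inside any CIDR in $cidrs. IPv4 and IPv6; families never cross-match. */
    public static function ipAllowed(?string $ip, array $cidrs): bool
    {
        $packed = $ip === null ? false : @inet_pton($ip);
        if ($packed === false) {
            return false; // unparseable or missing address: fail closed
        }
        foreach ($cidrs as $cidr) {
            [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
            $netPacked = @inet_pton($net);
            if ($netPacked === false || strlen($netPacked) !== strlen($packed)) {
                continue; // malformed entry, or v4 range vs v6 client (IPv4-mapped v6 counts as v6)
            }
            $bits = $bits === null ? strlen($packed) * 8 : (int) $bits;
            if ($bits >= 0 && $bits <= strlen($packed) * 8 && self::prefixMatches($packed, $netPacked, $bits)) {
                return true;
            }
        }
        return false;
    }

    /** Compare the first $bits bits of two packed addresses of equal length. */
    private static function prefixMatches(string $a, string $b, int $bits): bool
    {
        $fullBytes = intdiv($bits, 8);
        if (substr($a, 0, $fullBytes) !== substr($b, 0, $fullBytes)) {
            return false;
        }
        $rem = $bits % 8;
        if ($rem === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;
        return (ord($a[$fullBytes]) & $mask) === (ord($b[$fullBytes]) & $mask);
    }
}

// ---- (3) bootstrap/app.php (Laravel 11): global middleware runs before the router dispatches,
// so control panel routes never see a request from outside the allowlist.
// ->withMiddleware(function (Middleware $middleware) {
//     $middleware->prepend(\App\Http\Middleware\RestrictControlPanel::class);
// })
// On Laravel 10 add the class to the $middleware array in app/Http/Kernel.php instead.
```

Check the result from outside the allowlist (`curl -I https://example.org/cp` should return 404) and inspect the Set-Cookie headers of a front end response for the Secure, HttpOnly and SameSite attributes. Because the middleware trusts `$request->ip()`, configure Laravel's TrustProxies with your load balancer's addresses first; if proxies are trusted blindly, anyone can forge X-Forwarded-For and walk past the allowlist.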
Comparable self hosted CMS options include Kirby (PHP flat file), Craft CMS (PHP, database backed), ProcessWire (PHP, very flexible), October CMS (Laravel based), Laravel Nova (admin panel for custom Laravel apps) and Bagisto (Laravel e-commerce). All can be deployed under sole customer control, which keeps the GDPR analysis comparable to Statamic.
The core CMS sets only strictly necessary first party cookies, so Statamic itself needs no consent entry, but because the Laravel session and XSRF-TOKEN cookies can be set on public pages, list them in the strictly necessary section of your public cookie policy; an internal staff privacy notice should cover the control panel accounts. You must also declare in the public policy any cookie that originates from Statamic addons or from the front end you build on top of the CMS.