Strapi is the leading open source headless CMS, published by Strapi SAS in Paris. The public REST and GraphQL API serves JSON without setting cookies, so the public delivery layer is GDPR friendly by default. Hosting is chosen by the customer, which gives full control over the storage region for European projects.
Strapi is the most popular open source headless CMS in the world. Published by Strapi SAS in Paris since 2015 under an MIT licence, it lets developers model collections in an admin panel, then expose the data via REST or GraphQL. Customers run Strapi on their own infrastructure (Docker, Kubernetes, VPS, PaaS) or on Strapi Cloud. The public delivery API is stateless and does not require any client side identifier to function.
Out of the box Strapi sets no cookies on the public site. The only cookie produced by Strapi is jwtToken, an httpOnly session cookie used by the admin panel under /admin to authenticate editors. That cookie is never exposed to the public website. Strapi Cloud customers using the strapi.io account portal also have a portal session cookie and may be tracked by the strapi.io marketing analytics, which are scoped to the strapi.io domain only.
Because the public Strapi delivery writes no identifier to the visitor's browser, Article 5(3) of the ePrivacy Directive (transposed as the TTDSG in Germany, the LCEN in France and the LSSI in Spain) does not require prior consent. Article 6(1)(f) GDPR (legitimate interest) covers the limited request logging needed for delivery and abuse prevention. The customer is the controller of the data stored in Strapi; the Strapi instance is a system used to manage that data. When Strapi Cloud is used, Strapi SAS is a processor under Article 28 GDPR, with a DPA available in the dashboard.
For self hosted Strapi the customer fully controls the hosting region. Pick an EU based provider (OVH Roubaix, Scaleway Paris, Clever Cloud, Hetzner Falkenstein, AWS Frankfurt or Ireland) to avoid any third country transfer. Strapi Cloud lets customers select a region at project creation: Frankfurt (eu-central-1) keeps data inside the EU, while the US option (Virginia, us-east-1) triggers Schrems II considerations and requires Standard Contractual Clauses plus a transfer impact assessment.
Document Strapi in the record of processing activities (RoPA) with hosting region, purpose, retention and access controls. Protect the /admin route behind IP allowlists or a VPN where possible, enable SSO and require 2FA on editor accounts. Use strong rate limiting on the public API to prevent enumeration. If user submitted content (comments, forms) is ingested through Strapi, document the legal basis for that processing separately. Audit the plugins you install since they can extend the data flow.
DPIA considerations
A DPIA is not required for the public Strapi delivery layer in most cases because no personal data is processed on visitors beyond standard request logs. A DPIA should be considered if the Strapi instance stores special categories of data (health, biometrics, political opinions) or if a user generated content workflow handles many natural persons. Document the hosting region, the access controls on /admin and the editor authentication method.
Sample consent text
This website uses Strapi to manage and deliver editorial content. The Strapi public API does not set cookies and does not track you. No consent is required. If you log in to the administration area, a strictly necessary session cookie is created to authenticate you.
Third-party domains contacted
strapi.io
cloud.strapi.io
market.strapi.io
api.strapi.io
analytics.strapi.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| jwtToken | first-party (admin panel only) | Session (or 30 days if "remember me" is enabled) | httpOnly cookie that carries the JSON Web Token authenticating a logged in editor on the Strapi admin panel under /admin. Strictly necessary, only set after a successful sign in, never reaches anonymous visitors. |
| strapi_session | first-party (Strapi Cloud portal) | Session | Authenticates a user on the Strapi Cloud account portal (cloud.strapi.io). Strictly necessary for the customer side. Not set on the public website. |
| ajs_anonymous_id | third-party (Segment, on strapi.io only) | 1 year | Anonymous identifier set by Segment on the strapi.io marketing site for product analytics. Does not appear on customer instances. Disclosed here for completeness. |
No. The public Strapi REST and GraphQL APIs do not set cookies. The only cookie produced by Strapi is jwtToken, an httpOnly session cookie scoped to the /admin route and used to authenticate logged in editors. Anonymous visitors never receive it.
No consent is required for the public Strapi delivery because no identifier is stored on the visitor terminal. Article 5(3) of the ePrivacy Directive does not apply. Consent only becomes relevant if your frontend embeds third party trackers fed by Strapi content.
Article 6(1)(f) GDPR (legitimate interest) covers the limited request logging needed for delivery and security. The customer is the controller of the editorial data managed in Strapi. Strapi SAS only acts as a processor when Strapi Cloud is used, with an Article 28 DPA.
Self hosted Strapi does not transfer anything by itself; the customer chooses the hosting location. Strapi Cloud transfers data to the United States only when the US region is selected. The Frankfurt region keeps data in the EU. The strapi.io marketing site uses some US tools, but they only apply to that site, not to your deployed instance.
A DPIA is not required for a typical editorial CMS deployment because no profiling or special category data is processed by default. A DPIA should be considered when Strapi stores sensitive content (health, biometrics), when large volumes of user submissions are handled, or when integrated with personalization or AI features.
Host inside the EU, restrict /admin behind IP allowlist or VPN, enable SSO and 2FA, sign the Strapi Cloud DPA if applicable, document the processing in your RoPA, set strong rate limits on the public API and audit installed plugins for additional data flows.
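The two hardening steps repeated in this answer and in the deployment paragraph above (restrict /admin to editors, rate limit the public API) expressed as one reverse proxy configuration, as an added example that is neither Strapi's nor FlowConsent's own: nginx in front of a self hosted Strapi listening on 127.0.0.1:1337. The hostname, certificate paths and the 203.0.113.0/24 allowlist range are placeholders.

```nginx
# Added example, not Strapi's or FlowConsent's own configuration.
# Assumes Strapi runs on 127.0.0.1:1337 behind this nginx instance.

# Rate-limit zone keyed on the client IP, used for the public content API.
limit_req_zone $binary_remote_addr zone=strapi_api:10m rate=20r/s;

upstream strapi {
    server 127.0.0.1:1337;
}

server {
    listen 443 ssl;
    server_name cms.example.org;                            # placeholder hostname
    ssl_certificate     /etc/ssl/certs/cms.example.org.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/cms.example.org.key; # placeholder path

    # Forwarding headers set once here are inherited by every location below
    # that does not define its own proxy_set_header.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Admin panel and admin API (/admin/...): editors only. Only the editors'
    # VPN egress range may reach it, so the jwtToken cookie is never even
    # offered to an anonymous visitor's network position.
    location /admin {
        allow 203.0.113.0/24;   # placeholder: editors' VPN egress range
        deny  all;              # everyone else gets 403
        proxy_pass http://strapi;
    }

    # Public REST delivery: stateless and cookie-free, but rate limited so that
    # bulk enumeration of collection entries is slow and shows up as 429s in logs.
    location /api/ {
        limit_req zone=strapi_api burst=40 nodelay;
        limit_req_status 429;
        proxy_pass http://strapi;
    }

    # GraphQL plugin endpoint (default path), same rate limit as the REST API.
    location /graphql {
        limit_req zone=strapi_api burst=40 nodelay;
        limit_req_status 429;
        proxy_pass http://strapi;
    }

    # Everything else (for example /uploads) is proxied without the allowlist.
    location / {
        proxy_pass http://strapi;
    }
}
```

Keep the 403s on /admin and the 429s on /api in the access log you already retain under Article 6(1)(f): they are the detection signal for credential stuffing against editors and for scraping of the content API.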
Other headless CMS options used in Europe include Storyblok (Austria), Contentful (Germany), Hygraph (Germany), Sanity (Norway), Directus (Germany, open source), Payload CMS (open source, self hosted) and Wagtail (Python, open source).
No Strapi specific cookie disclosure is needed for the public site when no cookies are set. List Strapi as the content management processor in your privacy policy with hosting region, purpose and access controls. The admin only jwtToken cookie does not need to appear in the cookie banner because it is strictly necessary and only set after a successful login.