Wiki.js is a modern, open source, self hosted wiki and knowledge management platform built in Node.js with a Vue.js front end. Teams use it as an internal documentation portal, a public knowledge base or a customer help center, with role based access, multiple storage backends and federation features.
Wiki.js is a modern, open source, self hosted wiki and knowledge management platform. It is written in Node.js with a Vue.js front end and stores content in a relational database (PostgreSQL, MySQL, MariaDB or SQLite). Organisations use it as an internal documentation portal, a customer knowledge base, a developer handbook or a public wiki, with full markdown and WYSIWYG editing.
Wiki.js handles authentication (local accounts, OAuth, LDAP, SAML, OIDC), page editing with versioning, search through a configurable backend (built in, PostgreSQL full text or external such as Elasticsearch), media storage on disk or on S3 compatible buckets, and access control by group and page path. Optional modules add analytics (server side, opt in) and external rendering.
Wiki.js sets only strictly necessary cookies: a session identifier (jwt or wiki_jwt) once a user logs in, a CSRF protection cookie, and a theme preference cookie when the dark mode toggle is used. Editor and reader IP addresses, user agents and edit timestamps are stored in the database for moderation and version history. No analytics, advertising or third country tag is loaded by Wiki.js itself.
Because Wiki.js is self hosted, the operator is the data controller and bears responsibility under GDPR. The strictly necessary session and CSRF cookies fall under the consent exemption of Article 5(3) ePrivacy Directive. Public reading of pages requires no consent. When the wiki uses external authentication (Microsoft, Google, GitHub) those identity providers may set their own cookies, which must be disclosed and, depending on the integration, consented to.
No consent is required for the wiki itself in a typical deployment. Consent becomes necessary when the operator activates non essential modules: third party comment widgets, embedded videos or marketing pixels. The operator should map these in the cookie scan and present them through a CMP. The wiki privacy notice should disclose the editor list, the legal basis and the retention of page revisions and uploads.
Wiki.js sends no data to the upstream project by default. Data transfers are determined entirely by the operator: a Wiki.js on a German VM with a managed Postgres in Frankfurt has no third country transfer, while a Wiki.js using an external storage bucket in us-east-1 does. Document the geography in the records of processing.
Host Wiki.js and its database in the EU/EEA. Configure short retention for visitor IPs in the database (or hash them at write time). If single sign on is used, sign a DPA with the identity provider and add it to the records of processing. Disable any analytics module not strictly needed. Audit the user role matrix and delete inactive editor accounts at least once a year.
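The "hash them at write time" and "short retention" recommendations above, as an added example that is not Wiki.js code: the function names, the row shape, the 30 day window and the secret are assumptions made for illustration. It uses a keyed hash because a plain hash of an IPv4 address can be reversed by enumerating the address space.

```javascript
const crypto = require('node:crypto');
const net = require('node:net');

// Hypothetical helpers for illustration; none of these names exist in Wiki.js.

// Canonicalise the common variants so a visitor maps to one string.
function normalizeIp(ip) {
  const text = String(ip).trim().toLowerCase();
  // IPv4-mapped IPv6 (::ffff:203.0.113.7) is the same client as 203.0.113.7.
  const mapped = text.startsWith('::ffff:') && net.isIPv4(text.slice(7));
  const canonical = mapped ? text.slice(7) : text;
  if (net.isIP(canonical) === 0) throw new TypeError('not an IP address');
  return canonical;
}

// A bare SHA-256 of an IPv4 address is reversible by trying all 2^32 inputs,
// so the digest is keyed with a server-side secret (HMAC). Deriving a new key
// per UTC day keeps edits linkable within a day but not across days.
function pseudonymizeIp(ip, secret, when = new Date()) {
  const day = when.toISOString().slice(0, 10); // YYYY-MM-DD
  const dayKey = crypto.createHmac('sha256', secret).update(day).digest();
  const mac = crypto.createHmac('sha256', dayKey).update(normalizeIp(ip));
  return mac.digest('hex').slice(0, 32);
}

// Short retention: select rows older than the window for deletion.
function expiredRows(rows, retentionDays, now = new Date()) {
  const cutoff = now.getTime() - retentionDays * 24 * 3600 * 1000;
  return rows.filter((row) => row.createdAt.getTime() < cutoff);
}

// Constructed sample input (documentation address ranges, placeholder secret).
function demo() {
  const secret = 'constructed-placeholder-secret';
  const now = new Date('2024-05-10T12:00:00Z');
  const rows = [
    { ip: '203.0.113.7', createdAt: new Date('2024-05-09T08:00:00Z') },
    { ip: '::ffff:203.0.113.7', createdAt: new Date('2024-05-09T09:30:00Z') },
    { ip: '2001:db8::1', createdAt: new Date('2024-03-01T10:00:00Z') },
  ].map((r) => ({ ...r, ip: pseudonymizeIp(r.ip, secret, r.createdAt) }));
  return { rows, toDelete: expiredRows(rows, 30, now) };
}

console.log(demo());
```

The secret has to live outside the wiki database, otherwise a database dump is enough to recompute the mapping.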
Websites using Wiki.js must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for a typical Wiki.js deployment, since the platform is self hosted, processes limited editorial data on a defined legal basis and does not perform automated decision making. A DPIA becomes relevant when the wiki holds large volumes of special category data (health, biometric), when single sign on involves cross border transfers, or when public editing is enabled and IP addresses are stored for moderation. Document the wiki in the records of processing as an internal collaboration system with editorial purpose.
Sample consent text
This site uses Wiki.js, an open source self hosted wiki, to publish documentation. Only strictly necessary cookies are set when you log in or save a draft. No telemetry, analytics or advertising cookies are loaded by Wiki.js itself.
Third-party domains contacted
js.wiki, docs.requarks.io, github.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wiki_jwt | Strictly Necessary | Session or as configured | First party authentication cookie storing the encoded JSON Web Token used to maintain the editor session after login. |
| wiki_csrf | Strictly Necessary | Session | First party CSRF protection cookie used to mitigate cross site request forgery on form submissions in the editor and the admin interface. |
| wiki_theme | Preferences | 1 year | First party preference cookie remembering the dark or light theme chosen by the user. |
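A cookie scan check against the table above, as an added example that is not part of Wiki.js or of the original page: it compares observed Set-Cookie headers with the declared inventory and flags undeclared cookies and lifetimes longer than the declared duration. The function names and the sample headers are constructed for illustration.

```javascript
// Declared inventory, copied from the cookie table above. maxAge is in
// seconds: 0 = session only, null = "as configured" (no fixed ceiling).
const DECLARED = new Map([
  ['wiki_jwt', { type: 'Strictly Necessary', maxAge: null }],
  ['wiki_csrf', { type: 'Strictly Necessary', maxAge: 0 }],
  ['wiki_theme', { type: 'Preferences', maxAge: 365 * 24 * 3600 }],
]);

// Parse one Set-Cookie header value into a name and a lifetime in seconds.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((part) => part.trim());
  const name = pair.slice(0, pair.indexOf('='));
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    if (eq === -1) continue; // flag attributes such as Secure or HttpOnly
    const key = attr.slice(0, eq).toLowerCase();
    const value = attr.slice(eq + 1);
    if (key === 'max-age') maxAge = Number(value);
    if (key === 'expires') {
      expires = Math.round((Date.parse(value) - now.getTime()) / 1000);
    }
  }
  // Max-Age takes precedence over Expires; neither means a session cookie.
  return { name, lifetime: maxAge ?? expires ?? 0 };
}

// Return one finding per cookie that the declared inventory does not cover.
function auditCookies(headers, now = new Date()) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetime } = parseSetCookie(header, now);
    const declared = DECLARED.get(name);
    if (!declared) {
      findings.push({ name, issue: 'undeclared: disclose and route through the CMP' });
    } else if (declared.maxAge !== null && lifetime > declared.maxAge) {
      findings.push({ name, issue: `lifetime ${lifetime}s exceeds declared ${declared.maxAge}s` });
    }
  }
  return findings;
}

// Constructed sample headers; the last one stands in for an added marketing tag.
const SAMPLE_HEADERS = [
  'wiki_jwt=constructed.token.value; Path=/; Max-Age=2592000; Secure; HttpOnly',
  'wiki_csrf=constructedcsrf; Path=/; SameSite=Strict',
  'wiki_theme=dark; Path=/; Max-Age=63072000',
  '_ga=GA1.1.constructed; Path=/; Max-Age=63072000',
];
console.log(auditCookies(SAMPLE_HEADERS));
```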
Wiki.js sets only strictly necessary cookies: a session cookie (wiki_jwt) once a user logs in to record the authenticated session, a CSRF cookie used to protect form submissions, and an optional theme cookie when the dark mode toggle is used. No analytics or advertising cookie is set by the upstream project.
No. The cookies set by Wiki.js are strictly necessary for authentication and CSRF protection, which fall under the consent exemption of Article 5(3) of the ePrivacy Directive. Public reading of pages and editing through an authenticated session do not require additional consent.
For an internal team wiki: legitimate interest of the controller (Art 6(1)(f) GDPR) for documentation purposes and, for authenticated editors, the performance of the contract or employment relationship (Art 6(1)(b)). For public wikis where anonymous edits are allowed, legitimate interest of the controller for moderation may justify IP logging.
Not by Wiki.js itself. The upstream project sends no telemetry. Third country transfers depend entirely on the operator: a self hosted Wiki.js on a German VM with EU storage performs no transfer, while a Wiki.js using S3 in us-east-1 or Microsoft 365 SSO does. The operator must document the hosting in its records of processing.
A DPIA is not required for a typical internal Wiki.js deployment. It becomes necessary when the wiki processes special category data (health, biometric), runs at very large scale or is used as the single record system for HR documentation. Run a screening assessment first, then a full DPIA if any criterion is met.
Host Wiki.js and its database in the EU/EEA. Disable any optional analytics module not needed. Hash visitor IP addresses or set a short retention. If SSO is enabled, sign a DPA with the identity provider and add it to the records of processing. Audit user roles and delete inactive accounts at least yearly.
Open source alternatives include BookStack, Outline, MediaWiki, DokuWiki, XWiki and Hugo based static sites. Hosted options include Notion, Confluence, GitBook and Slab. The choice depends on collaboration model, hosting flexibility and data residency requirements.
List the three strictly necessary cookies (wiki_jwt, CSRF, theme) with their duration and purpose. Mention that no analytics or marketing cookie is set. If you have added external modules (Disqus comments, embedded YouTube, Google Tag Manager) document them separately and route them through the CMP.