Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
AdonisJS is a full-stack open-source web framework for Node.js, inspired by Laravel. It is a developer tool, not a data processor or tracking service. GDPR obligations do not arise from the framework itself but from the web application built with it and the infrastructure where it is deployed. Developers using AdonisJS are responsible for implementing GDPR-compliant data handling in their applications.
AdonisJS is a full-featured, open-source web framework for Node.js that follows the MVC (Model-View-Controller) architectural pattern. Inspired by Laravel for PHP, it provides built-in tooling for routing, authentication, ORM (Lucid), validation, and templating. AdonisJS is used by development teams to build API backends, server-rendered web applications, and microservices. It is a developer tool and not itself a data processor, tracking service, or third-party vendor.
AdonisJS is open-source software that runs on the developer''s own infrastructure. GDPR obligations are not triggered by the framework itself but by the application built with it. The organisation deploying the AdonisJS application is the data controller. GDPR compliance depends on what personal data the application processes, how it processes it, where it is hosted, and what third-party services it integrates.
AdonisJS includes built-in session management that uses cookies to maintain server-side sessions. Session cookies used solely for authentication (keeping a user logged in) are generally considered strictly necessary and do not require ePrivacy consent. Analytics, tracking, or personalisation cookies added by the developer do require consent. Developers should configure AdonisJS session settings to use secure, HttpOnly, SameSite cookies and implement appropriate consent management.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
When building with AdonisJS, developers are responsible for implementing data minimisation in database models, access controls for personal data, data subject rights endpoints (access, erasure, portability), audit logging for sensitive data access, encryption for sensitive fields, and secure password hashing. AdonisJS''s Lucid ORM and authentication package provide solid foundations for these requirements.
AdonisJS can be deployed on any infrastructure. For EU data residency, deploy on EU-based hosting such as OVHcloud, Hetzner, or AWS Frankfurt. The hosting provider acts as a data processor and requires a DPA. The framework itself does not determine data location.
Implement a cookie consent management system. Configure session cookies as strictly necessary only. Use EU-based hosting with a signed DPA. Implement data subject rights handlers. Apply data minimisation in database models. Encrypt sensitive fields. Conduct DPIAs for high-risk processing features.
Websites using AdonisJS must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for using AdonisJS itself. DPIAs may be required for specific applications built with AdonisJS that process large-scale personal data, perform automated decision-making, or handle special category data.
Sample consent text
This website is built using AdonisJS, an open-source Node.js framework. Cookies and data collection on this site are described separately in our privacy policy and cookie notice.
Third-party domains contacted
adonisjs.comnpm.adonisjs.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| adonis-session | session | Session | Strictly necessary server-side session cookie used for user authentication in AdonisJS applications |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
No. AdonisJS is an open-source framework, not a data processor or third-party service. GDPR applies to the application built with AdonisJS and the organisation running it, not to the framework code itself. The framework does not collect or process personal data independently.
Authentication session cookies are generally considered strictly necessary and do not require ePrivacy consent. However, any analytics, tracking, or personalisation cookies added to an AdonisJS application by the developer require prior consent under the ePrivacy Directive.
The legal basis depends on the application's purpose and design, not the framework. Common bases include contract performance for user accounts and services, legitimate interest for security logging, and consent for optional features like newsletters or tracking.
AdonisJS itself does not transfer data anywhere. Transfer obligations depend entirely on where the developer deploys their AdonisJS application and which third-party services they integrate.
A DPIA is not required for AdonisJS itself. It may be required for specific features in your AdonisJS application that process large-scale personal data, perform automated decision-making, or handle special category data.
Implement cookie consent management, configure secure session cookies, build data subject rights endpoints (access, erasure, portability), apply data minimisation in database models, encrypt sensitive fields, implement access controls, and sign DPAs with any third-party services you integrate.
For EU data residency, deploy on EU-based infrastructure such as OVHcloud, Hetzner, Scaleway, or AWS Frankfurt. Sign a Data Processing Agreement with your hosting provider. Avoid logging unnecessary personal data and implement appropriate data retention policies.
AdonisJS itself does not need to be mentioned in your privacy policy. However, all data processing in your AdonisJS application must be described, including what data is collected, the legal basis, retention periods, and any third-party processors integrated with the application.