Does your website use third-party services? Get GDPR compliant in minutes.

OpenGSE

What does OpenGSE do?

OpenGSE (Google Servlet Engine) is Google's internal HTTP front, end, identified by the response header Server: GSE. It serves Google Sites, Blogger, Firebase Hosting and several other Google products. As a pure web server it does not set cookies of its own, but it routes traffic through Google's global infrastructure, so the privacy analysis focuses on server logs and on US data transfers rather than on browser storage.

What OpenGSE is

OpenGSE (Google Servlet Engine) is the in, house HTTP front, end used by many Google products. It exposes itself through the Server: GSE HTTP response header. Sites built on Google Sites, Blogger, Firebase Hosting and several Cloud Run defaults are served by GSE. Detecting GSE on a site does not by itself reveal personal data processing : it only tells you that the page is delivered by Google''s infrastructure.

Does OpenGSE set cookies?

As a pure HTTP server, OpenGSE does not set any cookies of its own. Cookies you see on a GSE, served page come from the application layered above (Google Sites widgets, Blogger gadgets, Firebase Authentication) or from third, party scripts loaded by the publisher. The cookie inventory of a GSE site is therefore the inventory of those applications and third parties, not of the server itself.

Server logs and GDPR

OpenGSE produces request logs (timestamp, IP address, URL, User, Agent, referer, response code). Those logs are processed by Google LLC in the United States and are retained for security and operational purposes. Under GDPR these logs constitute personal data and the publisher relies on Article 6(1)(f) (legitimate interest in running and securing the service) as the lawful basis. No banner is required, but the privacy notice should mention Google as a processor and the United States as a country of destination.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Transfers and Google Cloud DPA

Sites hosted on a Google service that uses GSE are covered by the Google Cloud Data Processing Addendum, which incorporates the Standard Contractual Clauses for international transfers and references the EU, US Data Privacy Framework certification of Google LLC. A Transfer Impact Assessment is still expected by European supervisory authorities to document the residual US surveillance risk under FISA 702.

Practical compliance steps

Treat OpenGSE the same way you treat any cloud hosting service : sign the Google Cloud DPA, mention Google LLC in the privacy notice, document the US transfer, and concentrate the cookie analysis on the application layer (Google Sites embeds, Blogger gadgets, embedded YouTube, Maps or Forms). Audit the actual cookies loaded by your pages with a browser developer tools session, because GSE itself will never appear in that inventory.

GDPR consent category

Other

Websites using OpenGSE must obtain user consent under GDPR regulations.

Legal basisLegitimate interest for server operation and security (Art. 6(1)(f) GDPR)

Risk levellow

Applicable regulationsGDPR, ePrivacy Directive

DPIA considerations

OpenGSE itself does not implement first, party tracking; the privacy footprint depends on the Google product layered on top of it (Google Sites, Blogger, Firebase Hosting, Cloud Run). Key DPIA considerations: (1) request logs (IP, User, Agent, URL, referer, timestamp) are processed by Google LLC and may be replicated to US data centres; (2) bot, mitigation systems such as reCAPTCHA Enterprise may be applied transparently to OpenGSE traffic; (3) Google may correlate request logs with signed, in user state through other Google products; (4) the hosting customer remains the controller for the data exposed by the served content even though Google operates the infrastructure. A DPIA is only required when the application layer (e.g. Google Sites form) collects sensitive data, not for the web server itself.

Sample consent text

This site is served through Google's OpenGSE web front, end. Standard server logs (IP address, browser type, page requested) are processed by Google LLC under our hosting contract and may be stored in data centres located in the United States. These logs are kept for security and operational purposes only and do not require your consent. Any analytics or marketing cookies loaded on top of the site are governed by the separate consent banner.

Technical details

Tracking methodHTTP server (Server response header identification only)

Server locationGoogle global infrastructure (multi, region)

Cookieless tracking availableYes

Data transferred outside the EUOpenGSE (Google Servlet Engine) is Google's in, house HTTP front, end. When a site is hosted on Google Sites, Blogger, Cloud Run or any other Google product served by GSE, requests are routed through Google's global anycast network and may terminate in data centres located in the United States or in other Google regions. Standard web server logs (IP, User, Agent, request path) are processed by Google LLC and transferred outside the EU.

Third-party domains contacted

sites.google.comblogger.comblogspot.comfirebaseapp.comweb.appgoogleusercontent.com

This service may collect user data. Ensure GDPR compliance with FlowConsent.

Get started free Scan your site

Frequently asked questions

Which cookies does OpenGSE set?

None. OpenGSE is a pure HTTP server identified by the Server: GSE response header. It does not write to localStorage, sessionStorage or document.cookie. Any cookies you see on a GSE, served page come from the application layered on top (Google Sites widgets, Blogger gadgets, Firebase Authentication, embedded YouTube or Maps).

Do I need a consent banner because of OpenGSE?

No. As a server, OpenGSE does not trigger Article 5(3) ePrivacy obligations. A banner is only required when application, level cookies or trackers are loaded. Audit the actual cookies set by your pages and base the banner on that inventory, not on the detection of GSE.

What is the legal basis for the server logs?

Article 6(1)(f) GDPR (legitimate interest in operating, securing and troubleshooting the website). The publisher remains controller for the logs, Google LLC is the processor under the Google Cloud Data Processing Addendum.

Are requests transferred to the United States?

Yes. Google routes traffic through its global anycast network and many GSE points of presence terminate in the United States. Transfers rely on Standard Contractual Clauses and the EU, US Data Privacy Framework certification of Google LLC; a Transfer Impact Assessment is still expected.

Is a DPIA required for OpenGSE?

Not for the server itself. A DPIA is triggered by the application layer, for example a Google Sites form collecting health data, a Firebase Authentication flow for minors, or a Blogger comment system tracking visitors. Scope the DPIA to those flows, not to the web server.

How do I implement compliance when I host on a GSE backed product?

Sign the Google Cloud DPA, list Google LLC as a processor in your privacy notice, mention the United States as a destination country, and audit application, level cookies independently. Document the legitimate interest balancing test for log retention.

What are the alternatives to OpenGSE for European hosting?

If avoiding US transfers at the infrastructure level is critical, look at Scaleway, OVHcloud, Hetzner, Infomaniak or any provider that runs nginx, Apache or Caddy in EU only data centres. Those alternatives apply only if you can move off the Google product (Google Sites, Blogger, Firebase Hosting) itself.

How should I update my cookie policy?

Do not list GSE as a cookie. Instead, audit the cookies actually loaded by your pages (Google Sites embeds, Blogger gadgets, third, party scripts) and list each one with its purpose, lifetime and category. Mention Google LLC as a hosting processor and the United States as a transfer destination in the wider privacy notice.

Get compliant — Try FlowConsent free

Free plan · 10-min setup