Parmin Cloud is an Iranian cloud and hosting provider headquartered in Tehran that delivers shared hosting, VPS, dedicated servers and a CDN. All compute and storage sits in Iran. There is no European Commission adequacy decision for Iran, and EU sanctions complicate the operation of Standard Contractual Clauses. Hosting EU resident personal data on Parmin Cloud is therefore very hard to justify under the Schrems II framework and usually requires explicit consent or a contract derogation under Art. 49 GDPR.
Parmin Cloud (parmin.cloud) is a Tehran based cloud and hosting company that offers shared web hosting, virtual private servers, dedicated servers, object storage, a managed database catalogue and a content delivery network operated from data centres inside Iran. The provider mainly serves Iranian businesses, government bodies and developers who need infrastructure resilient against external network disruption. Compute, storage and the customer portal are operated within Iranian jurisdiction by an Iranian legal entity, with no announced presence inside the European Economic Area.
As a hosting provider Parmin Cloud processes IP addresses, authentication credentials, billing data and all content the customer uploads, which may contain personal data of EU residents, employees or website visitors. The Parmin Cloud customer portal and any websites hosted on the platform typically set first party session cookies, a CSRF token and load balancer affinity cookies. Audit and operational logs (HTTP access logs, application logs) are stored in Iran. Backup snapshots are also kept inside Iran unless the customer ships them out manually.
Iran does not benefit from a European Commission adequacy decision under Art. 45 GDPR. Transfers therefore fall under Chapter V GDPR. After Schrems II (CJEU C-311/18) the controller must verify that the third country provides a level of protection essentially equivalent to that of the EU, taking into account local surveillance and intelligence laws. Iran is also subject to EU restrictive measures (Council Regulation 359/2011 on serious human rights violations and Regulation 267/2012 on nuclear sanctions), which makes the conclusion and enforcement of Standard Contractual Clauses difficult and may prohibit certain commercial relationships outright.
For hosted websites that face EU visitors the controller still needs Art. 6(1)(a) GDPR consent for any non essential cookie or tag served via Parmin Cloud, and Art. 5(3) ePrivacy applies. For the substantive transfer of EU personal data to Iran a regular Art. 6 basis is not enough on its own: the controller must additionally satisfy Chapter V GDPR. In practice, given the difficulty of operating SCCs with an Iranian processor, the only realistic legal route for ongoing transfers is explicit consent under Art. 49(1)(a), which the data subject must give after being clearly informed of the absence of an adequacy decision and the risks involved.
Hosting on Parmin Cloud means EU data physically leaves the EEA and is stored under Iranian jurisdiction. The Iranian Computer Crimes Act and Telecommunications Regulations grant broad access powers to security agencies that are not subject to EU-equivalent independent oversight. Supplementary measures such as customer-held end-to-end encryption with keys never disclosed to the provider, strict pseudonymisation and partitioning may, in narrow scenarios, mitigate the risk, but the EDPB Recommendations 01/2020 make clear that this only works where the provider has no access to plaintext data. For most operational workloads this condition cannot be met.
If you must use Parmin Cloud, run a full DPIA and Transfer Impact Assessment, document why no EEA alternative is viable, sign SCCs (Module Two or Three depending on roles) to the extent permitted by EU sanctions law, encrypt all data at rest and in transit with customer managed keys held in the EU, and minimise the personal data stored. Inform visitors clearly in the privacy notice that data is hosted in Iran without adequacy, obtain explicit consent under Art. 49(1)(a) where the transfer is the primary purpose, and stand ready to migrate or repatriate data on short notice if sanctions or regulators tighten further.
Websites using Parmin Cloud must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is mandatory before processing any EU resident personal data on Parmin Cloud. The assessment must document that Iran has no EU adequacy decision, evaluate the impact of Iranian intelligence and surveillance laws on the essence of GDPR rights, examine whether Standard Contractual Clauses can be effectively enforced against an Iranian provider under EU sanctions (Council Regulation 359/2011 and 267/2012), and consider whether any supplementary technical measures (end to end encryption with keys held in the EU, pseudonymisation, fragmentation) can bring the transfer to essentially equivalent protection. In most cases the conclusion will be that ordinary commercial deployments cannot lawfully transfer EU data and must rely on Art. 49(1) derogations only for limited, occasional flows.
Sample consent text
This website is hosted on Parmin Cloud, an infrastructure provider based in Iran. By continuing to use the service you accept that your personal data will be stored and processed in Iran, a country without an EU adequacy decision and outside the European Economic Area. The transfer is based on your explicit consent under Art. 49(1)(a) GDPR, and you can withdraw it at any time. We cannot guarantee a level of protection essentially equivalent to that of the EU.
Third-party domains contacted
parmin.cloud, my.parmin.cloud, cdn.parmin.cloud, api.parmin.cloud
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| parmin_session | Session | Session | Customer portal authentication session cookie used to maintain a logged in state in my.parmin.cloud. Strictly necessary for service operation. |
| XSRF-TOKEN | Session | Session | Cross site request forgery protection token for portal and API requests. Strictly necessary security cookie. |
| parmin_lb | Session | Session | Load balancer affinity cookie that pins the visitor to a specific backend server. Strictly necessary for stable session handling. |
| parmin_locale | Persistent | 12 months | Stores the preferred user interface language (Persian or English) for the customer portal. Functional cookie subject to user information requirements. |
As a hosting and cloud provider, Parmin Cloud processes everything a customer pushes to the platform: visitor IP addresses, authentication credentials, session cookies, application data, uploaded files, database content and backup snapshots. The Parmin Cloud customer portal sets first party session cookies and a CSRF token for authentication, and any website hosted on the platform inherits the cookie behaviour configured by the customer. Operational logs (HTTP access logs, system logs, audit events) are retained on infrastructure inside Iran for security and incident response.
Yes, and the consent is more demanding than for an EU based host. The hosted site still needs ordinary Art. 6(1)(a) GDPR plus Art. 5(3) ePrivacy consent for non essential cookies. On top of that, because every page view causes a transfer of personal data to Iran, a non adequate third country, the controller usually needs explicit consent under Art. 49(1)(a) GDPR for the transfer itself. The privacy notice must clearly state that data is hosted in Iran, that no adequacy decision exists and that the level of protection cannot be guaranteed to match the EU.
Two layers must be satisfied. Layer one: an Art. 6 lawful basis (typically Art. 6(1)(b) contract for the customer relationship and Art. 6(1)(a) consent for visitor side cookies and analytics). Layer two: a Chapter V transfer mechanism. SCCs are technically possible but their enforcement against an Iranian processor is uncertain because of EU sanctions and the limits of Iranian judicial review. In practice most controllers rely on explicit consent under Art. 49(1)(a), or on the necessity of contract performance under Art. 49(1)(b) for occasional flows initiated by the data subject.
Hosting on Parmin Cloud is itself a transfer to a third country, since all infrastructure operates in Iran. Iran has no EU adequacy decision, is subject to EU restrictive measures (Council Regulation 359/2011 and Regulation 267/2012) and has surveillance laws that grant broad access to security agencies. Schrems II requires the controller to assess whether the third country offers an essentially equivalent level of protection and to put supplementary measures in place where it does not. For Iran the conclusion is usually that ordinary commercial transfers cannot meet the standard.
Yes. Processing involves transfer to a non adequate third country with a high surveillance risk, which the EDPB lists as a high risk indicator. The DPIA must describe the data categories, the volume, the retention, the technical and organisational measures and a careful Transfer Impact Assessment under Schrems II. The DPIA should also evaluate whether supplementary measures (customer held encryption keys, pseudonymisation, sharding) can bring the transfer to an essentially equivalent level, and identify a clear exit and repatriation plan if sanctions or regulators tighten further.
Minimise the EU personal data stored on the platform, encrypt every dataset at rest and in transit with keys generated and held on EU infrastructure outside Parmin Cloud, use customer side hashing for identifiers, and disable telemetry that may export plain text content. Sign whatever SCC module is operationally enforceable, log every access from the provider, gather explicit Art. 49(1)(a) consent where the transfer is the substantive purpose, and document the entire setup in the DPIA, ROPA and Transfer Impact Assessment. Plan for migration to an EEA host as the default future state.
Yes, and switching is usually the safer choice. EU based hyperscalers and independent hosts such as OVHcloud (France), Scaleway (France), Hetzner (Germany), IONOS (Germany), Aruba (Italy) and UpCloud (Finland) offer comparable VPS, dedicated and managed services with EEA data residency, signed DPAs and tested SCCs. EU sovereign cloud offerings (Bleu, S3NS, Delos) target sensitive workloads under French SecNumCloud or German C5. These options remove the Iran specific sanctions and Schrems II exposure while keeping latency low for European visitors.
Treat this as a high-risk transfer that needs ongoing monitoring. Review the DPIA, Transfer Impact Assessment and privacy notice at least every six months and immediately whenever EU sanctions against Iran change, when EU-US or EU-Iran case law develops, or when Parmin Cloud changes its infrastructure or sub-processors. Re-prompt users for consent when the legal basis, retention or categories of data change. Keep a written exit plan with concrete RTO and RPO so you can repatriate workloads to an EEA host on short notice.