Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Vercel is a cloud platform that hosts modern frontend applications and serverless functions, popular for Next.js, SvelteKit and Astro sites. Vercel routes every request through its global Edge Network, serves static assets from CDN points of presence and runs serverless or edge functions in selected regions. From a GDPR perspective, Vercel acts as a processor that handles visitor IP addresses and request metadata on behalf of customers, with corporate control in the United States.
Vercel is a cloud platform created by the team behind Next.js. It hosts modern frontend applications, ships them through a global Edge Network and runs serverless and edge functions close to the visitor. Most customers connect a Git repository, push a new commit and Vercel automatically builds, deploys and serves the result. The platform is widely used for Next.js, SvelteKit, Nuxt, Astro, Remix and SolidStart projects, both on the marketing side and for full SaaS applications.
Vercel processes the visitor IP address, request URL, HTTP method, headers (including User Agent, Referer and forwarded cookies), TLS handshake parameters, derived geolocation, the selected edge region and execution metadata when serverless or edge functions handle the request. Access logs and runtime logs are stored for a customer configured retention period. Vercel Analytics, if enabled, collects pseudonymous web vitals and pageview signals without setting cookies, and Speed Insights samples Core Web Vitals from a subset of visitors.
IP addresses processed by Vercel are personal data under the GDPR. Vercel Inc. is a processor for the customer and a controller for limited operational purposes. Pure hosting and CDN delivery do not write information to the visitor device, so the ePrivacy storage rule is not triggered and explicit consent is not required for the hosting itself. Vercel Analytics is designed without cookies and is generally considered compliant under legitimate interest, but local guidance from supervisory authorities (CNIL, AEPD, Garante) recommends still listing it in the privacy notice and gating it behind consent if you also use other marketing tools that aggregate identifiers.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Vercel offers EU regions (fra1 Frankfurt, cdg1 Paris, dub1 Dublin, lhr1 London) for serverless and edge functions, but the control plane, customer support and account data remain in the United States. Transfers rely on the Vercel Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework, with TLS 1.3, encryption at rest, SOC 2 Type II, ISO 27001 and ISO 27018 controls. Pro and Enterprise customers can pin function execution to specific EU regions to limit personal data flows.
Sign the Vercel Data Processing Addendum, pin the production deployment and functions to EU regions, configure short log retention and document Vercel as a processor in your record of processing activities. Update the privacy notice to mention Vercel Inc., the United States destination, the SCC and DPF safeguards and the function regions selected. If Vercel Analytics is enabled, list it as a privacy first analytics tool and decide whether it is exposed before or after consent based on local guidance.
Websites using Vercel must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for a standard public website hosted on Vercel. A DPIA is recommended when the hosted application performs systematic profiling of EU users, when it serves regulated sectors (financial services, health, public sector) or when Vercel KV, Postgres or Blob stores hold significant volumes of personal data.
Sample consent text
This site is hosted on Vercel, a cloud platform operated by Vercel Inc. (USA), which delivers our pages through a global Edge Network. Vercel processes your IP address and request metadata to route the traffic. By accepting, you allow this transfer to Vercel servers, including in the United States, under EU Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
vercel.comvercel.appvercel-analytics.comvercel-insights.comvercel-storage.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __vercel_live_token | Strictly necessary | Session | Set on Vercel preview deployments when Live Mode is active. Maintains the collaborative preview session between teammates. |
| _vercel_jwt | Strictly necessary | Session | Set on password protected preview deployments to authenticate the visitor against the Vercel access control gateway. |
| vercel-toolbar | Functional | 1 year | Set when an authenticated Vercel user views a deployment, in order to display the Vercel Toolbar overlay on preview environments. Not present for anonymous visitors of production sites. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Vercel does not set marketing, analytics or advertising cookies for the public website. It may set strictly necessary cookies for password protected preview deployments, for the customer admin at vercel.com, and short lived session cookies for SSO. Vercel Analytics is designed without cookies and identifies sessions through a server side hash of IP plus User Agent.
No consent is required to host a site on Vercel and to deliver static content through its Edge Network, because no information is stored or read on the visitor device. Consent becomes required when the application running on Vercel itself sets non essential cookies or loads third party trackers, in which case the responsibility lies with the application owner.
For hosting and content delivery, the legal basis is legitimate interest under Article 6(1)(f) GDPR. For application data stored in Vercel KV, Postgres, Blob or Edge Config, the legal basis is the one chosen by the customer (typically performance of a contract or consent depending on the data flow). Vercel acts as a processor under the Vercel Data Processing Addendum.
Vercel signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Supplementary measures include TLS 1.3, encryption at rest, SOC 2 Type II, ISO 27001, ISO 27018 and the option to pin function execution to EU regions. The control plane and account data remain in the United States.
A DPIA is not required for a typical informational or marketing website hosted on Vercel. A DPIA is recommended when the application performs systematic profiling of EU visitors, when it serves regulated sectors (financial services, health, public sector), when it stores meaningful volumes of personal data in Vercel KV, Postgres or Blob, or when traffic from EU minors is expected.
Sign the Vercel Data Processing Addendum, configure the production project to use EU regions (fra1, cdg1, dub1, lhr1) for serverless and edge functions, limit log retention to a defined period, pseudonymise application data stored on Vercel services, and document Vercel as a processor in your record of processing activities. Update the privacy notice to mention Vercel Inc., the United States destination and the SCC plus DPF safeguards.
European or self hostable alternatives include Cloudflare Pages with EU data residency, Netlify (also US based but with simple deployment), Coolify (self hosted, open source), Dokku (self hosted), Scaleway Serverless (France), Clever Cloud (France) and the OVHcloud Web PaaS. Self hosting Next.js on a regional Kubernetes cluster or on a Node based hosting like Render with EU regions is also an option.
List Vercel Inc. as the processor in charge of hosting and content delivery, mention that the public website does not load Vercel marketing cookies, describe Vercel Analytics if enabled (cookieless, hashed identifiers), state that data including IP addresses may be transferred to the United States under SCCs and the EU US Data Privacy Framework, and link to the Vercel Privacy Policy.