Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Zeabur is a developer cloud platform (PaaS) that enables one-click deployment of web applications from Git, with global edge regions, custom domains and managed infrastructure.
Zeabur is a developer cloud platform (Platform as a Service) that allows engineering teams to deploy web applications, APIs, databases and background workers from a Git repository in a single click. It positions itself as an alternative to Vercel, Railway or Render and targets full-stack developers who want managed infrastructure without operating their own Kubernetes cluster. From a GDPR perspective Zeabur is typically a processor under Article 28: it executes customer code, stores customer databases, terminates TLS, manages custom domains and emits build, runtime and deployment telemetry on behalf of its customers.
Zeabur is headquartered in Asia (Singapore/Taiwan) and exposes multiple deployment regions including Singapore, Hong Kong, Tokyo, the United States and EU regions depending on the plan. The actual location where compute and storage live is determined by the region selected at deployment time, not by the location of the customer or of the Zeabur dashboard. EU operators must verify this region carefully: Singapore benefits from a UK adequacy decision but not from a current EU adequacy decision, Hong Kong is not covered by any adequacy decision and Tokyo is covered by the EU-Japan adequacy decision. The chosen region must be recorded in the Record of Processing Activities under Article 30 GDPR.
Where Zeabur deploys workloads outside the EEA in a country that does not benefit from an EU adequacy decision (notably Hong Kong, the United States and Singapore), transfers must rely on Article 46 GDPR safeguards. In practice this means Standard Contractual Clauses signed between the controller and Zeabur, combined with a Transfer Impact Assessment in line with the Schrems II ruling of the Court of Justice of the European Union (case C-311/18). Supplementary measures such as encryption in transit and at rest, key management under the customer''s control and minimisation of personal data in build logs should be documented.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Zeabur itself, as a hosting platform, does not place advertising or analytics cookies on visitors of the customer''s website. The Zeabur dashboard uses strictly necessary cookies such as ''zeabur_session'' and CSRF tokens to authenticate developers, and these are exempt from consent under Article 5(3) of the ePrivacy Directive. However, applications hosted on Zeabur may set their own cookies, and operators remain responsible for collecting consent for any non-essential cookie placed by the hosted application.
Like most PaaS providers Zeabur relies on underlying IaaS sub-processors (cloud providers, CDN providers, observability vendors) to deliver compute, storage and edge capacity. EU controllers should obtain an up-to-date list of sub-processors from Zeabur, ensure that the DPA grants them prior information and a right to object to new sub-processors, and verify that flow-down SCCs exist down the chain.
Operators who wish to keep their hosting infrastructure within the EEA can consider European PaaS and cloud providers such as Scalingo (France), Clever Cloud (France), OVHcloud (France) and Hetzner Cloud (Germany), as well as fly.io configured exclusively with EU regions. These alternatives avoid most Article 46 transfer obligations by keeping compute and storage in EU data centres operated by EU entities.
Websites using Zeabur must obtain user consent under GDPR regulations.
DPIA considerations
Zeabur acts as a hosting and infrastructure processor under Article 28 GDPR. A DPIA is recommended when sensitive or large-scale personal data is processed on the platform. Key risks to document: data residency depending on the region selected (Singapore, Hong Kong, Tokyo, US, EU), transfers to non-adequate third countries (notably Hong Kong), sub-processor chain (underlying IaaS providers), retention of build logs and deployment telemetry, access by Zeabur support staff, and incident response timelines. A Data Processing Agreement (DPA) including SCCs must be signed and the chosen region must be documented in the Record of Processing Activities (Article 30 GDPR).
Sample consent text
We use Zeabur to host and deliver this website. Zeabur sets strictly necessary session cookies (such as 'zeabur_session' and CSRF tokens) required to operate its dashboard and to serve the application. These cookies are exempt from prior consent under Article 5(3) of the ePrivacy Directive. Depending on the selected region, application data may be processed outside the European Economic Area under appropriate Article 46 GDPR safeguards.
Third-party domains contacted
zeabur.comdash.zeabur.comapi.zeabur.comzeabur.appcdn.zeabur.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| zeabur_session | http_cookie_first_party | session | Strictly necessary authentication session cookie used by the Zeabur dashboard to keep developers logged in. Exempt from prior consent under Article 5(3) of the ePrivacy Directive. |
| zeabur_csrf_token | http_cookie_first_party | session | Cross-Site Request Forgery (CSRF) protection token used by the Zeabur dashboard to validate that state-changing requests originate from the legitimate logged-in user. Security cookie, exempt from prior consent. |
| zeabur_preferences | http_cookie_first_party | 12 months | Stores developer preferences (theme, selected workspace, last region) for the Zeabur dashboard. Functional cookie strictly necessary for the requested service. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Zeabur itself sets only strictly necessary cookies on its developer dashboard (session, CSRF), which are exempt from prior consent under Article 5(3) of the ePrivacy Directive. Sites hosted on Zeabur may set their own cookies and remain subject to the consent obligations of the hosting operator.
Data is stored in the region you select at deployment time. Zeabur currently exposes Singapore, Hong Kong, Tokyo, the United States and EU regions depending on the plan. The chosen region governs the location of compute, persistent storage and most logs and must be documented in your Record of Processing Activities under Article 30 GDPR.
Zeabur can be used in a GDPR-compliant manner when a Data Processing Agreement is signed and an EU region is selected, or when Article 46 safeguards (Standard Contractual Clauses plus a Transfer Impact Assessment) are in place for transfers to non-adequate countries such as Hong Kong, Singapore or the United States. Compliance is ultimately the responsibility of the controller.
Hong Kong is not covered by any EU adequacy decision and the United States only benefits from the EU-US Data Privacy Framework for participating organisations. In line with the Schrems II ruling (CJEU C-311/18) any transfer to these regions through Zeabur must rely on SCCs, a Transfer Impact Assessment and supplementary measures such as strong encryption and customer-managed keys.
Zeabur, like most PaaS providers, relies on underlying IaaS sub-processors for compute, storage, CDN and observability. EU controllers should request an up-to-date sub-processor list, ensure the DPA grants prior notification and a right to object to new sub-processors, and confirm that flow-down SCCs exist down the chain.
On the Zeabur dashboard the strictly necessary cookies include the authentication session cookie (typically 'zeabur_session'), a CSRF protection token and a small number of preference cookies. These cookies do not require prior consent under Article 5(3) of the ePrivacy Directive because they are needed for the service explicitly requested by the user.
Yes. For EU-only hosting, operators can consider Scalingo (France), Clever Cloud (France), OVHcloud (France) and Hetzner Cloud (Germany), as well as fly.io restricted to EU regions. These providers operate compute and storage from EU data centres and typically simplify GDPR transfer obligations.
A DPIA should document: the categories of personal data processed via the hosted application, the selected Zeabur region and the resulting third-country transfer risk, the sub-processor chain, retention of build logs and telemetry, encryption and key management, access controls for Zeabur staff, and the incident response timeline agreed in the DPA.