Imperva is a leading web application firewall (WAF) and DDoS protection provider used by European banks, governments, retailers and SaaS companies to defend their web infrastructure. It sits in front of the customer's website as a reverse proxy or DNS-routed CDN, inspecting every HTTP request for attacks. Imperva sets a small number of strictly necessary security cookies (such as the incap_ses_<id> and visid_incap_<id> cookies) which are exempt from prior consent under Art. 5(3) ePrivacy.
Imperva (originally Incapsula) is a leading WAF, DDoS protection, bot management and API security provider. Deployed as a reverse proxy or DNS-routed CDN, it inspects every HTTP request before it reaches the origin server, blocking attacks (SQL injection, XSS, credential stuffing, layer 7 DDoS) and validating suspicious traffic with CAPTCHA challenges.
Imperva typically sets incap_ses_<id> (session identifier for security context), visid_incap_<id> (visitor security identifier across sessions), and nlbi_<id> (load-balancing cookie). All are classified as strictly necessary for security. Imperva also processes IP, User-Agent, request bodies, headers and behavioural signals at the WAF level.
Imperva's security cookies fall under the strictly necessary exemption of Art. 5(3) ePrivacy. They do not require prior consent. The processing of request data relies on legitimate interest (Art. 6(1)(f)) and the legal obligation in Art. 32 GDPR. EDPB guidance treats security cookies as strictly necessary as long as they remain proportionate.
Imperva has European PoPs (Frankfurt, Paris, Dublin, London). You can request EU-only routing for traffic from European visitors. The central threat intelligence is in the US; aggregated and anonymised attack signatures are shared globally, covered by SCCs and EU-US DPF. For high-sensitivity deployments, document the routing and the threat-sharing in your security policy.
For essential and important entities under NIS2, Imperva is a key technical measure. Integrate Imperva alerts and logs into your SIEM and incident response runbook. Configure log retention to match NIS2 reporting obligations (significant incidents must be reported within 24 hours).
1. Sign the Imperva DPA.
2. Configure EU PoPs for European traffic.
3. Document Imperva in your Record of Processing Activities as a security measure.
4. Disclose Imperva in your privacy notice.
5. Integrate logs with your SIEM.
6. Map Imperva to your NIS2 incident response runbook.
7. Configure log retention to match obligations.
Websites using Imperva must obtain user consent under GDPR regulations.
DPIA considerations
Imperva processes visitor IP, User-Agent, request URLs, request bodies and headers for inspection, plus aggregated threat telemetry. Key DPIA considerations: (1) cookies set are strictly necessary for security and may rely on the consent exemption of Art. 5(3) ePrivacy; (2) request inspection processes personal data, justified by legitimate interest and Art. 32 GDPR; (3) data may be processed in Imperva PoPs (some in EU, some elsewhere); (4) US threat intelligence sharing covered by SCCs; (5) NIS2 incident response obligations may apply. A streamlined DPIA is sufficient.
Sample consent text
Our site is protected against attacks and bots by Imperva. Imperva inspects each request and sets strictly necessary cookies (incap_ses_<id>, visid_incap_<id>) to remember which visitors have already passed security challenges. This processing is based on our legitimate interest in security and our legal obligation under Art. 32 GDPR.
Third-party domains contacted
imperva.com, incapdns.net, incap.io, cloudwaf.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| incap_ses_<id> | Strictly necessary | Session | Imperva security session identifier used to recognise visitors that have already passed the WAF and bot challenges. |
| visid_incap_<id> | Strictly necessary | 1 year | Persistent visitor identifier across sessions, used to maintain security context and prevent re-challenging trusted visitors. |
| nlbi_<id> | Strictly necessary | Session | Load-balancing cookie that pins a visitor to the same Imperva PoP for consistent inspection. |
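As an added example (not part of the page and not Imperva's or FlowConsent's own code), the following Python script audits observed Set-Cookie headers against the table above: it parses each header, classifies its lifetime as Session or 1 year, and flags documented cookies whose lifetime differs from the table as well as cookies the table does not cover, which need their own assessment before the strictly necessary exemption is claimed for them. It assumes that the <id> part of the cookie names consists of digits and underscores; the sample headers and the reference clock are constructed.

```python
"""Audit Set-Cookie headers against the documented Imperva cookie table.

Added example (not Imperva's or FlowConsent's code). The cookie-name patterns
assume that "<id>" in the table expands to digits and underscores; the
sample headers below are constructed, not captured from a real site.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Documented cookie families: (name pattern, expected duration class).
# The shape of "<id>" is an assumption, see the module docstring.
DOCUMENTED = [
    (re.compile(r"^incap_ses_[0-9_]+$"), "Session"),
    (re.compile(r"^visid_incap_[0-9_]+$"), "1 year"),
    (re.compile(r"^nlbi_[0-9_]+$"), "Session"),
]

# Fixed reference clock so the results are reproducible (constructed).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample headers: three cookies matching the table, one visid_incap
# whose lifetime does not match the table, and one cookie the table does not cover.
SAMPLE_HEADERS = [
    "incap_ses_123_4567890=CONSTRUCTED; path=/; Secure; HttpOnly",
    "visid_incap_4567890=CONSTRUCTED; expires="
    + format_datetime(NOW + timedelta(days=365), usegmt=True)
    + "; HttpOnly; path=/; Secure; SameSite=None",
    "nlbi_4567890=CONSTRUCTED; path=/; Secure; HttpOnly",
    "visid_incap_9999=CONSTRUCTED; Max-Age=2592000; path=/; Secure",
    "marketing_tracker=CONSTRUCTED; Max-Age=63072000; path=/",
]


def parse_set_cookie(header, now):
    """Return (name, lifetime); lifetime is a timedelta, or None for a session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 requires."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = timedelta(seconds=int(value.strip()))
        elif key == "expires":
            exp = parsedate_to_datetime(value.strip())
            if exp.tzinfo is None:  # treat a naive date as UTC
                exp = exp.replace(tzinfo=timezone.utc)
            expires = exp - now
    return name, max_age if max_age is not None else expires


def classify_lifetime(lifetime):
    """Map a lifetime onto the duration classes used in the cookie table."""
    if lifetime is None:
        return "Session"
    if 360 <= lifetime.days <= 370:
        return "1 year"
    return f"{lifetime.days} days"


def audit(headers, now=NOW):
    """Compare each Set-Cookie header with the documented table.

    status: "ok" (name and lifetime match), "mismatch" (documented name,
    unexpected lifetime), "undocumented" (name not in the table: review it
    before relying on the strictly necessary exemption)."""
    findings = []
    for header in headers:
        name, lifetime = parse_set_cookie(header, now)
        observed = classify_lifetime(lifetime)
        expected = next((d for p, d in DOCUMENTED if p.match(name)), None)
        if expected is None:
            status = "undocumented"
        elif expected == observed:
            status = "ok"
        else:
            status = "mismatch"
        findings.append({"name": name, "expected": expected,
                         "observed": observed, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        print(f"{f['status']:<12} {f['name']:<24} "
              f"expected={f['expected']} observed={f['observed']}")
```

Run it against the headers captured from your own site's responses (the constructed SAMPLE_HEADERS stand in for those here); a "mismatch" means the duration stated in your cookie notice no longer reflects what the WAF actually sets, and an "undocumented" entry is a cookie that is not covered by the security exemption described on this page.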
incap_ses_<id>, visid_incap_<id>, nlbi_<id>. All strictly necessary for security.
No, security cookies fall under the strictly necessary exemption of Art. 5(3) ePrivacy.
Legitimate interest (Art. 6(1)(f)) and Art. 32 GDPR security obligation.
Threat intelligence is centralised in the US, covered by SCCs and DPF. Traffic can be EU-routed.
A streamlined DPIA is sufficient; full DPIA recommended for NIS2 critical entities.
Sign DPA, EU PoP routing, document in Record of Processing Activities, integrate with SIEM, NIS2 runbook.
EU-friendly WAF/DDoS: Cloudflare (US, EU PoPs), Akamai (US, EU PoPs), Fastly (US, EU PoPs), DataDome (France), Variti (Switzerland).
Disclose Imperva as a security processor, mention the US threat intelligence transfer with SCCs, list the security cookies as strictly necessary.