Imunify360 is a server-side security suite by CloudLinux that protects Linux web servers against malware, brute-force attacks, vulnerability exploitation and bot traffic. It runs on the hosting infrastructure and does not normally set cookies on visitors' browsers, although the optional CAPTCHA challenge layer can integrate with Google reCAPTCHA, which does. For most European hosting providers and webmasters, Imunify360 has a low privacy footprint and relies on legitimate interest as its legal basis.
Imunify360 is a comprehensive security stack for Linux web servers offered by CloudLinux. It combines a web application firewall (WAF) with proactive defence, a malware scanner with one-click clean-up, brute-force protection, intrusion detection, IP reputation filtering and an optional CAPTCHA challenge for suspicious visitors. It is widely deployed by European hosting companies (cPanel-based shared hosting providers, VPS operators) and self-managed servers.
For each incoming HTTP request, Imunify360 inspects the source IP, User-Agent, request path, query parameters, headers and (for POST traffic) the body. It maintains a local IP reputation cache plus a connection to the CloudLinux threat intelligence service. Malware scanning is performed on files inside the web roots and email mailboxes. None of this processing is exposed to the visitor's browser; no cookies are set by default.
Imunify360 processes personal data (IP, request payload that may contain identifying information). The legal basis is legitimate interest (Art. 6(1)(f) GDPR), reinforced by the Art. 32 GDPR obligation to maintain security of processing. ePrivacy does not apply to server-side inspection; it only becomes relevant when the optional CAPTCHA layer (Google reCAPTCHA) is used, because reCAPTCHA itself sets cookies and transmits data to Google.
Imunify360 sends suspicious request fingerprints, IP reputation data and malware sample hashes to CloudLinux Inc. servers in the United States. This transfer is covered by Standard Contractual Clauses in the CloudLinux EULA / DPA. The data minimisation is good: only hashes and metadata, not raw request bodies, are transmitted upstream.
For essential and important entities under the EU NIS2 Directive, Imunify360 fits into the broader cybersecurity risk management framework. Document its deployment in your information security management system (ISMS), tie it to incident response runbooks, and ensure the logs (Imunify360 incident log) are retained for the period required by NIS2 reporting obligations.
1. Sign the CloudLinux DPA.
2. Document Imunify360 in your Record of Processing Activities under security.
3. Disclose the US threat intelligence transfer in your privacy notice.
4. If reCAPTCHA is enabled, treat it as a separate processor with consent obligations.
5. Configure incident log retention to match NIS2 requirements.
6. Test the false-positive workflow so legitimate visitors are not unfairly blocked.
Websites using Imunify360 must obtain user consent under GDPR regulations.
DPIA considerations
Imunify360 processes IP addresses, request headers, request bodies (for WAF inspection), and uploaded files (for malware scanning). All processing happens on the customer's server; only suspicious patterns and IP reputation submissions are sent back to CloudLinux. Key DPIA considerations: (1) IP and request inspection is personal data processing under GDPR; (2) the legal basis is legitimate interest for security plus legal obligation under Art. 32; (3) threat intelligence sharing transmits hashed payloads to CloudLinux in the US, covered by SCCs; (4) if the CAPTCHA layer is enabled and uses Google reCAPTCHA, additional cookies and US transfers apply; (5) NIS2 Directive (EU) increases the importance of documented incident response. A streamlined DPIA is sufficient for typical hosting deployments.
Sample consent text
Our servers are protected by Imunify360 (CloudLinux). When you access this site, Imunify360 inspects your request to block malicious traffic. This processing is based on our legitimate interest in security under Art. 6(1)(f) GDPR and our legal obligation to protect data under Art. 32 GDPR. No cookies are set on your browser by Imunify360 itself. If the optional CAPTCHA challenge is shown, separate Google reCAPTCHA terms apply.
Third-party domains contacted
imunify360.com, cloudlinux.com, updates.imunify360.com, iplists.imunify360.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| imunify360_xs | Strictly necessary | Session | Set only when the optional CAPTCHA challenge is triggered. Maintains the challenge session until the visitor is verified. |
| imunify360_temp_test | Strictly necessary | 1 day | Test cookie used to verify cookie support before issuing a CAPTCHA challenge to a suspicious visitor. |
No, not by default. Imunify360 is server-side and inspects requests at the web server level. Cookies appear only if the optional CAPTCHA challenge layer is enabled and configured to use Google reCAPTCHA, which sets its own cookies and is subject to separate consent.
No. Imunify360 itself does not set cookies or access information on the visitor's device, so Art. 5(3) ePrivacy does not apply. The lawful basis for processing IP and request data is legitimate interest plus the Art. 32 GDPR security obligation.
Legitimate interest under Art. 6(1)(f) GDPR (network and information security), supported by the legal obligation under Art. 32 GDPR to ensure the security of processing. For essential or important entities under NIS2, the legal obligation aspect is reinforced.
Yes, hashed signatures and IP reputation submissions are sent to CloudLinux Inc. in the US. Transfers are covered by Standard Contractual Clauses in the CloudLinux DPA. The data minimisation is good: only metadata and hashes, not full request bodies.
A streamlined DPIA is sufficient for typical hosting deployments. Run a more detailed DPIA if you process special category data, operate as a critical NIS2 entity, or use Imunify360 in combination with reCAPTCHA and behavioural rate-limiting.
Sign the CloudLinux DPA, document Imunify360 in your Record of Processing Activities under security, disclose the US threat intelligence transfer in your privacy notice, configure log retention to match NIS2 obligations, test the false-positive workflow, and treat the optional reCAPTCHA layer as a separate processor with its own consent requirements.
EU-friendly WAF alternatives include ModSecurity with OWASP CRS (open source, self-hosted), BitNinja (Hungary, EU), Wordfence (US, plugin for WordPress), Sucuri (US, cloud-based WAF) and the WAF capabilities of Cloudflare or Bunny.net. For a fully EU stack, ModSecurity self-hosted plus fail2ban is the canonical choice.
Add an entry in your privacy notice describing the server security processing under Art. 6(1)(f) GDPR and Art. 32, naming CloudLinux Inc. as a processor for threat intelligence sharing with the US transfer disclosed. No cookie policy entry is needed unless the optional reCAPTCHA layer is enabled.