Cloudflare · Cloudflare Privacy Policy

International Data Transfers

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Cloudflare moves data about EU and UK users to the United States using legal frameworks called the EU-US Data Privacy Framework and Standard Contractual Clauses, which are EU-approved mechanisms designed to protect your data during cross-border transfers.

Consumer impact (what this means for users)

Your personal data as an EU or UK user is transferred to US servers, and your protections depend on Cloudflare maintaining its Data Privacy Framework certification — a framework that has previously been invalidated and could face future legal challenges.

Cross-platform context

See how other platforms handle International Data Transfers and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

EU and UK users' personal data is transferred to the US, and the adequacy of legal protections for that data depends on Cloudflare's continued compliance with DPF certification requirements and the stability of the underlying legal framework.

View original clause language
Cloudflare complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Cloudflare has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF. In addition to the Data Privacy Framework, Cloudflare uses Standard Contractual Clauses as approved by the European Commission to legitimize data transfers from the EEA to other third countries where necessary.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: International data transfers are governed by GDPR Chapter V (Arts. 44–49), specifically Art. 45 (adequacy decision) for DPF transfers and Art. 46(2)(c) for Standard Contractual Clauses (2021 SCCs). The EU-US DPF was adopted by the European Commission on July 10, 2023 (Implementing Decision C(2023) 4745). UK transfers are governed by the UK GDPR and the UK-US Data Bridge. Swiss transfers fall under the revised Federal Act on Data Protection (nFADP). The US DoC and FTC share enforcement authority over DPF compliance.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC enforces US compliance with the EU-US Data Privacy Framework and can act against Cloudflare for misrepresentation of DPF adherence under FTC Act Section 5.
    File a complaint →

Provision details

Document information
Document
Cloudflare Privacy Policy
Entity
Cloudflare
Document last updated
April 29, 2026
Tracking information
First tracked
April 18, 2026
Last verified
April 18, 2026
Record ID
CA-P-003012
Document ID
CA-D-00282
Evidence Provenance
Source URL
https://www.cloudflare.com/privacypolicy/
Wayback Machine
View archived versions →
SHA-256
f8e88ec9d8c545e030482f3dd3f67f81792db81930414a668aae4f61c5cebe58
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Cloudflare | Document: Cloudflare Privacy Policy | Record: CA-P-003012
Captured: 2026-04-18 11:44:46 UTC | SHA-256: f8e88ec9d8c545e0…
URL: https://conductatlas.com/platform/cloudflare/cloudflare-privacy-policy/international-data-transfers/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document