Cloudflare transfers your personal data to the United States and other countries, where data protection laws may offer fewer protections than in your home country, and relies on Standard Contractual Clauses for EU, UK, and Swiss users.
This analysis describes what Cloudflare's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
If you are in the EU, UK, or Switzerland, your data is transferred to the U.S. under Standard Contractual Clauses, a mechanism whose adequacy has been subject to ongoing legal scrutiny, and you may have fewer legal protections in the destination country.
Interpretive note: The adequacy of Standard Contractual Clauses as a transfer mechanism depends on complementary measures and evolving regulatory guidance following Schrems II; the document does not specify whether a Transfer Impact Assessment has been conducted.
EU, UK, and Swiss users' personal data is transferred to the U.S. under Standard Contractual Clauses, and while this is a recognized transfer mechanism, its adequacy depends on complementary measures and evolving regulatory developments.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
Cloudflare has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Cloudflare is a U.S.-based company and the information we collect is governed by U.S. law. By accessing or using our Services or otherwise providing information to us, you consent to the processing, transfer and storage of information in and to the U.S. and other countries, where you may not have the same rights and protections as you do under local law. When we transfer the personal data of those in the EEA, UK and/or Switzerland, we rely on transfer mechanisms including the EU Standard Contractual Clauses.— Excerpt from Cloudflare's Cloudflare Privacy Policy
REGULATORY LANDSCAPE: International data transfers from the EU engage GDPR Chapter V, specifically Articles 44 through 49. Cloudflare's reliance on Standard Contractual Clauses (SCCs) is the primary stated mechanism. Following the Schrems II ruling by the Court of Justice of the EU, SCCs must be supplemented by a Transfer Impact Assessment confirming adequate protection in the destination country. The EU-U.S. Data Privacy Framework, adopted in 2023, provides an alternative adequacy mechanism, and compliance teams should determine which mechanism Cloudflare currently relies upon. GOVERNANCE EXPOSURE: Medium. SCC-based transfers are widely used and recognized by EU supervisory authorities, but require documented Transfer Impact Assessments. Cloudflare's infrastructure role and the volume of data transiting its network create heightened scrutiny risk. The policy's language that users consent to transfers by using the services may not satisfy GDPR's requirements for consent as a transfer mechanism under Article 49, as consent under Article 49 must be explicit and informed for occasional transfers. JURISDICTION FLAGS: EU and EEA users face the highest exposure given GDPR Chapter V requirements. UK users are subject to UK GDPR international transfer rules and the UK's International Data Transfer Agreement mechanism. Swiss users are subject to the Swiss Federal Act on Data Protection. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers subject to GDPR should confirm with Cloudflare which specific SCC modules apply to their relationship, whether a Transfer Impact Assessment has been conducted covering Cloudflare's U.S. operations, and whether the EU-U.S. Data Privacy Framework certification is in place as a supplementary or alternative mechanism. COMPLIANCE CONSIDERATIONS: Legal teams should obtain Cloudflare's current Transfer Impact Assessment documentation, confirm SCC version (2021 SCCs under GDPR), and assess whether complementary technical measures such as encryption are in place. The policy's consent framing for transfers should not be relied upon as the sole transfer mechanism; SCCs or adequacy decisions should be the documented basis.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
If you are in the EU, UK, or Switzerland, your data is transferred to the U.S. under Standard Contractual Clauses, a mechanism whose adequacy has been subject to ongoing legal scrutiny, and you may have fewer legal protections in the destination country.
EU, UK, and Swiss users' personal data is transferred to the U.S. under Standard Contractual Clauses, and while this is a recognized transfer mechanism, its adequacy depends on complementary measures and evolving regulatory developments.
ConductAtlas has identified this type of provision across 54 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cloudflare.