If you build and deploy an app on Fly.io, you are responsible for your own users' data, not Fly.io. Fly.io only processes that data on your instructions.
This analysis describes what Fly.io's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision places legal compliance responsibility for end-user data squarely on the deploying developer or business, which may expose them to regulatory liability if they have not established appropriate data protection agreements.
Interpretive note: The precise verbatim text of the controller-processor distinction was not fully rendered in the truncated document; the characterization is based on standard industry practice and partial document signals. Exact legal obligations depend on the full DPA terms offered by Fly.io.
Businesses and developers deploying on Fly.io are treated as data controllers for their end users, meaning they must independently ensure GDPR, CCPA, and other privacy obligations are met for their own customers.
Cross-platform context
See how other platforms handle Customer Application Data Responsibility and similar clauses.
Compare across platforms →Monitoring
Fly.io has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When you use Fly.io to deploy applications, you may collect and process personal data belonging to your own end users. In that context, you are the data controller and Fly.io acts as a data processor on your behalf.— Excerpt from Fly.io's Fly.io Privacy Policy
REGULATORY LANDSCAPE: This controller-versus-processor distinction directly engages GDPR Article 28, which requires a written data processing agreement between controller and processor. UK GDPR imposes equivalent requirements. CCPA similarly requires a service provider agreement to limit the processor's use of personal information. Non-compliance with Article 28 requirements can result in enforcement by EU supervisory authorities. GOVERNANCE EXPOSURE: High. The absence of a documented Data Processing Agreement between Fly.io and its deploying customers would constitute a GDPR compliance gap. Fly.io's characterization of deploying customers as controllers is legally significant and shifts regulatory accountability; compliance teams must verify this framing is supported by actual contractual documentation. JURISDICTION FLAGS: EU and UK jurisdictions create the highest exposure given GDPR and UK GDPR Article 28 mandatory DPA requirements. California businesses deploying consumer-facing apps on Fly.io must ensure CCPA service provider terms are in place. Illinois, New York, and sector-specific regulations may also apply depending on the nature of end-user data processed. CONTRACT AND VENDOR IMPLICATIONS: Any organization using Fly.io to host applications processing personal data of EU, UK, or California residents must have a compliant DPA or service provider agreement in place with Fly.io. Procurement teams should request and review Fly.io's standard DPA and assess whether it meets applicable regulatory requirements before deployment. COMPLIANCE CONSIDERATIONS: Legal teams should audit existing deployments on Fly.io to confirm DPA status. Data mapping exercises should reflect Fly.io as a sub-processor where relevant. If Fly.io engages sub-processors, the chain of processing agreements must be assessed for compliance.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision places legal compliance responsibility for end-user data squarely on the deploying developer or business, which may expose them to regulatory liability if they have not established appropriate data protection agreements.
Businesses and developers deploying on Fly.io are treated as data controllers for their end users, meaning they must independently ensure GDPR, CCPA, and other privacy obligations are met for their own customers.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Fly.io.