Skip to content

FAQs

Are DLP and DLS the same?

No, they are not. DLP stands for Data Loss Prevention, and it is part of Cloudflare's Zero Trust offering (requiring Gateway, Cloudflare's secure web gateway for filtering outbound internet traffic). DLP allows you to scan web traffic and SaaS applications for sensitive data like secret keys, financial information (credit card numbers), and other keywords.

Data Localization Suite (DLS) is a separate suite of features that allows you to control where your data is processed and stored to meet data residency requirements.

Are Cloudflare's services GDPR compliant?

Yes, even without DLS, Cloudflare services are designed to satisfy the requirements of the GDPR (General Data Protection Regulation). Cloudflare services are also verified compliant with the EU Cloud Code of Conduct (EU Cloud CoC), Verification-ID: 2023LVL02SCOPE4316. For further information, visit EU Cloud CoC public register.

How can I use DLS?

Once you have purchased DLS, your account team will enable DLS on your account, and you will be able to configure all features via the dashboard or API. You can find more specific information under the Configuration guides section.

Does Regional Services work with HTTP/3 / QUIC?

Not yet. HTTP/3 uses the QUIC transport protocol, which is not currently compatible with Regional Services.

Can I apply Regional Services to only part of my traffic?

Yes. Regional Services is not all-or-nothing. You choose which hostnames or zones are regionalized by assigning a region to each one, and all other traffic continues to be served from Cloudflare's global network as usual. For example, you can regionalize eu.example.com to the European Union while www.example.com keeps using the global network. Different hostnames can also use different regions.

This also lets you keep latency-sensitive, non-sensitive content global. For instance, you can serve static CDN content that does not normally contain PII — such as product images on a global assets.example.com hostname — from Cloudflare's global network for best performance, while regionalizing only the hostnames that handle personal data.

The granularity depends on which Regional Services option you use. With Regional Hostnames, you assign a region per hostname. With Regionalized Spectrum Applications, the region is assigned per zone and applies to all Spectrum HTTP/S applications in that zone.

How is traffic from users outside the configured region handled?

Regional Services accepts connections at any Cloudflare data center worldwide. When a request arrives outside the configured region, Cloudflare forwards it — still encrypted — to a data center inside the region, where TLS termination (decryption) and all Layer 7 processing take place. As a result, requests from users far from the configured region experience additional latency corresponding to the round trip to the in-region data center.

If you want users inside a region to benefit from local processing while still serving a global audience, consider using a regionalized hostname for in-region users (for example, eu.example.com) alongside a non-regionalized hostname for everyone else (for example, www.example.com).

Which Regional Services option works with Static IPs or BYOIP?

  • Spectrum Static IPs are supported only by Regionalized Spectrum Applications.
  • BYOIP is supported by both Regionalized Spectrum Applications and Regionalized IP Bindings.
  • Regional Hostnames use Cloudflare's shared anycast IP addresses and do not support Static IPs.

For an overview of each option, refer to Ways to use Regional Services.

What is the difference between managed and custom regions?

In short, managed regions are predefined regions that Cloudflare maintains and are available to all accounts, while custom regions are tailored to your account when the managed regions do not meet your compliance requirements. For full details on both region types and which Regional Services options support them, refer to Region types.

Are there other options if I prefer not to have Cloudflare handle TLS termination (decryption)?

Yes, you have these options available:

These options only offer L3/L4 DDoS protection (network-layer and transport-layer protections). Using them means that no application-layer (L7) security or performance services can be applied, because Cloudflare does not decrypt the traffic.

I have configured Customer Metadata Boundary for EU region, I am accessing the Cloudflare Dashboard from Europe, why am I getting an error Data not available due to your account's Customer Metadata Boundary configuration?

This is typically caused by dynamic network routing. Based on Internet conditions that vary over time, your connection may be routed to a data center that is physically outside your configured region. This can be based on a variety of factors, including latency and network congestion. Enabling Out of region access allows requests arriving in the United States to pull Customer Logs from the European Union and vice-versa. The analytics are still exclusively stored in the CMB configured region.