Cloudflare R2 Privacy Guide

Cloudflare R2 is an S3-compatible object storage service built on Cloudflare's global network. It lets developers store unstructured data without the egress bandwidth fees that characterize traditional cloud storage providers. R2 operates under the privacy framework of Cloudflare Inc., headquartered in San Francisco, and is integrated with Cloudflare's security, performance, and reliability infrastructure spanning 300+ cities worldwide.

The Data Processing Addendum (DPA), automatically incorporated in service agreements, establishes Cloudflare as data processor for customer content (objects stored in R2 buckets), while customers keep the role of data controllers. The DPA includes the European Commission Standard Contractual Clauses (Decision 2021/914) for GDPR-compliant international transfers, and provides 30 days' advance notice before new subprocessors are engaged, via the publicly maintained list at cloudflare.com/gdpr/subprocessors. Cloudflare is certified under the EU-US Data Privacy Framework, which provides adequacy for transatlantic transfers, with SCCs as the fallback mechanism.

Regional data residency options are Location Hints (optional parameters indicating the primary geographic location for data access) and Jurisdictional Restrictions (a guarantee that objects are stored within a specific jurisdiction, for compliance with GDPR, FedRAMP, or other data sovereignty requirements). Available jurisdictions: EU (European Union) and FedRAMP (US government, Enterprise customers only). A bucket's jurisdiction cannot be changed after creation. The Local Uploads feature optimizes cross-region upload performance by writing object data to a storage location close to the client and then asynchronously copying it to the bucket region; it is not available for jurisdiction-restricted buckets.

All objects are encrypted at rest using AES-256 with GCM (Galois/Counter Mode). Encryption keys are managed by Cloudflare in its internal key management systems, and encryption is automatic, requiring no user configuration. Encryption in transit via TLS/SSL is supported on all domains, with the option to disable plaintext HTTP through Always Use HTTPS on custom domains.

The R2 architecture includes the R2 Gateway (entry point for API requests, deployed across the global network via Cloudflare Workers), the Metadata Service (a distributed layer on Durable Objects for strong consistency), the Tiered Read Cache (Cloudflare Tiered Cache serving data closer to clients), and the Distributed Storage Infrastructure (persistent encrypted object storage). R2 is strongly consistent, with 99.999999999% (eleven 9's) annual durability: when storing 1,000,000 objects, expect to lose one every 100,000 years. Zero egress fees distinguish R2 from AWS S3, Google Cloud Storage, and Azure Blob, where data retrieval incurs substantial costs.

Compliance certifications include ISO 27001 (annual audits of the Information Security Management System), SOC 2 Type II (AICPA audits covering security, availability, and confidentiality), and PCI DSS Level 1, with a formal Privacy Information Management System (PIMS) protecting policies and procedures. Cloudflare does not sell, rent, or share personal data processed on behalf of customers, including as 'sell' or 'share' are defined in the CCPA. Its procedures are HIPAA-aligned and consistent with the security requirements, though HHS does not recognize certification. The subprocessor list is publicly maintained, with an RSS feed subscription for change notifications. Technical and organizational measures are regularly tested by external auditors and internal audits, and include mandatory multi-factor authentication using physical hard tokens, a zero-trust identification model, and least-privilege access controls.

Updated May 2, 2026

Service Overview

Cloudflare R2 Storage is an object storage service launched by Cloudflare Inc. to provide developers with S3-compatible storage infrastructure without the egress bandwidth fees that characterize traditional cloud providers. According to the company's positioning, R2 represents a fundamental challenge to a cloud storage ecosystem in which providers impose a 'data transfer tax' every time customers access stored data. R2 eliminates egress fees, enabling developers to freely access data without accumulating bandwidth charges that can reach six-figure annual costs for high-traffic applications.

According to service architecture, R2 provides comprehensive object storage capabilities including S3 API compatibility (enabling migration from AWS S3, Google Cloud Storage, Azure Blob with minimal code changes), Workers Binding for serverless integration (Cloudflare Workers can access R2 directly without external API calls), REST API powering dashboard and Wrangler CLI, public bucket exposure for direct internet access, custom domain support with Cloudflare features (Cache, Access, Bot Management, DDoS protection), CORS configuration for browser-based interactions, bucket policies and access control lists, presigned URLs for temporary access grants, and Apache Iceberg integration transforming object storage into data warehouse.

According to the technical implementation, the R2 architecture consists of multiple components, including: the R2 Gateway, the entry point for all API requests, which handles authentication and routing logic and is deployed across Cloudflare's global network via Cloudflare Workers; the Metadata Service, a distributed layer built on Durable Objects that stores and manages object metadata (object keys, checksums) to ensure strong consistency across the storage system; the Tiered Read Cache, a caching layer that uses Cloudflare Tiered Cache to serve data closer to clients; and the Distributed Storage Infrastructure, the underlying persistence layer that stores encrypted object data.

When a write request occurs (uploading an object), according to the operational flow, the request is received by the R2 Gateway at the edge close to the user, where it is authenticated. The Gateway reaches out to the Metadata Service to retrieve the encryption key and determines which storage cluster to write the encrypted data to. The data is encrypted and streamed to the storage infrastructure, and after the write completes the Gateway publishes the object metadata and returns a success response to the client. For read requests (retrieving an object), the Gateway queries the Metadata Service for the object's location and metadata, attempts to serve the object from the Tiered Read Cache if available, retrieves it from distributed storage data centers within the region if it is not cached, decrypts the object, and serves it to the client.

In the data controller-processor relationship, Cloudflare processes customer content (objects stored in R2 buckets, object metadata, access patterns) as data processor on behalf of customers, who are the data controllers. Customers determine what data to store in R2, what access controls to implement, what retention periods to establish, and how to respond to data subject rights requests. According to the Self-Serve Subscription Agreement and Data Processing Addendum, customers retain all right, title, and interest in customer content in the form provided to Cloudflare; Cloudflare processes this content only to provide R2 services.

For Customer Account Information (account registration, billing, service configuration), according to Privacy Policy, Cloudflare acts as independent data controller collecting and processing information necessary to manage customer relationships and provide services.

The data residency framework provides multiple options. According to the documentation, Location Hints are optional parameters provided during bucket creation that indicate the primary geographical location from which data will be accessed. A hint optimizes performance by suggesting where Cloudflare should preferentially store data, but it does not guarantee jurisdiction. Jurisdictional Restrictions provide a stronger guarantee that objects in a bucket are stored within a specific jurisdiction, meeting data residency requirements. Once a bucket is created with a Jurisdictional Restriction, the jurisdiction cannot be changed. Available jurisdictions include EU (European Union; objects are guaranteed to be stored within the EU) and FedRAMP (US government workloads, Enterprise customers only), with additional jurisdictions potentially added based on customer demand.

With the Local Uploads feature, introduced in February 2026, when a client uploads an object to a non-jurisdiction-restricted bucket from a region distant from the bucket location, R2 writes the object data to storage infrastructure close to the client first, then asynchronously copies it to the bucket region in the background via replication tasks processed through Cloudflare Queues. The object is immediately accessible after the initial write completes and remains accessible throughout replication, with strong consistency maintained. Local Uploads is not available for jurisdiction-restricted buckets (EU, FedRAMP), where data must remain within jurisdiction boundaries.
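An added example (not from the original page or from Cloudflare) that turns the residency rules above into an inventory check: a Location Hint is not a guarantee, a jurisdiction is fixed at creation, and Local Uploads writes near the client first. The inventory field names, finding codes and sample buckets are constructed for illustration and are not an R2 API schema.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Jurisdictions the page lists for R2 buckets.
KNOWN_JURISDICTIONS = {"eu", "fedramp"}


@dataclass(frozen=True)
class Bucket:
    """One row of a bucket inventory (hypothetical fields, not an API schema)."""
    name: str
    location_hint: Optional[str] = None       # performance preference only
    jurisdiction: Optional[str] = None        # hard restriction, fixed at creation
    required_residency: Optional[str] = None  # from the controller's own data map
    local_uploads: bool = False
    enterprise_plan: bool = False


def audit_bucket(b: Bucket) -> List[str]:
    """Return finding codes for one bucket, in a stable order."""
    findings: List[str] = []

    if b.jurisdiction is not None and b.jurisdiction not in KNOWN_JURISDICTIONS:
        findings.append("UNKNOWN_JURISDICTION")

    if b.jurisdiction == "fedramp" and not b.enterprise_plan:
        findings.append("FEDRAMP_REQUIRES_ENTERPRISE")

    if b.jurisdiction is not None and b.local_uploads:
        # Local Uploads is not available on jurisdiction-restricted buckets,
        # so a record claiming both is stale or wrong and must be re-checked.
        findings.append("INCONSISTENT_LOCAL_UPLOADS")

    if b.required_residency and b.jurisdiction != b.required_residency:
        if b.jurisdiction is not None:
            findings.append("WRONG_JURISDICTION")
        elif b.location_hint is not None:
            # A hint only suggests where data should preferentially live.
            findings.append("HINT_IS_NOT_A_GUARANTEE")
        else:
            findings.append("NO_RESIDENCY_CONTROL")

        if b.jurisdiction is None and b.local_uploads:
            # Object data is first written close to the uploading client and
            # copied to the bucket region afterwards.
            findings.append("LOCAL_UPLOADS_WRITES_NEAR_CLIENT")

        # Jurisdiction cannot be changed after creation: the fix is a new
        # restricted bucket plus a copy of the objects, not a settings change.
        findings.append("MIGRATE_TO_NEW_BUCKET")

    return findings


def audit_inventory(buckets: List[Bucket]) -> Dict[str, List[str]]:
    """Map bucket name -> findings, omitting buckets with nothing to report."""
    report = {}
    for b in buckets:
        findings = audit_bucket(b)
        if findings:
            report[b.name] = findings
    return report


# Constructed sample inventory; names and hint values are illustrative.
INVENTORY = [
    Bucket("eu-customer-exports", jurisdiction="eu", required_residency="eu"),
    Bucket("eu-support-attachments", location_hint="weur",
           required_residency="eu", local_uploads=True),
    Bucket("agency-reports", jurisdiction="fedramp",
           required_residency="fedramp", enterprise_plan=False),
    Bucket("public-assets", location_hint="enam"),
    Bucket("hr-records", jurisdiction="eu", required_residency="eu",
           local_uploads=True),
    Bucket("analytics-eu", required_residency="eu"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```
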

According to the documentation, the security infrastructure includes encryption at rest for all objects and metadata using AES-256, with GCM (Galois/Counter Mode) as the preferred mode; encryption keys managed by Cloudflare in the same key management systems it uses internally; automatic encryption that requires no user configuration and has no performance impact; encryption in transit via TLS/SSL on all Cloudflare domains; and the option to disable plaintext HTTP access by connecting a custom domain with Always Use HTTPS enabled.

From compliance perspective, according to certification documentation, Cloudflare maintains ISO/IEC 27001 certification with annual audits by external third-party auditors, AICPA SOC 2 Type II reports covering security, availability, confidentiality trust service principles, PCI DSS Level 1 certification for payment card industry security, and procedures consistent with HIPAA security requirements though HHS does not recognize HIPAA 'certification' concept. According to technical and organizational measures, Cloudflare implements formal Information Security Management System (ISMS) protecting confidentiality, integrity, authenticity, availability of data and information systems, and formal Privacy Information Management System (PIMS) supporting global managed network operations as both processor and controller.

According to its durability and consistency guarantees, R2 is designed for 99.999999999% (eleven 9's) annual durability: if storing 1,000,000 objects, expect to lose one once every 100,000 years, matching major cloud providers' durability levels. R2 provides strong consistency, meaning reads reflect writes immediately, without eventual-consistency delays. R2 is resistant to regional failures because it replicates objects multiple times, with redundancy across a large number of regions for high availability.

Use cases according to service positioning include serving web assets and media (images, videos, stylesheets, scripts) without egress charges, training machine learning models and storing datasets, AI/ML model checkpoints and artifacts, content distribution for applications with global user base, backup and archival storage, data lakes and analytics workloads, user-generated content storage, podcast and video hosting, e-commerce product images and media, gaming assets and downloadable content, and IoT device data collection and storage.

Pricing model according to documentation charges based on total volume of data stored, Class A operations (write, list operations), Class B operations (read operations), with zero egress fees for data retrieval regardless of transfer volume. Free tier provides 10 GB storage per month, 1 million Class A operations, 10 million Class B operations. This contrasts sharply with traditional cloud providers where egress can cost $0.08-$0.12 per GB resulting in substantial bills for high-traffic applications.

Integration ecosystem according to documentation supports Workers Binding for serverless access within Cloudflare Workers, S3 API compatibility enabling use of AWS SDKs and S3-compatible tools, migration tools from existing cloud storage, integration with analytics platforms (Snowflake external tables, data warehouse queries), Apache Iceberg data catalog for analytics without moving data, and Logpush for storing Cloudflare logs in R2 buckets.


Data Categories Collected

Cloudflare R2's data collection framework distinguishes between Customer Content (objects and metadata stored in R2 buckets processed as processor on behalf of customers) and Account Information (data about customers themselves where Cloudflare acts as controller). According to Privacy Policy and Data Processing Addendum, following data categories apply.

Customer Content (Processor Role): When customers use R2 for object storage, according to service model, Cloudflare processes customer content including object data (files, images, videos, backups, datasets, application data, any unstructured data customers store), object metadata (object keys identifying files within buckets, object size and storage class, timestamps for creation and last modification, checksums and ETags for integrity verification, encryption status and methods, version IDs when versioning enabled, custom metadata key-value pairs specified during upload, content-type and content-encoding, cache control directives), bucket configuration (bucket names and creation timestamps, Location Hints indicating preferred storage location, Jurisdictional Restrictions if configured, versioning status, lifecycle policies for automatic transitions or deletions, CORS configuration for browser access, bucket policies and access control rules, public access settings, event notifications configuration), and access patterns (API requests to read, write, delete objects, request sources and IP addresses, authentication credentials used, request timestamps and operation types, bandwidth consumed per operation though not billed for egress).

According to processor relationship, Cloudflare processes this customer content only as necessary to provide R2 storage services. Customers determine what personal data (if any) to include in stored objects, what access controls to implement, what retention periods to establish, and purposes for which data processed. Cloudflare does not access object content for Cloudflare's own purposes, does not use customer content for advertising or marketing, does not share customer content with third parties except as necessary for service delivery or legal compliance, and does not perform analytics on object contents.

Customer Account Information (Controller Role): For R2 account management, according to Privacy Policy, Cloudflare collects as independent controller customer registration information (customer name, email address of account administrators, telephone numbers if provided, postal addresses for billing and payment, account usernames and credentials, organizational information including company name), billing and payment data (payment method details processed through payment processors, billing addresses and tax information, transaction history and invoice records, subscription tiers and feature access), service usage information (R2 storage volumes and capacity utilization, API operation counts (Class A, Class B operations), bandwidth transfer metrics, bucket counts and configurations, feature usage patterns, API token generation and usage), support interactions (support tickets and case contents, email correspondence with Cloudflare support, chat logs if support chat used, problem descriptions and resolution records), and authentication data (login timestamps and session information, IP addresses for account access, device information and user agents, API tokens and access keys generated, multi-factor authentication configuration).

End User Log Data (Processor Role): When end users access applications or websites utilizing R2 for storage, according to Privacy Policy End User processing provisions, Cloudflare processes log data including IP addresses of end users accessing customer content, traffic routing data for request delivery, system configuration information for optimization, timestamps of access events, HTTP request headers and methods, response status codes, user agents identifying browsers and devices, and referral sources when applicable.

According to the Privacy Policy, Cloudflare processes this End User data on behalf of customers to operate, maintain, and improve services in performance of its obligations under customer agreements. When Cloudflare is a reverse proxy, Cloudflare IP addresses may appear in WHOIS and DNS records, but Cloudflare is a conduit for information controlled by customers; customers and their users are responsible for content transmitted across the Cloudflare network.

Website and Dashboard Analytics: For visitors to cloudflare.com website and users of Cloudflare dashboard, according to Privacy Policy controller processing, Cloudflare collects website usage data including pages visited and navigation paths, time spent on pages and interaction patterns, referral sources and search terms, form submissions and content provided, cookie and tracking technology data, IP addresses and approximate geographic location, browser type and operating system, and device characteristics.

Security and Abuse Monitoring Data: As part of operating secure platform, according to service security documentation, Cloudflare processes security-relevant information including IP addresses and access patterns for anomaly detection, failed authentication attempts and credential stuffing patterns, API abuse signals (excessive request rates, policy violations), DDoS attack traffic patterns, suspicious file access patterns, malware scanning results if enabled on customer content, and threat intelligence indicators.

According to Privacy Policy purposes, Cloudflare uses information to detect and protect against security incidents, malicious activity, deceptive activity, fraudulent activity, illegal activity, and to prosecute same. This processing serves legitimate interests in maintaining platform security and protecting customers.

Data Cloudflare Does NOT Collect or Access: According to privacy commitments and processor relationship, Cloudflare does not access customer object contents for Cloudflare's purposes (R2 is encrypted storage—Cloudflare provides infrastructure but does not read stored files), does not perform content analysis on stored objects for advertising or marketing, does not use customer data to train machine learning models without explicit customer opt-in for specific services, does not sell or rent customer data or customer content to third parties, does not share customer content with other Cloudflare customers, and does not disclose customer content to governmental authorities except as legally required with appropriate legal process.

According to CCPA compliance statement, Cloudflare does not sell, rent, or share personal information processed on behalf of customers as service provider or processor including as terms 'sell' or 'share' defined in California Consumer Privacy Act. For website visitors to cloudflare.com, making personal information available to third-party advertising partners may be considered 'sale' or 'sharing' under state privacy laws with opt-out available via Privacy Policy and Cookie Policy.

Data Retention: According to the EU Privacy Notice and service documentation, in principle Cloudflare does not store personal data longer than strictly necessary for processing purposes. For customer content in R2, retention is determined entirely by the customer: objects remain in storage until the customer deletes them. Under the R2 operational model, customers maintain complete control over the data lifecycle through bucket policies, API operations for deletion, and lifecycle rules for automatic transitions or deletions.

For Customer Account Information where Cloudflare is controller, according to data protection framework, information retained for duration of customer account relationship plus period necessary for legal obligations (tax records, financial reporting, regulatory compliance, fraud prevention, legal defense). For End User log data processed as processor, retention periods follow customer agreements and service configuration—customers can configure log retention through Cloudflare dashboard or API.

Encryption and Key Management: According to the security implementation, all objects stored in R2 are encrypted at rest, with encryption keys managed by Cloudflare in the secure key management systems it uses internally. Customers do not directly manage encryption keys for R2; encryption is handled automatically by the platform. Unlike AWS S3, which offers customer-managed key options (SSE-KMS, SSE-C), R2 encryption currently uses Cloudflare-managed keys exclusively.

Metadata Processing for Consistency: According to the Metadata Service architecture, object metadata (keys, checksums, version information) is processed through a distributed Durable Objects layer to ensure strong consistency. This metadata processing enables R2's consistency guarantees: reads immediately reflect writes across all locations. Metadata is stored separately from object data, and both are encrypted and replicated for durability.


Legal Basis for Processing

Cloudflare R2's legal basis for processing personal data varies significantly depending on whether Cloudflare acts as processor (for Customer Content stored in R2) or controller (for Account Information and website operations), and differs by jurisdiction. According to Data Processing Addendum and Privacy Policy, following legal bases apply.

Contractual Necessity for Processor Role: When customers store data containing personal information in R2 buckets, Cloudflare acts as data processor on behalf of customer controllers. According to Data Processing Addendum Section 4 (Processing of Personal Data), Cloudflare's processing as processor occurs to fulfill contractual obligation to provide R2 storage services to customers.

This processing includes accepting and storing objects uploaded to R2 buckets, maintaining object metadata for retrieval and integrity verification, executing customer instructions for data handling (access controls, deletion, replication), providing API interfaces for object operations, encrypting data at rest and in transit, maintaining durability and availability as specified in service documentation, processing End User requests to access customer content, and generating usage metrics and billing data.

According to the DPA framework, Cloudflare shall only process Customer Personal Data on documented instructions from the Customer (including with regard to data transfers) unless required to do so by applicable law. Customer instructions are implemented through R2 API calls, dashboard configurations, bucket policies, and service settings. Customers, as controllers, determine the purposes and means of processing personal data stored in R2.

Customer's Legal Basis Responsibility: While Cloudflare as processor relies on contractual necessity with customers, customers themselves must establish appropriate legal bases as controllers for storing personal data in R2. According to data protection principles and customer responsibilities, customers typically rely on consent (where data subjects explicitly agreed to data storage in cloud infrastructure), contractual necessity (where data storage required to provide services users requested), legal obligations (where data retention mandated by applicable laws or regulations), or legitimate interests (where data storage serves legitimate business purposes that do not override data subject rights).

According to DPA Section 5 (Customer Responsibilities), Customer warrants and represents that it shall comply with its obligations as a Controller or Processor under Applicable Data Protection Laws with respect to its processing of Personal Data and any processing instructions it issues to Cloudflare, including ensuring that processing instructions comply with all applicable laws. Customers bear responsibility for obtaining necessary consents, providing privacy notices, implementing data subject rights mechanisms, conducting Data Protection Impact Assessments where required, and maintaining processing records.

Cloudflare as Controller - Contractual Necessity: For Customer Account Information, according to Privacy Policy legal basis section, Cloudflare processes data based on contractual necessity to provide R2 services including creating and maintaining customer accounts, processing subscription payments and billing, providing technical support and resolving service issues, delivering service notifications and updates, and maintaining platform security and operational integrity.

Cloudflare as Controller - Legitimate Interests: For certain operational activities, according to Privacy Policy and GDPR Article 6(1)(f), Cloudflare relies on legitimate business interests including security monitoring (detecting unauthorized access, preventing security threats, maintaining audit logs), fraud prevention (identifying fraudulent accounts, preventing abuse of service resources, protecting platform integrity), service improvement (analyzing aggregated usage patterns, identifying performance optimization opportunities, planning capacity), business operations (managing vendor relationships, conducting internal audits, maintaining financial records, defending legal claims), and marketing communications (informing customers about new features, sending relevant service updates, conducting customer surveys with opt-out options).

According to GDPR balancing requirements, these interests weighed against data subject rights through implementing data minimization in operational logs, access controls limiting personnel access to personal data, encryption protecting sensitive information, transparency through documented privacy policies, data subject rights fulfillment mechanisms, and regular reviews of processing activities for continued necessity and proportionality.

Compliance with Legal Obligations: In certain circumstances, according to Privacy Policy and DPA Section 8 (Compliance with Laws), data processing necessary to comply with legal requirements including responding to valid legal process (subpoenas, court orders issued by courts with proper jurisdiction), complying with data breach notification laws and regulations, meeting regulatory reporting obligations, cooperating with law enforcement investigations when legally mandated with appropriate legal basis, and maintaining records as required by commercial law and regulatory frameworks.

According to government access principles, when Cloudflare receives demand for customer data from governmental authority, Cloudflare will attempt to redirect governmental authority to request data directly from customer, will carefully review legal process and challenge inappropriate or overbroad demands, will provide customer with notice when legally permitted before disclosure, and publishes information about governmental requests in Cloudflare Transparency Reports.

Consent: According to Privacy Policy, consent serves as legal basis for certain processing activities including marketing communications beyond transactional emails (where opt-in required by law such as under GDPR for electronic marketing), optional analytics and tracking beyond strictly necessary functions (where ePrivacy Directive or similar laws require consent), and specific data sharing scenarios where required by applicable law.

According to consent management, where Cloudflare relies on consent, consent can be withdrawn at any time without affecting lawfulness of processing before withdrawal. Withdrawal mechanisms include unsubscribe links in marketing emails, cookie preference management tools on cloudflare.com, and account settings for optional features.

GDPR Article 6 Legal Bases: For data subjects in European Union, EEA, United Kingdom, and Switzerland, processing governed by GDPR and equivalent laws. According to Privacy Policy GDPR section, Cloudflare's legal bases under Article 6 include processing necessary for performance of contract with customer (Article 6(1)(b)) for service delivery and customer account management, processing necessary for compliance with legal obligation to which Cloudflare subject (Article 6(1)(c)) for regulatory compliance and legal process response, processing necessary for legitimate interests pursued by Cloudflare or third party except where overridden by data subject interests or fundamental rights (Article 6(1)(f)) for security, fraud prevention, business operations, and processing based on data subject consent for specific purposes (Article 6(1)(a)) for marketing and optional features.

California and US State Privacy Laws: For California residents and residents of other US states with comprehensive privacy laws (CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA), according to US Privacy Compliance page, Cloudflare is 'service provider' under CCPA—company that processes information on behalf of business to which business discloses consumer's personal information for business purpose pursuant to written contract.

According to CCPA service provider provisions, Cloudflare does not sell, rent, or share personal information processed on behalf of customers as service provider or processor including as terms 'sell' or 'share' defined in CCPA. Cloudflare maintains contracts with customers and service providers ensuring data use complies with applicable US state data protection laws. Cloudflare provides all users with data subject access, correction, and deletion rights.

Cross-Border Transfer Legal Basis: For international transfers from EU/EEA/UK to United States, according to Data Processing Addendum and transfer mechanisms, Cloudflare certified under EU-US Data Privacy Framework established by US Department of Commerce and European Commission providing adequacy decision for transatlantic personal data transfers. According to DPF certification, Cloudflare commits to DPF Principles regarding processing of personal data received from EU in reliance on DPF.

As an additional safeguard, according to DPA Annex II, the Standard Contractual Clauses (EU SCCs) are incorporated for Module Two (Controller to Processor) and Module Three (Processor to Processor) transfers under European Commission Decision 2021/914. The SCCs serve as a fallback mechanism if DPF adequacy is challenged or invalidated. For UK transfers, the UK Addendum to the EU SCCs applies. For Swiss transfers, Swiss-specific requirements are addressed through adaptation of the SCCs.

Special Categories and Sensitive Data: According to Privacy Policy and customer guidance, R2 is general-purpose object storage capable of storing any data type customers choose including special categories of personal data under GDPR Article 9. However, customers storing special category data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sex life or sexual orientation) must ensure appropriate legal bases under Article 9 (explicit consent, substantial public interest, etc.), implement enhanced security measures, conduct Data Protection Impact Assessments, and meet jurisdiction-specific requirements for sensitive data.

On HIPAA alignment: although HHS does not recognize HIPAA 'certification,' Cloudflare's network, management infrastructure, processes, and procedures are consistent with HIPAA security requirements. Customers storing Protected Health Information should execute a Business Associate Agreement if required by HIPAA regulations, implement appropriate HIPAA-compliant configurations, maintain required documentation, and conduct HIPAA risk assessments.


Standard Sub-processors

Cloudflare R2's subprocessor framework reflects Cloudflare's integrated infrastructure model where most R2 functionality delivered through Cloudflare's own global network rather than extensive third-party service integration. According to Data Processing Addendum Section 4.4 and public subprocessor list, Cloudflare maintains transparency about subprocessors engaged to deliver services.

Publicly Maintained Subprocessor List: According to DPA commitment, Cloudflare maintains list of subprocessors at https://www.cloudflare.com/gdpr/subprocessors/ and will add names of new and replacement subprocessors to list at least thirty (30) days prior to date on which those subprocessors first process Personal Data. Customers can subscribe to RSS feed at https://www.cloudflare.com/gdpr/subprocessors/cloudflare-services/ to receive alerts whenever changes made to subprocessor list.

According to subprocessor transparency framework, for each subprocessor Cloudflare discloses subprocessor name and corporate affiliation, services provided and processing purposes, locations where processing may occur, and effective dates when subprocessor engagement begins. Any subprocessor that processes customers' personal data undergoes thorough information security and privacy review process before engagement.

Cloudflare Infrastructure Entities: According to service architecture, R2 operates primarily on Cloudflare's own global network infrastructure rather than third-party cloud providers. Cloudflare operates data centers in 300+ cities worldwide providing physical infrastructure for R2's Distributed Storage Infrastructure, networking equipment for R2 Gateway deployment, and compute resources for Metadata Service via Durable Objects.

Unlike typical cloud storage services built atop AWS, Azure, or GCP infrastructure, Cloudflare owns and operates its network hardware, reducing reliance on third-party subprocessors for core storage functionality. This infrastructure ownership means customer data stored in R2 remains within Cloudflare-controlled infrastructure rather than being subprocessed through external cloud providers.

Service Provider Subprocessors: According to DPA framework and typical SaaS operations, Cloudflare engages subprocessors for specific business functions supporting R2 operations including payment processing (for R2 subscription billing, payment method validation, transaction processing, fraud detection), customer support platforms (for support ticket management, customer communication, knowledge base, though specific platforms not disclosed in R2-specific documentation), email delivery services (for transactional emails including account notifications, billing receipts, security alerts), analytics and monitoring (for platform performance monitoring, usage analytics, security information and event management), and identity and access management (for authentication services, credential management, multi-factor authentication).

Specific subprocessors and their roles disclosed in comprehensive subprocessor list maintained at cloudflare.com/gdpr/subprocessors with regular updates. Cloudflare does not disclose complete subprocessor list within Privacy Policy or DPA documents themselves but maintains separate public registry accessible to customers and prospective customers for due diligence.

Regional and Jurisdictional Subprocessors: For R2 buckets created with Jurisdictional Restrictions, according to data localization framework, subprocessor engagement may be restricted to ensure data remains within specified jurisdiction. For EU Jurisdiction buckets, subprocessors processing Customer Personal Data must either be located within EU/EEA or have appropriate transfer mechanisms (SCCs, adequacy decisions). For FedRAMP Jurisdiction buckets available to Enterprise customers, subprocessor engagement follows FedRAMP authorization requirements and US government data handling standards.

Subprocessor Change Management: According to DPA Section 4.4, Customer may object in writing to Cloudflare's appointment of new subprocessor on reasonable data protection grounds within thirty (30) days of being informed of the change. If Customer objects, Cloudflare and Customer will work together in good faith to find commercially reasonable alternative solution. If no alternative solution can be found within reasonable time period, either party may terminate Services with respect to those Services which cannot be provided without use of objected-to subprocessor.

This 30-day notice period enables customers to conduct subprocessor due diligence, assess data protection implications, determine whether objection warranted based on specific circumstances, and either accept new subprocessor or initiate termination if objection cannot be resolved. Unlike some enterprise services offering immediate notification with shorter objection windows, Cloudflare's 30-day period provides reasonable time for evaluation.

Subprocessor Obligations: According to DPA Section 4.5, when Cloudflare engages subprocessor, Cloudflare will impose contractual obligations on subprocessor ensuring at least same level of data protection as provided by DPA. These obligations include processing personal data only on instructions of Cloudflare (acting on Customer instructions), implementing appropriate technical and organizational security measures, assisting with data subject rights requests, notifying Cloudflare of security incidents affecting personal data, deleting or returning personal data upon termination, and allowing audits and inspections as required by data protection regulations.

No Customer Content Subprocessing for Core Storage: According to R2 architecture, core object storage functionality—accepting uploads, storing encrypted objects, retrieving objects on request, maintaining metadata consistency—occurs entirely within Cloudflare-owned infrastructure without subprocessing customer content through third-party storage providers. This differs fundamentally from services built atop AWS S3 or Google Cloud Storage where customer data subprocessed through those platforms.

Subprocessors engaged by Cloudflare for R2 primarily support business operations (billing, support, analytics) rather than processing customer content stored in buckets. End User log data (IP addresses, request patterns processed through Cloudflare network as requests transit to R2) may be subprocessed for security and performance optimization but stored object contents remain within Cloudflare infrastructure.

Comparison to Traditional Cloud Storage Subprocessing: Cloudflare's minimal external subprocessor reliance for R2 core storage contrasts with typical SaaS applications integrating numerous third-party services. Traditional cloud storage SaaS might subprocess data through AWS for hosting, SendGrid for email, Stripe for payments, Google Analytics for usage tracking, Zendesk for support, and Datadog for monitoring—creating extensive subprocessor chains. R2's infrastructure ownership reduces subprocessor proliferation though business functions still require some third-party services.

Customer Verification: Customers can verify current subprocessors by reviewing official list at https://www.cloudflare.com/gdpr/subprocessors/, subscribing to RSS feed for automatic change notifications, and reviewing DPA Annex III (List of Subprocessors) incorporated in customer agreements. For Enterprise customers requiring detailed subprocessor processing descriptions or specific subprocessor due diligence materials, requests can be directed to Cloudflare account teams.


International Data Transfer

Cloudflare R2's approach to international data transfer combines global network operations with jurisdictional data residency options, enabling customers to balance performance and compliance requirements. According to Data Processing Addendum and service documentation, comprehensive framework addresses transfers from EU/EEA to US and other jurisdictions.

EU-US Data Privacy Framework Certification: According to DPA Section 7.1 and transfer mechanism documentation, Cloudflare Inc. certified under EU-US Data Privacy Framework established by US Department of Commerce and European Commission. DPF provides adequacy decision under GDPR Article 45 for transfers of personal data from EU to certified US companies, eliminating need for additional transfer mechanisms like Standard Contractual Clauses for DPF-covered transfers.

According to DPF commitments, Cloudflare adheres to DPF Principles regarding processing of personal data received from EU in reliance on framework including Notice (informing individuals about data processing), Choice (providing opt-out for certain uses), Accountability for Onward Transfer (ensuring third parties provide same level of protection), Security (protecting personal data), Data Integrity and Purpose Limitation (ensuring data relevant and not excessive), Access (providing individuals access to personal information), and Recourse, Enforcement, and Liability (mechanisms for enforcing compliance and addressing violations).

DPF certification supplemented by Executive Order 14086 protections introduced October 2022 providing safeguards ensuring signals intelligence activities conducted only where 'necessary' to advance validated intelligence priority and only to extent and manner 'proportionate' to validated intelligence priority. EO14086 provides multi-layer redress mechanism for individuals to obtain independent and binding review of claims that personal information collected through US signals intelligence processed in ways violating privacy rights.

Standard Contractual Clauses as Fallback: According to DPA Annex II, European Commission Standard Contractual Clauses (Decision 2021/914) incorporated as additional safeguard and fallback mechanism. SCCs apply as Module Two (Controller to Processor transfers) where Customer is controller and Cloudflare is processor, and Module Three (Processor to Processor transfers) where Customer acts as processor for another controller and engages Cloudflare as subprocessor.

According to SCC implementation, SCCs provide contractual framework addressing data exporter and importer obligations, technical and organizational security measures, subprocessor engagement rules, data subject rights assistance, audit and inspection rights, liability and indemnification provisions, and dispute resolution mechanisms. SCCs serve as legally enforceable contract between Cloudflare and customers ensuring appropriate safeguards for international transfers even if DPF adequacy challenged or revoked.

UK and Swiss Transfer Mechanisms: For transfers from United Kingdom, according to UK GDPR requirements, UK Addendum to EU Standard Contractual Clauses applies providing lawful transfer mechanism post-Brexit. For transfers from Switzerland, Swiss Federal Act on Data Protection requires appropriate safeguards implemented through adaptation of EU SCCs with Swiss-specific provisions. Cloudflare's DPA addresses these jurisdictions' requirements ensuring compliant transfers from UK and Switzerland to US and other countries.

Jurisdictional Restrictions for Data Residency: According to R2 data location documentation, Jurisdictional Restrictions guarantee objects in bucket stored within specific jurisdiction to meet data residency requirements including local regulations such as GDPR or FedRAMP. Available jurisdictions include EU (European Union—objects guaranteed stored within EU member states, not transferred outside EU/EEA), FedRAMP (US federal government workloads requiring FedRAMP authorization, Enterprise customers only).

According to jurisdiction implementation, when a bucket is created with a Jurisdictional Restriction, all object data and metadata remain within the specified jurisdiction throughout the object lifecycle. The jurisdiction setting is immutable after bucket creation and cannot be changed later. Customers requiring strict data residency select the appropriate jurisdiction during bucket creation, ensuring compliance with regulations requiring in-region data storage.

For EU Jurisdiction buckets, according to data localization framework, data stored exclusively in Cloudflare data centers located within EU member states, replication for durability occurs only within EU regions, Metadata Service processing for EU jurisdiction buckets occurs within EU infrastructure, and R2 Gateway handles requests globally but object storage remains in EU. This provides compliance with regulations requiring EU-only processing while maintaining Cloudflare's global network benefits for request routing and DDoS protection.

Location Hints Without Jurisdictional Guarantee: According to data location documentation, Location Hints are optional parameters provided during bucket creation indicating primary geographical location from which data will be accessed. Location Hints optimize performance by suggesting where Cloudflare should preferentially store data but do not provide jurisdictional guarantees. With Location Hint but no Jurisdictional Restriction, R2 may replicate data globally for performance and durability while respecting location preference.

Location Hints are appropriate for customers prioritizing performance over strict data residency, wanting to optimize for a primary access region without a regulatory requirement for data confinement, or seeking performance benefits without the operational constraints of jurisdiction restrictions.

Local Uploads and Cross-Region Data Flow: According to Local Uploads feature documentation (February 2026), for non-jurisdiction-restricted buckets, when client uploads object from region distant from bucket location, R2 writes object data to storage infrastructure close to client, then asynchronously copies to bucket region via replication tasks. This creates temporary cross-region data flow improving upload performance but incompatible with Jurisdictional Restrictions.

According to implementation, Local Uploads is not available for jurisdiction-restricted buckets (EU, FedRAMP), where data must remain within jurisdiction boundaries throughout processing. Customers requiring strict data residency disable Local Uploads or create jurisdiction-restricted buckets, ensuring data never leaves the specified region.

Cloudflare Global Network Operations: According to network architecture, Cloudflare operates in 300+ cities worldwide with R2 Gateway deployed across global network via Cloudflare Workers. Request routing, authentication, and initial processing occur at edge locations close to users globally, but customer content storage respects bucket location configuration. For jurisdiction-restricted buckets, while request may route through edge locations outside jurisdiction, object data storage and processing occur exclusively within specified jurisdiction.

Supplementary Transfer Measures: Following Schrems II decision requiring supplementary measures beyond SCCs, according to Cloudflare implementation, measures include encryption in transit via TLS/SSL for all communications, encryption at rest using AES-256 for all stored objects, access controls limiting personnel access based on need-to-know principle, mandatory multi-factor authentication using physical hard tokens for privileged access, zero-trust network architecture requiring continuous authentication, EU-US Data Privacy Framework certification with EO14086 protections, Jurisdictional Restrictions enabling EU-only processing for strict compliance scenarios, regular security audits (ISO 27001, SOC 2 Type II) providing independent verification, and documented incident response procedures for security events.

No Data Localization for Non-Restricted Buckets: For buckets created without Jurisdictional Restrictions, according to service architecture, R2 may store and process data across Cloudflare's global infrastructure optimizing for performance, durability, and availability. Customers without specific data residency requirements benefit from global distribution improving access speeds worldwide while accepting data may be processed in multiple countries.

Customer Responsibilities for Transfers: According to DPA and data protection principles, customers using R2 bear responsibility for international transfer compliance including selecting appropriate bucket configuration (Location Hint, Jurisdictional Restriction, or default), conducting Transfer Impact Assessments evaluating risks for data transfers to assess SCCs and supplementary measures adequacy, disclosing in privacy policies where data stored geographically, understanding that storing personal data of EU data subjects in non-EU R2 buckets constitutes international transfer requiring appropriate legal basis, implementing application-layer encryption if additional protection beyond Cloudflare encryption desired for highly sensitive data, and monitoring regulatory developments affecting international transfers in relevant jurisdictions.

Transparency and Auditing: According to transfer transparency commitments, Cloudflare publishes locations of data processing in subprocessor list and data center presence disclosures, provides audit rights in DPA enabling customers to verify data handling practices, publishes transparency reports about governmental data requests including jurisdiction breakdowns, and maintains open documentation about data location features and implementation.


Developer Responsibility

When developers integrate Cloudflare R2 for object storage, they assume extensive privacy compliance responsibilities as data controllers for data they store. According to Self-Serve Subscription Agreement, Data Processing Addendum, and Privacy Policy, following developer responsibilities apply.

Selecting Appropriate Bucket Configuration: Developers' first major responsibility is configuring R2 buckets appropriately for compliance requirements. According to data location framework, this involves evaluating data residency requirements based on jurisdictions where data subjects located, selecting Jurisdictional Restriction (EU, FedRAMP) if regulations mandate in-region storage (GDPR Article 45-46 for EU data subjects, FedRAMP requirements for US government workloads), configuring Location Hint to optimize performance when jurisdiction restriction not required, understanding that buckets without jurisdiction restrictions may store data globally across Cloudflare network, and documenting bucket configuration decisions for compliance records and Data Protection Impact Assessments.

According to irreversibility principle, jurisdiction cannot be changed after bucket creation. If a bucket is created without EU Jurisdiction and the restriction is later determined to be necessary for compliance, objects must be migrated to a new jurisdiction-restricted bucket. Developers should carefully assess requirements before bucket creation to avoid costly migrations.

Implementing Appropriate Access Controls: According to security best practices, developers must implement proper access controls including generating R2 API tokens with minimum necessary permissions (principle of least privilege), creating bucket-scoped tokens limiting access to specific buckets rather than account-wide access, implementing bucket policies restricting operations based on IP addresses, authentication credentials, request conditions, using presigned URLs for temporary access grants with appropriate expiration times, avoiding public bucket access unless genuinely required for use case (static website hosting, public downloads), enabling CORS only for necessary origins when building browser-based applications, and rotating API tokens periodically reducing risk from compromised credentials.

According to authentication architecture, R2 supports API token authentication (tokens generated via the Cloudflare dashboard with configurable permissions) and Workers Binding authentication (Cloudflare Workers accessing R2 without tokens using Wrangler bindings). For production applications, bucket-scoped tokens are recommended over account-wide tokens, limiting the blast radius if credentials are compromised.

Privacy Policy Requirements: Developers must maintain comprehensive privacy policies explaining R2 storage and data handling. According to privacy law requirements and GDPR transparency obligations, policies should identify Cloudflare R2 as object storage infrastructure provider, disclose Cloudflare Data Processing Addendum governs processor relationship, explain what data stored in R2 (user uploads, application data, backups, analytics data), disclose data storage locations (EU if using EU Jurisdiction, multiple regions if using Location Hints or default configuration, global distribution for non-restricted buckets), reference international data transfers with Standard Contractual Clauses and EU-US Data Privacy Framework for non-EU storage, explain retention periods (how long data kept, deletion process), describe security measures (AES-256 encryption at rest, TLS/SSL in transit, access controls), detail how users exercise rights (access, deletion, rectification, portability, objection), provide contact information for privacy inquiries and complaints, and specify applicable supervisory authority for GDPR complaints if serving European users.

Executing Data Processing Addendum: For developers subject to GDPR or serving European users, understanding Cloudflare Data Processing Addendum essential. According to Self-Serve Subscription Agreement Section governing personal data, if Customer Content includes personal data of European data subjects or personal information under CCPA, Cloudflare is data processor or subprocessor and will handle such Personal Data in compliance with Cloudflare Data Processing Addendum which is incorporated by reference into Agreement.

Developers should review DPA to understand Cloudflare's role as processor and developer's role as controller, confirm Standard Contractual Clauses coverage for international transfers, review processing scope and permitted purposes (providing R2 storage services per customer instructions), understand security obligations and breach notification procedures, review subprocessor list and objection rights, document DPA acceptance in compliance records, and for enterprise contracts, negotiate specific terms if needed through Cloudflare account team.

Implementing User Rights Fulfillment: Under GDPR, CCPA, and similar laws, data subjects have various rights developers must implement. According to compliance obligations, developers must establish processes for access requests (retrieving user data from R2 and providing in accessible format), deletion requests (using R2 API to permanently delete objects containing user data, understanding deletion is immediate and irreversible), rectification requests (updating objects with corrected data), portability requests (exporting user data in machine-readable format like JSON, CSV), objection to processing (honoring user objection to data storage in R2 for certain purposes), and documenting all rights requests and fulfillment actions for audit trail.

According to R2 capabilities, developers can use S3 API for programmatic object operations enabling bulk deletion for erasure requests, bucket lifecycle policies for automated deletion based on age if appropriate for retention periods, listing operations to identify objects containing user data for rights request fulfillment, and presigned URLs for enabling users to directly download their data for portability requests.

Data Minimization and Purpose Limitation: Developers should implement data minimization principles. According to GDPR Article 5 and privacy best practices, this involves storing only personal data necessary for specified purposes, avoiding collecting excessive data 'just in case' of future use, implementing data classification to identify sensitivity levels, using separate buckets for different data categories or sensitivity levels (user-generated content vs. application backups vs. analytics data), regularly reviewing stored data for continued necessity, and implementing automated deletion for data no longer needed for legitimate purposes.

According to purpose limitation principle, personal data collected for one purpose should not be repurposed without additional legal basis. Data stored in R2 for backup purposes should not be repurposed for marketing analytics without appropriate consent or legal basis adjustment.

Security Configuration and Monitoring: While Cloudflare provides infrastructure security (encryption at rest, network protection), developers must implement application-level security including ensuring HTTPS/TLS used for all R2 API communications, validating API responses for tampering or replay attacks, implementing request signing for additional security where appropriate, monitoring access logs for suspicious patterns (unusual download volumes, unauthorized access attempts, geographic anomalies), setting up alerts for security events (failed authentication, excessive requests from single IP, large data exfiltration), conducting security testing including penetration testing of R2 integration, and maintaining incident response plan for R2-related security incidents.

Encryption Key Management: According to R2 encryption model, Cloudflare manages encryption keys internally. For applications requiring customer-managed encryption keys (defense-in-depth, compliance requirements mandating customer key control, separation of duties between storage provider and key manager), developers should implement client-side encryption, in which objects are encrypted with customer-managed keys before upload to R2 and decrypted after retrieval from R2, with the encryption keys never transmitted to or accessible by Cloudflare.

Client-side encryption provides additional protection, ensuring that even Cloudflare, with infrastructure access, cannot decrypt object contents without the customer's encryption keys. However, this adds complexity: key management responsibility falls entirely on the customer, server-side features requiring content access (server-side filtering, transformation) cannot be used, and encryption/decryption operations add performance overhead.

Backup and Disaster Recovery: Developers should implement appropriate backup strategies. According to operational best practices, this involves understanding R2's 11-9s durability means object loss extremely unlikely but not impossible, implementing cross-bucket replication for critical data (replicate to separate bucket in different location as disaster recovery), considering cross-cloud backup for highest-criticality data (store copies in different provider like AWS S3 as ultimate failsafe), testing restoration procedures regularly verifying backups recoverable, documenting backup retention periods aligning with compliance requirements, and maintaining offline or immutable backups for ransomware protection where appropriate.

Cost Management and Optimization: Developers should manage R2 costs through appropriate architecture. According to pricing model, costs include storage volume plus operations: Class A operations (write, list) at $4.50 per million and Class B operations (read) at $0.36 per million, with zero egress fees regardless of data retrieval volume. Cost optimization strategies include implementing object lifecycle policies for data no longer frequently accessed, using appropriate storage classes when made available, monitoring operation counts to identify optimization opportunities, caching frequently accessed objects when possible to reduce Class B operations, and comparing total cost including operations vs. competitors where egress fees may dominate.

Zero egress fees represent R2's major cost advantage—applications with high data retrieval rates (media streaming, content distribution, machine learning inference) can save substantially compared to traditional cloud storage where egress costs $0.08-$0.12 per GB.

Regulatory Change Monitoring: Developers should maintain ongoing awareness of privacy law developments including monitoring data protection law changes in jurisdictions with significant user populations, reviewing regulatory guidance from supervisory authorities (EDPB for GDPR, CNIL for France, ICO for UK), staying informed about Cloudflare service updates and DPA modifications, subscribing to Cloudflare subprocessor change notifications via RSS feed, monitoring court decisions affecting international transfers (Schrems decisions, DPF challenges), and engaging legal counsel for complex compliance questions or high-risk processing scenarios.

Content Liability and Illegal Content: Developers bear responsibility for content stored in R2 buckets. According to Terms of Service and legal frameworks, this includes ensuring stored content does not violate intellectual property rights (copyright infringement, trademark violations, piracy), does not contain illegal material (child sexual abuse material, terrorist content, regulated items where prohibited), complies with content regulations in jurisdictions where application operates, implements appropriate content moderation for user-generated content applications, and responds to DMCA takedown notices or equivalent legal processes for infringing content.

According to Cloudflare's position as infrastructure provider, Cloudflare is a conduit for information controlled by developers; developers and their users are responsible for content transmitted across the Cloudflare network, including objects stored in R2.


Official Links

Core Documentation:

Privacy Policy: https://www.cloudflare.com/privacypolicy/
Data Processing Addendum: https://www.cloudflare.com/cloudflare-customer-dpa/
Standard Contractual Clauses: https://www.cloudflare.com/cloudflare-customer-scc/
Self-Serve Subscription Agreement: https://www.cloudflare.com/terms/

GDPR and Compliance:

GDPR Compliance: https://www.cloudflare.com/trust-hub/gdpr/
US Privacy Compliance: https://www.cloudflare.com/trust-hub/us-privacy-compliance/
Privacy & Data Protection: https://www.cloudflare.com/trust-hub/privacy-and-data-protection/
Subprocessors List: https://www.cloudflare.com/gdpr/subprocessors/

R2 Documentation:

R2 Overview: https://developers.cloudflare.com/r2/
Data Security: https://developers.cloudflare.com/r2/reference/data-security/
Data Location: https://developers.cloudflare.com/r2/reference/data-location/
How R2 Works: https://developers.cloudflare.com/r2/how-r2-works/

Transparency:

Transparency Report: https://www.cloudflare.com/transparency/
Compliance Resources: https://www.cloudflare.com/trust-hub/compliance-resources/

Concluding Note

This Privacy & Data Handling Profile provides comprehensive overview of Cloudflare R2's data processing practices as documented in Privacy Policy, Data Processing Addendum, Standard Contractual Clauses, service documentation, and compliance materials. Cloudflare R2 represents S3-compatible object storage service with distinctive zero-egress-fee model and strong data protection framework.

Critical considerations for R2 implementation include understanding that Cloudflare acts as data processor for Customer Content stored in R2 buckets while customers are data controllers bearing primary compliance responsibility. The Data Processing Addendum is automatically incorporated in service agreements, establishing processor obligations, Standard Contractual Clauses for international transfers, and subprocessor transparency through a publicly maintained list. Unlike typical consent-based relationships, the processor role means Cloudflare processes data to fulfill its contractual obligation to provide storage services per customer instructions.

EU-US Data Privacy Framework certification provides adequacy for transatlantic transfers eliminating need for additional mechanisms though Standard Contractual Clauses incorporated as fallback if DPF challenged. This dual-mechanism approach (DPF primary, SCCs fallback) provides robust legal foundation for international transfers while Executive Order 14086 protections address concerns raised in Schrems II decision about US surveillance laws and lack of effective redress mechanisms.

Jurisdictional Restrictions for EU and FedRAMP enable strict data residency compliance where regulations mandate in-region storage. EU Jurisdiction guarantees objects are stored exclusively within EU member states, never leaving the EU/EEA throughout the object lifecycle. This addresses GDPR Article 45-46 transfer requirements for organizations requiring EU-only processing. However, jurisdiction is immutable after bucket creation and cannot be changed later, which requires careful upfront assessment.

Location Hints provide performance optimization without jurisdictional guarantees, which is appropriate for customers prioritizing global performance over strict data residency. The Local Uploads feature improves cross-region upload performance but is unavailable for jurisdiction-restricted buckets, where data must never leave the specified region. Developers should understand the distinction between Location Hints (a performance suggestion) and Jurisdictional Restrictions (a compliance guarantee) and select the appropriate configuration for their use case.

Zero egress fees distinguish R2 from traditional cloud storage providers that charge $0.08-$0.12 per GB for data retrieval. For applications with high data retrieval rates (media streaming, content distribution, data analytics, ML model serving), R2 can deliver substantial cost savings. Enterprise customers spending six figures annually on egress from AWS S3 or Google Cloud Storage can eliminate the egress component entirely with R2 while maintaining S3 API compatibility, which enables straightforward migration.

Encryption at rest is automatic, using AES-256 with GCM, and requires no user configuration. Unlike AWS S3, which offers customer-managed keys (SSE-KMS) or customer-provided keys (SSE-C), R2 currently uses Cloudflare-managed encryption keys exclusively. Customers requiring customer-managed encryption should implement client-side encryption before uploading objects to R2, accepting additional complexity and performance overhead for enhanced key control.
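The client-side encryption recommended above can be done as envelope encryption with a customer-held key. The following is an added example, not code from Cloudflare or from the documentation this guide summarizes; the function names, the sample object key, and the choice to carry the wrapped key as object metadata are assumptions.

```javascript
// Added example: client-side envelope encryption with a customer-held key.
const crypto = require('node:crypto');

// AES-256-GCM helper: returns nonce || tag || ciphertext in one Buffer.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);            // fresh 96-bit nonce per call
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]); // tag is 16 bytes
}

// Reverse of seal(); throws if the key, AAD, or any byte does not match.
function open(key, sealed, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Encrypt one object. objectKey (its name in the bucket) is bound as AAD, so a
// ciphertext copied under another name fails authentication on read.
function encryptObject(kek, objectKey, plaintext) {
  const aad = Buffer.from(objectKey, 'utf8');
  const dataKey = crypto.randomBytes(32);          // per-object 256-bit data key
  return {
    body: seal(dataKey, plaintext, aad),           // upload as the object body
    wrappedKey: seal(kek, dataKey, aad).toString('base64'), // assumed: kept as object metadata
  };
}

function decryptObject(kek, objectKey, stored) {
  const aad = Buffer.from(objectKey, 'utf8');
  const dataKey = open(kek, Buffer.from(stored.wrappedKey, 'base64'), aad);
  return open(dataKey, stored.body, aad);
}

// Constructed sample. In practice the KEK lives in your own KMS or HSM and is
// never sent to the storage provider.
function demo() {
  const kek = crypto.randomBytes(32);
  const name = 'reports/2026-q1.csv';
  const stored = encryptObject(kek, name, Buffer.from('id,amount\n1,100\n'));
  return decryptObject(kek, name, stored).toString('utf8');
}
```

The provider only ever receives `body` and `wrappedKey`; losing the key encryption key makes every object unrecoverable, so its backup and rotation become the customer's responsibility.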

Cloudflare's infrastructure ownership means core R2 storage operates on a Cloudflare-owned network rather than being built atop AWS, Azure, or GCP. This reduces subprocessor proliferation compared to typical SaaS applications: customer content stored in R2 remains within Cloudflare infrastructure without subprocessing through third-party cloud providers. Subprocessors are engaged primarily for business functions (billing, support) rather than core storage operations.

The strong consistency guarantee means reads immediately reflect writes, without the eventual consistency delays common in distributed systems. This enables building applications requiring strict consistency (financial systems, inventory management, collaborative editing) without application-layer conflict resolution. Combined with 11-9s durability (expect losing one object per 1,000,000 stored every 100,000 years), R2 provides enterprise-grade reliability.

S3 API compatibility enables migration from existing S3 deployments with minimal code changes. Most AWS SDK clients work with R2 by changing the endpoint configuration. However, not all S3 features are supported. Before migration, developers should review the R2 documentation for feature parity, including unsupported features, API differences, and behavior variations. Testing the migration in an R2 test environment is recommended before production cutover.

Compliance certifications (ISO 27001, SOC 2 Type II, PCI DSS Level 1) demonstrate independent third-party validation of security controls. HIPAA-aligned procedures enable healthcare organizations to use R2 for Protected Health Information with an appropriate Business Associate Agreement, HIPAA-compliant configuration, and risk assessments. However, customers bear responsibility for proper implementation: the certifications validate Cloudflare infrastructure, not customer deployments.

The 30-day subprocessor change notification via RSS feed enables proactive due diligence. Customers can object to new subprocessors on reasonable data protection grounds within the 30-day window. If an objection cannot be resolved through an alternative solution, customers may terminate the affected services. This provides meaningful control over the subprocessor chain, which is uncommon in consumer-grade cloud services.

Technical and organizational measures include mandatory multi-factor authentication using physical hard tokens for privileged access, zero-trust network architecture requiring continuous authentication, principle of least privilege access controls, encryption protecting data at rest and in transit, regular external audits and internal assessments, formal Information Security Management System (ISMS) and Privacy Information Management System (PIMS), documented incident response procedures, and annual security and privacy awareness training for all employees.

Developers must understand that Cloudflare does not access object contents for Cloudflare's own purposes: R2 is encrypted storage infrastructure. Unlike advertising-supported services that analyze stored content for targeting, Cloudflare processes customer content only to provide storage services. Cloudflare does not sell, rent, or share customer data or customer content with third parties. This privacy-first approach is fundamental to Cloudflare's business model and value proposition.

The information presented here derives from Cloudflare official documentation including Privacy Policy, Data Processing Addendum, Standard Contractual Clauses, R2 technical documentation, and compliance materials as of May 2026. Cloudflare continuously enhances services with new features, regions, and capabilities. Developers should monitor Cloudflare announcements for service updates, review DPA modifications and subprocessor changes via RSS feed, check compliance certifications for updates, stay informed about data protection law developments affecting international transfers, and engage legal counsel for complex compliance questions specific to applications and user jurisdictions.


Legal Disclaimer

This profile is a summary of publicly available documentation from the Cloudflare Privacy Policy, Data Processing Addendum, Standard Contractual Clauses, R2 technical documentation, and compliance materials. It is provided for informational purposes only and does not constitute legal advice. Developers should consult their own legal counsel to ensure compliance with applicable privacy laws including GDPR, CCPA, HIPAA, and other regulations relevant to their jurisdictions and data types. The information presented here reflects Cloudflare official documentation as of May 2026 and may be subject to change. Developers are responsible for verifying current service capabilities, reviewing the latest DPA terms and Standard Contractual Clauses, properly configuring R2 for their compliance requirements including jurisdiction selection, implementing appropriate application-level security controls and encryption, fulfilling data subject rights requests, conducting Data Protection Impact Assessments where required, maintaining ongoing compliance monitoring, and understanding that the customer bears primary legal responsibility as data controller for data stored in R2. Cloudflare's role as processor does not eliminate the customer's controller obligations under privacy laws. This document does not substitute for reviewing official Cloudflare documentation, consulting Cloudflare compliance resources, or engaging qualified legal counsel for compliance guidance specific to application architecture and user population.

Document Prepared: May 2026

Primary Sources: Cloudflare Privacy Policy, Data Processing Addendum, Standard Contractual Clauses, R2 Documentation, Compliance Materials

Intended Use: Educational and informational purposes for developers implementing Cloudflare R2 object storage

Not Legal Advice: Consult qualified legal counsel for compliance guidance specific to your application and user jurisdictions