Cloudflare earns global cross-border data privacy certification

Cloudflare has become one of the first organisations globally to be certified under the Global Cross-Border Privacy Rules (CBPR) and Global Privacy Recognition for Processors (PRP) systems.

The certifications, launched by a forum of nine governments, provide a framework for organisations to demonstrate adherence to internationally recognised data protection and privacy standards when transferring personal data across borders.

The Global CBPR and Global PRP frameworks were established by government authorities in Australia, Canada, Japan, Mexico, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States. The United Kingdom, Bermuda, Mauritius, and the Dubai International Financial Centre are CBPR Associate Members.

"Running a global business is getting more and more complex. Global standards like the CBPR and PRP are important because they can establish clear, consistent guidelines around data privacy, and make it easier for organisations to scale and do business across borders. Cloudflare has a long history of putting privacy first – helping build new industry protocols, building it into our products by default, and now we're one of the first organisations to achieve these new global certifications," Matthew Prince, Co-Founder and Chief Executive Officer at Cloudflare, said.

With the addition of the CBPR and PRP certifications, Cloudflare now meets privacy standards in 39 jurisdictions. The frameworks are intended to bridge varying data protection laws across countries and offer organisations a way to confirm their compliance through a set of unified principles and requirements.

The Global CBPR and Global PRP standards are based on nine guiding principles: preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. In practice, the certifications require organisations to demonstrate compliance with 50 specific requirements for collecting, managing, and safeguarding personal data.

The milestone follows Cloudflare's previous achievements in privacy and data protection compliance, including ISO 27701 and ISO 27018 certifications, which focus on processing personally identifiable information in public cloud environments. The company is also verified as compliant with the EU Cloud Code of Conduct, recognised under the European Union's General Data Protection Regulation (GDPR) across the 30 countries of the European Economic Area.

The CBPR and PRP certifications offer assurances to organisations operating internationally that customer data is protected, and that the company has implemented audited controls around data management. This is expected to facilitate more straightforward cross-border data transfers, in line with evolving global expectations for data protection and consumer privacy.

The frameworks also aim to address the practical needs of organisations by establishing clear and repeatable guidelines across multiple jurisdictions. Cloudflare's acquisition of these certifications reflects ongoing adjustments businesses are required to make as they respond to increasing regulatory complexity in data privacy.