GDPR and CMS, what you need to know when choosing a platform
Where your data is stored is not a technical detail. It is a business risk. We break down what GDPR means for your CMS choice, why the CLOUD Act matters, and how to make a confident decision.
GDPR, or the General Data Protection Regulation, is the EU's framework for how personal data is collected, stored, and processed. The regulation applies to every organization that handles data about EU citizens, wherever in the world the organization is based. If you are choosing a CMS, that means the platform you pick directly affects your ability to comply with the law.
The term data sovereignty comes up more and more often in these conversations. It means your data is stored and handled within the jurisdiction where your organization operates, without foreign authorities being able to demand access. For a long time it was seen as a technical question. Today it is a business-critical one.
Your CMS handles more personal data than you think
Every time a visitor fills in a contact form, logs into a customer account, or interacts with your site, your CMS collects personal data. Names, email addresses, IP addresses, behavioral data. All of it is governed by GDPR.
Your choice of CMS therefore affects your organization's ability to meet the requirements. Not just on paper, but day to day: where the data is stored, who can access it, and what happens if something goes wrong.
Most organizations ask these questions too late. Often only when a procurement requires it, or after an incident.
Why US cloud providers are a legal risk
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) gives US authorities the right to request data from US cloud providers. The law applies regardless of where in the world the data is physically stored.
In practice, that means if your CMS runs on infrastructure from a US provider, such as AWS, Azure, or Google Cloud, your data can be requested by US authorities. It doesn't matter whether the servers are in Frankfurt or Stockholm. What matters is who owns the infrastructure. This applies whether you use a headless CMS or a traditional platform.
The Schrems II ruling (C-311/18) from the EU Court of Justice in July 2020 confirmed that this is a real problem. European organizations have a responsibility to ensure that personal data does not end up under jurisdictions with a lower level of protection.
In 2023 the EU and the US adopted a new framework for data transfer, the Data Privacy Framework (DPF). The framework makes things easier for US companies that self-certify, but it does not change the CLOUD Act. The two instruments are separate. The DPF can also be invalidated by the EU Court of Justice, just like its predecessors Privacy Shield and Safe Harbor.
Legal risk
What the CLOUD Act means in practice
No matter where your servers are located geographically, the provider's legal domicile decides whether the data can be requested by US authorities.
CMS platforms headquartered in the US fall under the CLOUD Act.
Storing the data "in the EU" is not enough if the provider is American.
The Data Privacy Framework does not eliminate the risk.
European providers with European infrastructure offer the strongest protection.

Legal risk
Three questions for your CMS provider
These questions quickly reveal whether a platform takes data protection seriously.
Where is our data stored, and under which jurisdiction? Don't settle for "in the EU". Ask which legal entity owns the infrastructure. If the answer is a US company, the CLOUD Act applies, regardless of the server's physical location.
Who has technical access to our data? Which people and systems can reach personal data? Are there access controls, logging, and the ability to audit? Can the provider show documentation?
What happens in a security incident? Is there a documented incident-handling process? How quickly are you notified? What measures are taken? GDPR requires notification within 72 hours.

Questions and answers
Frequently asked questions about GDPR and CMS
We often get questions about what GDPR means in practice when choosing, switching, or evaluating a CMS. Here we've gathered the most common ones, with straight answers.
Is it enough that the data is stored in the EU?
No. If the CMS provider is a US company, or uses infrastructure from a US company, the CLOUD Act applies regardless of where the data is physically stored. What matters is the jurisdiction, not the geography.
We use WordPress, is it GDPR-compliant?
WordPress as open source software can be hosted anywhere. WordPress.com, Automattic's hosted cloud service, is American, however. Self-hosted WordPress can be GDPR-compliant, but you yourself are responsible for plugins, hosting, and security.
Which industries should be extra careful?
Public sector, healthcare, the financial sector, and any organization that handles sensitive personal data have stricter requirements. But fundamentally, GDPR applies to everyone who handles personal data about EU citizens.
What happens if we breach GDPR?
Fines up to 20 million euros or 4 percent of global annual revenue, depending on the nature of the violation. The real cost, however, is often lost trust among customers, partners, and the public.
Can we use US cloud services at all?
Yes, but with extra safeguards such as standard contractual clauses (SCC) and transfer impact assessments (TIA). The protection is not as strong as with a fully European solution. More and more organizations choose to move to European infrastructure to avoid the legal uncertainty.
Does the Data Privacy Framework solve the problem?
Partly. The DPF, adopted in July 2023, provides a legal basis for data transfer to US companies that self-certify. But it does not eliminate the CLOUD Act. A CMS provider that is DPF-certified can still be compelled to hand over data. The DPF's predecessors, Privacy Shield and Safe Harbor, have both been invalidated by the EU Court of Justice. Similar challenges are underway against the DPF.
What separates Sitevision and Strife from a GDPR perspective?
Both are Swedish companies. Sitevision runs on its own Swedish data centers and states that all data is handled locally. They offer AI features and integrations with European partners (Rek.ai, Ebbot, DeepL), but do not specify which AI models power the built-in features. Strife runs on European infrastructure (Hetzner, German) with the option of self-hosted database operation for full sovereignty. The AI features in Strife are opt-in and use US language models. Technically they differ: Sitevision is a traditional Java platform, Strife a headless CMS with API-first architecture.
Is my content sent to AI services like ChatGPT or Claude?
Only if you choose to enable the AI features. In Strife, all AI features are opt-in. No data is sent to external services unless the organization actively turns them on. You can use the entire platform without AI and keep full control over where your content is processed.
AI features and GDPR, a new dimension
Most modern CMS platforms today offer AI-powered features for text generation, translation, SEO optimization, and image handling. What is rarely discussed is where your content is sent when you use them.
Most AI features in a CMS rely on US language models such as OpenAI, Anthropic (Claude), and Google (Gemini). When you ask your CMS to summarize a text or suggest a headline, your content may be sent to these services for processing. That creates a separate data transfer that falls outside the usual infrastructure question.
How do the CMS platforms handle AI and data protection?
Approaches across the industry vary.
Contentful requires AI features to be enabled separately and the organization to accept supplementary terms. Their AI features are powered by Amazon Bedrock (US/Ireland), OpenAI (US), and Google Vertex AI (EU). Contentful is one of the few providers that publishes a transparent sub-processor list with specific AI vendors.
Sanity offers AI Assist and Content Agent. The features require separate activation. Which AI vendors power the features is not specified on their public pages, but customer data is stored on Google Cloud with an EU region available.
Optimizely has AI features under the Opal brand. They state that data is processed in memory and not stored persistently, and that customer data is not used to train models. Which specific AI vendors are used is not named, and it is not clear from their public documentation whether the features are opt-in or enabled by default.
Sitevision offers AI features for text generation, SEO optimization, automatic categorization, and translation, as well as AI assistants that can be trained on the organization's own content. They state that all data is handled within Swedish data centers. Sitevision also has integrations with European partners such as Rek.ai, Ebbot, and DeepL. Which AI models power the built-in features is not specified publicly.
How does Strife handle AI and data protection?
Strife offers AI features such as text generation, SEO optimization, translation, and a component builder. These features use US language models.
All AI features in Strife are opt-in. No data is sent to external AI services unless the organization actively chooses to enable them. That means an organization that needs strict data sovereignty can use Strife without the AI features and still have a fully functional platform.
It is a deliberate trade-off. We could have limited ourselves to European AI models only, but that would have meant weaker functionality for the customers who want the best language models on the market. Instead, we give each organization the ability to make that choice themselves.
The information on this page is general in nature and does not constitute legal advice. GDPR compliance depends on your organization's specific circumstances. Consult your data protection officer or a qualified lawyer for advice tailored to your situation. Legislation and case law change, and the information on this page is current as of April 2026.