Data Localization Suite
The Data Localization Suite (DLS) is a set of products that helps customers who want to maintain local control over their traffic while retaining the security benefits of a global network.
DLS is currently available for customers on the Enterprise plan. Reach out to your Customer Success Manager for more information about purchasing DLS.
The Data Localization Suite consists of the following products:
Support by product and region is summarized in the following table:
Region | Geo Key Manager | Regional Services | Customer Metadata Boundary |
---|---|---|---|
US | ✅ | ✅ | ✅ |
EU | ✅ | ✅ | ✅ |
UK | ✅1 | ✅ | Can use EU metadata boundary. |
Canada | ✅1 | ✅ | ✘ |
Australia | ✅1 | ✅ | ✘ |
Japan | ✅1 | ✅ | ✘ |
India | ✅1 | ✅ | ✘ |
ISO 27001 Certified European Union | ✅1 | ✅ | Can use EU metadata boundary. |
Germany | ✅1 | ✅ | Can use EU metadata boundary. |
Singapore | ✅1 | ✅ | ✘ |
Overview by product-behavior is summarized in the following table. Below you can find the table legend to help you read the table:
✅ Product works with no caveats
🚧 Product can be used with some caveats
✘ Product cannot be used
⚫️ Not applicable
Suite/Category | Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
---|---|---|---|---|
Application Performance | Caching/CDN | ✅ | ✅ | ✅ |
Cache Reserve | ⚫️ | 🚧2 | 🚧3 | |
DNS | ⚫️ | ⚫️ | 🚧3 | |
Image Resizing | ✅ | ✅ | 🚧3 | |
Load Balancing | ✅ | ✅ | 🚧3 | |
Stream Delivery | ✅ | ✅ | ✅ | |
Tiered Caching | ✅ | 🚧4 | 🚧4 | |
Waiting Room | ⚫️ | ✅ | 🚧3 | |
Zaraz | ✅ | ✅ | 🚧3 | |
Application Security | Advanced Certificate Manager | ⚫️ | ⚫️ | ⚫️ |
Advanced DDoS Protection | ✅ | ✅ | 🚧5 | |
API Shield | ✅ | ✅ | ✘6 | |
Bot Management | ✅ | ✅ | 🚧7 | |
DNS Firewall | ⚫️ | ⚫️ | 🚧3 | |
Page Shield | ✅ | ✅ | ✘8 | |
Rate Limiting | ✅ | ✅ | 🚧3 | |
SSL | ✅ | ✅ | ✅ | |
Cloudflare for SaaS | ✘ | ✅ | ✅ | |
Turnstile | ⚫️ | ✘ | ✘ | |
WAF/L7 Firewall | ✅ | ✅ | ✅ | |
Developer Platform | Cloudflare Images | ⚫️ | ✘ | ✘ |
Cloudflare Pages | ✘ | ✘ | ✘ | |
Durable Objects | ⚫️ | ✅9 | 🚧3 | |
R2 | ⚫️ | 🚧2 | 🚧3 | |
Stream | ⚫️ | ✘ | ✘ | |
Workers (deployed on a Zone) | ✅ | ✅ | 🚧3 | |
Workers KV | ⚫️ | ✘ | ✘ | |
Workers.dev | ✘ | ✘ | ✘ | |
Network Services | Argo Smart Routing | ✅ | ✘10 | ✘11 |
BYOIP | ⚫️ | ✘12 | ⚫️ | |
Magic Firewall | ⚫️ | ⚫️ | 🚧3 | |
Magic Transit | ⚫️ | ⚫️ | 🚧3 | |
Magic WAN | ⚫️ | ⚫️ | 🚧3 | |
Spectrum | ✅ | ✅ | 🚧3 | |
Platform | Logpull | ⚫️ | ✅ | 🚧13 |
Logpush | ⚫️ | ✅ | 🚧14 | |
Zero Trust | Access | 🚧15 | 🚧16 | 🚧17 |
Area 1 | ⚫️ | ✅18 | 🚧19 | |
Browser Isolation | ⚫️ | 🚧20 | ✅ | |
CASB | ⚫️ | ⚫️ | ✘ | |
Cloudflare Tunnel | ⚫️ | 🚧21 | ⚫️ | |
DLP | ⚫️22 | ⚫️22 | ✘ | |
Gateway | 🚧23 | 🚧24 | 🚧25 | |
WARP | ⚫️ | ⚫️ | 🚧3 |
Only supported in Geo Key Manager v2. ↩︎
You can not yet specify region location for object storage; this is expected in 2023. ↩︎
Logs / Analytics not available outside US region when using Customer Metadata Boundary. ↩︎
Regular and Custom Tiered Cache works; Smart Tiered Caching not available with Regional Services. ↩︎
Network Analytics (including DoS analytics) will not be sent outside the region. However, these are only viewable today in US region. ↩︎
API shield will not yet work with Customer Metadata Boundary enabled outside of US region. ↩︎
Some advanced Enterprise features, including the Anomaly Detection engine, are not available. ↩︎
Cannot be used with Customer Metadata Boundary outside of US region. ↩︎
Argo cannot be used with Regional Services. ↩︎
Argo cannot be used with Customer Metadata Boundary. ↩︎
BYOIP cannot be used with Regional Services. ↩︎
Logpull not available when using Customer Metadata Boundary outside US region. Logs may be stored and retrieved with Logs Engine which is adding region support in 2023. ↩︎
Logpush available with Customer Metadata Boundary for HTTP requests and Firewall events. Please contact your Customer Success Manager if you need to push another dataset. ↩︎
Access App SSL keys can use Geo Key Manager. Access JWT is not yet localized. ↩︎
Can be localized to US FedRAMP region only. More regions coming in 2023. ↩︎
Customer Metadata Boundary can be used to limit data transfer outside region, but Access User Logs will not be available outside US region. ↩︎
US and EU region only.
For Area 1, this is called the Processing & Inspection Boundary. ↩︎Email metadata (
subject
,from:
,to:
) can only be stored in US.
Customers have the option to obfuscate metadata from being viewed by Cloudflare.
Email message bodies are only stored for emails that are marked with a disposition (likeMALICIOUS
orSPAM
). ↩︎Currently may only be used with US FedRAMP region. ↩︎
Only US FedRAMP region. ↩︎
Uses Gateway and CASB. ↩︎
You can bring your own certificate to Gateway but these cannot yet be restricted to a specific region. ↩︎
Gateway HTTP supports Regional Services. Gateway DNS does not yet support regionalization.
ICMP proxy and WARP-to-WARP proxy are not available to Regional Services users. ↩︎Gateway HTTP and Gateway Network can be used with Customer Metadata Boundary and logs are available via Logpush (logs and analytics are still not available in the dashboard when setting the region to the EU). ↩︎