Cloudflare Docs
Data Localization Suite
Edit this page on GitHub
Set theme to dark (⇧+D)

Data Localization Suite

The Data Localization Suite (DLS) is a collection of tools that enable customers to choose the location where Cloudflare inspects and stores data, while maintaining the security and performance benefits of our global network.

The Data Localization Suite consists of the following products:

Support by product and region is summarized in the following table:

RegionGeo Key ManagerRegional ServicesCustomer Metadata Boundary
US
EU
UK25Can use EU metadata boundary.
Canada25
Australia25
Japan25
India25
ISO 27001 Certified European Union25Can use EU metadata boundary.
Germany25Can use EU metadata boundary.
Singapore25
South Korea25

Overview by product-behavior is summarized in the following table. Below you can find the table legend to help you read the table:

✅ Product works with no caveats
🚧 Product can be used with some caveats
✘ Product cannot be used
⚫️ Not applicable

ProductGeo Key ManagerRegional ServicesCustomer Metadata Boundary
Caching/CDN
Cache Reserve⚫️🚧29
DNS⚫️⚫️🚧1
HTTP/3 (with QUIC)⚫️⚫️
Image Resizing🚧1
Load Balancing🚧1
Onion Routing
Orange-to-Orange (O2O)
Stream Delivery
Tiered Caching🚧2🚧30
Trace
Waiting Room⚫️
Zaraz
ProductGeo Key ManagerRegional ServicesCustomer Metadata Boundary
Advanced Certificate Manager⚫️⚫️⚫️
Advanced DDoS Protection🚧3
API Shield4
Bot Management🚧5
DNS Firewall⚫️⚫️🚧1
Page Shield
Rate Limiting🚧1
SSL
Cloudflare for SaaS
Turnstile⚫️
WAF/L7 Firewall
DMARC Management⚫️⚫️
ProductGeo Key ManagerRegional ServicesCustomer Metadata Boundary
Cloudflare Images⚫️
Cloudflare Pages11🚧1
Durable Objects⚫️7🚧1
Email Routing⚫️⚫️
R227828
Stream⚫️
Workers (deployed on a Zone)🚧1
Workers KV⚫️
Workers.dev
ProductGeo Key ManagerRegional ServicesCustomer Metadata Boundary
Argo Smart Routing910
BYOIP⚫️26⚫️
Magic Firewall⚫️⚫️🚧1
Magic Transit⚫️⚫️🚧1
Magic WAN⚫️⚫️🚧1
Spectrum🚧1
ProductGeo Key ManagerRegional ServicesCustomer Metadata Boundary
Logpull⚫️⚫️🚧12
Logpush⚫️🚧13
ProductGeo Key ManagerRegional ServicesCustomer Metadata Boundary
Access🚧14🚧15🚧16
Browser Isolation⚫️🚧17
CASB⚫️⚫️
Cloudflare Tunnel⚫️🚧18⚫️
DLP⚫️19⚫️19🚧31
Gateway🚧20🚧21🚧22
WARP⚫️⚫️🚧1
  1. Logs / Analytics not available outside US region when using Customer Metadata Boundary.

  2. Regular and Custom Tiered Cache works; Smart Tiered Caching not available with Regional Services.

  3. Network Analytics (including DoS analytics) will not be sent outside the region. However, these are only viewable today in US region.

  4. API shield will not yet work with Customer Metadata Boundary enabled outside of US region.

  5. Some advanced Enterprise features, including the Anomaly Detection engine, are not available.

  6. Jurisdiction restrictions for Durable Objects.

  7. Only when using a Custom Domain set to a region and using jurisdictions with the S3 API.

  8. Argo cannot be used with Regional Services.

  9. Argo cannot be used with Customer Metadata Boundary.

  10. Only when using Custom Domain set to a region.

  11. Logpull not available when using Customer Metadata Boundary outside US region. Logs may be stored and retrieved with Logs Engine which is adding region support in 2024.

  12. Logpush available with Customer Metadata Boundary for HTTP requests and Firewall events. Please contact your Customer Success Manager if you need to push another dataset.

  13. Access App SSL keys can use Geo Key Manager. Access JWT is not yet localized.

  14. Can be localized to US FedRAMP region only. More regions coming in 2024.

  15. Customer Metadata Boundary can be used to limit data transfer outside region, but Access User Logs will not be available outside US region.

  16. Currently may only be used with US FedRAMP region.

  17. Only US FedRAMP region.

  18. Uses Gateway HTTP and CASB.

  19. You can bring your own certificate to Gateway but these cannot yet be restricted to a specific region.

  20. Gateway HTTP supports Regional Services. Gateway DNS does not yet support regionalization.
    ICMP proxy and WARP-to-WARP proxy are not available to Regional Services users.

  21. Gateway HTTP and Gateway Network can be used with Customer Metadata Boundary and logs are available via Logpush (logs are still not available in the dashboard when setting the region to the EU).

  22. Only supported in Geo Key Manager v2.

  23. BYOIP can be used with the legacy Spectrum setup.

  24. Only when using a Custom Domain and a Custom Certificate or Keyless SSL.

  25. R2 Dashboard Metrics and Analytics are populated. Additionally, Jurisdictional Restrictions guarantee objects in a bucket are stored within a specific jurisdiction.

  26. You cannot yet specify region location for object storage itself.

  27. Regular/Generic and Custom Tiered Cache works; Smart Tiered Caching does not work with Customer Metadata Boundary (CMB).
    With CMB set to EU, the Zone Dashboard Caching > Tiered Cache > Smart Tiered Caching option will not populate the Dashboard Analytics.

  28. DLP is part of Gateway HTTP, however, DLP datasets are not available outside US region when using Customer Metadata Boundary.