Sucuri and Data Protection – What Belongs in Your Privacy Policy
Concise guide to Sucuri: processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy on Sucuri.
If a website operator uses Sucuri, all requests to its website are routed via the Sucuri Website Firewall (WAF), which inspects requests for attacks and bot behaviour, blocks suspicious requests and forwards legitimate requests to the origin server. This page shows website operators in Germany what data Sucuri processes according to the publicly available information from the provider, which purposes and legal bases are typically applicable and which mandatory disclosures on Sucuri belong in the privacy policy.
A. Purpose and Functionality of Sucuri
Sucuri is a US provider of website security services, in particular a Web Application Firewall (WAF), DDoS protection, malware scanning and incident response. The Sucuri Website Firewall is typically embedded as a reverse proxy: the website operator configures its DNS records so that all requests to its website are first routed via the Sucuri cloud infrastructure. Sucuri inspects the requests, blocks suspicious requests, accelerates delivery via CDN functions and forwards legitimate requests to the origin server.
This page focuses on the integration function Sucuri Website Firewall as a reverse proxy (WAF, DDoS protection, CDN). Other Sucuri functions (server-side malware scanner, incident response, Sucuri SiteCheck) are not within the scope of this article and must be examined separately by the website operator.
B. Mandatory Disclosures in the Privacy Policy when Using Sucuri
The GDPR requires the privacy policy to set out tool-specific minimum content in addition to general information about the website operator, data subject rights and the supervisory authority. For the use of Sucuri this includes in particular:
- the purposes of the processing (Art. 13 para. 1 lit. c GDPR),
- the legal bases (Art. 13 para. 1 lit. c GDPR),
- where based on legitimate interests, the specific interests pursued (Art. 13 para. 1 lit. d GDPR),
- the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR),
- whether data is transferred to a third country without an adequacy decision and, if so, the safeguards used (Art. 13 para. 1 lit. f GDPR),
- the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR),
- where data is not collected directly, additionally the categories of personal data (Art. 14 para. 1 lit. d GDPR).
It is not necessary to list Sucuri with its own boilerplate text in the privacy policy, even though that practice is widespread. The "one boilerplate per tool" approach has become poor practice: it leads to long, redundant texts, makes the privacy policy hard to maintain and tends to run counter to the transparency requirement of Art. 12 para. 1 GDPR. A topic-oriented approach is more appropriate – describing processing across topics (server operations, CDN, web application firewall, etc.) and naming Sucuri only in an annex of recipients. This is exactly the methodology that the matterius generator follows.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Sucuri
According to the publicly available information from the provider, the contracting party for German website operators is Sucuri, Inc., based at 100 South Charles Street, Suite 1100, Baltimore, MD 21201, USA. Sucuri is part of the GoDaddy group; the corporate parent company is GoDaddy Inc.
According to the publicly available information, Sucuri, Inc. and the GoDaddy group entities are certified under the EU-US Data Privacy Framework (DPF); the status can be verified at https://www.dataprivacyframework.gov/s/participant-search. EU Standard Contractual Clauses are used as additional safeguards.
Sucuri's privacy notice is available at https://sucuri.net/privacy/, GoDaddy's privacy notice at https://www.godaddy.com/legal/agreements/privacy-policy. Information on the Data Processing Addendum and on subprocessors is provided by Sucuri / GoDaddy in the compliance/trust area.
D. Data Processing by Sucuri – Step by Step
E. Data Collected when Using Sucuri
In connection with Sucuri, the data processed according to the provider's publicly available information typically includes IP address, timestamp, requested URL, referrer, user-agent, status code of the server response, transmitted data volume and security- and abuse-relevant signals.
The data can be classified into the following standardised data categories:
- Web server log data: IP address, timestamp, URL, referrer, user-agent, status code of the server response, transmitted data volume.
- Device data: device type and operating system, where derivable from the user-agent.
- Browser information: browser name and version.
- Coarse location data: location derived from the IP address at city or municipality level.
- Technical telemetry data: load times, data volume, technical error messages.
F. Purposes when Using Sucuri
Website operators typically use Sucuri to secure the website against attacks (in particular DDoS, SQL injection, cross-site scripting), for bot detection and filtering, to accelerate content delivery via CDN functions and to detect compromised server content (malware).
These purposes can be classified into the following standardised purpose categories:
- Provision of functionality: technical delivery of the website, caching and performance optimisation.
- Security and abuse prevention: detecting, preventing and ending attacks (e.g. DDoS), bot and spam defence, web application firewall, detection of malware.
- General product improvement: evaluation of aggregated performance and security data to optimise own infrastructure.
- Compliance: compliance with statutory security requirements.
G. Legal Bases when Using Sucuri
In a first step, Sucuri must be assigned to a tool category: it is mainly a tool from the Server operations/Hosting and CDN categories, complemented by functions of a web application firewall.
In a second step, the following legal bases typically come into consideration:
- For WAF, DDoS protection and CDN functions: legitimate interests in provision of functionality, security, abuse prevention, efficiency and legal defence under Art. 6 para. 1 lit. f GDPR.
- For technically necessary cookies or storage accesses for security and session control: typically § 25 para. 2 no. 2 TDDDG (necessity exception), insofar as the storage access is strictly necessary to provide the service explicitly requested by the user (a secure website).
Which legal basis is specifically applicable depends on the configuration and the Sucuri functions used and must be examined by the website operator on a case-by-case basis.
H. Particularities and Notes on Sucuri
- DPA: Sucuri / GoDaddy provides a Data Processing Addendum; concluding it is generally mandatory when used by website operators in Germany.
- Third-country transfer / DPF: According to the publicly available information, Sucuri, Inc. and the GoDaddy group entities are certified under the EU-US Data Privacy Framework; EU Standard Contractual Clauses are used as additional safeguards. The fact that Sucuri operates a globally distributed network may lead to data processing in third countries.
- Subprocessors: A list follows from the Sucuri / GoDaddy compliance documents.
- Captcha and challenge functions: With activated captcha or challenge functions, Sucuri may additionally collect click and interaction data; the legal classification must be examined on a case-by-case basis.
- Settings for the website operator: It is recommended to conclude the DPA, to deliberately configure the activated Sucuri functions and to include Sucuri in the recipients annex of the privacy policy.
- Source note: The information is based on the provider's publicly available publications and does not replace a case-by-case assessment.
I. Frequently Asked Questions on Sucuri and Data Protection
J. Conclusion on Sucuri
When using Sucuri, the website operator routes all requests to its website via the Sucuri Website Firewall, which defends against attacks and accelerates content delivery. The contracting party is Sucuri, Inc., based in the USA; the parent company (GoDaddy group) is certified under the EU-US Data Privacy Framework according to the publicly available information. Key obligations are concluding a data processing agreement, deliberately configuring the Sucuri functions used and including Sucuri in the recipients annex of the privacy policy.
It is generally not advisable for the website operator to include a dedicated boilerplate text for Sucuri in the privacy policy. A structured, topic-oriented approach is recommended that explains tools across topical blocks (server operations, CDN, web application firewall) and only names individual service providers such as Sucuri in an annex of recipients. This is exactly the methodology that the matterius generator follows.
This article provides general information on Sucuri and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and other publicly accessible sources. Status: 6 May 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com