Alternativa apenas UE a Cloudflare.
Cloudflare is the most US-exposed vendor in most "EU" stacks because it sits in front of the user — every visitor connects to a Cloudflare edge server before reaching your origin. The EU regions of Cloudflare are EU-located edges, but the parent company is a Delaware corporation with US-controlled key material and US-controlled traffic logs. For Schrems II purposes, Cloudflare in front of personal-data traffic is one of the most defensible problems to remove first, because the alternatives — Bunny.net (SI) and KeyCDN (CH) — have comparable feature sets and dramatically simpler legal stories.
"Região UE" não é soberania. Quatro perguntas decidem.
Residência de dados diz onde os bits ficam. Soberania diz qual sistema jurídico pode forçar o acesso. A resposta tem de valer nos quatro pontos — caso contrário a stack não é soberana.
Onde os dados estão fisicamente armazenados?
Não "na nuvem" — qual datacenter, em qual país, sob qual jurisdição.
Quem mais está no seu caminho de dados?
Cada fornecedor que toca os dados: o CDN, o relay de e-mail, o rastreador de erros, o pipeline de analytics.
Quais leis podem forçar a divulgação?
Um fornecedor com sede nos EUA está sujeito ao FISA 702 e ao CLOUD Act — mesmo quando os dados estão em Frankfurt.
Quem detém realmente as chaves de cifragem?
Se o provedor de nuvem tem tanto os dados quanto as chaves, ele pode lê-los — independentemente de qualquer DPA.
Falha em jurisdição e custódia de chaves.
Bits na UE, casa-mãe nos EUA, subprocessadores americanos no caminho predefinido, chaves geridas pelo fornecedor.
Passa nos quatro.
Hospedado na UE em infraestrutura com sede europeia. Zero subprocessadores americanos no caminho padrão. Chaves do cliente ou de KMS europeu. Nomeados no seu DPA Artigo 28.
Porque é que as equipas estão a sair Cloudflare
The pattern we see: a privacy or DPO review identifies Cloudflare as a US subprocessor that processes every visitor request including IP addresses, browser fingerprints (via Bot Management) and cookies. Under Schrems II that is a transfer that needs supplementary measures — typically encryption that Cloudflare cannot read, which defeats the WAF and Bot Management features that were the reason for using Cloudflare. The simpler answer is to swap to an EU-jurisdictional provider where the legal analysis collapses to "no transfer." Bunny.net is the standard target and the migration is genuinely a few hours of DNS and configuration work.
Cloudflare serviços e os seus equivalentes apenas na UE
Uma migração não é "trocar uma caixa por outra". O mapeamento abaixo é o que executamos para clientes que saem de Cloudflare por motivos Schrems II — plena jurisdição UE, sem casa-mãe US no caminho dos dados.
| Cloudflare serviço | Alternativa apenas UE | Nota de engenharia |
|---|---|---|
| Cloudflare CDN | Bunny.net, KeyCDN (CH) | Bunny has 110+ POPs including dense EU coverage. Per-GB pricing is roughly half Cloudflare's comparable plan. Migration is a CNAME flip plus origin pull configuration. |
| Cloudflare WAF | Bunny WAF, ModSecurity / Coraza on EU edge, OVH Anti-DDoS rules | Bunny's WAF covers OWASP Top 10 with rule-based controls. For deep custom rules, ModSecurity on a self-managed edge is the production pattern. |
| Cloudflare DDoS protection | OVH Anti-DDoS (included on most plans), Bunny DDoS protection | OVH has invested heavily in their VAC scrubbing infrastructure; for large-scale L3/L4 attacks they are demonstrably competitive with Cloudflare. |
| Cloudflare DNS | Hetzner DNS, Bunny DNS, deSEC (DE non-profit) | For most use cases Hetzner or Bunny is sufficient. deSEC is privacy-first with mandatory DNSSEC. |
| Cloudflare R2 (storage) | Bunny Storage, OVH Object Storage, Wasabi EU, self-hosted MinIO | R2's zero-egress story is unique; on EU providers, egress is also typically free or very low, so the cost argument transfers. |
| Cloudflare Workers | Bunny Edge Scripting, self-hosted edge functions on Knative, EU-based serverless platforms | Workers is the hardest single Cloudflare product to replace. For most use cases (request rewriting, A/B testing, simple APIs), Bunny Edge Scripting covers it. For complex Workers (Durable Objects), self-hosted is the pattern. |
| Cloudflare Pages | Bunny CDN + EU object storage, GitLab Pages (EU instance), self-hosted Coolify | Pages' main value is the build pipeline; that piece moves to your CI provider. |
| Cloudflare Tunnel (Argo) | Tailscale (US — flag), Twingate (US — flag), Wireguard self-managed, Netbird (DE) | Netbird is DE-headquartered and provides the "no-public-IP" pattern with EU jurisdiction. Wireguard self-managed is the standard sovereign answer. |
| Cloudflare Access (zero trust) | Pomerium self-hosted, Authelia self-hosted, Boundary by Hashicorp on EU infra | For internal-only applications, an OIDC-protected reverse proxy on EU infrastructure is functionally equivalent. |
| Cloudflare Stream (video) | Bunny Stream, OVH Streaming, self-hosted Mediamtx with EU-only POPs | Bunny Stream offers comparable HLS/DASH delivery with EU-only edge option. |
| Cloudflare Bot Management | CrowdSec (FR), DataDome (FR), Cloudflare → Bunny + custom rules | CrowdSec is FR-headquartered and increasingly capable. For high-traffic e-commerce, DataDome (also FR) is the enterprise alternative. |
Como migramos de Cloudflare
Uma migração típica de mid-market decorre em três fases. Os números abaixo assumem uma equipa de engenharia de 6 a 10 pessoas e uma stack de aplicação moderadamente complexa.
Inventory & risk-rank
List every Cloudflare product in use: CDN, DNS, WAF rules, Workers, Pages, R2, Tunnel, Access. Map each to a personal-data exposure (does it touch PII?) and migration complexity. Output: priority list, usually CDN/DNS first.
Soft swap (CDN, DNS, R2)
Provision Bunny pull zones for the same hostnames. Test with a staging hostname. Cut DNS over with low TTL pre-stage. R2 → Bunny Storage migration via parallel-write. WAF rules ported manually to Bunny WAF.
Hard pieces (Workers, Tunnel, Access)
Worker code reviewed and either ported to Bunny Edge Scripting, rewritten as origin-side middleware, or self-hosted on Knative. Tunnel replaced with Netbird or self-managed Wireguard. Access replaced with Pomerium or Authelia. Pages workloads moved to GitLab Pages or self-hosted.
Cloudflare-to-Bunny migrations almost always reduce monthly spend by 40–70% at typical mid-market volumes. The exceptions are Workers-heavy stacks (where the equivalent self-hosted infrastructure has higher fixed cost) and high-traffic Pages stacks (where Cloudflare's aggressive free tier is hard to match).
Perguntas frequentes
Cloudflare has EU-only data plans now — does that solve it?
Cloudflare's "Data Localization Suite" can keep EU traffic on EU edges and EU keys, which addresses residency. It does not address jurisdiction: Cloudflare Inc. remains a US corporation subject to the CLOUD Act. For most Schrems II analyses, the data-localization product is an improvement but not full sovereignty.
Will switching CDN affect performance for European visitors?
For European users specifically, Bunny.net often performs equal or better than Cloudflare because their EU POP density is higher per-traffic. Real-world tests on e-commerce migrations have shown TTFB improvements of 10–30ms for EU-specific traffic. For global users (US, APAC), Cloudflare's POP count is larger.
How do we handle Cloudflare Workers replacement?
Three patterns depending on the Worker: (1) trivial request rewrites move to Bunny Edge Scripting unchanged, (2) Workers that talk to KV / Durable Objects need a re-architect — typically the logic moves to the origin and uses Redis or Postgres, (3) Workers acting as API endpoints become small Knative services on EU infrastructure.
Is Bunny.net a real Schrems II–safe alternative?
Bunny.net is BunnyWay d.o.o., headquartered in Ljubljana, Slovenia (EU member). The legal entity is fully under EU jurisdiction. Their published subprocessor list is short and EU-focused. For Schrems II, the analysis collapses to "no third-country transfer" which is materially easier than Cloudflare's data-localization story.
What about Fastly or Akamai?
Both US-headquartered. Fastly is San Francisco; Akamai is Cambridge, MA. Same CLOUD Act analysis as Cloudflare. They are not Schrems II–easier than Cloudflare; they are different US providers with different feature sets.
How long does a Cloudflare migration take?
For a typical workload (CDN, DNS, basic WAF, no Workers): 1–2 weeks elapsed. For a Workers-heavy or Tunnel-dependent setup: 4–8 weeks. We can run the whole thing as a managed migration if you want it done without burning your team's capacity.
Planeie a sua saída de Cloudflare.
Chamada de scoping de 30 minutos. Mapeamos a sua stack contra alternativas apenas UE, estimamos o esforço de migração e dizemos-lhe se é a decisão certa.