Consent Management Platforms: who runs where
A reference table comparing European CMP vendors by actual infrastructure provider. Which ones run on AWS or GCP — and what that means for CLOUD Act and FISA 702 exposure.
Consent Management Platforms sit at the boundary between user consent and data collection. They see every page load, every consent signal, and in many implementations they initialise or gate all other tags. Infrastructure sovereignty matters here as much as anywhere in the stack.
The table below compares European CMP vendors by who actually hosts their infrastructure — not where they are incorporated.
The data
| Vendor | Legal entity | Infra provider | DC regions | CLOUD Act | FISA 702 | Self-hostable | DPA | Verified |
|---|---|---|---|---|---|---|---|---|
| Cookiebot (Cybot) | DK | Cloudflare | global CDN (US-owned) | yes | yes | no | yes | 2026-04-12 |
| Usercentrics | DE | GCP | europe-west1 (Belgium) | yes | yes | no | yes | 2026-04-12 |
| Didomi | FR | AWS | eu-central-1 (Frankfurt) | yes | yes | no | yes | 2026-04-12 |
| Axeptio | FR | AWS | eu-west (Warsaw CloudFront POP) | yes | yes | no | yes | 2026-04-12 |
| iubenda | IT | AWS | global | yes | yes | no | yes | 2026-04-12 |
| Consentmanager | SE | PlusServer GmbH | DE (North Rhine-Westphalia) | no | no | no | yes | 2026-04-12 |
| CookieYes | IN | Cloudflare | global CDN (US-owned) | yes | yes | no | yes | 2026-04-12 |
| Klaro (KIProtect) | DE | Hetzner | DE (Bavaria) | no | no | yes | yes | 2026-04-12 |
Data sourced from the eu-martech-sovereignty public repo. Found an error? Open a PR.
What the data shows
Six of eight vendors in this table run on US-owned infrastructure — AWS, GCP, or Cloudflare. The two exceptions are Consentmanager, hosted on PlusServer GmbH (a German company with no US parent), and Klaro’s hosted version, run by KIProtect GmbH on Hetzner in Bavaria.
Klaro is also the only entry that is fully open source, making genuine self-hosting straightforward. Every other CMP in this table requires using the vendor’s cloud service, and in six of seven cloud cases that service runs on infrastructure subject to US law.
One entry worth flagging separately: CookieYes is incorporated in India, not the EU. It appears here because it is widely deployed across European sites, but the “European CMP” framing does not apply to it.
The pattern across AWS, GCP, and Cloudflare deployments is consistent with the broader martech industry: EU data center location (Frankfurt, Belgium, Warsaw) does not change the legal jurisdiction of the infrastructure provider. All three are US-incorporated companies subject to CLOUD Act and FISA 702.
Methodology
Each entry is verified through at least one of: IP/whois lookup, DNS/ASN check, official documentation, direct support inquiry, or community contribution. Full methodology: methodology.md.
Last full review: 2026-04-12. Data may be outdated — open a PR with corrections.
Help keep this accurate
This table is backed by a public Codeberg repo. If you work at one of these vendors, have done your own infrastructure audit, or received a support response worth documenting — open a PR.
See also: European company ≠ European infrastructure · sGTM hosting comparison · Analytics alternatives