Discuss and eventually include other key points

[smileBeda]

• No analytics tracking
• Self hosted content with no images or video served from 3rd party sources
• No CDN like CloudFlare (why?)
• No social media sharing (why?)
• Only using self hosted fonts
• Only using web hosts that are GPDR ready and PCI-DSS compliant. Not even considering web hosts that inject code into web pages for monitoring like GoDaddy a while back.
• Refusing to use page builders like Wix, Squarespace or others that inject tracking code
• Must use SSL and preferably with HSTS preload enabled.
• Mail sent over contact forms should not be routed to third party services like Office 365. This would be tricky, because a lot of end users (website owners) may want that.
• A declaration that the website is checked regularly for any virus etc and updated regularly to in light of current security practices and technologies.
• No clever heat maps. (what is meant with this)

[smileBeda]

No CDN like CloudFlare (why?)

One of the issues of DNS in general may be something like this:

The problem with this is that your connection to Cloudflare is encrypted via TLS, however once it reaches Cloudflare servers, it gets decrypted. This means Cloudflare, a US based company, can read your passwords, private messages and everything else. The government can repeat what they did with Lavabit to extract this information. To make it worse, using Cloudflares “flexible SSL”, the connection from Cloudflare to the destination may not even be encrypted, leaving all the information completely in the open to be read by anyone. Just to top it off, because the encryption from you to Cloudflare is encrypted, you will always be presented with a green padlock in your browser, making you none the wiser to how safe you actually are.

See also http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

Wether or not that is an issue needs to be seen. Technically, "matching" the requester (website visitor) with the other side of the request (between CloudFlare and the server) shouldn't be possible, since both sides are encrypted, and hence both sides are secure, it doesnt matter if in the middle there is a listener, since that listener would only receive un-connected bits of data, and wouldn't know who sent it, or who receives it. At leats, from my narrow knowledge this is what I would say. But seems there are concerns so this must be checked. A privacy policy is worthless if at the end all it needs is a CDN to knock it out.

[smileBeda]

No social media sharing (why?)

I agree with no social media tracking
But does the social media also infringe privacy if we share our websites on the socmed?

[smileBeda]

We can use CloudFlare but we have to disable the orange Cloud (proxying)
The CloudFlare support confirmed this:

Hi again,

Yes. If you disable Orange clouding, HTTP/HTTPS traffic will not go to Cloudflare. Instead, customers will go directly to your origin IP, and get the SSL certificate of your origin.

As your customers will be given your SSL certificate Cloudflare has no way to read your traffic even if we tried.

If your site was GDPR compliment without Cloudflare CDN, then disabling Cloudflare, and only using Cloudflare DNS should allow you to be GDPR compliant again as we would not see any website traffic.

Please let me know if you have any further issues or questions.

Thanks,

Shiyang | Cloudflare Support

This is good news. We can use reliable and cheap service of CloudFlare (however without protection service)
They won't be able to read in, and GDPR is granted again. As well TukuToi Zero Tracking got a step further since now all the tracking done by CF would not be blocking us.

What the real bummer is that you cannot use a CDN if you want to be GDPR compliant, no matter if it is CloudFlare or else.
Neither a DDOS protection (external) nor a (external) cache service.
This is plain simply because to deliver optimised files, or block an attack the service would need to read the SSL request which is only possible by decrypting it.