Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Cookiebot

VERIFIED
Cookie consent · Denmark
Founded 2012 · cookiebot.com ↗

Danish cookie consent (Cybot A/S, est. 2012); ISO 27001 + ISO 27701; acquired by Usercentrics 2022 (now Vista Equity-owned).

In short

Cookiebot, in the Cookie consent category, offers EU hosting with Denmark as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.

Assessment notes

Cookiebot by Cybot A/S (Copenhagen DK, founded 2012) is ISO 27001 + ISO 27701 certified with own Danish infrastructure, 600K+ customers, 2.4M sites; acquired by Usercentrics in 2022, and Usercentrics in turn was acquired by Vista Equity Partners (US private equity) in 2024, flipping the ownership chain to eu_hq_us_funded with material CLOUD Act exposure via the US-PE ultimate parent.

CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Cookiebot

Cookiebot (operated by Cybot A/S, Copenhagen, founded 2012) is one of the largest consent management platforms in Europe: 2.4M websites, 8.8B monthly consents, 600K+ customers, Google-certified Gold-tier CMP partner, ISO 27001 + ISO 27701 certified, own Danish infrastructure. The procurement-grade caveat is the ownership chain: Cybot was acquired by Usercentrics in 2022 for ~€100M+; Usercentrics was then acquired by Vista Equity Partners (US private equity) in 2024. So Cookiebot today is German-owned at the operating-group level but US-PE-controlled at the ultimate-beneficial-ownership level. For procurement teams evaluating DACH cookie-consent vendors this is a critical fact rarely surfaced in marketing material.

SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
ISO27701
ACTIVE
FEATURES

Capability matrix

White-label Yes
IAB TCF v2 Yes
Google Consent Mode Yes
Auto cookie scan Yes
Geo-targeting Yes
Consent logging Yes
Multilingual Yes
Free tier Yes
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option No
PRICING

Pricing & tiers

FREEMIUM
from €11/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

  • Data Processing Addendum (DPA)
    www.cookiebot.com/en…
    Open ↗
  • Sub-processors list
    www.cookiebot.com/en…
    Open ↗
  • Terms of Service
    www.cookiebot.com/en…
    Open ↗
ALTERNATIVES

Alternatives in this category

ConsentManager
Germany · Founded 2017
EU-SOVEREIGN

German-owned CMP with own EU data centres (not hyperscaler); ISO 27001, IAB TCF v2 ID 31, 100K+ websites, from €23/mo.

Public DPA Sub-processors Open source
FROM
€23/mo
CLOUD ACT
NONE
Didomi
France · Founded 2017
EU-BASED

Paris-based enterprise CMP (founded 2017); ISO 27001, Google-certified CMP; clients include Volvo, Michelin, Yahoo.

Public DPA Sub-processors Open source
FROM
€19/mo
CLOUD ACT
MINOR
Iubenda
Italy · Founded 2010
EU-BASED

Italian privacy-compliance toolkit (Milan, est. 2010); 150K+ customers; subject to direction of Team.blue NV (Belgium).

Public DPA Sub-processors Open source
FROM
€2/mo
CLOUD ACT
MINOR