Independently verified · Quarterly re-audit
EU VETTED

Storyblok

VERIFIED
Headless CMS · Austria
Founded 2017 · storyblok.com ↗

Austrian headless CMS (Linz, est. 2017); ISO 27001 certified; enterprise customers (Disney, Netflix); Series C led by US private-equity firm Brighton Park.

Why this score?

Storyblok (Linz AT, founded 2017) is ISO 27001 certified and has an enterprise customer base (Disney, Netflix, Adidas, Renault). It raised a $47M Series B in 2022 (Mubadala UAE + HV Capital DE + 3VC + firstminute) and an $80M Series C led by Brighton Park Capital (US private equity). The US-PE-led Series C flips the signal to eu_hq_us_funded, with material CLOUD Act exposure.

SCORE
3.0/5
CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
OVERVIEW

About Storyblok

**Storyblok** (Linz, Austria, founded 2017) positions itself as the "#1 Enterprise Headless CMS" with a visual-editor differentiator (rather than pure-developer-tool positioning). Customers include **Disney, Netflix, Oatly, Adidas, Renault, Marc O'Polo, Autodesk, Virgin Media O2**. ISO 27001 certified, 99.99% uptime SLA, framework support for Next.js, Astro, Nuxt, React, Vue, Eleventy, Symfony. Funding history: **$47M Series B in 2022** led by Mubadala Capital (UAE) and HV Capital (DE) with 3VC and firstminute; **$80M Series C** subsequently led by **Brighton Park Capital** (US private equity, Greenwich CT). The US-PE-led Series C is the procurement-grade caveat — flipping ownership_signal from eu_owned to eu_hq_us_funded.
SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
FEATURES

Capability matrix

INTEGRATION & ACCESS
  • REST API: Yes
  • SSO (SAML / OIDC): Yes
COMPLIANCE & GOVERNANCE
  • Audit log: Yes
  • Self-host / on-prem option: No
PRICING

Pricing & tiers

FREEMIUM
Custom pricing

Contact vendor for tier or volume pricing.

PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement — this caps the compliance score (see How we score).
  • Data Processing Addendum (DPA): missing
  • Sub-processors list: missing
ALTERNATIVES

Alternatives in this category