Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Strapi

VERIFIED
Headless CMS · France
Founded 2017 · strapi.io ↗

Paris-based open-source headless CMS (founded 2017); MIT-licensed core, Strapi Cloud PaaS, US-VC-funded (Insight, CRV).

In short

Strapi, in the Headless CMS category, offers EU hosting with France as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.

Assessment notes

Strapi (Paris FR, founded 2017) is the leading open-source headless CMS (MIT license) with Strapi Cloud (PaaS) and Enterprise self-hosted editions; SOC 2 certified, GDPR compliant; but Series C 2022 was led by Insight Partners (US PE/VC) with CRV (US) and Index: material US-VC control flips signal to eu_hq_us_funded; no public ISO 27001 attestation.

CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
CLOUD Act by deployment

Exposure depends on how you run this product.

Hosted SaaS (default)

Vendor-operated: the sub-processors below apply.

Self-hosted (open-source)

Deploy on your own EU infrastructure and you control hosting and every sub-processor.

Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Strapi

Strapi (Paris, France, founded 2017) is the most-installed open-source headless CMS: MIT-licensed core, Strapi Cloud PaaS-hosted offering, and Enterprise Edition self-hosted with extended features. The OSS community is significant (>60K GitHub stars). Compliance: SOC 2 certified, GDPR compliant (no public ISO 27001 attestation surfaced at time of research). The procurement-grade caveat is funding: Series C 2022 was led by Insight Partners (US growth-PE, $90B AUM, New York) with CRV and Index. So the company is French-operated but US-PE-controlled at cap-table level. Effective story when self-hosted (MIT) on EU infra: customer data never reaches Strapi, so cap-table US influence is moot for that deployment.

SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

SOC 2
ACTIVE
Informational · US framework
FEATURES

Capability matrix

Self-hostable Yes
Version history Yes
GraphQL API Yes
REST API Yes
Visual editor Yes
Localization (i18n) Yes
Media library Yes
API / webhooks Yes
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option Yes
PRICING

Pricing & tiers

FREEMIUM
from €15/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    — missing
    missing
ALTERNATIVES

Alternatives in this category

DatoCMS
Italy · Founded 2015
EU-BASED

Italian developer-friendly headless CMS (Milan); 25K+ businesses; bootstrapped feel, no US PE.

Public DPA Sub-processors Open source
FROM
€39/mo
CLOUD ACT
MINOR
Enonic
Norway · Founded 2000
EU-HOSTED

Norwegian headless/hybrid CMS (Oslo, est. 2000); founder-owned, ISO 27001 + 9001 certified; but managed Enonic Cloud runs on Google Cloud + Azure + Fastly.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MATERIAL
Hygraph
Germany · Founded 2017
EU-BASED

Berlin GraphQL-native headless CMS (formerly GraphCMS, founded 2017); enterprise clients incl. Samsung, LEGO; mostly EU-funded.

Public DPA Sub-processors Open source
FROM
€39/mo
CLOUD ACT
MINOR