“Create custom, responsive websites with the power of code — visually.”
Webflow is a visual platform for creating, managing, and hosting websites and web-based experiences.
Its features include, among other things, a visual builder, CMS, hosting, collaboration, APIs, localization, Analyze/Optimize, as well as Webflow AI for site generation, copy, CMS content, and SEO/AEO support. For classification as an “AI tool,” it is important to note: AI is a growing part of the product, but not its sole core.
Webflow
Build, manage, optimize — all with Webflow AI
Location: USA ⓘ Webflow, Inc., 398 11th Street, Floor 2, San Francisco, CA 94103, USA
CMS For blogs, content websites, and dynamic content with CMS features.
Business For larger marketing and business websites with higher capacity and more traffic.
Standard / Plus / Advanced For online stores with increasing e-commerce features and capacities.
Starter / Core / Growth / Freelancer / Agency Workspace plans for individuals, teams, freelancers, and agencies with collaboration, roles, and client access. Other Enterprise Custom Enterprise offering with advanced security, support, governance, and scalability features.
Webflow AI AI Site Builder and AI Assistant for website creation, pages, CMS Collection Items, SEO/AEO, and help in the Editor.
Target audience
Webflow is aimed primarily at marketers, designers, content teams, freelancers, agencies, and in-house web teams that want to launch websites faster without a traditional frontend handoff. It is interesting for developers when visual creation, CMS, APIs, Webflow Cloud, or controlled collaboration with non-developers are important. Webflow also addresses larger companies with Enterprise security, governance, and support features.
Outstanding features
Webflow is particularly strong in the combination of visual builder, structured CMS, managed hosting, team collaboration, and now AI-powered features. These include AI Site Builder, AI-supported copy/CMS creation, SEO/AEO support, Localization, website analytics with Analyze, and conversion/personalization features with Optimize. For Enterprise, governance mechanisms such as workspace-wide AI control, role-based access, audit/identity features, and SLA-like characteristics are added.
Key use cases
Typical use cases include marketing websites, campaign and product landing pages, corporate websites, content hubs, blogs, SEO-driven websites, and—with Ecommerce plans—custom online stores as well. In addition, Webflow is suitable for multilingual websites, AI/search-optimized content, lead generation, and web teams that want testing, analytics, and personalization as close to the website stack as possible.
Usage & notes
Webflow is easily accessible, but not “trivial”: Anyone who only wants a very simple website may quickly feel overwhelmed by the scope, plan logic, and learning curve. From a data protection perspective, users should pay particular attention to consent management, forms, embedded third-party providers, international data transfers, and US data processing. Also technically important: a paid Site Plan is required for productive custom domain publishing, code export does not cover dynamic CMS content, and Localization is not compatible with Ecommerce.
| Target audience | Assessment |
|---|---|
| Designers / web designers | Very suitable – for visual website design with a high degree of creative freedom and clean hosting. |
| Freelancers / agencies | Very suitable – for client websites, landing pages, CMS websites, SEO/AEO, and faster creation with AI Site Builder. |
| SMEs / marketing teams | Very suitable – for marketing pages, CMS, blogs, campaign pages, and website operations without a traditional developer team. |
| Large enterprises | Suitable to very suitable – Enterprise offers governance, scalability, security, and team features. |
| Private individuals | Suitable – for portfolios and simple websites, but more complex than Wix or Hostinger. |
| Pure app builders | Conditionally suitable – Webflow is primarily a website/CMS platform, not a full-fledged app backend builder like Bubble. |
Hosting & Data
1) On-prem / local hosting
Meaning: The company operates the solution on its own hardware or within its own infrastructure. In the strictest sense, not only the application runs locally, but ideally the model as well.
2) Private cloud / data center
Meaning: The solution runs in a dedicated or more clearly separated cloud environment, often with a hosting provider or hyperscaler, but in a German data center or in a particularly controlled environment.
3) EU SaaS / managed
Meaning: The provider operates the solution itself as a service. The company uses the tool as a ready-made cloud service, ideally with EU data residency.
4) Hybrid
Meaning: One part of the processing remains internal / local / in a private cloud, while another part runs in an external cloud or EU SaaS.
5) AVV / DPA
Meaning: This is the data processing agreement or Data Processing Addendum. It governs that the provider processes personal data on behalf of the customer and is bound by the customer's instructions.
6) No training
Meaning: The provider does not use your prompts, uploads, attachments, chat histories, or outputs for training or improving the general model — ideally excluded by contract.
7) Open-source / transparency path
Meaning: There is a path toward greater technical transparency and sovereignty, for example through:
- open models
- documented components
- self-hostable parts
- traceable architecture
- export / switching options
| On-prem / local hosting | ❓ |
| Private cloud / data center | ⚠️ |
| EU SaaS / Managed | ⚠️ |
| Hybrid | ❓ |
| DPA / AVV | ✅ |
| No training on customer data | ✅ |
| Open source / transparency path | ⚠️ |
On-Prem / local hosting: indirect / not available
No on-premise or local self-hosting deployment for Webflow was found on the website. Webflow describes itself as a platform/SaaS and refers to its own or cloud-based infrastructure; deployment on customer-owned hardware is not stated on the website.
Private cloud / data center: partial
The Trust Center mentions a 'Webflow Custom Hosting (WCH) Pentest Report', which indicates a special hosting offering. However, no specific statements were found in the website content indicating that customers can choose a dedicated private cloud or a clearly defined EU/EEA data center.
EU SaaS / managed: partial
Webflow clearly offers a managed SaaS service. However, for EU/EEA requirements, there is no explicit commitment to EU data residency or EU/EEA hosting, and the Privacy FAQs explicitly mention the storage of customer and end-user data in the USA.
Hybrid: indirect / not available
A hybrid operating model with partly internal/local processing and partly external processing was not described on the website. A combination of local model usage and the Webflow cloud is also not stated.
DPA / DPA: covered
A DPA is available on the website and, according to the Privacy FAQs, is available to all customers regardless of plan and is incorporated into the terms of use by default. According to the website, the DPA also contains the EU Standard Contractual Clauses and other data protection contractual mechanisms.
No training: covered
On its AI page, Webflow explicitly states that customer data is not used to train generative AI models and that third-party providers are also contractually prevented from using customer data to train their models. This means that an opt-out is not merely implicit; rather, the no-training approach itself is documented.
Open source / transparency path: partial
No open-source or self-hostable core was found on the website. However, there is a certain transparency path via the Trust Center, security documentation, subprocessor list, and contractual documents. Nothing specific is stated on the website regarding open-source components in the sense of a sovereign operating path.
Data processing
The website describes Webflow as a managed cloud service. According to the Privacy FAQs, Webflow stores customer and end-user data in the USA. According to the DPA, the infrastructure is operated via ISO 27001-certified AWS data centers in multiple regions and availability zones. Webflow publishes a subprocessor list with the locations of subcontracted processors and states that it has concluded data processing agreements with each of them, including a valid transfer mechanism. For AI features, Webflow states that customer data is not used to train generative models.
Conclusion
For a European tool directory, Webflow can only be rated conditionally positively from a data protection perspective: the contractual framework, subprocessor transparency, security certifications, and the documented exclusion of AI training with customer data speak in its favor. However, the explicitly stated storage in the USA and the lack of clearly documented EU data residency or an on-premise/self-hosting alternative on the website argue against a clear classification as fully uncomplicated GDPR-compliant.
Sources
| On-prem / local hosting | ❓ |
| Private cloud / data center | ⚠️ |
| EU SaaS / Managed | ⚠️ |
| Hybrid | ❓ |
| DPA / AVV | ✅ |
| No training on customer data | ✅ |
| Open source / transparency path | ⚠️ |
On-Prem / local hosting: indirect / not available
No on-premise or local self-hosting deployment for Webflow was found on the website. Webflow describes itself as a platform/SaaS and refers to its own or cloud-based infrastructure; deployment on customer-owned hardware is not stated on the website.
Private cloud / data center: partial
The Trust Center mentions a 'Webflow Custom Hosting (WCH) Pentest Report', which indicates a special hosting offering. However, no specific statements were found in the website content indicating that customers can choose a dedicated private cloud or a clearly defined EU/EEA data center.
EU SaaS / managed: partial
Webflow clearly offers a managed SaaS service. However, for EU/EEA requirements, there is no explicit commitment to EU data residency or EU/EEA hosting, and the Privacy FAQs explicitly mention the storage of customer and end-user data in the USA.
Hybrid: indirect / not available
A hybrid operating model with partly internal/local processing and partly external processing was not described on the website. A combination of local model usage and the Webflow cloud is also not stated.
DPA / DPA: covered
A DPA is available on the website and, according to the Privacy FAQs, is available to all customers regardless of plan and is incorporated into the terms of use by default. According to the website, the DPA also contains the EU Standard Contractual Clauses and other data protection contractual mechanisms.
No training: covered
On its AI page, Webflow explicitly states that customer data is not used to train generative AI models and that third-party providers are also contractually prevented from using customer data to train their models. This means that an opt-out is not merely implicit; rather, the no-training approach itself is documented.
Open source / transparency path: partial
No open-source or self-hostable core was found on the website. However, there is a certain transparency path via the Trust Center, security documentation, subprocessor list, and contractual documents. Nothing specific is stated on the website regarding open-source components in the sense of a sovereign operating path.
Data processing
The website describes Webflow as a managed cloud service. According to the Privacy FAQs, Webflow stores customer and end-user data in the USA. According to the DPA, the infrastructure is operated via ISO 27001-certified AWS data centers in multiple regions and availability zones. Webflow publishes a subprocessor list with the locations of subcontracted processors and states that it has concluded data processing agreements with each of them, including a valid transfer mechanism. For AI features, Webflow states that customer data is not used to train generative models.
Conclusion
For a European tool directory, Webflow can only be rated conditionally positively from a data protection perspective: the contractual framework, subprocessor transparency, security certifications, and the documented exclusion of AI training with customer data speak in its favor. However, the explicitly stated storage in the USA and the lack of clearly documented EU data residency or an on-premise/self-hosting alternative on the website argue against a clear classification as fully uncomplicated GDPR-compliant.
Sources
Strengths & weaknesses at a glance
| Strengths | Weaknesses |
|---|---|
| - Very strong combination of visual design, CMS, and hosting from a single source. | - Problematic for strict EU data residency requirements, because Webflow is US-based and, according to its Privacy FAQ, stores customer/end-user data in the USA. |
| - Suitable for marketing, content, and web teams with little dependency on developers. | - A paid Site plan is required for live operation; Free is primarily suitable for prototyping/staging. |
| - Strong AI extensions: Site Builder, copy, CMS generation, SEO/AEO support. | - The Basic Site plan does not include CMS features. |
| - Strong team and enterprise features such as roles, approvals, SSO/SCIM/audit options depending on the plan. | - Code export is only a partial workaround, as dynamic content/CMS pages cannot be exported. |
| - Mature security/compliance signals through SOC 2 Type II and ISO certifications. | - According to Webflow, Localization is not compatible with Ecommerce. |
| 6) Several advanced features are add-ons or Enterprise-/sales-led. |
Reviews
0 reviews in total
There are no confirmed reviews for this tool yet.
Submit review
Your review will only become visible after email confirmation. This protects the portal against abuse.
Report review
Please select the reason why this review should be checked.
GDPR-compliant usage possible?
Webflow documents several important building blocks for GDPR-compliant use for customers in the EU/EEA region: a privacy policy, a Data Processing Addendum as a data processing agreement, a subprocessor list, standard contractual clauses in the DPA, certifications, as well as statements that customer data is not used to train generative AI models. At the same time, Webflow explicitly states the storage of customer and end-user data in the USA and refers to data transfers to the USA or other countries. Explicit EU data residency or clearly documented EU/EEA hosting as a standard or simple option is not specified on the website. For the EU/EEA as a whole, use is therefore only viable under certain conditions and following the user's own legal review, not as clearly and comprehensively demonstrated standard compliance.
Positive
Positively documented are a DPA/data processing agreement, the inclusion of the EU Standard Contractual Clauses and the UK transfer mechanism in the DPA, a published subprocessor list, contractual obligations toward subprocessors, statements excluding AI training on customer data, as well as certifications such as SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018.
Negative
Negative from an EU/EEA perspective is above all that Webflow itself states that it stores customer and end-user data in the USA, and that the website does not indicate clear EU data residency, no exclusive EU/EEA data center for SaaS use, and no on-premise/self-hosting option. This means that a third-country transfer risk remains, and fully uncomplicated GDPR use is not demonstrated on the basis of the website.
Server location
The website states that Webflow stores customer and end-user data in the USA. The DPA additionally describes that the infrastructure is operated via ISO 27001-certified Amazon Web Services data centers in multiple regions and Availability Zones; however, specific EU/EEA server locations for customer data are not named. The subprocessor list lists the locations of individual subcontracted processors, including the USA, the United Kingdom, and Ireland.