ComplyJet's Cloudflare integration gives you always-on visibility into your edge security posture, from WAF and DDoS protection to TLS enforcement and Workers KV encryption. The moment you connect your Cloudflare account, ComplyJet begins pulling configuration directly from the Cloudflare API, mapping every signal to 20+ security and privacy frameworks including SOC 2, ISO 27001, HIPAA, and GDPR, and surfacing drift the instant it appears.
Whether Cloudflare fronts a single marketing site or your entire production edge, ComplyJet turns every domain, protection setting, and account into a live compliance signal, so your team ships fast without audit surprises.
24/7
Continuous monitoring
Compliance automation
How ComplyJet automates SOC 2 / ISO 27001 for Cloudflare
Proving your Cloudflare configuration is secure used to mean clicking through dashboard settings for every zone, screenshotting WAF and TLS configuration, and hoping nothing changed before the auditor looked. Most teams repeat this every quarter, and the evidence is stale the moment it is captured.
1
Connect once
Provide ComplyJet with a read-only Cloudflare API token scoped to the zones and account settings we monitor. No write access, takes under 10 minutes.
2
Monitor continuously
ComplyJet polls your Cloudflare account around the clock, tracking domain protection, TLS enforcement, encryption, and account access settings.
3
Collect evidence automatically
Every passing and failing check is timestamped and stored as audit evidence, with no screenshots, no spreadsheets, no last-minute prep.
4
Get alerted on drift
The moment WAF is disabled on a domain, TLS drops below policy, or an account loses MFA, ComplyJet flags it in real time so your team can remediate before it becomes an audit finding.
The result: your SOC 2 and ISO 27001 evidence is always current, your auditor gets a clean documented trail, and your engineers never have to stop shipping to prepare for a review.
See the Cloudflare integration live
30 minutes. We'll walk through exactly how ComplyJet monitors your Cloudflare environment, collects evidence, and maps checks to SOC 2, ISO 27001, and HIPAA.
Cloudflare resources
What Resources does ComplyJet sync from Cloudflare?
ComplyJet pulls and monitors the following Cloudflare resources in real time. Click any resource to see what's tracked.
Cloudflare Domains & Zones
WAF, bot management, and DDoS protection settings, plus TLS mode and HTTP to HTTPS redirect configuration per zone.
Cloudflare Workers KV
Encryption-at-rest configuration for Workers KV namespaces.
Cloudflare Accounts
User accounts, MFA status, notification configuration, and account-to-employee mapping for access reviews.
Continuous checks
What automated tests does ComplyJet run on Cloudflare?
ComplyJet covers every critical security dimension of your Cloudflare environment, from domain protection to access control, continuously, with every result stored as audit evidence. Click any area to see the checks.
Identity & Access
MFA, account lifecycle, account linking
Admin accounts protected with multi-factor authentication: Verifies MFA is enforced on all Cloudflare user accounts.
Cloud access revoked on employee departure: Verifies no active Cloudflare accounts are mapped to former employees.
Every account linked to an identified individual: Ensures each Cloudflare account is associated with a known user, so access can be reviewed and attributed.
Domain Protection
WAF, bot management, DDoS, alerting
Web application firewall enabled on protected domains: Confirms WAF protection is active so application-layer attacks are filtered at the edge.
Bot management active on protected domains: Verifies automated bot traffic is detected and managed.
DDoS protection enabled on protected domains: Confirms distributed denial-of-service protection is active.
Security notifications enabled: Verifies account notifications are configured so security-relevant events are surfaced to your team.
Encryption & TLS
TLS enforcement, HTTPS serving, Workers KV encryption
Strong TLS encryption mode enforced: Verifies the SSL/TLS mode is set to a secure configuration so traffic is encrypted end to end.
HTTP traffic automatically redirected to HTTPS: Confirms HTTP requests are redirected to HTTPS so content is never served unencrypted.
HTTPS serving enabled on protected domains: Verifies domains serve content over HTTPS.
Edge key-value storage encrypted at rest: Confirms Workers KV namespaces are encrypted at rest.
Setup
How to Integrate Cloudflare with ComplyJet
Takes under 10 minutes. No code required, just a read-only API token.
1
Log in to ComplyJet and go to Integrations
Find Cloudflare in the integrations list and click Connect.
2
Create a read-only Cloudflare API token
In the Cloudflare dashboard, create an API token with read scope for zone settings and account membership. No write permissions are required.
3
Paste the token into ComplyJet
ComplyJet validates the connection and confirms which zones and accounts are in scope.
4
ComplyJet begins syncing immediately
Your domains, Workers KV namespaces, and accounts appear in the inventory within minutes, automated checks start running, and evidence collection begins.
Need help connecting multiple Cloudflare accounts or zones? Reach out to our support team.
Framework coverage
What Controls Are Automated Across SOC 2 / ISO 27001 / HIPAA
ComplyJet maps every Cloudflare check to the relevant framework controls and maintains an always-current evidence record for your auditor.
SOC 2
Logical access, network security, monitoring, audit trail, availability
CC6.1
Logical access security: MFA enforcement across Cloudflare accounts, access revocation on termination, account-to-user attribution.
CC6.6
Network access restrictions: WAF, bot management, and DDoS protection enforced at the edge.
CC6.7
Encryption in transit: strong TLS mode enforced, HTTP to HTTPS redirect, HTTPS serving.
CC6.8
Detection and prevention of unauthorized access: edge protection settings and security notifications.
CC7.2
Security event evaluation: notifications enabled so security events are surfaced in real time.
ISO 27001
Access control, authentication, logging, network security, cryptography, backup
A.5.15
Access control: MFA enforcement, account attribution, access revocation on departure.
A.8.20
Network security: WAF, bot management, and DDoS protection at the edge.
A.8.24
Use of cryptography: strong TLS enforced, HTTPS serving, Workers KV encrypted at rest.
A.8.16
Monitoring activities: security notifications configured for the account.
HIPAA
Access control, encryption, audit controls, integrity, transmission security
§164.312(a)(1)
Access control: MFA enforcement and account attribution on Cloudflare accounts.
§164.312(e)(2)(ii)
Transmission security: strong TLS mode, HTTP to HTTPS redirect, HTTPS serving enforced.
§164.312(a)(2)(iv)
Encryption: Workers KV encrypted at rest.
.svg){kind=logo}
