Originally aired on Today @ 12:00 PM - 12:30 PM EDT
In this episode, host João Tomé is joined by Emily Hancock, Chief Privacy Officer at Cloudflare, and Rory Malone, Principal Privacy Compliance Specialist at Cloudflare. They discuss Cloudflare's new privacy certifications. At the end, there's also Confidence Okoghenun, Senior Systems Engineer at Cloudflare, sharing the innovative Cloudflare Containers for developers.
Emily Hancock and Rory Malone discuss Cloudflare's new Global Cross-Border Privacy Rules (CBPR) and Global Privacy Recognition for Processors (PRP) certifications, highlighting their role in building trust and ensuring secure data transfers globally. They explain how Cloudflare applies the highest privacy standards consistently across its network, regardless of user location, and the rigorous audit process involved.
Confidence Okoghenun then introduces the public beta of Containers on Cloudflare Workers, a significant development for developers. He explains how containers package applications with all dependencies, allowing almost any application to run reliably on Workers. Confidence also does two demos, demonstrating a full Linux desktop in a browser and a video-to-GIF converter, showcasing the newfound flexibility and integration with other Cloudflare services.
And I'll just note too that the 27701 and 27018 and the EU Cloud Code of Conduct, those are more geared towards saying Cloudflare's privacy program meets certain standards that are compliant with the GDPR.
The global cross-border privacy rules or the PRP rules, that certification is more about how we transfer data when we take it out of certain countries and take it to the United States or another country.
And that actually is very similar in some respects to other standards called the EU-US Data Privacy Framework, which is a method for transferring data from the EU to the US.
There's also one for Switzerland and the UK and we're self-certified to those.
The difference there is for those we say, yes, we meet the check mark items that you have to do, but nobody audits you against them.
The global CBPRs, we actually were audited and a third party did say that, yes, indeed we do the things that we say we do when it comes to transferring data.
So containers was a technology developed to ensure that I have everything I need for this application to run.
And then when I send it off somewhere, it has all of the dependencies for it to go.
So we've brought that technology into Cloudflare Workers.
And this means that applications you could not run on Workers before is now possible because we're giving you access to Docker containers, and then you can bring those applications or workloads to be run on Cloudflare.
Hello everyone, and welcome to This Week in NET.
It's the June 27, 2025 edition. The summer is here, at least in the Northern Hemisphere, quite hot in Portugal these days.
I'm João Tomé, based in Lisbon, Portugal. And this is an episode where we're going to talk about privacy, certifications, compliance, but also about developers and something called containers.
But before we go into the conversations with our three guests based in San Francisco and London, first let's go to our blog.
In our blog this week, we just published a blog post called Celebrate Micro, Small, and Medium-sized Enterprise Day.
So it's about Cloudflare sharing success stories of small businesses building and growing on our platform and providing security guides to help protect their digital presence worldwide.
Also in our blog yesterday, on Thursday, Russian Internet users are unable to access the open Internet.
So since June 9th, Russian Internet users have been struggling to access the open Internet.
Cloudflare Radar, our Internet tool, shows a major spike in connection errors across all protocols due to throttling by Russian ISPs.
So it's outside of Cloudflare's control, and the impact is visible in traffic drops, also TCP resets, and packet loss from Russian data centers.
If you operate sites with Russian users, there's unfortunately no fix on our side right now.
So that's an important blog post as well. Also this week, more on the product side, Orange meets end-to-end encryption made simple.
Encryption is really important for the security of the Internet, and Cloudflare's open source video calling app now supports MLS-based end-to-end encryption.
And it was surprisingly easy to build, so you can read the blog post to learn more about it.
And now it's time to talk about certifications, the importance of privacy certifications globally.
Cloudflare just announced a few weeks ago two new certifications, and we're going to discuss the importance of certifications with Emily Hancock, Chief Privacy Officer of Cloudflare, and Rory Malone, Principal Privacy Compliance Specialist.
So here's my conversation with Emily in San Francisco and Rory in London.
Hello, Rory. Hello, Emily. Welcome to this Good to see you.
How are you? Hi. Hi, I'm good. Actually, Emily, you've been in the show before, twice, if I'm not mistaken.
Last year, actually, we were speaking about privacy in general.
Rory, it's your first time. For those who don't know, can you tell us where are you based, both you, Emily, and Rory?
Yeah, go for it, Rory. So my name is Rory.
I work in Cloudflare's security team. I'm based out of a London office, and I've been with Cloudflare just under six years.
And I'm Chief Privacy Officer here at Cloudflare.
I head up the product privacy and IP legal team, and I'm based in San Francisco, and I've been at Cloudflare for a little over seven years.
Welcome.
In this case, we have a specific topic in this episode. It's about privacy, of course, but about a very specific part of privacy, which is certifications.
Just to get things going, why are those certifications really important?
And we recently disclosed two new certifications, very specific certifications.
So why not try to figure out first why certifications are important and why these in particular are important?
Sure. Certifications in general help us to really demonstrate that we're doing what we say we do when it comes to privacy.
Rory is actually the person at Cloudflare who oversees all of our privacy certifications.
So it's an incredibly important job, and we rely on him a great deal.
So Rory, why don't you take us into a couple of very specific ones, and you can introduce our new one, the CBPRs that we're very excited about.
Yeah, absolutely. Thank you, Emily. So the first thing to say with certifications and privacy is that these aren't individual certifications for an individual.
There are many of those out there in the market. Someone can go and study and pass the exam, and they personally get certified.
That's what these are.
These are organizational certifications. So Cloudflare now has our fourth and fifth privacy certifications, the one that we mentioned.
And these two new ones are really interesting for us because they are the scope, the regions, the areas that they cover are global.
One of them is called the Global Cross-Border Privacy Rules certification, the Global CBPRs.
And the other one is the Global Privacy Recognition for Processors, the Global PRP.
We already have three certifications, I should say, by way of introduction.
The first one is an ISO standard called ISO 27701.
It's about having a privacy management system at your company.
We obtained that about four or five years ago.
It was our first privacy certification. We then went on to obtain a standard called ISO 27018.
It's around cloud privacy, and it builds upon our longstanding and very well-known security certification, which is ISO 27001.
And don't forget.
I was going to say, yeah, don't forget the EU Cloud Code of Conduct. Yeah.
And the EU Cloud Code of Conduct, exactly. Particularly for our European customers and people in European markets, privacy is something that they really care about, they really talk to us about, and it really comes up in conversation.
So we decided to obtain something called a Code of Conduct.
It's something that's actually put there in the GDPR, Article 40 Codes of Conduct.
And it took a few years for them to get going, but they finally got going.
So what Cloudflare did is we went through an audit.
We demonstrated to that external auditor that we met all the requirements that we had to, and we were declared compliant with that GDPR Code of Conduct, which is great.
So those are the three that we have today. And the two new ones that we've added are the Global CBPRs and the Global PRP.
And I'll just note too that the 27701 and 27018 and the EU Cloud Code of Conduct, those are more geared towards saying Cloudflare's privacy program meets certain standards that are compliant with the GDPR.
The Global Cross-Border Privacy Rules or the PRP rules, that certification is more about how we transfer data when we take it out of certain countries and take it to the United States or to another country.
And that actually is very similar in some respects to other standards called the EU-US Data Privacy Framework, which is a method for transferring data from the EU to the US.
There's also one for Switzerland and the UK, and we're self-certified to those.
The difference there is for those we say, yes, we meet the check mark items that you have to do, but nobody audits you against them.
The Global CBPRs, we actually were audited and a third party did say that, yes, indeed, we do the things that we say we do when it comes to transferring data.
This topic is actually close to heart.
As a journalist, I covered a bit of this in terms of technology, in terms of Europe being trying to protect its own data.
It's a topic that in the last few years grew, especially the data localization, countries or regions want to have control of their own data.
How certifications in a way help us certify specifically that we do, as you were saying, what we say we do.
In terms of trust, do you feel that these certifications bring trust to first the ecosystem, the tech ecosystem, but also to customers, to even users?
What is the trust element to these certifications in this topic specific?
I hope they do. I hope they bring trust.
That's the goal. The idea is to set a level playing field. Some of this started with the, well, it even predated the GDPR, but in Europe, the idea was if you're going to take European data out of Europe, you want it to be protected against the same privacy protections as it would be if it still was in Europe.
That's generally the idea. The APEC cross-border privacy rules were introduced not long after that.
That was the same idea, was that there's a set of privacy rules and privacy protections for data that need to be met if you're going to be certified to these rules.
The idea is everybody's playing by the same rules. Everybody's following the same protections for data.
You know that if your data is being handled according to these rules, whether it's a data privacy framework in Europe or the global CBPRs for Asia and a number of other countries, you know that the data is protected at a certain level.
That's a high level of trust, especially when you're dealing with a situation with bringing data to the United States where the United States does not yet have federal privacy legislation.
We have a number of state laws that offer that protection, but they're different and they're not as comprehensive as a lot of the laws in countries like Singapore or the EU or Japan or Korea.
And so because we don't have a federal privacy law here in the United States, these certifications also help kind of say, even if we're bringing the data to the United States and processing in the United States, we're still respecting the laws of the country where the data originated.
So yeah, hopefully that should bring a consumers and to businesses who use our services.
And I think that's there.
That's the benefit of the certification, because without a certification, it's an organization that's just saying, this is how we do it.
It's the difference between compliance, complying with the law and demonstrating, being able to show to an auditor that you're compliant with the law.
The example I like to give is many jurisdictions around the world, there's a requirement to respond to people if they have questions about privacy.
What data do you have of mine?
How can I access it? Can I delete it? All those kinds of questions. Many organizations might have someone who does that, and that's really important for a number of jurisdictions.
And maybe for a small or medium sized business, that's all they have.
But when you get bigger, you need to put those things down in a document.
You need to document how you do it. You need to document who's responsible.
You need to document all those sort of edge cases. And that's the sort of thing an auditor looks for in one of these privacy certifications.
And that's why we can say we're not just compliant with these standards or with the various laws and different jurisdictions, we can demonstrate that we're compliant.
Someone external to us has gone and audited us.
Exactly. And a company like Cloudflare, we have so many customers that depend on us for a specific use case of privacy.
Those certifications also bring ease of mind to the customers, right? Yeah, exactly.
I mean, we buy services too. And when we look at other third parties, we want to look at those services, we do exactly that.
We look at the data, we look at the certifications, we look at the security standards, we look at the privacy standards.
We do the same thing as a buyer of services, as our customers do when they buy stuff from Cloudflare.
I'm also curious, we have in the blog post that we published in January, we have a map that shows some of the jurisdictions of these specific certifications.
One of the things that, and we spoke about this, about GDPR last year, Emily, the rules that some areas, regions, countries do help the others as well.
It's like an ecosystem that if we comply to once, it's global.
So we're actually giving, even to countries that don't ask for specific certifications, that peace, ease of mind, potentially.
How is this one region influencing the other's situation also at use here?
Yeah, I mean, it works in a couple of different ways.
I mean, so at Cloudflare, we generally don't distinguish between regions in terms of how we process data.
So just because somebody lives in Europe and their data is protected by the GDPR, does not mean that we're treating their data with more privacy or more privacy protecting treatment than we would if it was somebody from the United States.
Everybody gets that same level of protection, and it meets the GDPR, and it also meets Singapore, and it also meets Japan, and it also meets Korea.
Because the way we approach our privacy program is to look at where that high watermark is, who's got the most comprehensive privacy law, and we benchmark to that.
And then if somebody, one of the countries has another requirement that's slightly different, because every country likes to have their own rules, then we fold that in.
And for the most part, when it comes to processing data, we're handling all of that data the same way.
And so when our customers use us, they know that it's a consistent experience for their data, no matter where it is in the world, and no matter where their customers are in the world.
So if you're a multinational company, and you're using our services, and you've got end users visiting your website from 50 different countries, all of those end users are getting the same high level of privacy protection, regardless of where.
And so I think that that's one of the things that's just really important from a trust perspective, is making sure that we're giving everybody that same benefit of protection.
And I think that the reason that a number of these different standards have common themes is because there's a lot of things that underlie a lot of the different standards and the laws we see around the world.
Europe's GDPR is, in a way, an evolution of the privacy laws and regulations and standards and agreements and treaties that have been around in Europe for actually quite a long time, you know, 60, 70 years.
And the new ones we're talking about today, the global CBPR and the global PRP, the jurisdictions that are covered in kind of an orange color on the map here, those have developed similarly from those core privacy principles.
Let me go through the nine that are covered by the global CBPRs.
It's accountability, prevention of harm, notice, choice, collection limitation, the use of personal information, the integrity of personal information, and then finally security safeguards, and then access and correction.
Those are common things that everyone in Europe will know and understand, because it's stuff that is ultimately in the GDPR from the previous generations of laws and regulations and treaties that the GDPRs developed from.
Makes sense.
Also, I'm interested, maybe you, Rory, have a perspective here on the process.
Like, to get the certifications, what is the process? Like, what is the timeline?
Does it take too long? How is that? Yeah. I mean, I think there's for us and there's for other organizations.
So the most important thing actually is agreement between parties.
You know, I sat down with Emily, I think over two years ago, and we're like, okay, we think the CBPRs is going to be something for Cloudflare.
It's something that we chose to look at it line by line. And you say, are we doing this?
Are we doing the next one? Are we doing the next one? So you need to look at all those requirements in detail, whether it gaps or there are things that you may be compliant with, but you don't have the paperwork to show it.
You have to go and do a way and do that, either develop a new process or develop a new document or a procedure or something.
Once you think you're ready, you then work with an external auditor.
So you contract with the auditor, just like we did. They will perform an audit to validate all those requirements that you're meeting all the requirements.
And then finally they'll certify you. So in this case, Cloudflare was certified, I think just two, two and a half weeks ago.
And actually these were new certifications that were launching the global CBPR and the global PRP.
And I think we're really proud that on the first day possible, Cloudflare was there and certified.
And that's something we're really proud about as a business, but also to the privacy program that Emily has built over the years.
And as we mentioned, this specific certification is important in this day and age.
It has a real application in terms of what countries and regions really want right now.
So it also has that importance, right?
Yeah, exactly. I mean, one of the interesting things for this certification is you could have showed on the, actually I should say both certifications because there's two new ones, is the way they really dovetail well.
They really match up well with our existing certifications, which, and there are some international standards, as I said, there's also certification or a standard that particularly focuses on Europe.
And so the markets are involved here, Japan, South Korea, the United States, Singapore, the Philippines, Australia and Canada.
Canada is talking about joining as well. Those are really aligned with where we have offices.
We have offices in those locations as well. So really what we did two years ago is we looked and thought, we need to think about more support for our customers in this particular part of the world.
And this is why it came up for us.
Quite interesting to see, especially us being there from the get-go.
In what way, if I'm a Cloudflare customer, what should I know about these? Like just Cloudflare has them, are some that we are pursuing to gather to this bunch?
Well, I think Rory kind of went through some of the key points.
So I think to know, yes.
So to know that we have them, but what it means is that we do have certain privacy protections in place.
And I don't know, Rory, if you want to list out a couple of the things, you know, when you talked about like the accountability principle, for example, there's a couple of different principles.
If you want to mention a couple of those, that might be helpful.
Yeah, I think I've gone through nine.
In addition, there's the two in the PRP, the Privacy Recognition for Processors, which are security safeguards and accountability measures.
So something I would say actually as well is, I say this to our new hires.
I teach a class where people join in Cloudflare to introduce them to security at Cloudflare.
But I say that while security is really important for its own sake, you can't have privacy unless you have good cybersecurity.
Because part of privacy is making sure that this data is accessible to those people, but not by the other people.
And that's where security comes in. And so actually underlying each one of these privacy certifications, we have each one of these privacy, you know, the privacy program overall, there's a huge amount of cybersecurity.
There's a huge amount of work that goes on to secure personal data.
Yeah, I think a couple, so not really to your question, but a couple of important things to mention about the CBPRs and the PRPs.
So one is, there's this idea of companies serving as controllers and as processors.
And Cloudflare is both. We are a controller when we're handling the data of a customer when they sign up.
So widget company signs up for our services.
John at widget.com is the email address of the contact there. That kind of information, we're a controller of that because it helps us maintain the customer relationship.
But then John sets up his widget website. He has a lot of end users who want to buy those widgets.
All of that data that flows behind the Cloudflare network, because we're the proxy keeping that website safe and reliable.
All of that data is data that we process on behalf of the widget company.
And so that makes us a processor. And that's why there's two certifications here.
So I just wanted to kind of point that out because Rory had been mentioning the two.
And so we do act in both of those roles. Now, other certifications don't make that distinction.
The CBPR and PRPs do. Things like the US-EU data privacy framework don't make a distinction there.
The other thing I really want to mention that I think is really important to understand is the reason that certifications like the data privacy framework and the global CBPRs and PRPs are important is because it allows for the flow of data across international borders.
And one of the things that Rory just kind of hit on about security.
So one of the benefits of the Cloudflare network is that we are able to see and detect threats to websites globally.
We see a threat happening against a site in Japan. We can block that threat before it hits them.
And then we can also block that threat for sites in Europe.
There's an increasing tendency of a lot of governments now to start saying, you know, actually, I think my data is going to be safer if I keep it in my country.
I don't want it to leave the borders of my country or in the case of the EU, this region.
And there are some reasons for that. And you can kind of understand that there's tensions that governments have around why they want to have control over their data.
And it makes some sense. But also there's a point at which the flow of this data is so important because if you don't have the flow across these borders, you end up with siloed Internets.
You're going to end up with an Internet of Europe, an Internet of Japan, of Korea.
And the data, not only is it going to make it harder for, I mean, João, you're in Portugal, Rory's in the UK, I'm in the United States.
We wouldn't be able to have this conversation. We're in three different political regimes because of Brexit.
And so we wouldn't be able to even really have this conversation as effectively if we didn't allow for the cross-border transfer of data, let alone the idea that we could protect against threats that we see in one region of the globe, you know, and so they don't happen in another region.
And that's critically important. And so having these different paradigms for how you transfer data and allow it to be processed in places like the United States where, you know, let's face it, that's where a lot of the big companies, the hyperscalers that offer some of these storage services.
And then there's a company like ours that offers this network connectivity platform.
You have to allow for the flow of data.
And these certification paradigms allow you to say, when we're transferring that data, we're doing it in a safe and secure way that meets privacy standards that have been established by the governments of the places that the end users live.
And Rory, you have a better count of this. It's something like 30 some countries now that we're covered by between DPF and CBPRs and EU Code of Conduct.
How many countries is it now? I think we're 39. And there's a few people that are associate members of the global CBPR.
So they're expected to join at some point in the future.
Yeah. I mean, you know, there's a lot of countries in the world, but that's a pretty big chunk where we say in all of these countries, we're meeting some really, really good standards for protecting data.
It's been interesting to see, especially that, okay, there's this new trend of countries trying to protect their own data.
But as you said, we need the Internet to be the Internet, not several Internets.
And that's important. And this certification is also allowed to try to, okay, let's give protections and data protections, but also let's make the Internet continuing to be the Internet for all, the global Internet that where countries, continents can connect quickly, easily.
And let's not go back to the silos era of telecommunications where long distance calls were really expensive, things like that.
So it's a different paradigm.
It really is. And I think, you know, you compare it to some of the data we see on the Internet, especially in the last few weeks where regions or countries have lost connectivity.
And you realize how difficult that is for people, right? There's the human aspect for it.
This is the complete opposite. This is saying data should freely flow between different parts of the world, but with protections, protections that are necessary and justified, et cetera.
And it really emphasizes, it hits home the human aspect of this.
On the one hand, if you really don't have Internet access, on the other hand is as these certifications do, they're pro having a free flow of data subject to certain controls.
True. It makes sense.
Another thing is we in the show have talked several times, especially more than ever this year about developers, developers using our platform.
May that be related to Workers, our platform, AI building, R2, our storage, how these certifications help them build compliance services more confidently.
It also helps them, right?
Not only like a typical big company using Cloudflare, but also those developers building the new AI tool that's around.
Yeah. I mean, look, everybody who's building their tools, their Internet applications, their websites, I mean, everybody has their own responsibility to make sure they're compliant with laws.
So I just want to make sure we put that out there, right?
But the idea is that if you do use a network like ours, then you know you have a leg up because certain boxes for that compliance have already been checked.
And so then that will help you in your representations to your end users and in terms of how you tell them how their data is handled.
So yeah, I think it's a great help to them, but yeah, my little, got to do the PSA of we can't offer legal advice and you have to do your own legal leg work.
The other comparison I quite like to make is we expect our platform to be out there with the newest features, the newest privacy technologies, the newest standards.
We expect the developer platform, we push to make sure we do that because we know that's what our audience, our customers, we know what they want.
They want the latest AI models.
They want the latest fastest platforms. What we're doing is we're doing the same thing for our privacy compliance program.
We're looking at what is kind of new, what is out there that people, and we're trying to think ahead for our customers so that we can basically lead by example.
So whether you're a developer, whether you're a massive organization, you can see that Cloudflare is not just developing new privacy technologies, not just cooperating with international standards bodies and technologies to kind of lead the way, but also with privacy certifications.
We're doing the same thing here. I'm also interested in the privacy strategy and philosophy.
We already touched this a bit, but in what way do certifications also help us be better?
Following all of those guidelines in terms of not only are we doing this, but how can we prove it, as you mentioned before, Rory, but in what way those certifications also help our ecosystem in terms of privacy strategy philosophy?
Yeah. So, well, I think our philosophy has always been, don't just say you care about privacy, show it.
And so this follows right in with that.
And I also, I think there is a certain level of, you know, these, I don't want to say these certifications set a floor because they are not the bare minimum.
They certainly go much beyond that, but they also are, they're like I said, kind of a level playing field.
Everybody's playing by the same set of rules when you certify to these programs, but that doesn't mean that that's all we're doing.
That's kind of the other thing. So these are just a part of our overall strategy and philosophy when it comes to protecting data.
And there's a number of other aspects to it, including the way we handle, for example, law enforcement requests and push back on those.
If we believe that there's conflict of laws, the security safeguards, as Rory mentioned, you don't really have privacy without security.
And so the security protocols and the additional safeguards that we put in place around the data.
So it's kind of a complementary part of this overall strategy to keeping data private and secure.
I don't know, Rory, if you've got anything you wanted to add to that?
No, absolutely. Yeah. So there are many things that we do, as in the past I've mentioned in this show, security by design.
There's also privacy by design for sure in companies. There's a lot of things that we do that are not certified.
There's not certification for those, but we do it because we know it's necessary.
It's important. We learned from there specifically.
Yeah, exactly. And that's where I think there's an entire product team that is dedicated to privacy enhancing technologies.
And for example, things like the way we use technologies to underlay Apple's Private Relay, for example.
There's a number of technologies, and I should, 1.1.1.1, public resolver. I can't believe I forgot to mention that and WARP.
I mean, we do those things. We launched 1.1.1.1 for free for everyone, not because we thought it was going to be something that was going to make us money, but because we believe that you surfing the Internet have the right to not have your IP address connected to the websites you visit.
So they can't follow you around the Internet to monetize your Internet browsing habits, for example.
So there's a number of things that we do as a company that are sort of for the greater good of privacy and security.
And that is a huge part of where we stand as a company.
And again, yeah, that's why kind of certifications like these are one component of an overall approach to how we want to keep personal data to a minimum as much as we can on the Internet.
Related to thinking about learnings from these certification processes, how do we keep the momentum going?
What's next in terms of the privacy roadmap? More certifications, new frameworks, journal tooling, all of the above.
Can we share something on that regard?
I don't know, Rory, what do you have in your toolkit? I think it's all to play for.
I think we are always interested in what certifications, be they privacy or not, actually are helpful to our customers.
So if you're a Cloudflare customer today and we don't have a certification that you'd like us to have, talk to your account team.
Ask them. We have a system for recording what our customers request internally at Cloudflare and your account manager or your account team, or even the customer support team if you don't have a dedicated account person, we'll be able to help you.
So we're in listening mode. We'd love to hear what our customers are interested in.
There's some new emerging standards we're hearing about that are kind of not necessarily related directly to privacy, but also in the AI area.
Some of them are interesting. That's what I was going to say. Some of them are interesting.
Nothing seems to be the one thing that's leading yet. There's a lot of new things in the market.
AI as a certification or as a compliance program is relatively new, at least generative AI especially.
So we'd love to hear from customers.
Yeah, no, that's exactly right. I mean, AI is the big new thing, right? And everybody's talking about it.
And there are a number of things where we have customers asking about responsible AI.
We've got something on our trust hub that talks about that.
But yeah, and then there's other, as Rory mentioned, there are country-specific types of certifications.
There are sector-specific types of certifications around health data, for example.
So there are a number of things we're looking at, but it's probably a little too soon to say that we're committing to one particular thing in the coming year.
In the AI sector, it's quite interesting that in the show, we've talked about MCP servers, new protocols on the AI age.
Agents are coming and new things are being built and done. And you can see that there's sometimes a preferred protocol and that's like one month ago or two months ago.
So really recent. How difficult or complex is it to put your chips where we know, okay, this is the new current situation.
How can we deal with this new situation regarding AI, data storage, what models and agents are doing?
What we did before also helps here specifically.
I think from a privacy perspective, I said this week actually to another audience, but you have to have your data protection and your privacy philosophy locked down before you think about going into AI.
If you try and do it the other way around and you try and develop various things and connects to AI and then think about privacy afterwards, you're going to hit some roadblocks.
You're going to make mistakes and it's going to be tricky.
So you really need a strong data protection base before you think about the AI and what you do developing AI.
The one thing I'd say is interesting at the moment is I'm seeing tension between actually, it's more at a national level with governments rather than a company level about, do they want to regulate AI too much now?
Do they want to regulate it lightly? Do they want to just stand off and let innovation and AI development happen?
And that's a real tension that we're seeing played out I think in the press, in the news cycles.
I don't know what the answers will be.
I suspect there'll be different answers all over the world, but we're also in listening mode and we're very much kind of interested in where those go.
Anything to add there? Yeah, I mean, I think to your point, to Rory's point about, it's like when you learn a sport, right?
You have to learn fundamentals before you can be out there doing all the crazy, like snowboarding, for example.
You have to learn how to go down the hill before you can do the half pipe.
So getting those things in place and getting those fundamentals in place are what allow you to do then the next and the next and the next.
So Rory's exactly right about that. And I think one of the things that we're doing is we are keeping an eye, as Rory mentioned, on a lot of the different developments in different jurisdictions.
There's a number of countries that are passing AI laws.
There are other countries like the United States that's saying, I think there's a provision right now that says we're going to prevent states from regulating AI for 10 years.
We'll see if that goes through. So there is real tension there.
And regardless of what the legislation is in these different countries, there are certain basic rules and principles around how you handle data.
And AI, yes, it's a new technology and it presents really complex questions about what happens with the data.
But at its most fundamental, it's how do you manage data, which is something that we've been thinking about for years and years and years.
And we're well positioned to be thinking about that in the scope of AI. So it's not like AI suddenly is just, oh my gosh, there's this new technology and it's going to change everything.
No, same basics about inventorying data, mapping where your data goes, understanding who's got access to your data, what your access controls are.
All of those really fundamental skillsets underlie whatever you're going to do when it comes to responding to how your data is used with AI.
So we're well prepared for that. And we're watching the political developments to kind of figure out what that means for compliance of laws.
I'm really curious on this area regarding AI.
In the last episode, a few days ago, I was speaking with Kenton Varda, our principal engineer that builds workers from the get-go.
And he was saying first, optimistic, like I think more people will be developers because of Gen AI, even if they don't know how to code.
But also he was warning, hey, if you are putting an app outside, out there, you're responsible for the code that is there.
So even if it's a model creating that code, maybe there's some dataset that is unprotected there.
And at the end, you'll be responsible for that. So there's a lot of unknowns, I would say, of what's coming there.
So curious about that area specifically.
Yeah. I mean, it's a brave new world, right? Like there's a lot, I think, that we don't know in terms of how things are going to pan out.
And that's a little bit why in some ways it's, okay, you go back to your fundamentals, go back to understanding, what is the data you're putting in?
What is the data you're getting out?
Are you checking to see if it's accurate? Have you looked for bias? All of those things that you have to remember the fundamentals.
You wouldn't jump out of a plane to go skydiving without checking to make sure your parachute is there and folded.
I've never jumped out of a plane, but I'm sure there's a number of safety checklists, right?
So you would have to still go through that checklist.
And I think it's going to be very interesting because when you talk about the big companies that are launching these things, or even small companies, they do have compliance in mind.
I think when you're talking about individuals, a lot of individuals don't because they haven't been in that environment.
And so it is kind of interesting. And that's where it comes to some place like Cloudflare, where if we're going to be empowering individuals to do these things, let's try to set up some guardrails for them, or maybe we can get some technologies in place that they can use to help make things safer and better.
There's a lot of areas to explore there.
It's something we are exploring, but it really is, it's kind of like, what's today going to bring in terms of the new challenge or the new invention?
I think it's exciting. It's really exciting to be here right now.
It is, especially because changes are coming. You can feel them in a sense.
Even if you don't know exactly where it will lead to, but changes are definitely coming.
So quite interesting to see there. Anything more than AI regarding what's coming in the privacy sector in the next year or so that we can mention?
I mean, I think we just really need to keep an eye on what happens with this idea of digital sovereignty and data sovereignty and what this means for the free flow of data.
And there's a lot, you know, India's got new rules on their privacy law that are going to be coming out.
India's a huge jurisdiction, a lot of users. So it'll be interesting to watch that.
And you know, the geopolitical situation, unfortunately in the world, all of that influences data flows.
What happens with geopolitical tensions can also impact how companies sort of react in terms of data flows.
So we'll be watching that.
Hopefully that is less exciting than AI. We hope for, we don't want to live in interesting times when it comes to that.
That is a security and privacy compliance point of view.
We put our certifications and FAQs about them on our Trust Hub.
So if anyone wants to Google Cloudflare Trust Hub, you'll get to our Trust Hub where we have information about every single one of the many, many certifications we now have, whether privacy, security, all sorts of other things, as well as Emily mentioned, the responsible AI and other FAQs for customers.
So they're available there. Just feel free to Google Cloudflare Trust Hub.
There's a lot to explore there for sure. Thank you so much. This was great. Learn as always.
And that's a wrap. Thank you. Thank you. And we also have two topics related to developers, one about containers and the other one about building AI agents with OpenAI and Cloudflare.
And I'm going to talk about those with Confidence Okoghenun, Senior Systems Engineer.
So here's my conversation with Confidence.
Hello, Confidence. Welcome to This Week In It. Hello.
Thank you. For those who don't know, can you explain to us your job at Cloudflare?
So my job essentially is teaching people how to use our developer platform.
We have loads and loads of products and sometimes it can get confusing and you don't know what to use and when to use what.
So my job is teaching people how to use this product and I do videos on YouTube and all of that stuff.
So developer advocacy, teaching people how to get the most out of Cloudflare's developer platform.
You actually did a video about the topic we're discussing today, containers, that is on our YouTube page, Cloudflare Developers, YouTube page.
People can check that out specifically there if they want a more in-depth technical perspective there.
You do great content for sure. Yeah, thank you. And you should definitely get subscribed if you haven't.
So go check out our Cloudflare Developer channel on YouTube and get subscribed.
Exactly. And where are you based?
UK? Yeah, I'm in the UK. I'm in a city called Birmingham. It's about an hour away from London.
Yeah, it's quite sunny today. It's been hot for the last couple of weeks.
Last week was super hot, but this week has been bearable for me anyway.
Some people love it when it's hot. I personally don't. I like it when it's a bit cooler.
But yeah, the weather is lovely. It's great outside today. It's really hot in Lisbon today, this Friday.
It's really hot. It's even hotter than usual.
So really summer. Do you like it when it's hot or you prefer it when it's cooler?
I prefer not too cold, not too hot. Although to be honest, I'm good with cold weather.
About containers, the blog post we had this week, containers go public in the public beta perspective.
For those who don't understand what is containers and why is containers so relevant to developers, can you explain to us a bit what that is?
Yes. Yes, I can. So if you've ever used Docker or Podman on Linux, you have used containers.
So Docker has the containerization platform. And the idea is that you have an application, you want to get deployed somewhere, but you have the application packaged with all of its dependencies, both like, like programming language libraries, and also system libraries packaged in a container that is a Linux environment, essentially.
And then that can be deployed on any computer.
And because it has everything it needs to get going, you can deploy this to any server anywhere in the world.
And it's going to run reliably because it has everything it needs in a self-contained box, so to say.
So that's, that's the problem containers solve because dependencies, especially across operating systems and hardware can lead to lots of issues when building applications.
So containers was a technology developed to ensure that I have everything I need for this application to run.
And then when I send it off somewhere, it has all of the dependencies for it to go.
So we've brought that technology into Cloudflare workers.
And this means that applications you could not run on workers before is now possible because we're giving you access to Docker containers.
And then you can bring those applications or workloads to be run on Cloudflare.
One example of this is libraries such as FFmpeg.
It's a Linux system binary, and it's going to be difficult to get that running inside of workers itself.
But with containers, this is a workload like you can run way easy.
And there's so much, much use cases, like way more use cases.
You can think about file systems, running legacy apps like Java or Go or Rust, for example.
These are some of the use cases that containers on Cloudflare Workers makes possible today.
Makes sense. And for those who are not familiar with our developer platform and what developers typically need, one of the things that surprised me was the excitement from developer community about this.
So this really unblocks a lot of things for developers, right? How did you see the excitement online about this?
So why are developers so excited? Oh my God, it was so heartwarming to see that people really wanted this.
It's been long coming, like developers have been requesting for this because while JavaScript is great and you write JavaScript on workers, but you are limited to only stuff that can be done in a JavaScript land.
Containers completely changes that game and opens up the landscape to any application you can possibly imagine can be run on workers.
So it's something that unlocks a wide range of use cases.
And that's why developers were excited. For example, one of the demos I was able to get running on container is a full Linux desktop environment.
So like a full Linux computer running inside of containers. And it means that you can access this environment from any web browser and have access to a full Linux desktop.
And that's, that's pretty awesome. It's just a demo, but it goes to show you that there's a lot of powerful things you can do using containers and people were just so excited about it.
I'm sure we're going to be seeing really crazy apps in the next couple of days to weeks that will be built on workers.
So I'm excited to see what people get using containers on workers.
Last week in the show, I had Kenton Varda.
He is the initial builder of workers and he talked about AI.
So people can check that episode out if they want to see coding and AI and what someone really experienced and thinks about it.
But he also talked a bit about containers and how also how the way Cloudflare is doing is bringing a lot of excitement as well, because it's a bit different from what others have been doing.
It also uses the fact that we have this global network and we already have this ecosystem.
So that definitely makes this containers announcement from Cloudflare specific and unique in a sense, right?
Yeah. And you just reminded me about something.
So speaking of which, lots of people are building AI-powered applications or experiences for the already existing applications using agents and MCP clients and servers.
And Cloudflare is like the perfect place to build MCP or AI-powered experiences.
One of the things that AI agents can do is generate code or build apps and containers is just like a no-brainer place to run those applications that have been generated.
So we're going to start seeing a lot of integrations.
Back last week, sandbox, like container sandboxes were also announced in addition to containers where you can get your agents connected to the sandbox and tell it to go run the application it has generated inside of a sandbox.
And it has like the full environments to do everything it needs to get done.
So as we see more of these AI-powered experiences or agents or coding assistants being developed, containers is like a great place to have those applications running because it provides all of the sandboxing.
And I'm sure that's why lots of people are excited about it because it makes it so much easier to get this kind of applications built.
Do you have a demo to show us? I don't have an AI demo but I do have a couple demos to show you.
This is the first application I was telling you about and it's the first demo I'll be sharing.
It's called webtop and the idea is that you're running a desktop environment but on the browser.
But this is powered by containers because the actual backend is running inside of a container instance.
Okay, so this is loaded up. It is an in-browser VNC client because we're doing everything over the Internet.
So let's connect to the container instance.
Okay. And here we are connected to the Linux environment. And this is a full Linux desktop.
So you can go open up a terminal. This is a terminal window, I can drag this place this anywhere I want and let's do a quick cut.
Okay, it is an issue.
So we're running Debian Linux, Debian 11. And whatever it is you can do in Linux desktop can be done here because this is a full desktop.
So for instance, I am going to go open up a browser, the browser installed on this instance by default is Firefox.
So this is Firefox is the first time Firefox has been opened.
And oh, we can go open up YouTube. This is YouTube. Yeah, you're asking to accept.
And you can watch YouTube video if you want to. Okay. Okay, qualified developers.
Okay, I don't think I typed that correctly. But you get the idea that this is a full Linux environment.
And whatever it is that you can do in a Linux desktop can be done here.
And this is running over the web inside of a container instance.
So it does show how powerful the container architecture is. And it works really well with workers.
Okay, should I go on to show you the other demo I have prepared, which is a bit more practical?
Sure. All right, cool. We need to close this window.
And let's go open up. Okay, I call this with ski. It is a web version of Gifski.
So if you create lots of GIFs, you may have heard of the application Gifski, available on macOS and Windows.
And the idea is to give it a video. And you can get that video trimmed and converted into a GIF.
So this does the exact same thing, but it's running inside of a container as its backend.
So let me go select a video file.
I'm just going to go here. I think I have some of the videos I downloaded.
Yeah, this. So this is a video I got from YouTube. And it's, it's about, I think it's really cool.
So it doesn't read the video. So I trim the end of the video.
Okay. You can leave all of the options as default, we're able to change the speeds to make it go 2x faster, resize the output GIF, change the FPS, change the quality, change the loop.
But I'm just going to hit the create button so that that gets created.
So what's happening here is that the client, which is the web client we're seeing here takes the video we have selected from the computer, sends it to a worker, the worker forwards that to my container, the container I have here is running Rust.
This is something you could not do previously inside of a worker.
It's running a Rust web service that receives the video file and sends it to FFmpeg, which is a binary that you could not run on workers.
FFmpeg converts that video into GIF and returns it back to the worker which returns it back to the client.
And you can see we have the GIF here and I can go download this and we have that GIF downloaded.
So all of this is all of this was not possible on workers before but with containers it makes all of this possible and there's so much more awesome things you can do using containers now.
We can definitely see a use case there but as you said there's many more and there's many more videos as we start this conversation explaining some technical details that people can follow if they want to go more deeper into this area, right?
Yes, definitely. Definitely. If you want to run powerful applications that you could not go server rust server, please reach out to containers.
That's why we created it to make it such that all of the workloads you could not run on workers for one reason or the other, it's now all possible using containers.
And I think the best part of containers is that it integrates really well into the workers platform.
So if you need to use KV for example, to store data because it's also still running in worker, you can connect it to KV, you can connect it to R2.
If you need AI processing, you can connect it to workers AI and you have all of these other integrations on the tip of your fingers for you to build really cool experiences with too.
Yeah, really, really awesome product. And using all of this in the Cloudflare ecosystem of all of what that means and today it's many things but all of that in the Cloudflare ecosystem. Yes, yes.
And if you need a service somewhere else that Cloudflare doesn't provide, containers has access to the Internet.
So you can call a HTTP, like you can you can use it, you can call the HTTP service to server somewhere to get the resources you need.
If it's a service we don't provide, but I'm sure we cover all of the services you may need to use.
But if not, you have integration to other services as well.
One of the other announcements we did regarding developers this week, it's about building AI agents with OpenAI and Cloudflare.
Cloudflare's agents SDK provides a seamless execution layer for agents focusing on where they run, not how they think.
Also a good addition, right? Well, yes, I have that blog post opened up because I plan to read it just after this call.
I have something I'm building on agents which will not be announced on this call, but hopefully next week on Twitter.
Yeah, so it's a really exciting announcement as well.
For sure. Thank you so much, Confidence. This was great. Thank you.
And that's a wrap.