Skip to content
StackPatrol
All vendors
Security / Bot Protection

Amazon AWS WAF

US-ownedUnited StatesVerified June 2026
Vendor site

Amazon Web Services Web Application Firewall. *.token.awswaf.com endpoints issue CAPTCHA / challenge tokens for bot-mitigation rules.

Detected by domain patterns

awswaf.com

European alternatives

Cloudflare Turnstile (US, but EU data option)Friendly Captcha (DE)

GDPR & Data Residency

Amazon AWS WAF is owned by a US company. Under GDPR Chapter V, transferring personal data to the US requires an appropriate safeguard (typically Standard Contractual Clauses or adequacy decisions. The 2020 Schrems II ruling invalidated Privacy Shield and increased scrutiny on US data transfers, requiring case-by-case Transfer Impact Assessments (TIAs).

If your website loads Amazon AWS WAF scripts or sends user data to their servers, your users' data may be processed in the United States. Review Amazon AWS WAF's DPA (Data Processing Agreement) and ensure it covers SCCs.

Tip: Consider replacing Amazon AWS WAF with one of the EU-based alternatives listed above to simplify GDPR compliance and remove cross-border transfer obligations.

Does your website use Amazon AWS WAF?

Run a free StackPatrol scan to see all third-party services on your front page.

Need a full site audit?

More in Security / Bot Protection

reCAPTCHA
US-owned
United States
hCaptcha
US-owned
United States
Imperva (Incapsula)
US-owned
United States
Sucuri
US-owned
United States
DataDome
EU
France
Cloudflare Turnstile
US-owned
United States