Cloudflare
The data protection layer that travels between clouds — because your data already does.
Cloudflare R2 is globally distributed object storage built for teams that refuse to pay a tax on accessing their own data. Zero egress fees — period. Store unstructured data (files, media, backups, logs) at scale and retrieve it as often as you need without the unpredictable transfer costs that plague traditional cloud storage providers.
R2 was designed to break the vendor lock-in cycle. Its S3-compatible API means existing tools, libraries, and workflows plug in without modification. Combine that with Cloudflare's 330+ global data centers for low-latency access and native Workers integration for edge compute, and R2 becomes more than cheaper storage. It's the foundation for organizations building multi-cloud architectures where data moves freely — and affordably — between providers.
Cloudflare R2 + Virtru Data Security Platform
R2 gives organizations cost-effective, vendor-agnostic object storage with zero egress fees. But like all S3-compatible storage, R2 governs access at the bucket level — everyone with access to the bucket can see everything inside it. Organizations end up proliferating buckets to approximate governance, or accepting that access is coarser than it should be.
The Virtru Data Security Platform eliminates that tradeoff. With TDF encryption and attribute-based access control (ABAC) applied at the individual object level, a single R2 bucket can hold objects with entirely different governance profiles. A finance analyst and a product engineer can both access the same bucket — but each sees only the objects their entitlements authorize. Contracts, engineering specs, research data, and compliance records coexist in a single repository, each with its own access policy enforced by the data itself. No bucket proliferation. No over-provisioned access. No governance gaps. Each object is a self-governing unit — its TDF-wrapped policy travels with it, is evaluated in real time against the requesting user's attributes, and is enforceable regardless of which bucket or application is involved.
R2's zero egress model makes this architecture especially economical. Data retrieval doesn't incur transfer fees, so the overhead of policy evaluation adds no compounding cost. Cloudflare secures the network and infrastructure, the Virtru Data Security Platform secures the data itself — and organizations get the storage economics they chose R2 for, plus the ability to commingle data with different entitlements in the same repository, each object individually protected, revocable at any time, and auditable across every access event.
- Zero egress fees on all data retrieved from R2, eliminating surprise costs from traffic spikes or high-volume access patterns
- S3-compatible API enabling seamless migration from existing object storage with no application code changes
- Global distribution across 330+ Cloudflare data centers for low-latency access regardless of user location
- Native Cloudflare Workers integration (serverless edge compute) for authentication, request routing, and custom logic that runs directly alongside stored objects
- Object-level data governance when paired with the Virtru Data Security Platform — attribute-based access policies enforced transparently across every stored object, not just at the bucket level
- Apache Iceberg support (open table format) that transforms R2 buckets into queryable data warehouses for analytics without moving data
- Automated migration tooling (Super Slurper) for straightforward onboarding from AWS S3, Google Cloud Storage, or other providers
Protecting data stored in Cloudflare R2 with the Virtru Data Security Platform requires an active Cloudflare account, a Virtru Data Security Platform deployment, and an identity provider to supply the user and environmental attributes that drive access decisions.
- Active Cloudflare account with R2 storage enabled (Free tier supports up to 10 GB/month; Standard or Enterprise for production workloads)
- Virtru Data Security Platform deployment (Customer VPC, on-premises, or hybrid)
- S3-compatible API credentials generated for the target R2 bucket(s)
- Compatible OIDC/OAuth2 identity provider (e.g., Okta, Microsoft Entra ID, Ping Identity) for ABAC attribute sourcing
- Network connectivity between the Virtru Data Security Platform deployment and R2 API endpoints
Security: R2 and the Virtru Data Security Platform operate at complementary layers of the security stack. Cloudflare encrypts data at rest and in transit across its global network, with integrated DDoS protection and infrastructure-level access controls. The Virtru Data Security Platform adds a second, data-centric layer: object-level TDF encryption with ABAC policy enforcement. Every stored object is individually wrapped with cryptographic protection that travels with the data, regardless of where it moves. The result is defense in depth — R2 secures the infrastructure, Virtru secures the data itself.
Compliance: Cloudflare maintains SOC 2 Type II, ISO 27001, and GDPR compliance across its platform, including R2. The Virtru Data Security Platform holds FedRAMP Moderate authorization, SOC 2 Type II, and PCI DSS compliance certifications. Together, they support regulated environments where persistent data protection and auditability are requirements — not options. TDF-wrapped objects in R2 maintain their own audit trail of access attempts and policy decisions, providing the evidence chain that compliance programs demand.
Privacy: TDF encryption ensures that objects stored in R2 remain cryptographically protected even at rest — Cloudflare infrastructure cannot decrypt the contents. Only users whose attributes satisfy the object's ABAC policy can access the plaintext. The Virtru Data Security Platform handles key exchange and policy evaluation transparently, without exposing decryption keys to the storage layer or requiring Cloudflare to participate in access decisions. Data sovereignty stays with the data owner, not the storage provider.
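The following is an added example, not Virtru's or Cloudflare's code and not the TDF format itself: a simplified Python model of the per-object policy evaluation described in the platform overview and of the key release outside the storage layer described in the Privacy paragraph. The `KeyService` class, the HMAC policy binding, the object names and the attribute strings are assumptions made for illustration, and payload encryption is omitted.

```python
import hashlib, hmac, json, secrets

class KeyService:
    """Hypothetical key-release service. Data keys live here, never in the bucket."""

    def __init__(self):
        self._keys = {}  # object id -> data key

    def _bind(self, key, policy):
        # Tie the policy text to the object's key so edits to the stored policy are detectable.
        return hmac.new(key, policy.encode(), hashlib.sha256).hexdigest()

    def protect(self, object_id, required_attrs):
        key = secrets.token_bytes(32)
        self._keys[object_id] = key
        policy = json.dumps({"object": object_id, "require": sorted(required_attrs)})
        # Returned metadata is stored beside the ciphertext (encryption omitted here).
        return {"policy": policy, "binding": self._bind(key, policy)}

    def revoke(self, object_id):
        self._keys.pop(object_id, None)

    def release_key(self, meta, user_attrs):
        try:
            policy = json.loads(meta["policy"])
            required = set(policy["require"])
            binding = str(meta["binding"]).encode()
            key = self._keys.get(policy["object"])
        except (KeyError, TypeError, ValueError):
            return None, "malformed policy"
        if key is None:
            return None, "unknown or revoked object"
        if not hmac.compare_digest(self._bind(key, meta["policy"]).encode(), binding):
            return None, "policy binding mismatch"
        missing = required - set(user_attrs)
        if missing:
            return None, "missing attributes: " + ", ".join(sorted(missing))
        return key, "granted"

def demo():
    svc = KeyService()
    bucket = {  # one constructed bucket holding objects with different policies
        "contracts/q3.pdf": svc.protect("contracts/q3.pdf", {"dept:finance"}),
        "specs/engine.md": svc.protect("specs/engine.md", {"dept:engineering", "clearance:internal"}),
    }
    analyst = {"dept:finance", "clearance:internal"}  # constructed user attributes
    results = {name: svc.release_key(meta, analyst)[1] for name, meta in bucket.items()}
    # A bucket writer loosens the stored policy; the binding no longer matches.
    tampered = dict(bucket["specs/engine.md"])
    tampered["policy"] = tampered["policy"].replace("dept:engineering", "dept:finance")
    results["tampered"] = svc.release_key(tampered, analyst)[1]
    return results
```

In this model, write access to the bucket is not enough to widen an object's policy, and `revoke` cuts off access without touching the stored object.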