Pro + Self-Serve → Enterprise Upgrade
What a customer gets beyond just the BAA
💡 Press ⌘ P to print or save as PDF. Optimized for both screen and print.
Customer profile: Currently on Pro plan + self-serve Workers, Workers AI, and Images.
Requesting Enterprise upgrade to obtain a signed BAA for HIPAA compliance.
Timeline: ~30 days. This doc lays out everything that comes with the upgrade — not just the BAA.
🔒Compliance & Legal
This is the reason they're calling. Everything else in the upgrade is bonus, but the BAA is the deal-breaker.
| Feature | Self-Serve Today | Enterprise |
| BAA (HIPAA) | ✗ Not available | ✓ Signed BAA — covers Workers, Workers AI, KV, R2, D1, DO, Queues, Hyperdrive, Vectorize, Images, Cache, LogsCloudflare legally promises to protect your patient data. Without this piece of paper, using our platform for anything HIPAA-related is off the table. |
| DPA (Data Processing Addendum) | Standard boilerplate | Negotiable, custom termsThe standard "how we handle your data" contract can be rewritten to match your legal team's requirements instead of take-it-or-leave-it. |
| Custom contract terms | ✗ Click-through TOS only | ✓ Negotiable MSA — indemnification caps, right-to-audit, breach notification SLAsYour lawyers can actually negotiate the contract instead of clicking "I agree." Includes who pays if something goes wrong and how fast we tell you about a breach. |
| Bespoke security questionnaires | Public reports only | ✓ Custom answers, audit letters, attestations on demandWhen your auditor sends a 200-question spreadsheet, a real Cloudflare person fills it out for you instead of you hunting through public docs. |
| Named legal contact for incidents | ✗ | ✓ YesIf something bad happens, you have a phone number for a real Cloudflare lawyer — not a support ticket queue. |
| Compliance reports (SOC 2, ISO 27001, PCI, FedRAMP) | Public copies only | ✓ Bespoke attestation letters for their auditorWe'll write a letter specifically addressed to your auditor with your company name on it, instead of you handing them a generic PDF. |
| Data Localization Suite | ✗ Not available | ✓ Region-lock data + compute (US-only, EU-only) — huge for HIPAA + GDPRYou can guarantee patient data never leaves the United States (or wherever). Critical if your customers or regulators demand it stays in-country. |
| Regional Services | ✗ | ✓ Route TLS termination through specific geos onlyYou can require that all decryption of your traffic only happens in specific countries — helpful for regulations that care about where data is "unlocked." |
| Customer Metadata Boundary | ✗ | ✓ Keep metadata/logs in a chosen regionEven the "who visited what page and when" log data stays in your chosen region. Not just the payload — everything. |
⚡Workers Runtime — Higher Limits
Every ceiling on self-serve becomes negotiable on Enterprise. Removes the "we hit a limit mid-migration" risk.
| Limit | Self-Serve | Enterprise |
| Requests per minute (RPM) | ~100,000 RPM per Worker (default cap, raiseable on request) | Millions of RPM — negotiated, effectively uncappedHow much traffic your app can handle per minute. Self-serve hits a soft ceiling around 100k requests/minute per Worker; Enterprise gets that ceiling raised into the millions so you never have to worry about a viral moment, marketing campaign, or growth spike getting throttled. |
| CPU time per request | 30 sec (Paid) | Up to 5 minutesEach user request can do 10× more work before timing out. Matters for AI processing, complex reports, or big data crunching. |
| Sub-requests per invocation | 50 (Paid) | 1,000+ negotiableOne user action can trigger 20× more downstream calls. Important if your app talks to lots of APIs or databases per request. |
| Script size | 10 MB compressed | Higher, negotiableYour code + libraries can be bigger. Matters if you're bundling ML models, large frameworks, or lots of dependencies. |
| Environment vars / secrets | Standard | Higher limits + KMS integration availableYou can store more API keys and passwords, and connect them to a proper enterprise key-management system (like AWS KMS) instead of just typing them in. |
| Concurrent Workers | Standard | Higher burst capacityWhen traffic spikes 10× on Black Friday or a viral moment, you won't hit a ceiling. |
| Workers Logs retention | 3 days | Extended (7–90 days) + Logpush to SIEMKeep application logs longer for auditors and investigations. Also ship them automatically into your security tools (Splunk, Datadog, etc.). |
| Tail Workers fan-out | Standard | Priority + higher throughputReal-time debugging and monitoring runs faster and can handle more traffic without dropping logs. |
| Custom domains / routes | Included | Unlimited, no per-domain feesYou can point unlimited websites at your app without paying per-domain surcharges. |
| Gradual deployments / version overrides | Available | Available + guidance from real SESame "ship code to 10% of users first" feature — but a Cloudflare engineer helps you set up the rollout strategy so you don't blow up production. |
🧠Workers AI Enterprise Features
Critical for HIPAA: The BAA has to explicitly cover Workers AI or they can't feed ePHI into any LLM. Self-serve doesn't get this.
| Feature | Self-Serve | Enterprise |
| BAA coverage for AI inference | ✗ | ✓ AI inference covered — huge for healthcareYou can legally send patient information to AI models. Without this, feeding any PHI through an LLM would violate HIPAA. |
| Dedicated inference capacity | Shared pool | Reserved capacity / priority queue during peakYour AI requests jump to the front of the line during busy periods. No waiting behind other Cloudflare customers. |
| Model catalog access | Public models | Early access to new models, larger context windowsYou get new AI models before the public and can send bigger inputs to them (whole documents instead of just paragraphs). |
| Custom models / fine-tuning | Limited (LoRA adapters) | Custom model deployment, dedicated fine-tuning supportBring your own AI model or train an existing one on your data. Our engineers help you tune it. |
| AI Gateway | Available | Higher rate limits, longer cache retention, custom evalsThe monitoring/caching layer in front of AI can handle more traffic, remember more answers, and score model quality against your standards. |
| Guardrails / content filtering | Public API | Custom rulesets, policy enforcementWrite your own rules for what the AI is/isn't allowed to say. Critical in healthcare — no medical advice, no PHI leakage, no off-topic answers. |
| Cost predictability | Pay-per-neuron | Commit-based pricing, locked ratesLock in one price for a year instead of getting a bill that varies wildly based on traffic. Your CFO will thank you. |
| Data isolation guarantees | Shared inference | Contractual "prompts not used for training" guaranteesWritten in the contract: your patient questions and data won't be used to train future AI models. Everyone else's model gets dumber; yours stays private. |
🖼️Cloudflare Images Enterprise
| Feature | Self-Serve | Enterprise |
| BAA coverage | ✗ | ✓ Images covered — critical if images contain ePHI (medical scans, patient photos)You can legally store X-rays, patient photos, or scanned medical records on our platform. Without BAA coverage, one X-ray = one HIPAA violation. |
| Storage / delivery pricing | Pay-per-use | Committed volume with locked pricingPay a set amount up front for a set amount of storage/delivery. Cheaper per-unit and no surprise bills. |
| Origin protection | Basic | Authenticated origins, signed URLs, custom domainsOnly your app can pull images; nobody can guess the URL and download someone's medical scan. Signed URLs expire automatically. |
| Variants | Standard | Custom variants, dynamic transforms without per-variant costResize, crop, and watermark images however you want — thumbnails, previews, print-quality — without paying extra for each size. |
| Image resizing subrequests | Counts against Worker sub-request limit | Uncounted / higher limitsResizing images doesn't eat into the "how many things can my Worker do per request" budget. Free operations instead of costly ones. |
| Delivery bandwidth | Standard CDN | Priority routingYour images load faster because they get preferred routes through the Cloudflare network during congestion. |
🌐Pro → Enterprise on the Zone Side
Often overlooked. Moving from Pro to Enterprise unlocks huge zone-level protections. For a HIPAA app, arguably more important than the Workers features.
| Feature | Pro Today | Enterprise |
| DDoS protection | Unmetered L3/4/7 (standard) | Priority DDoS + engineer engagement + Advanced DDoS Protection tuningWhen someone attacks you, real Cloudflare humans get involved to help — not just automated systems. Your attack traffic also gets processed first. |
| WAF | Managed Ruleset | Custom rules, Advanced Rate Limiting, Exposed Credential Check, Payload Logging, ML Attack ScoreWrite your own security rules. AI scores every request as "safe" or "attack-like." Auto-block logins using leaked passwords. Save request bodies for forensics. |
| Bot Management | ✗ (Super Bot Fight Mode only) | ✓ Full ML-driven scoring, JS challenges, mobile SDK, per-request bot scoresMachine learning tells you whether each visitor is a human, a search engine, or a scraper/attacker — and lets you treat them differently. |
| Page Shield | ✗ | ✓ Client-side security — critical for healthcare portals (Magecart, formjacking)Watches your website's JavaScript in the user's browser and alerts you if a hacker injects code to steal form data (like patient info being typed in). |
| API Shield | ✗ | ✓ Schema validation, JWT validation, mTLS, sequence analytics, endpoint discoveryLocks down your APIs so only legit apps talking the right "language" can call them. Finds shadow APIs you forgot existed. |
| Rate Limiting | Basic (10 rules max) | Advanced — complex characteristics, higher rule counts, sub-second responseSet fine-grained "no more than X requests per minute" rules — e.g., "only 5 login attempts per user per minute." Reacts in milliseconds. |
| Argo Smart Routing | Add-on ($5/mo + traffic) | Included, no traffic surchargeCloudflare picks the fastest internet path in real time — like Waze for network traffic. Cuts latency ~30%. Included, no metered charges. |
| Tiered Cache | Basic | Advanced tiered caching topologySmarter caching layout so your origin server gets hit way less often, lowering your infrastructure costs. |
| Cache Reserve | Add-on | Included capacityCache stays warm forever instead of expiring — your origin barely gets touched. Included instead of an add-on line item. |
| Load Balancing | Add-on | Included pool capacity, dynamic steeringAutomatically spread traffic across multiple servers/regions and route around outages. Included instead of paying per pool. |
| Analytics retention | 7 days | Extended (30+ days), Logpush to SIEM / data lakeSee a month+ of traffic history instead of just a week. Ship raw logs into your security tools automatically. |
| Custom SSL / BYO cert | Available | Dedicated custom certs, keyless SSL, geo-key managerBring your own SSL certificates. "Keyless SSL" lets you keep the actual private key on your own hardware — huge for banks and regulated industries. |
🛡️Zero Trust (bundled or negotiable)
For employees needing access to internal admin panels, dev environments, or PHI-facing tools. Not always bundled — depends on the contract — but it's on the table.
| Product | What It Does |
| Cloudflare Access | SSO in front of internal apps (replaces VPN for a lot of use cases)Employees log in with Google/Okta and immediately reach internal tools — no VPN client, no VPN outages, no VPN passwords to steal. |
| Cloudflare Tunnel | Private origin, no inbound firewall holesYour servers can stay completely hidden from the internet — no open ports, no exposed IPs. They reach out to Cloudflare instead of the internet reaching them. |
| Gateway | DNS filtering, HTTP filtering for employeesBlock employees from accidentally visiting malware, phishing, or inappropriate sites. Corporate parental controls, basically. |
| CASB | SaaS misconfiguration scanning (Google Workspace, M365, GitHub)Continuously scans your cloud apps for "oops, that Google Drive folder is public" mistakes and alerts you to fix them. |
| DLP | Detect ePHI in outbound trafficWatches for patient data leaving your network — someone emailing a spreadsheet of SSNs, uploading records to Dropbox, etc. — and blocks it. |
| Browser Isolation | Remote browser for risky sitesSketchy websites open in a virtual browser far away from your computer — even if the site has malware, it can't touch your laptop. |
| Email Security (Area 1) | Phishing protectionCatches phishing emails before they hit your inbox. Healthcare is the #1 phishing target — this is table stakes for HIPAA. |
🚦Traffic & Reliability
| Feature | Self-Serve | Enterprise |
| SLA | Best effort | 99.99% uptime SLA with financial creditsIf Cloudflare is down more than ~52 minutes per year, you get money back. On self-serve, you get an apology. |
| Priority network routing | ✗ | ✓ Enterprise traffic prioritized during network eventsWhen Cloudflare's network is congested (rare, but happens), Enterprise customers' traffic gets processed first. |
| Incident postmortems | Public status page only | Private incident reports for anything affecting their trafficWhen something breaks, you get a private report explaining what happened, why, and what we're doing so it doesn't happen again — not just a public tweet. |
| DDoS SLA | Best effort | Guaranteed mitigation timeContractual promise that attacks will be blocked within a specific time window. If we miss it, you get money back. |
🛠️Support & Success
Often what actually justifies the price jump for teams like Puneet's.
| Feature | Self-Serve | Enterprise |
| Support channel | Community + tickets | 24/7 support, phone + chat + emailActual humans on the phone, any time, day or night. Not a community forum where you hope someone answers. |
| P1 response SLA | Best effort | 1-hour P1 responseWhen your production is on fire, an engineer responds within 60 minutes. Guaranteed in the contract. |
| Named Account Executive | ✗ | ✓ YesA specific Cloudflare salesperson who knows your account and your name. Not a general 1-800 number. |
| Named Customer Success Manager | ✗ | ✓ QBRs, roadmap sessionsSomeone whose job is making sure you're getting value. Quarterly check-ins, planning meetings, and a direct line for questions. |
| Solutions Engineer | ✗ | ✓ Dedicated for architecture reviewsA technical Cloudflare engineer you can call to help design your setup, review your code, and answer deep technical questions. |
| Technical Account Manager (TAM) | ✗ | ✓ Available at higher tiersA senior Cloudflare engineer effectively embedded on your team — knows your stack inside and out, joins your standups if you want. |
| Architecture reviews | ✗ | ✓ Regular, proactiveCloudflare engineers periodically review your setup and flag improvements — before things break, not after. |
| Roadmap briefings | Public blog | NDA'd roadmap access, EA / private beta accessSee what's coming 6-12 months out before the public does. Get access to test features early so you can plan around them. |
| Migration assistance | Self-service docs | Cloudflare engineers assist with migration planningCloudflare engineers help plan and execute the migration to their platform — you're not doing it alone off a wiki page. |
| Training | Community | Custom training sessions for their teamCloudflare experts train your engineers on the specific products you use, tailored to your setup. |
💰Commercial Wrapper
| Feature | Self-Serve | Enterprise |
| Billing | Credit card, monthly | Invoice, NET-30, purchase ordersPay by invoice on 30-day terms like a real business relationship — no maxing out credit cards or scrambling to update payment info. |
| Committed spend | ✗ | ✓ Annual commit with locked pricing across all productsCommit to a year of spend up front and lock in your price. Predictable budget instead of a variable monthly bill. |
| Multi-year discount | ✗ | ✓ YesSign a 2- or 3-year deal, get a better price. Standard enterprise procurement. |
| True-up terms | Auto-scaled, surprise bills | Custom overage terms, burst allowances, no bill shockIf you go over your committed usage, it's handled by pre-agreed terms — not a random $50k bill in your inbox. |
| Bundled discounts | ✗ | ✓ Cross-product pricing — Workers + Images + AI + Zone + ZT as bundleBuy multiple Cloudflare products together and get a better deal than paying for each one separately. Usually offsets a chunk of the price jump. |
| Renewal negotiation | ✗ | ✓ StandardWhen your contract renews, you can negotiate new terms and pricing — not just accept whatever the auto-renew charges. |
🎯How to Frame It in the Conversation
Group into four buckets so it doesn't feel overwhelming:
Bucket 1: What you came for
"The BAA — signed, covering Workers, Workers AI, Images, and every data-plane product you're touching. Plus Data Localization if you need to prove ePHI stays in the US."
Bucket 2: Room to grow
"Every ceiling on self-serve goes away — CPU time up to 5 minutes, subrequests to 1000+, reserved AI inference capacity, committed image volume. You'll never hit a wall mid-migration."
Bucket 3: Real support
"You get an AE, CSM, Solutions Engineer, 24/7 support with 1-hour P1 SLA, private incident reports, architecture reviews. Right now if your Worker breaks at 2am, you file a community ticket. On Enterprise, someone's phone rings."
Bucket 4: The zone bonus
"Moving your zone from Pro to Enterprise unlocks Bot Management, API Shield, Page Shield, and full WAF — which for a healthcare app is honestly more important than the Workers features. Your audit will thank you."
📊One-Slide Summary (forwardable to CFO / Compliance)
| Category | Pro + Self-Serve Today | Enterprise |
| HIPAA BAA | ✗ | ✓ Signed, all data productsLegal permission to handle patient data on our platform. |
| Data residency | Global | US-only (or region-lock)Guarantee patient data never leaves the country. |
| Workers limits | 30s CPU, 50 subrequests | 5min CPU, 1000+ subrequestsYour app can do 10× more work per user request before hitting limits. |
| Workers AI | Shared, no BAA | Reserved capacity, BAA-coveredLegally send patient data to AI, and jump the queue during peak times. |
| Images | Pay-per-use, no BAA | Committed, BAA-coveredLegally store medical images, at a predictable price. |
| Bot Management | ✗ | ✓ Full ML-basedAI-powered detection of scrapers, credential stuffers, and fake traffic. |
| API Shield | ✗ | ✓ Full schema validationLocks down APIs so only legit apps can call them correctly. |
| Page Shield | ✗ | ✓ Client-side script monitoringWatches your website in users' browsers for hackers stealing form data. |
| WAF | Managed only | Custom rules + Attack ScoreWrite your own security rules and let AI grade every request for you. |
| DDoS | Standard | Priority + engineer engagementReal humans help defend you during attacks, not just automation. |
| SLA | Best effort | 99.99% with creditsMoney back if we're down more than ~52 minutes a year. |
| Support | Tickets | 24/7 + named teamActual humans on the phone any time, and a team that knows your account. |
| Billing | Credit card, monthly | Invoice, annual commitPay like a normal business — invoice with 30-day terms. |
| Pricing | Pay-per-use, surprise bills | Locked, negotiated commitPredictable annual budget with no bill shock. |
⚠️ Risks to Navigate
"Just give me the BAA."
Push back gently — the BAA is a legal artifact requiring the whole Enterprise contract wrapper (SLA, support, negotiated liability). Not sold à la carte.
They balk at the price jump.
The offset: bundle-pricing across Workers + AI + Images + Zone + ZT usually shows a net-neutral or cheaper picture than paying for each Enterprise-tier product individually. Get your AE to model this.
"What about just Workers Enterprise, not Zone Enterprise?"
You can do that, but they'd miss out on Bot Management, Page Shield, API Shield, and healthcare-relevant zone protections. For a HIPAA app, usually a mistake.
Timeline pressure ("we need it in 30 days").
BAA + Legal review + Enterprise contract typically runs 3–6 weeks on our side. Start the paperwork on day 1, in parallel with the technical discovery. Don't wait.
They discover a feature limit mid-migration.
Schedule an architecture review in Week 2 specifically to catch these. The whole point of having an SE.
Built as a personal reference — not a customer-shareable document. For Dustin Burke's Cloudflare pre-sales work.