Umbraco

GDPR FAQ

The answers to your GDPR questions

Yes, we are.

Two of our values are Trust and Respect, and they set the foundation for how we handle your personal data.

We have taken these new rules and regulations very seriously, and therefore we are GDPR compliant. For more information about this, visit the GDPR and Umbraco page.

If you attended Codegarden 2018, you might have had the opportunity to attend the presentation about GDPR by Frederik Raabye and our very own Umbraco CEO, Kim Sneum Madsen – if not, you can watch it here.

In the presentation, Kim talks about what changed after GDPR was introduced. And really, nothing had changed! You as a data subject should still enjoy the rights you had pre-GDPR. The biggest change is that companies like Umbraco have to document that we are following the rules, a bit like a tachometer in a truck shows whether the driver is within the speed limit or not.

If you want to read more about how we handle your data, you can find the info here.

“Personal data” is quite a lot of things when you first start thinking about it. To clarify what it is, we will have a look at this sentence which explains it to some degree:

Personal data means any information relating to an identified or identifiable natural person or “data subject”

But if you are not sure yet, here we have tried to explain it more in-depth:


In general, there are two kinds of data on a person:

  • The personal data would be something like your bank account, salary or social security number.
  • The sensitive data would be ethnic origin, political and religious orientation or sexual relations.

At Umbraco we do store some of your personal data; an example is your email address for Umbraco Cloud. If you are a paying user, we also store bank information so that we can create invoices.

We do not store any sensitive data on our customers – the data we store is handled with Respect and Trust!

Yes, we do. The Umbraco DPA is relevant for our customers. You can find more information about the DPA here 

No, we do not share your data with anyone or sell it to others.

We, like many other companies, use cookies, which give us the possibility to show you more relevant content and information. When you visit our site for the first time, you will be notified with a “We use cookies” pop-up.

For more specific information about this, we have a dedicated "Cookie Information" page.

For more information about this topic, we would recommend reading about Umbraco as a Processor.

A data controller decides ‘why’ and ‘how’ the personal data should be processed. 

Whereas a data processor processes personal data on behalf of the controller. The data processor is usually a third party external to the company. Read more about the relationship between a data controller and processor on the European Commission website.

Umbraco is a “Data processor” because we process your data - this would be the data you have inside your Umbraco Cloud project e.g. Email.

Here's an illustration of the different relationships and responsibilities: 

[Figure: GDPR chart]

At Umbraco we have third party suppliers. You can see them all here.

Here you can also get an overview of what we use them for, where they're located in the world, and what their legal grounds are for processing data.

Yes, we do. 

Do not hesitate to contact , if you have any questions.

At Umbraco we do GDPR revisions twice a year, in May and November. This is to ensure we follow the regulations and, for example, get rid of any data we're not using or are no longer allowed to store.

GDPR (General Data Protection Regulation) was implemented in Denmark in May 2018 and we, therefore, find it suitable to do our audit in May every year and then again 6 months later. 

On the 16th of July 2020, in the Schrems II judgment, the Court of Justice of the European Union (CJEU) declared the European Commission's Privacy Shield invalid on account of invasive US surveillance, thereby making transfers of personal data based on the Privacy Shield illegal.

Umbraco responded to this by reaching out to all third-party suppliers who were affected by this and by getting an updated DPA with an SCC incorporated or a stand-alone SCC. Umbraco is also aware that the SCC is not the final step in this process, and we are closely monitoring how the European Data Protection Board and the European Commission respond to this.

Updated November 2020

If you want your personal data deleted, we can help you with this. Please reach out to our friendly supporters at contact@umbraco.dk and they will contact the Compliance Team, which is responsible for this action.

Find more information about the right to be forgotten here. 

Yes, we do! Below are some of them:

  • Automated security updates (Umbraco Cloud) ✔️
  • Automated HTTPS certificate (Umbraco Cloud) ✔️
  • Hashed passwords ✔️
  • Support for HTTPS ✔️
  • Support for OAuth login system ✔️
  • Possible to set up password rules ✔️
  • Possible to implement two-factor authentication ✔️
  • Default log-out of backoffice due to inactivity ✔️
  • Built-in security Health Check ✔️

For more information on how we deal with security, please visit our dedicated Security page.

If you come across a vulnerability through your internal use and testing of Umbraco, we would like to hear about it.

In order to take care of the vulnerability in the most responsible manner, we ask you to follow the guidelines for how to report a vulnerability.

If you have a GDPR-related question and you can't find the answer here in the FAQ, please reach out to our friendly Fish Tank at GDPR@umbraco.com.

In response to the Schrems II case, Umbraco developed a Transfer Impact Assessment (TIA) for all our third-party suppliers where data transfer of personally identifiable information takes place in non-EU/EEA countries. The Transfer Impact Assessments (TIAs) were developed in close collaboration with our law firm and are reviewed twice a year.