Is Umbraco GDPR compliant?
Yes, we are.
Two of our values are Trust and Respect – this also sets the foundation for how we handle your personal data.
We have taken these new rules and regulations very seriously and therefore we are GDPR compliant – for more information about this, visit the GDPR and Umbraco page.
What are the key changes with GDPR?
If you attended Codegarden 2018, you might have had the opportunity to attend the presentation about GDPR by Frederik Raabye and our very own Umbraco CEO, Kim Sneum Madsen – if not, you can watch it here.
In the presentation, Kim talks about what changed after GDPR was introduced. And really, nothing changed! – you as a data subject should still enjoy the rights you had pre-GDPR. The biggest change is that companies like Umbraco have to document that we are following the rules, a bit like the tachometer in a truck shows whether the driver is keeping within the speed limit or not.
If you want to read more about how we handle your data, you can find the info here.
What is personal and sensitive data, and do we store it?
“Personal data” covers quite a lot of things once you start thinking about it. To clarify what it is, we will have a look at this sentence, which explains it to some degree:
“Personal data means any information relating to an identified or identifiable natural person or ‘data subject’.”
But if you are not sure yet, here we have tried to explain it more in-depth:
In general, there are two kinds of data on a person:
- Personal data would be something like your bank account, salary or social security number.
- Sensitive data would be ethnic origin, political and religious orientation or sexual relations.
At Umbraco we do store some of your personal data; an example is your email address for Umbraco Cloud. If you are a paying user, we also store bank information so that we can create invoices.
We do not store any sensitive data on our customers – the data we store is handled with Respect and Trust!
Does Umbraco have a Data Processing Agreement?
Yes, we do. It is relevant for our Umbraco Cloud customers. You can find more information about the DPA here.
Is Umbraco sharing any of my personal data?
No, we do not share your data with anyone or sell it to others.
For more specific information about this, we have a dedicated "Cookie Information" page.
For more information about this topic, we would recommend reading about Umbraco as a Processor.
What is a data processor and a data controller?
A data controller decides ‘why’ and ‘how’ the personal data should be processed.
A data processor, on the other hand, processes personal data on behalf of the controller. The data processor is usually a third party external to the company. Read more about the relationship between a data controller and processor on the European Commission website.
Umbraco is a “data processor” because we process your data – this would be the data you have inside your Umbraco Cloud project, e.g. email addresses.
Here's an illustration of the different relationships and responsibilities:
What third party suppliers do you have?
At Umbraco we have third-party suppliers. You can see them all here.
Here you can also get an overview of what we use them for, where they're located in the world and what their legal grounds are for processing data.
Does Umbraco have a Data Protection Officer?
Yes, we absolutely do! He makes sure that Umbraco keeps following the GDPR.
Reach out to our support or contact us at email@example.com if you have a question for our DPO.
Does Umbraco do regular GDPR revisions?
At Umbraco we do GDPR revisions twice a year – in May and November. This is to ensure we follow the regulations and, for example, get rid of any data we're not using or are no longer allowed to store.
GDPR (General Data Protection Regulation) was implemented in Denmark in May 2018, and we therefore find it suitable to do our audit in May every year and then again 6 months later.
What about GDPR and the US?
For the data we may transfer to the US, we are required to have a Privacy Shield agreement.
EU-US Privacy Shield is a framework for adherence to European Union data protection laws for companies that deal with the private data of EU citizens that is transferred to the United States.
For the US services we use, we do have a Privacy Shield contract and DPA. You can see the list here. We are required by law to have this in order to transfer data to these services.
How can I have my personal data deleted?
If you want your personal data deleted, we can help you with this. Please reach out to our friendly supporters at firstname.lastname@example.org and they will contact the Data Protection Officer who is responsible for this action.
Does Umbraco have any security features?
Yes, we do! Here are some of them:
- Automated Security updates (Umbraco Cloud) ✔️
- Automated HTTPS certificate (Umbraco Cloud) ✔️
- Hashed passwords ✔️
- Support for HTTPS ✔️
- Support for OAuth login system ✔️
- Possible to set up password rules ✔️
- Possible to implement two-factor authentication ✔️
- Default log-out of backoffice due to inactivity ✔️
- Built-in security Health Check ✔️
For more information on how we deal with security, please visit our dedicated Security page.
I found a vulnerability in Umbraco. What should I do?
If, through your internal use and testing of Umbraco, you come across a vulnerability, we would like to hear about it.
In order to take care of the vulnerability in the most responsible manner, we ask you to follow our guidelines for how to report a vulnerability.