Is Umbraco GDPR compliant?
Yes, we are.
Two of our values are Trust and Respect, and these also set the foundation for how we handle your personal data.
We have taken these new rules and regulations very seriously, and therefore we are GDPR compliant. For more information about this, visit the GDPR and Umbraco page.
What are the key changes with GDPR?
If you attended Codegarden 2018, you might have had the opportunity to attend the presentation about GDPR by Frederik Raabye and our very own Umbraco CEO, Kim Sneum Madsen – if not, you can watch it here.
In the presentation, Kim talks about what changed after GDPR was introduced. And really, nothing has changed: you as a data subject should still enjoy the rights you had pre-GDPR. The biggest change is that companies like Umbraco now have to document that we are following the rules, a bit like a tachometer in a truck shows whether the driver is within the speed limit or not.
If you want to read more about how we handle your data, you can find the info here.
What is personal and sensitive data, and do we store it?
“Personal data” covers quite a lot of things once you start thinking about it. To clarify what it is, we will have a look at this sentence, which explains it to some degree:
“Personal data means any information relating to an identified or identifiable natural person or “data subject”.”
But if you are not sure yet, here we have tried to explain it more in-depth:
In general, there are two kinds of data on a person:
- The personal data would be something like your bank account, salary or social security number.
- The sensitive data would be ethnic origin, political and religious orientation or sexual relations.
At Umbraco we do store some of your personal data; an example is your email address for Umbraco Cloud. If you are a paying user, we also store bank information so that we can create invoices.
We do not store any sensitive data on our customers, and the data we do store is handled with Respect and Trust!
Does Umbraco have a Data Processing Agreement?
Yes, we do. The Umbraco DPA is relevant for our customers. You can find more information about the DPA here.
Is Umbraco sharing any of my personal data?
No, we do not share your data with anyone or sell it to others.
For more specific information about this, we have a dedicated "Cookie Information" page.
For more information about this topic, we would recommend reading about Umbraco as a Processor.
What is a data processor and a data controller?
A data controller decides ‘why’ and ‘how’ the personal data should be processed.
A data processor, on the other hand, processes personal data on behalf of the controller. The data processor is usually a third party external to the company. Read more about the relationship between a data controller and a data processor on the European Commission website.
Umbraco is a “Data processor” because we process your data: this would be the data you have inside your Umbraco Cloud project, e.g. email addresses.
Here's an illustration of the different relationships and responsibilities:
What third party suppliers do you have?
At Umbraco we have third-party suppliers. You can see them all here.
Here you can also get an overview of what we use them for, where in the world they are located, and what their legal grounds are for processing data.
Does Umbraco have a Data Protection Officer?
Yes, we absolutely do! He makes sure that Umbraco keeps following the GDPR.
Reach out to GDPR@umbraco.com if you have a question for our DPO.
Does Umbraco do regular GDPR revisions?
At Umbraco we do GDPR revisions twice a year, in May and November. This is to ensure we follow the regulations and, for example, get rid of any data we are no longer using or no longer allowed to store.
GDPR (General Data Protection Regulation) was implemented in Denmark in May 2018, and we therefore find it suitable to do our audit in May every year and then again 6 months later.
What about GDPR and the US?
On 16 July 2020, in the Schrems II judgment, the Court of Justice of the European Union (CJEU) declared the European Commission's Privacy Shield invalid on account of invasive US surveillance, thereby making transfers of personal data based on the Privacy Shield illegal.
Umbraco responded to this by reaching out to all third-party suppliers who were affected and by getting an updated DPA with SCCs (Standard Contractual Clauses) incorporated, or a stand-alone SCC. Umbraco is also aware that the SCC is not the final step in this process, and we are monitoring closely how the European Data Protection Board and the European Commission respond to this.
Updated November 2020
How can I have my personal data deleted?
If you want your personal data deleted, we can help you with this. Please reach out to our friendly supporters at firstname.lastname@example.org and they will contact the Data Protection Officer who is responsible for this action.
Does Umbraco have any security features?
Yes, we do! Here are some of them:
- Automated Security updates (Umbraco Cloud) ✔️
- Automated HTTPS certificate (Umbraco Cloud) ✔️
- Hashed passwords ✔️
- Support for HTTPS ✔️
- Support for OAuth login ✔️
- Possible to set up password rules ✔️
- Possible to implement two-factor authentication ✔️
- Default log-out of backoffice due to inactivity ✔️
- Built-in security health check ✔️
For more information on how we deal with security, please visit our dedicated Security page.
I found a vulnerability in Umbraco. What should I do?
If you come across a vulnerability through your internal use and testing of Umbraco, we would like to hear about it.
In order to take care of the vulnerability in the most responsible manner, we ask you to follow our guidelines for how to report a vulnerability.
In case of a no-deal Brexit, does Umbraco A/S have an appropriate contractual provision in place to allow personal data to continue to flow from the EU to the UK if the hosting is in the EU?
Let’s start with the conclusion: we do have the appropriate contractual provision in place to allow personal data to continue to flow from the EU to the UK, also after 31 December 2020.
The Data Controller is the party controlling the data. In the case of Umbraco Cloud, it is the charity client who decides what data (if any at all) to put into their Umbraco Cloud project.
In the case of Umbraco Cloud, the Data Processor is Umbraco A/S. We process the stored data for the purpose of running Umbraco Cloud. We have therefore made a Data Processor Agreement, ensuring that the Data Controller knows what we do, why we do it, and where your data is stored. We are allowed to use external suppliers (Sub-Processors) for this purpose, provided that we tell you beforehand if we do.
In the case of Umbraco Cloud, the Sub-Processors, or third-party suppliers, include Microsoft Azure. Data is stored at the NW Europe data centre within the EU. We, as the main Data Processor, are obliged to ensure the same level of security and diligence from our suppliers as we promise you, and as we are obliged to by the GDPR. Therefore, we need to have a DPA with Microsoft, which we have.
If there is a no-deal Brexit, the UK will be an “unsecure third-party country”, which would require SCCs (Standard Contractual Clauses) towards any suppliers of ours in the UK. The rules under Privacy Shield are now a no-go.
Our third-party suppliers can be found here.
Please note that we do not have any suppliers in the UK.
To conclude, we do have the appropriate contractual provision in place to allow personal data to continue to flow from the EU to the UK, also after 31 December 2020.
Who do I contact if I have a GDPR related question?
If you have a GDPR related question, and you can't find the answer here in the FAQ, please reach out to our friendly Fish Tank at GDPR@umbraco.com.
Does Umbraco have a Transfer Impact Assessment (TIA)?
In response to the Schrems II case, Umbraco developed a Transfer Impact Assessment (TIA) for all of our third-party suppliers where personally identifiable information is transferred to non-EU/EEA countries. The Transfer Impact Assessment (TIA) was developed in close collaboration with our law firm.
Every one of our third-party suppliers ensures that they encrypt data to industry standard and do not have access to the encryption keys.
All third-party suppliers are also, as a minimum, SOC 2 Type II certified, and are also ISO 27001 certified.
Umbraco has ensured that we have appropriate safeguards in place with all of our third-party suppliers for transferring data to non-EU/EEA countries.
Every one of our third-party suppliers has a procedure for handling requests from the respective authorities.