What Is GDPR?
GDPR is an acronym for the General Data Protection Regulation, which was created to bring as much uniformity to data protection as possible. The new legislation will replace an existing 1995 EU Directive, which was implemented into national data protection laws. Under that Directive, however, there could still be significant differences between states. Now that it is a regulation, it is directly applicable. It also means that if someone wants to do business in Ireland, for instance, they can now be sure that a similar legal regime exists in other member states too. This new regulation is better suited to the challenges our current digital world poses.
The GDPR legislation comes into effect on May 25, 2018.
For more information about the GDPR, see the Official Journal of the European Union.
Our Commitment to the GDPR
Kentico is committed to achieving full compliance with GDPR before May 25, 2018. We value the privacy and security of our customers above anything else, and that's why we started dedicating resources in 2017 to make sure we have everything ready before the legislation comes into effect. We consulted several legal and security domain experts on all necessary changes to the product and across the company, and we're building tools that will help you satisfy the extended rights of your customers that come with the new legislation (such as the right of access to the information or the right to be forgotten).
We have also published a large number of articles on GDPR readiness on our blog, so don't miss those. We have also already delivered several features in our other product, Kentico EMS, that should help data controllers with their GDPR compliance. You can be assured we take GDPR compliance very seriously.
If you have any questions regarding Kentico's GDPR compliance, please do not hesitate to contact us at any time.
The Personal Data We Collect
If you want to know more about the personal data we collect in Kentico Cloud, please visit our documentation where you can find the complete list for both user and visitor data.
Kentico Cloud stores the data in Microsoft Azure storage. You can choose to store your project data in a data center in Europe (the Netherlands) or the United States (West Coast). By choosing the location of the data center, your project data and tracked visitor data are stored in the selected area. Project data represents all your content created within the Kentico Cloud application. You can find more information about the data centers here.
This does not include the user (meta)data required for the Kentico Cloud service to work, which will always be stored in the data center located in West Europe. The reason behind this is that users in Kentico Cloud can work on different projects across multiple data centers.
Kentico Cloud uses a global Content Delivery Network (CDN) powered by Fastly to deliver content from your website. The CDN has edge nodes all around the world, ensuring fast content delivery no matter the destination.
We believe in security by design. That's why all our developers have to attend security training and we have a dedicated security team that regularly performs security code reviews and website security scans. Moreover, Kentico Cloud data is stored in secure Microsoft Azure data centers and is all encrypted by default.
We also have a vulnerability management program in place whose goal is to inspect for any new vulnerabilities, and any threats found are fixed within a few hours/days by our teams and security experts.
For more information about the security of Kentico Cloud, please visit our Security page.
Assistance to the Controller
The new legislation strengthens several rights of data subjects by granting them easier access to the personal data you store about them, or an option to opt out and request the deletion of this data. Kentico Cloud comes with out-of-the-box functionality that helps you satisfy their requests. For more information, please visit our documentation.
Of course, as users, you have the same rights as your visitors or customers. Therefore, if you want to trigger any of the data subject rights for any of your current or former users of Kentico Cloud, please contact us.
We will do everything we can to prevent any incidents involving your and/or your customers' data. However, if there's an incident involving any personal data, we will inform you no later than 72 hours after having become aware of it and will take all the necessary actions to mitigate the impacts of the incident.
GDPR requires data controllers to sign a written contract with any other Controller they share personal data with. Therefore, we will have a Data Processing Agreement available for our partners and customers. If you wish to sign the Data Processing Agreement, please do not hesitate to contact us at any time.
The Use of Subprocessors
In order to provide you with the best experience for working with content, we use some services provided by third-party vendors. Every vendor has to pass strict security evaluation criteria and has to be compliant with data protection laws. You can find a list of all the services we use on this page. Moreover, here you can also see a list of all third-party software licenses that we use in our product.