Webflow & GDPR | Hosting in EU + Privacy Statement needed

As most of the GDPR topics have been closed, the issue at hand is still very much open and to be honest quite threatening.

I recently learned that Webflow should store all the data in an account, or at least a copy of it, on a server located in the EU. And also needed is a (personal) statement that all the data of a particular account is the property of the Webflow user or the client of the Webflow user.

If this can be done, preferably at least a month before the 25th of May, then I and all of my clients can finally breathe again. And I think pretty much every Webflow developer and his/her clients in the EU.

Yes, I know Webflow has released info about the GDPR multiple times already, which I praise them for.

But a client of mine states that this is just ‘buying time’ - This client needs to be GDPR compliant ASAP and also needs a statement from Webflow that all the data on their sites is my client’s own property. If this cannot be given anytime soon, my client needs to move to a completely different system which can guarantee the security of personal data, in conformity with the GDPR.

Microsoft, Salesforce and Zoho CRM have all been down this road as well, and they eventually all decided it was needed to store the data in the EU and supply the users of their systems with a statement that the data is in fact stored in the EU and that it is the user’s own property. Without these two key elements, the data won’t be fully GDPR compliant.

The problem with systems that are hosted outside of the EU is the different laws and regulations; in America this is the Privacy Shield (formerly known as the Patriot Act), which would always be there and could always confiscate data, therefore not making it fully GDPR compliant and thus ‘safe’.

I hope the Webflow team can enlighten us fully on the 11th of April, but I moreover hope that Webflow will be fully compliant with the GDPR within a week or 2 after this date.

Worst-case scenario is that I, and theoretically all Webflow developers with clients in the EU, need to export all their sites and rebuild them in a completely new system/CMS and host them on a server in the EU - and all that within a little more than one month!!! If this would even be feasible time-wise, this would also include major costs to rebuild entire sites.

5 Likes

Hi @icexuick

Are you able to join the Q+A in just over an hour?

If you register, you can also log your question, and then if you miss it, can go to the point in the Q+A where it was answered. The recent ‘what we’ve been shipping’ blog post referenced GDPR - but I agree, we could really do with some more detail on that… and quickly!

Hi StuM,

I was too late, now joined the Q&A after 90 minutes.
Is there a way to still receive the questions and answers?

Kind regards,

Martijn Hoppenbrouwer
http://www.ixstudios.nl
phone 0541 - 530 532
location Oostwal 80 Oldenzaal

On the 12th of April, I thought they would come out with something!

No worries - you can re-watch on the Crowdcast link - and I think @PixelGeek said it would go on YouTube too…

@icexuick - In case you couldn’t find it - I asked the question and it got answered at 13m17

@koen - Blog post/full details April 11th - not long now :slightly_smiling_face:

1 Like

Vlad answered this here:

Hi StuM and PixelGeek,

I’ve viewed the answer in the Q&A. It’s nice to hear that privacy is a number one priority, as Vlad said, from day one at Webflow. I’m very interested in the 2 parts of being GDPR compliant that Vlad was talking about.

I’m still a bit worried about the Privacy Shield Vlad briefly noted and ‘other’ regulations. I’ve read more about the GDPR and Privacy Shield, but mostly from within the US, out to the rest of the world. The other way around, using Webflow as a European developer (and for European companies) is different, and I think the main point/problem is the Privacy Shield and 100% ownership of all the data.

I did receive more detailed information from a GDPR expert here in the Netherlands (in the EU) and he stated the following is needed to fully comply with the GDPR:

  • Preferably an ISO 27001 certificate that complies with the international standard for Information Security. We did find that Webflow is ISO 27018 compliant, which is nice, but we would like to see this certificate including the Statement of Applicability (SoA) as files or downloads.

  • A minimal demand for European customers is a TPM statement (by an external company) which states that the services being used by European companies/users and 100% of their data within are being stored (incl. backups) in the EU. Without any exceptions. My expert has examples of Microsoft, Salesforce and Zoho that have done this exactly like this. So in short, all the data must be stored on a server in the EU and the TPM statement must state that all the data is 100% the property of the user/client of the Webflow website.

  • Recommended is a monthly scan report which states all the measures that were taken to keep all Webflow services as secure as possible. This is also something a web developer could arrange for a client, e.g. by letting a security expert scan/test each (Webflow) site every month.

I hope to see answers on all of the above in the upcoming update on the 11th of April.

For most clients of mine, the above is (at this moment) leaps beyond what they are willing to invest. There are other options like removing web forms altogether, or using other forms, from Zoho for example.

If the above is something that is simply not feasible, then I hope you can communicate this as soon as possible. There is one, but maybe more, of my clients that need to switch to a completely different system that is top-of-the-line secure and complies 100% with the GDPR.

2 Likes

I don’t get why other EU Webflow users are not as worried as we are and why the communication from Webflow is so poor so far. Hopefully the 11th of April will clear all things… As you said: Time is running out to switch clients to another system.

3 Likes

Hi Christoph,

The type of reactions to the GDPR are widely spread and range from “Just be kind to people and be aware and responsible when storing or sharing personal data” to “You must comply 100% and each and every (personal) data must be accounted for, no exceptions allowed - this still is only the tip of the iceberg”

Great article you linked: This will fall in the second category and worst-case scenario(s) that might become a standard procedure and might just drop into a lot of businesses’ inboxes from the 25th of May and beyond.

I’ve learned that there will be a rather large “grey zone” in how to interpret the GDPR, and how to deal with all the security issues, which will probably also vary quite a lot depending on the type of company, the data and purposes.

But in the end, it’s about preventing (every) personal data leak, small and large.
And when you do choose to go for the minimal approach (if there is any), there might be ‘gaps’ in your security and when the sh*t hits the fan, choosing this option can get you in (big) trouble.

But, I’ve also learned that in the current state of the web, it might just be pretty impossible to close every gap. Then you could say that practically the GDPR is here to support, encourage and improve the security of (global) personal data, but that this will be a process that will take far longer to reach its true goal, simply because it’s not practically possible to comply 100% just yet.

I’m also experiencing that companies are not that willing to invest time and money into the GDPR, and often reply to me with: “Ok, make it happen, make us fully GDPR compliant”. This is of course far from the truth and also it’s not something you do one day, and the next day will just be a regular day - it’s security by design and by default with every action you take when processing personal data, every day from the 25th of May 2018 and forward.

As for myself, I build custom websites as tailored-suit solutions. This means I don’t have a ‘standard system’ that I can secure; I have to check and ‘fix’ each and every one individually. Often extra functionalities have been put in place, with an API, a widget and/or a script. Now all of these need to be double-checked and re-checked structurally, preferably daily. How can a web developer do this? Website and web app costs would skyrocket!

This is once more why I find it SO important that Webflow gets this right. If the whole Webflow system is 100% GDPR compliant and the data is 100% owned by the user(s)/clients and the data gets stored in the right country, or in my case, the EU, then I can offer my clients the whole package.

As for the current ‘information feed’ about Webflow & GDPR: I think they started off the right way, back in January if I’m correct, but now it’s just way too limited and vague. To be GDPR compliant there need to be statements and certificates shared, and they need to be ready as quickly as possible.

This is probably a very hard thing, as Microsoft, Salesforce and Zoho have been struggling with the GDPR as well. Personally I also would prefer putting time and effort into making Webflow better and better, but this privacy thing is important too and hopefully/maybe/probably the foundation for the upcoming 5-10 years of an overall better and more secure online experience. Though hard to imagine, I think it’s worth the trouble, and a good foundation makes room for a better future, in which I hope to be using Webflow every day!

1 Like

Hi Webflow team and f(ell)ow-Webflowers,

For the GDPR I’m trying to figure out which cookies are being used.
I’ve found that when embedding Vimeo videos there are 3 extra cookies used.

The api.embed.ly uses the cookie em_beagle_eid and the internet does not seem to know what this cookie is used for.
Could someone @ Webflow perhaps clarify this?

When you embed a Vimeo video these cookies are being used:

vimeo.com
vuid
unique ID - expires in 2 years

nr-data.net
JSESSIONID
Used for Session management - expires after ending browser session

embed.ly
_cfduid
Used by the content network (CDN), Cloudflare, to identify trusted web traffic - expires in 1 year

api.embed.ly
em_beagle_eid
No one knows what this cookie is for and also why this is saved for 20 years(!).

cdn.embed.ly
em_cdn_uid
Measures the number of times an embedded element from a third-party service has been used - expires in 1 year
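As an added example (not code from this post or from Webflow), here is a small Python helper for building a cookie inventory like the one above: it parses Set-Cookie headers captured from the third-party domains an embed loads, works out each cookie's lifetime (Max-Age or Expires, session if neither), and flags persistent third-party cookies that outlive a review threshold. The sample headers, the reference date, the first-party domain and the 365-day threshold are constructed assumptions; the durations mirror the ones listed in the post.

```python
"""Cookie inventory helper: parse Set-Cookie headers and flag long-lived third-party cookies."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Reference time for turning absolute Expires dates into lifetimes (assumed date).
NOW = datetime(2018, 5, 1, tzinfo=timezone.utc)

# Constructed sample headers modelled on the post's cookies (2 years, session, 1 year, 20 years); values are placeholders.
SAMPLE = [
    ("vimeo.com", "vuid=PLACEHOLDER; Max-Age=63072000; Path=/; Secure"),
    ("nr-data.net", "JSESSIONID=PLACEHOLDER; Path=/; HttpOnly"),
    ("embed.ly", "_cfduid=PLACEHOLDER; Expires=Wed, 01 May 2019 00:00:00 GMT; Path=/"),
    ("api.embed.ly", "em_beagle_eid=PLACEHOLDER; Expires=Mon, 01 May 2038 00:00:00 GMT; Path=/"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value}); attribute keys are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def lifetime(attrs, now=NOW):
    """Cookie lifetime as a timedelta, or None for a session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 requires."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # tolerate a date without a zone; treat it as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None

def audit(samples, first_party="example-site.com", max_days=365):
    """Return one inventory row per cookie; 'flag' marks persistent third-party cookies living longer than max_days."""
    rows = []
    for domain, header in samples:
        name, attrs = parse_set_cookie(header)
        life = lifetime(attrs)
        third_party = domain != first_party and not domain.endswith("." + first_party)
        days = life.days if life is not None else None
        rows.append({"domain": domain, "name": name, "third_party": third_party,
                     "lifetime_days": days,
                     "flag": third_party and days is not None and days > max_days})
    return rows
```

Run `audit(SAMPLE)` to get the inventory rows; in practice the headers would come from a browser's network log or a HAR export of the page being audited.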

Here is our official blog post about this:

2 Likes

Hello,

The EU doesn’t have the clout to bully large multinationals. The answer is easy for smaller entities: run the numbers and if you don’t make as much margin as you’d like due to the goofy regs, just refuse to do business with any EU citizen/company or make them pay a very substantial premium (3X-5X to start) for the added inconvenience.

1 Like

Has there been any update in this area?

I haven’t read any. I’m waiting for it every day!

Me too :confused:
Icexuick, do you have a solution for the connection to code.jquery.com? Any way to block this and self-host jQuery on your own web space? IPs actually get transferred to jquery.com.

I haven’t read any. I’m waiting for it every day!

Yes, this is now pretty much as urgent as things get.

Many services now offer a data processing agreement.

This agreement states what is done with the data, what it is used for, which rules apply, who has access and ownership, where the data is stored (physically), what a Webflow user should do to keep it safe and what to do when there is a data leak.

Also this statement states info on who’s responsible for possible data leaks or ‘damage’ done by data leaks.

Zapier has a pretty nice example, an agreement which you can generate yourself and also sign (digitally). This is (almost) exactly what most (European) companies are looking for concerning the GDPR. Check EU Data Processing Agreement

Is something like this coming within 2 weeks?

Hi Christoph,

At the moment I’m sorry to say I have the ‘luxury’ of (too) many clients - I can’t help you any further at the moment.

BTW, I haven’t hooked up jQuery to Webflow yet, but if I have to, I’ll make sure to let you know!

This week I have started to migrate my Webflow pages to WordPress now… I am no longer willing to wait for further information and rely on dripping communication from Webflow.

2 Likes