You have provided us with a great simple version of your Privacy policies. It would be much appreciated to have a similar page for all GDPR related questions.
There is a lot of confusion about the topic. Let’s take DPAs for example.
I would like to know who should sign it? Do we need to sign it just with Webflow or with each sub-processor too?
Could you answer the CDN question? It is a very important question for the EU clients.
First of all I would like to say that I am very enthusiastic about what Webflow offers its customers. Therefore I would like to sell Webflow Hosting to my clients.
Unfortunately, it seems to be legally very problematic to use the CDN of jquery due to the GDPR in Europe.
The problem has already been described on the wishlist and was posted to the forum:
Hi @josef and @D4NIEL, my apologies for the late reply. Webflow cannot provide legal advice; however, you can see all of our sub-processors here: Subprocessors | Webflow
By using Webflow, you accept our terms of service and privacy policies, see here: Terms of Service | Webflow
I would suggest contacting a professional legal resource to see if you are allowed to use our sub-processor services.
I am helping to get further info to answer your questions, thanks for your patience.
Hi cyberdave,
Thank you for the answer. I don’t think it’s realistic for users to check all your sub-processor’s GDPR compliance status, especially since Webflow updates this list from time to time. I do think it’s Webflow’s obligation to make sure it is fully GDPR compliant.
Working with clients from the EU it’s crucial to know whether Webflow is fully compliant.
The question raised by Daniel and others on the forum was not about some local restrictions; it’s actually about Webflow’s GDPR compliance.
The question was asked several times on the forum but was never answered. Here are some more examples:
Christoph_Schober: “And are there plans for the jQuery third-party request? Actually we are forced to use this third-party CDN. … this is a legal topic, not a feature request for the wishlist or a personal wish. jquery.com gets visitors’ IPs and I have no chance to prevent that. Also there is no information on the jQuery Foundation site if and how they use the data. So please don’t let the whole thing leak on this little last topic.” (How Webflow handles visitor traffic and form submissions for published websites - #7 by callmevlad)
Sebastian Fiedler:
“To comply with EU-GDPR, those responsible for running a website hosted on Webflow have to make sure that any third party that may come in contact with personal data (and according to the ECJ, this includes IP addresses as well) has a DPA in effect with the website owner. Webflow already offers such a DPA. So do Google and Cloudflare, but jQuery.com for example does not.” (Disable Google Fonts / serve jQuery and other | Webflow Wishlist)
How can we sell Webflow hosting to EU clients if we can’t answer the basic question - Is it fully GDPR compliant?
It seems that since Webflow is a US-based company the issue of the GDPR is not taken as seriously as here in Europe. But keep in mind that the GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The fines are just huge, and we can’t simply ignore such a crucial question.
Thank you! Hope to hear from you guys soon.
Just to make it clear - even minor digital agencies in the EU are now saying that their products (for example a WordPress site) are fully GDPR compliant. Business clients are asking this question directly. Often they don’t even know what GDPR means, but it has become common practice. There are endless GDPR seminars and courses for businesses in the EU and it’s simply impossible to convince many people to use Webflow hosting over WordPress if they are not 1000% sure it’s safe and GDPR compliant. I would also add that many people opt for WordPress because they can host their data in the EU and not in the US. I guess giving us this option would simply make it 10 times more appealing for European clients (especially from Germany).
One more question about server logs. Here is an article about the issue: EU GDPR and personal data in web server logs | Ctrl blog
That’s something affecting all people hosting with Webflow. Can we disable server-logs entirely or take steps to reduce how long they’re retained and what data they store?
I hope to get your answer about CDNs soon guys.
I saw this thread in my forum summary and just wanted to give this a bump. I think it’s a pressing issue and it needs more transparency.
I already use Webflow with some clients, but I can’t even suggest it to others, because some companies/organisations take this extremely seriously.
I have the same problem. I would like to use Webflow as a tool for my work and sell the hosting and the webshop to my customers. Without a legal basis (DSGVO) for the EU this is unfortunately not possible at the moment.
Unfortunately, this makes Webflow a pure prototyping tool and not a tool that one can also use for production.
What surprises me very much is the fact that there is no reaction at all from Webflow. After all, they want to play on the professional market. Especially with regard to the new ecommerce module. But if every webshop that has been implemented with Webflow in the EU is not legally secure, Webflow will forgo huge revenues.
PS: I’m also dealing with clients in Europe. And in Germany, this is a very sensitive topic. It took me some time to convince my company in EU/Germany to use Webflow. But now I’m in trouble because I cannot prove to them that Webflow is 100% GDPR compliant. It would be a shame not to be able to use the CMS and e-commerce features.
I do trust Webflow will invest and support its European clients. The question is when and how? We need a dedicated article/post from Webflow to share it with our clients/companies.
Any update on this? I’d love to become a Webflow customer, and it would be very helpful to have a bit more guidance on how to use Webflow while considering GDPR compliance.
A guide or something would make it a lot easier to sell this solution to my boss.
Hey cyberdave
Regarding your answer from October 18, has this been discussed at Webflow?
I’d like to keep requests from my site to a minimum if possible. I also work for some law agencies. Webflow provides good resources for customers in the EU, there’s no problem with hosting in general when it comes to GDPR and the like.
There are exceptions of course — external assets like jquery were not a deal-breaker for now, but it’s been mentioned a couple of times and I don’t have a good answer for this matter.
I’m not an expert on licensing protected assets for commercial use, but jquery is licensed under MIT/Expat, so in theory Webflow could host it itself?
There’s one more thought on my mind: request HTTP headers transmit the complete URL of the page that made the request instead of the domain only. As an example, the jQuery file on AWS3 also gets passed the user agent, which quickly turns the situation complex. Could Webflow set the policy for requests to no-referrer?
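
The referrer concern raised in the last post, as an added example that is not part of the thread and not Webflow's code: a simplified model of the W3C Referrer Policy rules showing what `Referer` value a third-party script host would receive under each policy. The host names, the sample page URL and the function names are constructed for illustration, and "downgrade" is modelled only as an https page requesting an http resource.

```javascript
// Added example: which Referer value does a third-party host receive for a
// subresource request, depending on the page's Referrer-Policy?
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

function refererFor(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Credentials and the fragment are always stripped before anything is sent.
  page.username = ""; page.password = ""; page.hash = "";
  const full = page.href;                 // path and query string included
  const originOnly = page.origin + "/";   // scheme + host (+ port) only
  const sameOrigin = page.origin === target.origin;
  // Assumption: simplified downgrade check (https page -> http resource).
  const downgrade = page.protocol === "https:" && target.protocol === "http:";

  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Constructed sample: a page whose path and query identify a visitor,
// loading a script from a constructed third-party CDN host.
const PAGE = "https://shop.example/orders/4711?email=jane%40example.org#top";
const CDN = "https://cdn.example/jquery.min.js";

function auditPolicies(pageUrl = PAGE, targetUrl = CDN) {
  return Object.fromEntries(
    POLICIES.map((p) => [p, refererFor(p, pageUrl, targetUrl)]));
}

// Referrer-Policy governs only the Referer header: the visitor's IP address
// and User-Agent still reach the third-party host on every request.
console.log(auditPolicies());
```

A site can set the policy with a `Referrer-Policy` response header or a `<meta name="referrer">` element, and per element with the `referrerpolicy` attribute on the `<script>` tag.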