Using Webflow and GDPR Questions / Guidance

Hey guys. I appreciate your effort to make Webflow 100% GDPR compliant, but there is no one single source of information on your GDPR status. I did find some very helpful answers from Vlad on this forum (How Webflow handles visitor traffic and form submissions for published websites), but the information is a bit fragmented. I would like to see something like a GDPR section on your website with all the details and answers. It would be really helpful to have all the information in one place, so that the clients could always check it. Many people in the EU still don’t know much about WF and the issue of the GDPR is a huge topic here. A GDPR guidance centre would be so helpful. Check out these examples:
GDPR Compliance - Dropbox
Mailjet and GDPR Compliance: Answers to your most frequent questions | Mailjet
https://stripe.com/privacy-center/legal
GDPR Email Compliance | EU Data Protection | Mailgun
Wix Support

You have provided us with a great simple version of your Privacy policies. It would be much appreciated to have a similar page for all GDPR related questions.

There is a lot of confusion about the topic. Let’s take DPAs for example.
I would like to know who should sign it? Do we need to sign it just with Webflow or with each sub-processor too?

Could you answer the CDN question? It is a very important question for the EU clients.

One small detail about your sub-processors list Subprocessors | Webflow
You are using mailjet for transactional emails. It’s indicated that the location is the US. As far as I can see on the mailjet’s website they are actually storing all the data in the EU: https://www.mailjet.com/support/where-is-my-personal-data-stored,29.htm

Thank you!

8 Likes

First of all I would like to say that I am very enthusiastic about what Webflow offers its customers. Therefore I would like to sell Webflow Hosting to my clients.

Unfortunately, it seems to be legally very problematic to use the CDN of jquery due to the GDPR in Europe.

The problem has already been described on the wishlist and was posted to the forum:

https://wishlist.webflow.com/ideas/WEBFLOW-I-1280

And I found a comment from a German lawyer confirming the problem:

Since this issue affects all customers from Europe, I hope for an early clarification.

5 Likes

D4NIEL, did you find a solution for this problem? Any updates?

Hi @josef and @D4NIEL, my apology for the late reply. Webflow cannot provide legal advice, however you can see all of our sub processors here: Subprocessors | Webflow

By using Webflow, you accept our terms of service and privacy policies, see here: Terms of Service | Webflow

I would suggest contacting a professional legal resource to see if you are allowed to use our subprocessor services.

I am helping to get further info to answer your questions, thanks for your patience.

1 Like

Hi cyberdave,
Thank you for the answer. I don’t think it’s realistic for users to check all your sub-processor’s GDPR compliance status, especially since Webflow updates this list from time to time. I do think it’s Webflow’s obligation to make sure it is fully GDPR compliant.

Working with clients from the EU it’s crucial to know whether Webflow is fully compliant.
The question raised by Daniel and others on the forum was not about some local restrictions; it’s actually about Webflow’s GDPR compliance.

The question was asked several times on the forum but was never answered. Here are some more examples:

Christoph_Schober: “And are there plans for the jQuery third Party request? Actually we are forced to use this third party cdn. … this is legal topic not a feature request for the wishlist or a personal wish. jquery.com gets visitors’ IPs and I have no chance to prevent that. Also there is no information on jquery foundation site if and how they use the data. So please don’t let the whole thing leak on this little last topic.” (How Webflow handles visitor traffic and form submissions for published websites - #7 by callmevlad)

Sebastian Fiedler:
“To comply with EU-GDPR, those responsible for running a website hosted on webflow have to make sure that any third party that may come in contact with personal data (and according to the ECJ, this includes IP addresses as well) have a DPA in effect with the website owner. Webflow already offers such a DPA. So do Google and Cloudflare, but jQuery.com for example does not.” (Disable Google Fonts / serve jQuery and other | Webflow Wishlist)

How can we sell webflow hosting to the EU clients if we can’t answer the basic question - Is it fully GDPR compliant?
It seems that since Webflow is a US based company the issue of the GDPR is not taken as seriously as here in Europe. But keep in mind that the GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The fines are just huge, and we can’t simply ignore such a crucial question.

Thank you for your help.

6 Likes

Hi @Josef, thanks for your detailed feedback. I have reached out and our team is taking a look at the list of questions to provide guidance for this.

Thanks in advance.

3 Likes

Thank you! Hope to hear from you guys soon.
Just to make it clear - even minor digital agencies in the EU are now saying that their products (for example a WordPress site) are fully GDPR compliant. Business clients are asking this question directly. Often they don’t even know what GDPR means, but it became a common practice. There are endless GDPR seminars and courses for businesses in the EU and it’s simply impossible to convince many people to use Webflow hosting over WordPress if they are not 1000% sure it’s safe and GDPR compliant. I would also add that many people opt for WordPress because they can host their data in the EU and not in the US. I guess giving us this option would simply make it 10 times more appealing for European clients (especially from Germany).

3 Likes

Any updates on your side?

3 Likes

One more question about server logs. Here is an article about the issue: EU GDPR and personal data in web server logs | Ctrl blog
That’s something affecting all people hosting with Webflow. Can we disable server-logs entirely or take steps to reduce how long they’re retained and what data they store?
I hope to get your answer about CDNs soon guys.

3 Likes

Any updates on the GDPR issues discussed here?

3 Likes

I saw this thread in my forum summary and just wanted to give this a bump. I think it’s a pressing issue and it needs more transparency.
I already use Webflow with some clients, but I can’t even suggest it to others, because some companies/organisations take this extremely seriously.

4 Likes

I’ve been waiting for the answer for a month now. No reaction from the webflow team.

1 Like

I have the same problem. I would like to use webflow as a tool for my work and sell the hosting and the webshop to my customers. Without legal basis (DSGVO) for the EU this is unfortunately not possible at the moment.

This makes webflow unfortunately a pure prototyping tool and not a tool which one can use also for the production. :pensive:

What surprises me very much is the fact that here from webflow no reaction comes at all. After all, they want to play on the professional market. Especially with regard to the new ecommerce module. But if every webshop, which has been implemented with webflow in the EU is not legally secure, webflow will forego huge revenues.

5 Likes

I am facing the same situation…

Hi @cyberdave,

Do you already have any update for us?

Many thanks in advance!

PS: I’m also dealing with clients in Europe. And in Germany, this is a very sensitive topic. It took me some time to convince my company in EU/Germany to use Webflow. But now I’m in trouble because I cannot prove to them that Webflow is 100% GDPR compliant. It would be a shame not to be able to use the CMS and e-commerce features.

I do trust Webflow will invest and support its European clients. The question is when and how? We need a dedicated article/post from Webflow to share it with our clients/companies.

7 Likes

Any updates on this issue yet?

Any update on this? I’d love to become a Webflow customer, and it would be very helpful to have a bit more guidance on how to use Webflow while considering GDPR compliance.

A guide or something would make it a lot easier to sell this solution to my boss.

1 Like

Hey cyberdave :grinning:
Regarding your answer from October 18, has this been discussed at Webflow?
I’d like to keep requests from my site to a minimum if possible. I also work for some law agencies. Webflow provides good resources for customers in the EU, there’s no problem with hosting in general when it comes to GDPR and the like.

There are exceptions of course — external assets like jquery were not a deal-breaker for now, but it’s been mentioned a couple of times and I don’t have a good answer for this matter.
I’m not an expert on licensing protected assets for commercial use, but jquery is licensed under MIT/Expat, so in theory Webflow could host it itself?
There’s one more thought on my mind: request HTTP headers transmit the complete URL of the page that made the request instead of the domain only. As an example, the jquery file on AWS3 also gets passed the user agent, which quickly turns the situation complex. Could Webflow set the policy for requests to no-referrer?

2 Likes
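
An added example, not part of the post above and not Webflow code: a small Node.js audit that lists the third-party hosts a page's markup contacts and the `Referer` value each request would carry under the referrer policy in effect. The page URL, the markup and the CDN host names are constructed, and the fallback policy is assumed to be `strict-origin-when-cross-origin`, the default in current major browsers.

```javascript
// Added example. PAGE_URL and SAMPLE_HTML are constructed sample values, not a real site.
const PAGE_URL = "https://www.example-agency.test/clients/case-study?ref=newsletter";
const SAMPLE_HTML = `
<head>
<meta name="referrer" content="no-referrer-when-downgrade">
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example-jquery.test/jquery.min.js"></script>
<script src="https://fonts.example-cdn.test/loader.js" referrerpolicy="no-referrer"></script>
<img src="http://img.example-cdn.test/logo.png">
</head>`;

// Referer value a browser attaches to a cross-origin subresource request.
function refererFor(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  const full = page.origin + page.pathname + page.search; // no fragment, no credentials
  const origin = page.origin + "/";
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer":
    case "same-origin": return null; // callers only pass cross-origin targets
    case "origin":
    case "origin-when-cross-origin": return origin;
    case "strict-origin":
    case "strict-origin-when-cross-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "unsafe-url": return full;
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// List every third-party asset in the markup with its effective policy and Referer.
function auditThirdParty(html, pageUrl, browserDefault = "strict-origin-when-cross-origin") {
  const meta = /<meta\b[^>]*name=["']referrer["'][^>]*content=["']([^"']+)["']/i.exec(html);
  const findings = [];
  for (const [, attrs] of html.matchAll(/<(?:script|link|img)\b([^>]*)>/gi)) {
    const ref = /\b(?:src|href)=["']([^"']+)["']/i.exec(attrs);
    if (!ref) continue;
    const target = new URL(ref[1], pageUrl);
    if (target.origin === new URL(pageUrl).origin) continue; // first-party asset
    const own = /\breferrerpolicy=["']([^"']+)["']/i.exec(attrs);
    const policy = (own ? own[1] : meta ? meta[1] : browserDefault).toLowerCase();
    findings.push({ host: target.host, policy, referer: refererFor(policy, pageUrl, target.href) });
  }
  return findings;
}

console.log(auditThirdParty(SAMPLE_HTML, PAGE_URL));
```

A referrer policy only trims the `Referer` header; the visitor's IP address and `User-Agent` still reach every host in the list, so taking a host off the list means serving that asset from the site's own origin.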

I’m having the same issue with jQuery and support @RDaneelOliwav’s suggestion regarding Webflow hosting jQuery itself.
Any updates on this issue?

1 Like

I’m surprised and, honestly, disappointed to see that this thread is 2 years old and there is still no reply from the Webflow team.

It’s hard to take you seriously like this.

3 Likes