Using Webflow and GDPR Questions / Guidance


#1

Hey guys. I appreciate your effort to make Webflow 100% GDPR compliant, but there is no one single source of information on your GDPR status. I did find some very helpful answers from Vlad on this forum (How Webflow handles visitor traffic and form submissions for published websites), but the information is a bit fragmented. I would like to see something like a GDPR section on your website with all the details and answers. It would be really helpful to have all the information in one place, so that the clients could always check it. Many people in the EU still don’t know much about WF and the issue of the GDPR is a huge topic here. A GDPR guidance centre would be so helpful. Check out these examples:
https://www.dropbox.com/security/GDPR
https://www.mailjet.com/gdpr/mailjet-gdpr-compliance/
https://stripe.com/privacy-center/legal
https://www.mailgun.com/gdpr
https://support.wix.com/en/article/preparing-your-wix-site-for-the-gdpr

You have provided us with a great simple version of your Privacy policies. It would be much appreciated to have a similar page for all GDPR-related questions.

There is a lot of confusion about the topic. Let’s take DPAs for example.
I would like to know who should sign it. Do we need to sign it just with Webflow or with each sub-processor too?

Could you answer the CDN question? It is a very important question for the EU clients.

One small detail about your sub-processors list: https://webflow.com/legal/subprocessors
You are using Mailjet for transactional emails. It’s indicated that the location is the US. As far as I can see on Mailjet’s website, they are actually storing all the data in the EU: https://www.mailjet.com/support/where-is-my-personal-data-stored,29.htm

Thank you!


#2

First of all I would like to say that I am very enthusiastic about what Webflow offers its customers. Therefore I would like to sell Webflow Hosting to my clients.

Unfortunately, it seems to be legally very problematic to use the CDN of jQuery due to the GDPR in Europe.

The problem has already been described on the wishlist and was posted to the forum:

https://wishlist.webflow.com/ideas/WEBFLOW-I-1280

https://forum.webflow.com/t/how-webflow-handles-visitor-traffic-and-form-submissions-for-published-websites/59713

And I found a comment from a German lawyer confirming the problem:
https://steigerlegal.ch/2018/05/15/jquery-datenschutz-problem/

Since this issue affects all customers from Europe, I hope for an early clarification.


#7

D4NIEL, did you find a solution for this problem? Any updates?


#8

Hi @josef and @D4NIEL, my apologies for the late reply. Webflow cannot provide legal advice; however, you can see all of our sub-processors here: https://webflow.com/legal/subprocessors

By using Webflow, you accept our terms of service and privacy policies, see here: https://webflow.com/legal/terms

I would suggest contacting a professional legal resource to see if you are allowed to use our subprocessor services.

I am helping to get further info to answer your questions, thanks for your patience.


#9

Hi cyberdave,
Thank you for the answer. I don’t think it’s realistic for users to check all your sub-processors’ GDPR compliance status, especially since Webflow updates this list from time to time. I do think it’s Webflow’s obligation to make sure it is fully GDPR compliant.

Working with clients from the EU, it’s crucial to know whether Webflow is fully compliant.
The question raised by Daniel and others on the forum was not about some local restrictions; it’s actually about Webflow’s GDPR compliance.

The question was asked several times on the forum but was never answered. Here are some more examples:

Christoph_Schober: “And are there plans for the jQuery third-party request? Actually we are forced to use this third-party CDN. … this is a legal topic, not a feature request for the wishlist or a personal wish. jquery.com gets visitors’ IPs and I have no chance to prevent that. Also there is no information on the jQuery Foundation site if and how they use the data. So please don’t let the whole thing leak on this little last topic.” (How Webflow handles visitor traffic and form submissions for published websites)

Sebastian Fiedler:
“To comply with EU-GDPR, those responsible for running a website hosted on Webflow have to make sure that any third party that may come in contact with personal data (and according to the ECJ, this includes IP addresses as well) has a DPA in effect with the website owner. Webflow already offers such a DPA. So do Google and Cloudflare, but jQuery.com for example does not.” (https://wishlist.webflow.com/ideas/WEBFLOW-I-1280)

How can we sell Webflow hosting to the EU clients if we can’t answer the basic question - Is it fully GDPR compliant?
It seems that since Webflow is a US-based company, the issue of the GDPR is not taken as seriously as here in Europe. But keep in mind that the GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The fines are just huge, and we can’t simply ignore such a crucial question.

Thank you for your help.


#10

Hi @Josef, thanks for your detailed feedback. I have reached out and our team is taking a look at the list of questions to provide guidance for this.

Thanks in advance.


#11

Thank you! Hope to hear from you guys soon.
Just to make it clear - even minor digital agencies in the EU are now saying that their products (for example a WordPress site) are fully GDPR compliant. Business clients are asking this question directly. Often they don’t even know what GDPR means, but it has become common practice. There are endless GDPR seminars and courses for businesses in the EU and it’s simply impossible to convince many people to use Webflow hosting over WordPress if they are not 1000% sure it’s safe and GDPR compliant. I would also add that many people opt for WordPress because they can host their data in the EU and not in the US. I guess giving us this option would simply make it 10 times more appealing for European clients (especially from Germany).


#12

Any updates on your side?


#13

One more question about server logs. Here is an article about the issue: https://www.ctrl.blog/entry/gdpr-web-server-logs
That’s something affecting all people hosting with Webflow. Can we disable server logs entirely or take steps to reduce how long they’re retained and what data they store?
I hope to get your answer about CDNs soon, guys.