
Webflow & GDPR | Hosting in EU + Privacy Statement needed


#1

Although most of the GDPR topics have been closed, the issue at hand is still very much open and, to be honest, quite threatening.

I recently learned that Webflow should store all the data in an account, or at least a copy of it, on a server located in the EU. Also needed is a (personal) statement that all the data of a particular account is the property of the Webflow user or the client of the Webflow user.

If this can be done, preferably at least a month before the 25th of May, then I and all of my clients can finally breathe again. And so, I think, can pretty much every Webflow developer and his/her clients in the EU.

Yes, I know Webflow has released info about the GDPR multiple times already, which I praise them for.

But a client of mine states that this is just ‘buying time’ - this client needs to be GDPR compliant ASAP and also needs a statement from Webflow that all the data on their sites is my client’s own property. If this cannot be given anytime soon, my client needs to move to a completely different system which can guarantee the security of personal data, in conformance with the GDPR.

Microsoft, Salesforce and Zoho CRM have all been down this road as well, and they eventually all decided it was needed to store the data in the EU and supply the users of their systems with a statement that the data is in fact stored in the EU and that it is the user’s own property. Without these two key elements, the data won’t be fully GDPR compliant.

The problem with systems that are hosted outside of the EU is the different laws and regulations; in America this is the Privacy Shield (formerly known as the Patriot Act), which would always be there and could always confiscate data, therefore not making it fully GDPR compliant and thus ‘safe’.

I hope the Webflow team can enlighten us fully on the 11th of April, but I moreover hope that Webflow will be fully compliant with the GDPR within a week or 2 after this date.

Worst-case scenario is that I, and theoretically all Webflow developers with clients in the EU, need to export all their sites and rebuild them in a completely new system/CMS and host them on a server in the EU - and all that within a little more than one month!!! If this would even be feasible time-wise, it would also include major costs to rebuild entire sites.


#2

Hi @icexuick

Are you able to join the Q+A in just over an hour?

If you register, you can also log your question, and then if you miss it, can go to the point in the Q+A where it was answered. The recent ‘what we’ve been shipping’ blog post referenced GDPR - but I agree, we could really do with some more detail on that…and quickly!


#3

Hi StuM,

I was too late, now joined the Q&A after 90 minutes.
Is there a way to still receive the questions and answers?

Kind regards,

Martijn Hoppenbrouwer
http://www.ixstudios.nl
phone 0541 - 530 532
location Oostwal 80 Oldenzaal


#4

12th of April, I thought they’d come out with something!


#5

No worries - you can re-watch on the Crowdcast link - and I think @PixelGeek said it would go on YouTube too…

@icexuick - In case you couldn’t find it - I asked the question and it got answered at 13m17

@koen - Blog post/full details April 11th - not long now :slightly_smiling_face:


#6

Vlad answered this here:


#7

Hi StuM and PixelGeek,

I’ve viewed the answer in the Q&A. It’s nice to hear that privacy is a number one priority, as Vlad said, from day one from Webflow. I’m very interested in the 2 parts of being GDPR compliant that Vlad was talking about.

I’m still a bit worried about the Privacy Shield Vlad shortly noted and ‘other’ regulations. I’ve read more about the GDPR and Privacy Shield, but mostly from within the US, out to the rest of the world. The other way around, using Webflow as a European developer (and for European companies), is different, and I think the main point/problem is the Privacy Shield and 100% ownership of all the data.

I did receive more detailed information from a GDPR expert here in the Netherlands (in the EU) and he stated the following is needed to fully comply with the GDPR:

  • Preferably an ISO 27001 certificate that complies with the international standard for Information Security. We did find that Webflow is ISO 27018 compliant, which is nice, but we would like to see this certificate including the Statement of Applicability (SoA) as files or downloads.

  • A minimal demand for European customers is a TPM statement (by an external company) which states that the services being used by European companies/users and 100% of their data within are stored (incl. backups) in the EU, without any exceptions. My expert has examples of Microsoft, Salesforce and Zoho that have done this exactly like this. So in short, all the data must be stored on a server in the EU and the TPM statement must state that all the data is 100% the property of the user/client of the Webflow website.

  • Recommended is a monthly scan report which states all the measures that were taken to keep all Webflow services as secure as possible. This is also something a web developer could arrange for a client, e.g. by having a security expert scan/test each (Webflow) site every month.

I hope to see answers on all of the above in the upcoming update on the 11th of April.

For most clients of mine, the above is (at this moment) leaps beyond what they are willing to invest. There are other options like removing web forms altogether, or using other forms, from Zoho for example.

If the above is something that is simply not feasible, then I hope you can communicate this as soon as possible. There is one, but maybe more, of my clients that need to switch to a completely different system that is top-of-the-line secure and complies 100% with the GDPR.


#8

I don’t get why other EU Webflow users are not as worried as we are and why the communication from Webflow is so poor so far. Hopefully the 11th of April will clear all things… As you said: time is running out to switch clients to another system.

https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/


#9

Hi Christoph,

The types of reactions to the GDPR are widely spread and range from “Just be kind to people and be aware and responsible when storing or sharing personal data” to “You must comply 100% and each and every (personal) data must be accounted for, no exceptions allowed - this is still only the tip of the iceberg”.

Great article you linked: This will fall in the second category and worst-case scenario(s) that might become a standard procedure and might just drop in a lot of businesses inboxes from the 25th of May and beyond.

I’ve learned that there will be a rather large “grey zone” in how to interpret the GDPR, and how to deal with all the security issues, which will probably also vary quite a lot depending on the type of company, the data and the purposes.

But in the end, it’s about preventing (every) personal-data leak, small and large.
And when you do choose to go for the minimal approach (if there is any), there might be ‘gaps’ in your security and when the sh*t hits the fan, choosing this option can get you in (big) trouble.

But I’ve also learned that in the current state of the web, it might just be pretty impossible to close every gap. Then you could say that practically the GDPR is here to support, encourage and improve the security of (global) personal data, but that this will be a process that will take far longer to reach its true goal, simply because it’s not practically possible to comply 100% just yet.

I’m also experiencing that companies are not that willing to invest time and money into the GDPR, and often reply to me with: “Ok, make it happen, make us fully GDPR compliant”. This is of course far from the truth, and also it’s not something you do one day, and the next day will just be a regular day - it’s security by design and by default with every action you take when processing personal data, every day from the 25th of May 2018 forward.

As for myself, I build custom websites as tailored-suit solutions. This means I don’t have a ‘standard system’ that I can secure; I have to check and ‘fix’ each and every one individually. Often extra functionalities have been put in place, with an API, a widget and/or a script. Now all of these need to be double-checked and re-checked structurally, preferably daily. How can a web developer do this? Website and web app costs would skyrocket!

This is once more why I find it SO important that Webflow gets this right. If the whole Webflow system is 100% GDPR compliant and the data is 100% owned by the user(s)/clients and the data gets stored in the right country, or in my case the EU, then I can offer my clients the whole package.

As for the current ‘information feed’ about Webflow & GDPR: I think they started off the right way, back in January if I’m correct, but now it’s just way too limited and vague. To be GDPR compliant there need to be statements and certificates shared, and they need to be ready as quickly as possible.

This is probably a very hard thing, as Microsoft, Salesforce and Zoho have been struggling with the GDPR as well. Personally I would also prefer putting time and effort into making Webflow better and better, but this privacy thing is important too and hopefully/maybe/probably the foundation for the upcoming 5-10 years of an overall better and more secure online experience. Though hard to imagine, I think it’s worth the trouble, and a good foundation makes room for a better future, in which I hope to be using Webflow every day!


#10

Hi Webflow team and f(ell)ow-Webflowers,

For the GDPR I’m trying to figure out which cookies are being used.
I’ve found that when embedding Vimeo videos there are 3 extra cookies used.

api.embed.ly uses the cookie em_beagle_eid, and the internet does not seem to know what this cookie is used for.
Could someone @ Webflow perhaps clarify this?

When you embed a Vimeo video these cookies are being used:

  • vimeo.com, cookie vuid: unique ID. Expires in 2 years.

  • nr-data.net, cookie JSESSIONID: used for session management. Expires after ending the browser session.

  • embed.ly, cookie _cfduid: used by the content delivery network (CDN), Cloudflare, to identify trusted web traffic. Expires in 1 year.

  • api.embed.ly, cookie em_beagle_eid: no one knows what this cookie is for, nor why it is saved for 20 years(!).

  • cdn.embed.ly, cookie em_cdn_uid: measures the number of times an embedded element from a third-party service has been used. Expires in 1 year.

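The cookies inventoried above are set the moment the third-party player loads, so one practical mitigation is to not load the embed until the visitor has agreed. The following consent-gated loader is an added example, not code from the original post or from Webflow or Vimeo; the storage key, the 180-day consent lifetime, the allowed-host list and the `data-embed-src` container attribute are all assumptions made for the example. The decision logic is kept in plain functions so it can be tested outside a browser; the DOM wiring at the bottom runs only where `document` exists.

```javascript
// Added example (not from the original post, Webflow or Vimeo): render a
// third-party embed such as a Vimeo player only after the visitor consents,
// so the third-party cookies inventoried above are not set on a plain page view.

// Hosts whose cookies have been documented in the inventory (assumption: only
// the Vimeo player is embedded on this site).
const ALLOWED_EMBED_HOSTS = new Set(['player.vimeo.com']);

// Consent is stored client-side under this key (hypothetical name) and expires
// so that a stale "yes" does not linger for years like some of the cookies above.
const CONSENT_KEY = 'third-party-embed-consent';
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // 180 days (assumed policy)

// Accept only https URLs to a documented host; anything else is refused rather
// than silently loading an undocumented third party.
function isAllowedEmbed(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false;
  }
  return url.protocol === 'https:' && ALLOWED_EMBED_HOSTS.has(url.hostname);
}

// Escape a value before placing it inside an HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build a consent record, and check whether a stored one is still within its TTL.
function makeConsentRecord(now = Date.now()) {
  return { grantedAt: now, expiresAt: now + CONSENT_TTL_MS };
}

function consentIsValid(record, now = Date.now()) {
  return Boolean(record) && typeof record.expiresAt === 'number' && record.expiresAt > now;
}

// Markup for one embed: a placeholder button without consent, the real iframe
// with it. Rendering the iframe is the moment the third party's cookies appear,
// which is why that step is gated.
function renderEmbed(urlString, hasConsent) {
  if (!isAllowedEmbed(urlString)) {
    throw new Error('refusing to embed undocumented host: ' + urlString);
  }
  const src = escapeAttr(urlString);
  if (!hasConsent) {
    return (
      '<button type="button" class="embed-consent" data-embed-src="' + src + '">' +
      'Load video (sets third-party cookies from Vimeo and embed.ly)' +
      '</button>'
    );
  }
  return (
    '<iframe src="' + src + '" allow="fullscreen" loading="lazy" ' +
    'referrerpolicy="strict-origin-when-cross-origin"></iframe>'
  );
}

// Browser wiring: read stored consent, render placeholders into every
// <div data-embed-src="https://player.vimeo.com/video/..."> container, and swap
// in the iframe when the visitor clicks. Guarded so the module also loads under Node.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  let record = null;
  try {
    record = JSON.parse(localStorage.getItem(CONSENT_KEY));
  } catch (e) {
    record = null;
  }
  const consented = consentIsValid(record);
  document.querySelectorAll('[data-embed-src]').forEach((el) => {
    el.innerHTML = renderEmbed(el.getAttribute('data-embed-src'), consented);
  });
  document.addEventListener('click', (ev) => {
    const btn = ev.target.closest('button.embed-consent');
    if (!btn) return;
    localStorage.setItem(CONSENT_KEY, JSON.stringify(makeConsentRecord()));
    btn.outerHTML = renderEmbed(btn.getAttribute('data-embed-src'), true);
  });
}
```

The host allow-list is the part worth keeping strict: each host on it should correspond to an entry in a cookie inventory like the one in the post, so that adding a new embed forces the inventory to be updated first.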

#11

Here is our official blog post about this:


#12

Hello,

The EU doesn’t have the clout to bully large multinationals. The answer is easy for smaller entities: run the numbers, and if you don’t make as much margin as you’d like due to the goofy regs, just refuse to do business with any EU citizen/company or make them pay a very substantial premium (3X-5X to start) for the added inconvenience.


#13

Has there been any update in this area?


#14

I haven’t read any. I’m waiting for it every day!


#15

Me too :confused:
Icexuick, do you have a solution for the connection to code.jquery.com? Any way to block this and self-host jQuery on our own web space? IPs actually get transferred to jquery.com.




#17

Yes, this is now pretty much as urgent as things get.


#18

Many services now offer a data processing agreement.

This agreement states what is done with the data, what it is used for, which rules apply, who has access and ownership, where the data is stored (physically), what a Webflow user should do to keep it safe and what to do when there is a data leak.

This statement also states who is responsible for possible data leaks or ‘damage’ done by data leaks.

Zapier has a pretty nice example, an agreement which you can generate yourself and also sign (digitally). This is (almost) exactly what most (European) companies are looking for concerning the GDPR. Check https://zapier.typeform.com/to/TcS4pD

Is something like this coming within 2 weeks?


#19

Hi Christoph,

At the moment I’m sorry to say I have the ‘luxury’ of (too) many clients - I can’t help you any further at the moment.

BTW, I haven’t hooked up jQuery to Webflow yet, but if I have to, I’ll make sure to let you know!


#20

This week I have started to migrate my Webflow pages to WordPress… I am no longer willing to wait for further information and rely on dripping communication from Webflow.