In an important step to harmonize and strengthen European data protection, the European Union will see the EU General Data Protection Regulation (GDPR) come into effect May 25, 2018. Headquartered in Berlin, Contentful is subject to the strict German and European data protection rules. It goes without saying that we are committed to complying with applicable laws, including the GDPR.
Contentful provides content management infrastructure and services for our customers to manage editorial content that they specifically wish to publish through their digital products. As such, the content is typically non-sensitive editorial content that usually doesn’t contain personal data. However, it may. Regardless of the nature of such personal data, including where it is non-sensitive and intended for publication, the GDPR will apply and we are committed to processing such data in accordance with applicable law and our customer contracts.
Here are some highlights of the initiatives we have been working on with regard to privacy and security to ensure compliance:
We are running training and Q&A sessions with our employees to raise awareness of privacy and security generally and GDPR specifically. All employees receive security onboarding training and contractually commit to maintaining data secrecy.
We conduct security reviews on our vendors to ensure they maintain an appropriate level of privacy and security. We only use certified and secure vendors such as Amazon Web Services.
We make sure that we have appropriate contracts with our vendors to protect privacy and security. This includes data processing and data transfer agreements that address international data transfers, for example by including so-called EU standard contractual clauses or other legally approved data transfer mechanisms.
When we process personal data under GDPR for our customers, we will enter into appropriate contracts with such customers and comply with requirements set out in the GDPR and such contracts.
If you are a Contentful customer and you require a data processing agreement, please raise a support ticket using your Contentful account under the category 'Security & Privacy'.
If a data breach should happen, we have dedicated security and engineering staff on call and defined data breach and disaster recovery processes to act swiftly and in accordance with the GDPR and our customer contracts, including notifying our customers, authorities and affected individuals, as applicable.
In addition to our own legal and security experts, we have engaged external advisors to support our efforts in privacy and security, including a Data Protection Officer.
Contentful takes these and various other measures to ensure we provide compliant services to our customers. We continue to monitor legal and regulatory developments, for example with respect to GDPR implementation and best practices, and will adjust our approach accordingly.
If you have any questions about Contentful’s privacy and security practices, do not hesitate to contact your customer success manager or submit a support ticket.