Legal FAQ

What is Contentful?

Contentful is a cloud-based content management platform. Our typical customer can be an online publisher using Contentful to create a smart phone app for serving sports news. Contentful helps the customer with the underlying technical infrastructure, so that:

  • Editors from your organization, partner agencies, and freelance contributors can create and edit the content in our web-based application (e.g. write articles about games, upload images, define relevant URLs)
  • Developers from your organization, partner agencies, and freelance developers can write code in a way that enables your new smart phone app - the so-called “presentation layer” - to load the content produced by your editors directly from the Contentful platform.

The structure of your content is completely flexible and can be defined by a member of your team in accordance with the requirements of your project (e.g. articles, FAQs, product information, hotel reviews, landing pages, promotional in-app material and so on). Similarly, your development team is free to integrate content into any application, device type or platform. For example, content can be loaded into a website, mobile apps, smart watches, car navigation systems, digital signage, ATMs, map overlays, chat bots, or smart TVs.

A non-technical overview of Contentful’s service is available at: www.contentful.com/why-contentful/.

What kind of content is stored in Contentful?

Contentful is a content management system, not a generic database. Your editorial team can use Contentful to create, store and manage a variety of content formats - from text and images to location data and structured item lists. As a rule, all this content is intended for the wider public and is freely accessible through your websites, mobile apps, digital kiosks, etc. The public nature of editorial content means it is not subject to confidentiality or privacy restrictions.

Since Contentful was built from the ground up to serve editorial content, that has certain legal and technical implications for the type of content you deliver through our platform. You should be fine storing typical editorial content which includes:

  • News articles (e.g. politics, sports, fashion)
  • Blog posts for your website
  • Product information (e.g. product descriptions for an e-commerce store)
  • Store locations and hours
  • Photo galleries and short videos
  • In-app notifications

We strongly discourage you from storing any sensitive, regulated, or ephemeral content on our platform, including:

  • Any user-generated content such as comments, posts, images, peer-to-peer messaging
  • Any sensitive data such as user accounts, email addresses, payment details, private keys
  • Any sensor-produced data such as GPS waypoints, temperature readings, electricity consumption, traffic and weather conditions
  • Any real-time data such as sports scores, exchange rates, trading orders, flight tracking data
  • Any personal data (also known as personally identifiable information, or PII). Because our service is intended for public information that you wish to publish, we specifically do not allow personal data that is sensitive or so called special categories of personal data (as these are defined in applicable laws), or any regulated data (which may include data such as health, medical or financial data).

How does Contentful deal with data protection regulations?

Contentful has its main offices in Berlin, Germany and San Francisco, California. We therefore follow the strict German and European data protection rules (General Data Protection Regulation, GDPR) as well as the California Consumer Privacy Act (CCPA). We apply the same strict policies and practices throughout our organization, be it Berlin or our San Francisco office or a remote worker.

First off, it’s important to understand that Contentful provides infrastructure and services for its customers to manage their content that they specifically wish to publish. As such, the content is typically non-sensitive editorial content that customers want to publish, and have the right to publish, and it doesn’t usually contain personal data.

So what kind of personal data does Contentful process?

Your content that you upload to and manage on the Contentful platform and services may contain personal data, such as images of people. We do not know because we do not monitor your content, nor do we access your content unless you ask us to, for example to provide technical customer support. Our services will process your content for you and serve the content via application programming interfaces (APIs) and Content Delivery Network (CDNs) to your web, mobile and other applications for your end users to enjoy.

Because you as the customer build your own front-end applications that integrate with our "back-end" content management infrastructure, you are in control of the user experience (including privacy and data processing) in the front-end applications. We know nothing about the end users of your applications. We merely receive request headers from the incoming content requests (API calls) to be able to deliver your content to your apps. We do not have any means to identify or track an individual end user of your applications.

If you are using the Contentful web app to manage your content, Contentful requires the user’s name, email address and web app password and logs the IP address of the web app user. These are necessary pieces of information that are required for Contentful to provide the service, authenticate users and protect the service and your content.

That’s it. We process very limited personal data, all for purposes of providing and securing the service and your content. We do not track or profile end users via our service. Nor do we monitor or access your content unless you ask us to, for example to provide technical customer support. We simply provide content infrastructure to enable you to deliver and manage content in your applications.

Where is customer content and customer personal data stored?

We use certified and secure servers provided by Amazon Web Services (AWS) and a select few Content Delivery Network (CDN) providers. Please see our security overview and backup overview to learn more.

How does Contentful secure adequate level of data protection outside of the European Union?

As between you, our customer, and Contentful we will enter into a data processing agreement to govern our processing of your personal data. If needed, this will include so called standard contractual clauses approved by the EU Commission for transfer of personal data from the EU to countries outside of the EU. If you are a Contentful customer and you require a data processing agreement, please raise a support ticket in your Contentful account under the category 'Security & Privacy'.

As between Contentful and its vendors like AWS, Contentful enters into similar data processing agreements, including the standard contractual clauses or other legally approved data transfer mechanisms to ensure adequate level of data protection to the extent personal data is transferred outside of the EU.

What are you doing to ensure compliance with data protection laws?

Although the Contentful services are intended for managing non-sensitive, public, editorial content, Contentful takes privacy and security seriously. This includes complying with the GDPR and the CCPA. Here are some highlights of our initiatives with regards to privacy and security:

  • We are continuously investing in and improving our security. For more information on our security approach please see here.
  • We are certified according to the ISO 27001 information security standard.
  • We are running training and Q&A sessions with our employees to raise awareness of privacy and security generally and GDPR specifically. All employees get a security onboarding training and commit contractually to maintaining data secrecy.
  • We conduct security reviews on our vendors to ensure they maintain appropriate level of privacy and security.
  • We make sure that we have appropriate contracts with our vendors to protect privacy and security. This includes data processing and data transfer agreements that address international data transfers, for example by including so called EU standard contractual clauses or other legally approved data transfer mechanisms.
  • When we process personal data under the GDPR for our customers we will enter into appropriate contracts with such customers and comply with requirements set out in the GDPR and such contracts. If you are a Contentful customer and you use our services to process personal data and you do not yet have an appropriate agreement in place with Contentful, please raise a support ticket in your Contentful account under the category 'Security & Privacy'.
  • If a data breach should happen we have dedicated security and engineering staff on call and defined data breach processes to act swiftly and in accordance with the GDPR and our customer contracts, including notifying our customers, authorities or affected individuals, as applicable.
  • In addition to our own legal and security experts, we have engaged external advisors to support our efforts in privacy and security, including an external Data Protection Officer.
  • We continue to monitor legal and regulatory developments, for example with respect to GDPR and CCPA implementation and best practices, and will adjust our approach accordingly.

Why would my organization want to use Contentful?

Contentful provides the ready-to-use infrastructure for powering your content-driven applications. Thanks to our service, your development team can channel its efforts to building out modules providing high business value and launching new projects quickly, instead of building, scaling and maintaining the underlying plumbing.

By focusing on developing, managing and scaling content infrastructure for thousands of customers, Contentful can ensure that your content is delivered faster, stays more secure, and is always accessible. All this, at a fraction of the cost it takes to achieve similar performance levels with an in-house team.

How does Contentful deliver its services?

Contentful is a cloud-based content infrastructure with application programming interfaces for developers and additional tooling (software development kits) for specific programming languages. Contentful develops and operates its service as a multi-tenant environment.

This means that your organization does not need to run any software (besides the presentation layer in which content is displayed) on your systems, but instead is granted access to the content stored in the Contentful cloud-based backend.

Due to its cloud-based architecture, Contentful does not ship installable proprietary software. Contentful is solely used as a cloud service, all intellectual property rights of the Contentful platform stay with Contentful. This also means that Contentful does not provide customer-specific tailored services or software or other professional services more usual in custom-built IT projects.

How reliable is Contentful?

Contentful hosts and delivers content for the world’s largest organizations during a routine day and during the high-traffic events like Black Friday or the Super Bowl. We make an effort to provide a reliable service.

Contentful has been highlighted as a top vendor by industry analysts such as Gartner and Forrester. To date, Contentful has received about $45m in funding from some of the world’s most recognized investors.

Can we pay by check, wire transfer or PayPal?

Our self-service tier is built for the highest degree of automation, which permits us to offer self-service plans at low prices.

Adding custom payment terms or payment methods would result in high running costs and make the current plan prices untenable.

For this reason, we only accept payments by credit card on the self-service tier. Get in touch with our sales team for the improved enterprise version of Contentful, where we also support purchase orders, wire transfers (ACH, SEPA) and checks.

Can we change or amend the terms of service?

Just as for payment methods, offering custom legal terms would incur a lot of additional costs making it unsustainable for us to offer self-service plans at the current price levels.

For this reason, we do not support any changes to our online terms nor signing of any additional agreements nor carrying out of custom security audits on our self-service tier.

If you require more flexibility, contact our sales team to find out about the premium enterprise version of Contentful, where we offer more room for custom agreements.