Statement on Processing of Customer Data for Cloud Services
This Statement on Processing of Customer Data for Liferay Cloud Services (the “Statement”) describes how Liferay, Inc., Liferay International Limited or its respective affiliates (these entities collectively referred to as “Liferay” and individually as a “Liferay Affiliate”) make use of certain information (“Information”) provided by you, the user (“You”), to Liferay as required for Your use of certain Liferay hosted services and applications (the “Services”).
While Section I below applies to Liferay Cloud Services that involve processing of Information including Personal Data by Liferay on Your behalf (further below “Services Processing Personal Data”), Section II describes the Information processed by Liferay’s hosted services and applications that do not involve Personal Data (further below “Other Hosted Services”).
Liferay reserves the right to update this Statement from time to time by posting an updated version no later than thirty (30) days prior to the posted effective date of such update. Liferay encourages You to check this page for updates regularly, in particular, before You start using any kind of additional Liferay Cloud Services Liferay might introduce in the future. Your continued use and access of the Cloud Services after the posted effective date signifies Your acceptance of the updated Statement. Notwithstanding the aforesaid, Liferay will notify You of any updates of this Statement separately, if and as might be required under a written agreement between You and Liferay.
I. Services Processing Personal Data
This Section I applies to the following Services:
- Liferay DXP Cloud
- Liferay Analytics Cloud
Liferay Cloud, Inc. & Subprocessors
The Services are provided by Liferay Cloud, Inc., a Liferay Affiliate, located in the USA, who utilizes the following subprocessors:
- Amazon.com, Inc., Seattle, Washington, U.S. (“AWS”), utilizing the following subprocessors
- Dynatrace LLC, Waltham, Massachusetts, U.S., utilizing the following subprocessors
- Zendesk, Inc., San Francisco, California, U.S., utilizing the following subprocessors
Liferay Group Subprocessors
- Liferay, Inc., Diamond Bar, California, and Hamilton, Ohio, U.S.
- Liferay Latin America Ltda., Recife and São Paulo, Brazil
- Liferay GmbH, Eschborn, Germany
- Liferay S.L.U., Madrid, Spain
- Liferay Dalian Software Co., Ltd., Dalian Liaoning, China
- Liferay Japan K. K., Tokyo, Japan
- Liferay India Pvt. Ltd., Bangalore, India
- Liferay Hungary Kft., Budapest, Hungary
Please note that this is an extensive list of subprocessors who might potentially be involved in the processing of Personal Data. However, not all of them will be involved in every engagement.
If You have purchased Services from a Liferay Affiliate other than Liferay Cloud, Inc., You understand that such Liferay Affiliate is subcontracting the Services to Liferay Cloud, Inc. and therefore will not be involved in processing of any Personal Data You might submit to the Services. For clarity, any references to the security measures or certifications confirming the implemented security standards apply to Liferay Cloud, Inc. only, but not to the Liferay Affiliates selling the Services.
Categories and Types of Personal Data
Within the scope of Your use of the Services, You may submit Personal Data to the Services. The extent, categories and types of such Personal Data that You submit to the Services is fully controlled and determined by You and may vary depending on Your individual use of the Services.
Liferay anticipates that such Personal Data may include, e.g., Personal Data of the following categories of data subjects:
- Your employees, agents, advisors, contractors
- Your prospects, customers, business partners, vendors
- Employees, agents, advisors and contractors of Your prospects, customers, business partners and vendors
Liferay anticipates that such Personal Data may include, e.g., the following types of Personal Data:
- First and last name
- Private or professional email
- Phone number
- Business or private address
- Further contact information, such as, e.g., Skype ID
- Geo-localization data
- Language preferences
- IP addresses
Technical and Organisational Security Measures
The Services are hosted on the AWS cloud, a virtual computing environment provided by AWS as defined above, as per the Shared Responsibility Model. Therefore, all Physical Access Control to the AWS infrastructure is assured by AWS. AWS is compliant with the CISPE Code of Conduct, which ensures that customers' cloud infrastructure provider is using appropriate data protection standards to protect their data consistent with Europe’s current Data Protection Directive and the General Data Protection Regulation. AWS also has a long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI’s Common Cloud Computing Controls Catalogue (C5).
In addition, Liferay is taking the following security measures to process Personal Data submitted by You to the Services, as certified by the SOC 2 compliance report available upon request, and assures that any sub-processors utilized by Liferay provide for at least the same level of protection:
- Office Space: Access to Liferay’s office space is physically secured through a badge management system, lockdown procedures, and access monitoring.
- Passwords and Credentials: The systems are protected not only from inappropriate access by employees involved in the performance of the Service (“Team Members”), but also from unwanted access from non-Team Members. For this reason, all Team Members are obliged to use strong and protected credentials.
- Password Protection: All Team Members are obliged to use a Password Management System, verified by Liferay’s committee for security and dependability (“Security Committee”). All Services related account credentials must be stored in this Password Management System.
- Automatic blocking is enabled on all personal machines and internal systems.
- Multi-Factor Authentication (MFA): Wherever possible, MFA is enforced, and even mandatory, on all system accounts. If MFA is not possible, accounts must authenticate through a third-party account that provides MFA (e.g. Google, GitHub). If neither of these options is possible and only basic authentication is available (e.g. computer login), the account password must follow strict standards: it must be randomly generated or unique from any other account password, be at least 15 characters long (ideally, 20-30 characters), not contain any known personal information like birthdays, cities, or family details, and not contain or derive from any common password words like ‘password’.
- Encryption: All private and restricted data is encrypted at rest using AES-256. All data is encrypted at rest and in transit.
- Need to Know: Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks. The Security Committee revokes any unnecessary access when it does not comply with this policy.
- User Roles: Access control privileges to systems are assigned to users via user roles wherever possible and practical. Roles are established based upon department and job function and are reviewed and updated when job or departmental functions change.
- Review of Administrator Access: When a change to an individual’s access privileges is needed, they must contact the Security Committee. Then at least one of the members of the Security Committee will review the individual's role and make system changes to grant or maintain access. The Security Committee must review all Systems and all Individuals’ Administrator Access according to the Compliance Monitoring Policy.
- Group Credentials: Whenever possible, no Administrator Access is given in the form of a group account, that is, one credential that validates multiple individuals. This way of authentication provides no way of monitoring individual access and introduces risks from shared passwords and tokens. If a system requires this type of authentication, the password or token is changed when an individual is removed from the group.
- All direct access to servers via SSH is connected through a Bastion Host solution to prevent brute force attacks. All SSH activity is logged and kept forever. Only members who must have access may have access. All Security Policies also apply to remote access situations. All credentials must be compliant with the Access Control Policy.
- Customers' databases are segregated in their own Virtual Machines, and every Project Environment is segregated on its own Private Network.
- No production data is used in any development environment.
- Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks.
- It is the Security Committee’s responsibility to revoke any unnecessary access when it does not comply with this policy.
- All data in transit uses enforced SSL connections with minimum AES-256 encryption.
- All requests are signed by the request actor in the form of user access token or ID.
- All server and database history is logged and retained forever.
- All document creation, changes, and deletion are kept in recorded logs. These logs are retained for 6 months and protected against unauthorized tampering by secure redundancy and access controls.
- For the system infrastructure, backup routines are run every 30 minutes, all backups are replicated in different regions, encrypted at rest, and permanently retained. For Customer Data, backup routines are run by default every day and retained for 30 days. All backups are replicated in different regions and encrypted at rest.
- Firewall configurations provide rugged inbound/outbound rules that are tested annually by internal/external penetration testing.
- System availability is monitored and reported according to Liferay’s System Availability Policy.
- A Disaster Recovery plan is in place, documented and tested regularly.
- In the event that an incident requires a full disaster recovery, the entire infrastructure can be brought back online within 2 hours.
- The screens of the computers are always locked when left unattended; Personal Data is not shared informally; Personal Data is not saved to personal computers.
- All incidents are promoted immediately to the Security Committee, logged in an incident registry and graded by impact. Incidents are treated by priority and a post mortem root cause analysis is completed by the Security Committee regarding every incident.
- All systems are built to provide adequate pseudonymisation and data protection so as not to risk their availability, confidentiality, or integrity.
II. Other Hosted Services
Liferay Connected Services
Only in order to enable Your use and enjoyment of Liferay Connected Services, Liferay collects the following Information:
- Which patches are installed on each instance;
- Properties of Your instance (excluding any key-value pair that contains usernames or passwords);
- JVM metrics;
- Portal and portlet metrics; and
- Cache and server metrics.
Your use of the Liferay Connected Services and Liferay’s ordinary performance of these Services do not require You to provide, disclose or give Liferay access to any Personal Data, and You will take all reasonable steps to avoid any unnecessary disclosure of Personal Data to Liferay.