Liferay Trust Center / Data Protection

This question is too broad to properly answer this. We differentiate between Liferay’s compliance with the applicable data protection laws as organization and available product features and functionalities that support customers’ efforts to assure their own organizations’ compliance efforts. To the extent Liferay processes personal data on behalf of its customers in the provision of its cloud based offerings, Liferay commits itself to assure that processing will be in accordance with the contractual commitments:

• Liferay commits itself to implementing appropriate Technical and Organizational Measures.
• Liferay commits itself to only processing Personal Data in accordance with the instructions of the customer.
• Liferay is only allowed to involve sub-processors who provide for the same level of protection and Liferay assumes an obligation to ensure that and any all data transfers to such sub-processors are in-line with the applicable data transfer requirements.
• Liferay commits itself to enable exporting or deleting the data upon expiration of the Subscription Services and supports customer's efforts to comply with any received data subject request.
• Liferay assumes an obligation to cooperate with customers on any audits required under the applicable data protection laws in order to establish a proof of compliant processing of personal data by Liferay.
• Liferay commits itself to notifying customers without undue delay of any data breaches.

Not Applicable

Liferay Analytics Cloud uses Google Cloud Platform (GCP) by Google Google Cloud EMEA Ltd. (Ireland) as its hosting provider.

For Liferay AC, Liferay PaaS and Liferay SaaS, Google Google Cloud EMEA Ltd. (Ireland) is the hosting provider. Hosting location of the data depends on the region that is chosen by the customer. The available regions in Europe are London (United Kingdom) and Frankfurt (Germany).

Liferay DXP customers purchasing Liferay Analytics Cloud as an add-on to on-prem based need to establish a Data Processing Addendum (DPA) with Liferay. To the extent the customer is located in one of the the EEA, Switzerland or UK, Central or South America, or Mexico, Liferay DPA is incorporated by reference into Appendix 1, via a reference in the Terms of Services, and will apply per default. To the extent a customer is located outside the EMEA but would require a DPA, we can incorporate it via a reference in the ordering document. You can find our Appendix 1 and DPA at https://www.liferay.com/legal .

Liferay uses external providers and Liferay Affiliates as Sub-processors. Since some of them are located outside the EEA, the use of such Sub-processors may entail remote access from a non-EU/EEA country to customer data stored within the EU/EEA for some specific reason, for example as might be required for a Sub-processor to perform maintenance or provide support to the customers.
For purposes of such transfers, Liferay implements appropriate safeguards as required under GDPR. For more information on this matter, as well as the compliance measures adopted by Liferay in case of cross-border data transfers and the countries to which we may transfer the data, please refer to: https://www.liferay.com/legal/cloud-services-data.

 

Where required by Data Protection Laws, Liferay adopts EU Standard Contractual Clauses (UE SCC). The applicable transfer mechanisms are identified at: https://www.liferay.com/legal/cloud-services-data.

Liferay uses Amazon Web Services EMEA SARL (“AWS”) for the backups of Customer data. Liferay applies BYOK encryption with the help of AWS KMS to prevent access to the personal data by AWS and its sub-processors. The keys are stored in HSMs in the AWS region corresponding to the Google Cloud Platform (GCP) region selected by the customer for its production environment.

Customer authorizes use of some Sub-processors who may access the data from third countries.

For the EMEA, Brazil & Japan customers, transfers outside EEA and EU Adequacy countries are limited to transfers to Brazil - for which Liferay obtained a legal opinion of a reputable law firm in Brazil, confirming that there is nothing in the laws in Brazil that could impede on the level of protection afforded to the personal data by the EU data protection laws.

To the extent customer decides to use analytics capabilities of our products Liferay SaaS or Liferay PaaS (deactivated per default) or Analytics Cloud as a stand-alone product, data can be accessed by Liferay, Inc (US). Liferay, Inc (US) is certified under the EU-US and Swiss-US Data Privacy Framework and therefore any transfers of personal data from the EEA to Liferay,Inc. are subject to the adequacy decision by the European Commission as of July 11, 2023. In addition, per default Analytics Cloud only collects events data associated with a system generated identifier. Otherwise, customer fully controls syncing of other identifiers and information stored in its Liferay DXP/Liferay SaaS and Liferay PaaS instances, which will, however, require a risk assessment on the customer side. Liferay, Inc has until now never received or responded to any requests for its customers' data stored in its services.

 

For Legal and subject to a NDA, for RFP purposes, audits or discussions (only provide explanation regarding google if requested): For onward data transfers incl. location of the recipient and purposes by the Sub-processor Google EMEA Ltd providing hosting services, please refer to: https://cloud.google.com/terms/subprocessors, The a pplicable transfer mechanisms, depending on the recipient, are either an adequacy decision(s) or SCC. Please also note, that none of the Sub-processors requires access to or is accessing the data on an ongoing or regular basis. Maintenance and support activities are being conducted at the lower data storage level. The data is encrypted at-rest at that layer. They may, however, be provided with access to the data by the customer within the context of maintenance or technical support if enabled by the customer (either through the admin console or e.g. via a screenshot or a data dump). Liferay does not use services called "voice transcription", "data labeling", "apigee technical support services" for purposes of its Liferay DXPC offering, which would require access to customer data. Google’s transparency report(s) are available at: https://transparencyreport.google.com/user-data/enterprise

To the extent customer decides to use analytics capabilities of our products Liferay PaaS or Liferay SaaS (deactivated per default) or Analytics Cloud as a stand-alone product, data can be accessed by Liferay, Inc (US). Liferay, Inc. may fall under the scope of FISA 702 while it does not voluntarily cooperate with the authorities under the EO 12.333. However, since the entering into force of the EO 14.086 and designation of the EEA countries as a ""qualifying states"", European Commission (according to its adequacy decision for the US as of July 11, 2023) considers that there is nothing in the surveillance laws and practices in the US which could impede on the protections afforded to the data subjects under the European data protection laws. Liferay, Inc is certified under the EU-US and EU-Swiss Data Privacy Framework. In addition, per default AC only collects events data associated with a system generated identifier. Otherwise, customer fully controls syncing of other identifiers and information stored in its Liferay SaaS instances, which will, however, require a risk assessment on the customer side. Liferay, Inc has until now never received or responded to any requests for its customers' data stored in its services.

Liferay as a group of companies has a process in place for handling of such requests.

Any Data Requests received must be forwarded to the Privacy Office. Privacy Office will review a Data Request and, if necessary consult Legal department and/or competent external advisors and/or DPO(s), to assess: (i) the validity and enforceability of the Data Request under the applicable laws and regulations; (ii) if there are reasonable grounds to consider that the Data Request is unlawful under any laws and (iii) potential legal or contractual obligation of any Liferay Company to notify or consult the Controller, the Data Subject(s) or any competent authorities and legal permissibility of such a notification.

The Recipient Liferay Company shall provide the minimum amount of information permissible when responding to a Data Request, based on a reasonable interpretation of the Data Request and the legal assessment made by the Privacy Office. Privacy Office shall document its legal assessment and preserve the documentation for each Data Request for a minimum term of five (5) years from receipt of the Data Request.

Yes, Liferay utilizes the Sub-processors detailed in the table available at https://www.liferay.com/legal/cloud-services-data , where you can find the Legal Entity and contact details, the Location, the Function and Details of the Processing and the Data Transfer Mechanism when applicable (GDPR).
According to our DPA Liferay shall give Customer prior notice of the appointment of any new Subprocessor. If, within 10 calendar days of receipt of that notice, Customer notifies Liferay in writing of any objections (on reasonable grounds) to the proposed appointment neither Liferay nor any Liferay Affiliate shall appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Customer. Where Liferay cannot address the objections in a commercially reasonable manner within a thirty (30) days from Liferay's receipt of Customer's notice, Customer may either (i) decide to use the Services as proposed by Liferay or (ii) by written notice to Liferay with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor and receive a pro-rated refund of any prepaid Fees for unused Services as of the effective date of such termination.

No, the Technical and Organizational Measures (TOM) adopted by Liferay (https://www.liferay.com/legal/cloud-services-data) are implemented to ensure the confidentiality, integrity and availability of Personal Data submitted by Customer. The main system used for processing Personal Data is Google Cloud Platform and it is prohibited to store Personal Data on other electronic devices, such as employee workstations, BYOD and data carriers. Prior to the processing of Personal Data by a Sub-processor, each service or system provided by such Subprocessor is reviewed and approved based on a vendor assessment, the Data Processing Agreement (DPA), Technical and Organizational Measures (TOM) documents and additional supporting documents describing the respective system protections and compliance with applicable data protection laws.

Liferay has implemented Technical and Organisational Measures in-line with the industry standard, as evidenced by the ISO 27001, SOC 2, HIPAA, and CSA STAR certification obtained for Liferay DXP Cloud services, as further described at: https://www.liferay.com/legal/cloud-services-data

Our certification program includes: ISO 27001/ 27017/ 27018, SOC 2 Type 2, HIPAA, and CSA STAR Level 2. You can access our whitepaper to learn more about our Information Security Program at https://www.liferay.com/resources/product-info/Liferay+Liferay DXP+Cloud+Data+Security+and+Protection. Certificate reports can be provided upon request.

Encryption is not a general mandatory requirement under GDPR. However, use of encryption technology might be “appropriate” under certain circumstances. For example, all data in transit uses enforced SSL connections with minimum AES-256 encryption. Data stored in the Liferay Liferay PaaS Enterprise Database is encrypted at rest.

For the system infrastructure, backup routines are run every 30 minutes, all backups are replicated in different regions, encrypted at rest, and permanently retained. For Customer Data, backup routines are run by default every day and retained for 30 days. All backups are replicated in different regions and encrypted at rest.

Customers may request access to Liferay service for purposes of retrieval of customer data within 14 days upon expiration or termination of customer's subscription. Upon request, Liferay will provide customer with access to the services for these purposes for a term of 14 days following receipt of the request. Liferay will irretrievably erase customer’s data from the systems 30 days after the expiration/termination of customer’s subscription.

Liferay includes data protection tools to help companies address GDPR regulations and maintain control over how their platform manages user data. Those tools [included in Liferay DXP] allow for erasing a user’s personal data and exporting a user’s personal data in a machine-readable format upon request. For data erasure, administrators can review content that potentially contains personal information and edit or delete as needed through a simple interface. Both tools include APIs for third-party apps to implement this feature or override the default behavior for out-of-the-box apps. You can find more information in https://help.liferay.com/hc/en-us/articles/360018156151-GDPR-Tools .

Liferay Analytics Cloud retains data for a period of 13 months by default. Customers can change the retention period in the control panel of the application settings to seven months. If they need data to be retained for more than 13 months, they can get in touch with Liferay Analytics Cloud Customer Support and define a custom retention period. Furthermore, Liferay retains all data for 30 days after the expiration of a customer’s contact. Within 14 days from the end of a customer's subscription they have the option to request access to this data, which will be provided for the purposes of data retrieval for another 14 days. All data will be irretrievably removed 30 days after the expiration of a customer’s subscription. In addition, Liferay customers can request deletion of personal data at any time during the term.

Yes, the company's policies guarantee the obligation of confidentiality of employees in the performance of their duties. All employees are subject to confidentiality obligations included in their employment or contractor agreements, as applicable.

No, only to Liferay employees, contractors and authorized sub-processors on need to know basis.

Liferay conducts security and background checks for employees involved in performance of the cloud services to the extent the local applicable laws allow that.

Yes, employees are required to attend annual on-demand privacy trainings on the processing of personal data and on information security. Completion is recorded and proof is available.

For purposes of its cloud services, Liferay acts as processor processing the data on behalf of the customer acting as controller. Therefore, the customer as controller is responsible for conducting PIA /DPIA, if and as might be required under the applicable data protection laws or customer’s internal policies. However, Liferay will provide the customer with reasonable assistance, including documentation, if required.

Customer does not necessary have to conduct DPIA when using Liferay. It really depends on customer's use of Liferay services.
In accordance with Article 35 GDPR Data Protection Impact Assessments are only required where processing is likely to result in a high risk to the rights and freedoms of natural persons, including in the following situations:
1) Where customer’s use of the service would result in systematic and extensive evaluation of personal aspects relating to data subjects and would be used as a basis for decision-making with significant effects on the data subjects;
2) Where customer’s use of the service would result in a large-scale processing of certain sensitive data (such as health, generic or biometric data, data concerning ethnic origin, political opinions, religious or philosophical beliefs, etc.);
3) Where customer’s use of our service might involve large-scale systematic monitoring of public areas.
Since Liferay provides its customers with highly versatile solutions which enable use by the customer for a big number of different use cases, Liferay is clearly not in the position to conduct such assessments for the customers.
However, while the customer as controller will be primarily responsible for determining if a DPIA is required and for conducting a DPIA, Liferay will provide the customer with reasonable assistance (documentation of features provided).

Yes, Liferay has a Data Incident Response Policy in place and provides for a contractual commitment to notify customers in any event of a data breach without undue delay. The notification will be provided to the email address associated with the customer account (admin), unless customer provided Liferay with an emergency contact.

Yes, Liferay has a Data Subject Request (DSR) Policy in place when Liferay receives DSR as a Controller. However, where Liferay acts as a processor, Liferay cloud products provide features to help customer  to comply with any DSR. To the extent Liferay cloud products do not enable compliance, Liferay will support customer upon request. The customer, as a controller, will therefore be responsible for handling of the DSR. DSR should usually be directed to the customer, however, Liferay in accordance with the contractual documentation, has the obligation to notify the customer without undue delay, if Liferay receives a DSR, so that the customer can decide how to proceed.

Yes, Liferay has a Global Privacy Office: [email protected]

Yes, Liferay has DPOs appointed in those territories where it is mandatory according to applicable laws.
For your information, depending on customer's location, the relevant contacts would be:
In Brazil is Grupo Adaptalia Brasil ([email protected])
In Spain is Grupo Adaptalia Spain ([email protected])
In Ireland is ByteLaw ([email protected])
In France is ByteLaw ([email protected])
In Hungary is ByteLaw ([email protected])
In Germany is ByteLaw ([email protected])

Liferay has a Data Protection Program in place in order to ensure Liferay is processing personal data in compliance with the applicable data protection laws and ensure Liferay’s innovative technologies help Liferay customers reach their compliance goals.

Yes, it can be provided upon request.

Liferay processes personal data of customers' users of Liferay services as a controller, in order to deliver the services and to maintain contractual relationship with the customer, in accordance with the privacy notice: https://www.liferay.com/privacy-policy. Liferay only processes personal data of customers' end users' in accordance with the customers' instructions but for no other purposes, except for Liferay's use of the data in order to create anonymized aggregated statistics to the extent required for appropriate billing and in order to improve Liferay services and offerings. Liferay creates such statistics using server logs.

The following data is captured on the client side by a browser to be processed and stored inside Analytics Cloud service:

Events Data: Liferay Analytics Cloud uses client side JavaScript to track visitor interaction data taken from visitor activity with Liferay Liferay DXP, Liferay SaaS-SM or Liferay SaaS as applicable. This includes data related to Clicks, Scroll Depth, Views, Downloads, Submissions, and Page Loads. The interaction data is sent to Analytics Cloud services for reporting.

Geolocation and Technology Data: Liferay Analytics Cloud service third-party libraries to determine two kinds of data: visitors’ geolocation and the technology (type of browser, operating system) based on the captured Events Data. In order to ensure that no visitor data is exposed outside of Liferay Analytics Cloud, the library is hosted and run internally.

Personal Data: Personal Data is the information that is associated with an individual person, such as an employee, student, or donor. All data, including personal data, is encrypted via HTTPS in transmission; stored data is encrypted on the backend.
o For Unauthenticated Visitors, Liferay Analytics Cloud tracks IP addresses and browser session information.
o For Known Individuals/Authenticated Visitors, Liferay Analytics Cloud only requires an email address to be tracked as an identifier field for that visitor. All other Personal Data will be up to the Liferay Analytics Cloud customer’s own choice to sync (or not) to Analytics Cloud. For instance, if the customer doesn't wish to sync first name, address, and phone number into AC, the data mapping interface will allow the customer to remove these fields and AC will stop tracking these attributes from their data sources.

Individual Profile Information: On top of tracking analytics event data from website visitors, Liferay customers can also enrich individual profile information with information stored in Liferay Liferay DXP, Liferay SaaS-SM or Liferay SaaS as applicable, Salesforce, or through a CSV file import. This allows Liferay customers to aggregate behavior data and profile data, and help them understand their website visitors better. Any profile information imported into Analytics Cloud can be used to create multidimensional audience segments for more accurate personalization. Ultimately controlled by the customer - the service is set up to not process any sensitive data.

Liferay maintains the ROPA in accordance with Article 30 GDPR.

Audits are permitted to a certain extent and under the conditions set out in the DPA.

Liferay shall make available to the customer on request all information necessary to demonstrate compliance, including Processor’s records of Processing of Customer Personal Data conducted on behalf of the Customer, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by any Customer in relation to the Processing of the Customer Personal Data.

Customer undertaking an audit shall give Liferay reasonable notice of any audit or inspection to be conducted and shall make reasonable endeavors to avoid causing any damage, injury or disruption to Liferay’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

Liferay or a Subprocessor need not give access to its premises for the purposes of such an audit or inspection:

(i) to any individual unless he or she produces reasonable evidence of identity and authority;
(ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or
(iii) for the purposes of more than one audit or inspection in any 12-month period, with the exceptions mentioned in the DPA.

If the requested audit scope is addressed in a SOC 2 Type I or similar certification or report performed by a qualified third party auditor within the prior 12 months and Liferay, as applicable, confirms that there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report to the extent it can reasonably do so under Applicable Law.

You can find our DPA at https://www.liferay.com/legal

Liferay has a General Liability (GL) and Errors & Omissions (E&O) insurance that covers data breaches.

Evidence can be provided upon request and subject to confidentiality obligations.

It is the obligation of the customer, in its capacity as controller, to establish the purposes and legal basis . Customer agrees that for purposes of processing of Customer’s Personal Data through the cloud services Liferay acts as data processor and is appointed and authorized to process such Personal Data on behalf of Customer in accordance with Customer’s instructions and only to the extent required in order to provide the Cloud Services to Customer but for no further purposes.

Only in the ICO (UK) - Otherwise is not applicable.

Yes we do, for features in new products, offerings & processes (PIA/DPIA)

Yes it does. Liferay conducts privacy and security reviews, as well as legal reviews for the signing of appropriate contracts and DPAs. Annual security reviews are conducted by the InfoSec department.

Local storage and a cookies.