Statement on Processing of Customer Data for Cloud Services

This Statement on Processing of Customer Data for Liferay Cloud Services (the “Statement”) describes how Liferay, Inc., Liferay International Limited or its respective affiliates (these entities collectively referred to as “Liferay” and individually as a “Liferay Affiliate”) make use of certain information (“Information”) provided by you, the user (“You”), to Liferay as required for Your use of certain Liferay hosted services and applications (the “Services”).

Liferay will use the Information only as set forth in this Statement, only for purposes set forth in this Statement, subject to the confidentiality and other relevant terms of your agreement with Liferay governing the provision of the applicable Services by Liferay to You, and, to the extent that Your use of the Services requires processing of any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal Data”) by Liferay, in conformance with Liferay’s Privacy Policy set forth at and, if applicable, in accordance with the Data Protection Addendum.

While Section I below applies to Liferay Cloud Services that involve processing of Information including Personal Data by Liferay on Your behalf (further below “Services Processing Personal Data”), Section II describes the Information processed by Liferay’s hosted services and applications that do not involve Personal Data (further below “Other Hosted Services”).

Liferay reserves the right to update this Statement from time to time by posting an updated version. Liferay encourages You to check this page for updates regularly, in particular, before You start using any kind of additional Liferay Cloud Services Liferay might introduce in the future. Your continued use of and access to the Cloud Services  signifies your acceptance to the updated Statement. Notwithstanding the aforesaid, Liferay will notify You of any updates of this statement separately, if and as might be required under a written agreement between You and Liferay.
I. Services Processing Personal Data
Liferay DXP Cloud Subprocessors
Liferay Group Subprocessors
  • Liferay International Limited, Dublin, Ireland
  • Liferay Latin America Ltda., Recife and São Paulo, Brazil
  • Liferay Hungary Kft., Budapest, Hungary
  • Liferay S.L.U., Madrid, Spain
Third Party Subprocessors
  • Google Cloud EMEA Ltd., Dublin, Ireland
Liferay Analytics Cloud Subprocessors
In addition to the Subprocessors listed above, for purposes of Liferay Analytics Cloud Liferay furthermore relies on the following Subprocessors:
Liferay Group Subprocessors
  • Liferay, Inc., Diamond Bar, California, and Hamilton, Ohio, U. S.
  • Liferay Japan K. K., Tokyo, Japan
Third Party Subprocessors
  • ZenDesk Inc., San Francisco, California, U. S. 
Categories and Types of Personal Data
Within the scope of Your use of the Services, You may submit Personal Data to the Services. The extent, categories and types of such Personal Data that You submit to the Services is fully controlled and determined by You and may vary depending on Your individual use of the Services.

Liferay anticipates that such Personal Data may, e. g. include, Personal Data of the following categories of data subjects:
  • Your employees, agents, advisors, contractors
  • Your prospects, customers, business partners, vendors
  • Employees, agents, advisors and contractors of Your prospects, customers, business partners and vendors
Liferay anticipates that such Personal Data may, e. g. include, the following types of Personal Data:
  • First and last name
  • Gender
  • Title
  • Position
  • Company
  • Private or professional Email
  • Phone number
  • Business or private address
  • Further contact information, such as e. G. Skype ID
  • Geo-localization data
  • Language preferences
  • IP addresses
Technical and Organisational Security Measures
Liferay is taking the following security measures to process Personal Data submitted by You to the Services, as certified by the SOC 2 and ISO 27001: 2013 compliance report available upon request, and assures that any sub-processors utilized by Liferay provide for at least the same level of protection:
  • Office Space: Access to Liferay’s  office space is physically secured through a badge management system, lockdown procedures, and access monitoring.
  • Passwords and Credentials:  Not only the systems are protected from inappropriate access by employees involved in the performance of the Service ("Team Members”), but also from unwanted access from non-Team Members. For this reason, all Team Members are obliged  to use strong and protected credentials.
  • Password Protection:  All Team Members are obliged to use a Password Management System, verified by Liferay’s  committee for security and dependability (“Security Committee”). All Services related account credentials must be stored in this Password Management System.
  • Automatic blocking is enabled on all personal machines and internal systems.
  • Multi-Factor Authentication (MFA): Wherever possible, MFA is enforced, and even mandatory, on all system accounts. If MFA is not possible, accounts must authenticate through a third-party account that provides MFA (e.g. Google, GitHub). If neither of these options are possible and only basic authentication is available (e.g. computer login), the account password must follow strict standards, including  randomly generated or unique from any other account password, at least 15 characters long (ideally, 20-30 characters),not containing any known, personal information like birthdays, cities, or family details, or containing or deriving from any common password words like ‘password’.
  • Encryption: All private and restricted data is encrypted at rest using AES-256. All data is encrypted at rest and in transit.
  • Need to Know Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks. Security Committee  revokes any unnecessary access when it does not comply with this policy.
  • User Roles: Access control privileges to systems are assigned to users via user roles wherever possible and practical. Roles are established based upon department and job function and are reviewed and updated when job or departmental functions change.
  • Review of Administrator Access When a change to an individual’s access privileges is needed, they must contact the Security Committee. Then at least one of the members of the Security Committee will review the individual's role and make system changes to grant or maintain access. The Security Committee must review all Systems and all Individuals’ Administrator Access according to the Compliance Monitoring Policy.
  • Group Credentials Whenever possible, no Administrator Access is given in the form of a group account, that is, one credential that validates multiple individuals. This way of authentication provides no way of monitoring individual access and introduces risks from shared passwords and tokens. If a system requires this type of authentication, the password or token is changed when an individual is removed from the group.
  • All direct access to servers via SSH will be connected through a Bastion Host solution to prevent brute force attacks. All SSH activity is being logged and kept forever. Only members who must have access,  may have access. All Security Policies also apply to remote access situations. All credentials must be compliant with the Access Control Policy.
  • Customers databases are segregated in their own Virtual Machines and, every Project Environment is segregated on it's own Private Network.
  • No production data is used in any development environment.
  • Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks.
  • It is the Security Committee’s responsibility to revoke any unnecessary access when it does not comply with this policy.
  • All data in transit uses enforced TLS connections with minimum AES-256 encryption.
  • All requests are signed by the request actor in the form of user access token or ID.
  • All server and database history is logged and retained forever.
  • All document creation, changes, and deletion are kept in recorded logs. These logs are retained for 6 months and protected against unauthorized tampering by secure redundancy and access controls.
  • For the system infrastructure, backup routines are run every 30 minutes, all backups are replicated in different regions, encrypted at rest, and permanently retained. For Customer Data, backup routines are run by default every day and retained for 30 days. All backups are replicated in different regions and encrypted at rest.
  • Firewall configurations provide rugged inbound/outbound rules that are tested annually by internal/external penetration testing.
  • System availability is monitored and reported according to Liferay’s System Availability Policy.
  • Disaster Recovery plan is in place, documented and tested regularly.
  • In the event where an incident requires a full disaster recovery, the entire infrastructure can be brought back online within 2 hours.
  • The screens of the computers are always locked when left unattended; Personal data is not shared informally; Personal data is not saved to personal computers.
  • All incidents are promoted immediately to the Security Committee and logged in an incident registry and graded by impact. Incidents are treated by priority and a post mortem root cause analysis is completed by the Security Committee regarding every incident.
  • All systems are built to provide adequate pseudonymisation and data protection to not risk their availability, confidentiality, or integrity.
II. Other Hosted Services
Liferay Connected Services
To the extent You use Liferay Connected Services to register servers, Liferay collects the following Information for this purpose: the server name, the Liferay DXP version number, the environment name & type, if it is currently connected and when was it last connected.

Your use of the Liferay Connected Services and Liferay’s ordinary performance of these Services do not, require You to provide, disclose or give access to Liferay to any Personal Data, and You will take all reasonable steps to avoid any unnecessary disclosure of Personal Data to Liferay.