Legal FAQ – Privacy
Contentful & General Privacy Questions
Q: What is Contentful’s approach to compliance with data protection laws?
A: Contentful takes privacy seriously, and we are committed to safeguarding the personal data that we handle.
We appreciate the importance of compliance with data protection laws, rules and regulations for us, our suppliers and our customers, and we prioritize our adherence to these, including in particular the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). To that end, our approach to compliance includes, in part, the following:
We maintain a suite of internal policies and procedures relating to our processing of data that align with obligations under applicable laws and regulations. We also monitor regulatory developments and reflect changes and updates in our internal documentation.
We conduct regular training and awareness to ensure our employees understand their responsibilities regarding data privacy and protection.
We work to proactively identify and mitigate privacy risks to ensure a privacy-by-design philosophy across our business and products.
We maintain technical and organizational security measures to safeguard data. Please refer to "How is data protected and what security measures are in place?" below.
We are transparent about our data handling practices and provide clear information about how we collect, use, and store personal data in our Privacy Notice, available here.
We protect personal data and comply with legal requirements when we transfer personal data to third parties, including international transfers of personal data. Please refer to "What measures are in place to ensure that third parties protect data?" and "How does Contentful deal with compliance regarding international transfers of data?" below.
Q: How do privacy laws apply to Contentful?
A: There are a suite of privacy laws globally that apply to organizations’ collection and use of personal data. The term “personal data” generally means information that relates to an identifiable individual.
In some circumstances, Contentful is a “controller” (or equivalent term depending on the jurisdiction) of personal data. Essentially, this means that Contentful decides how and why personal data is processed in those circumstances. This would include, for example, data we process for customer relationship management or for business development purposes. It would also include personal data of users that we process for purposes such as security, troubleshooting, maintaining the service and analytics to help us understand how they use the Contentful services. Most obligations under data privacy laws apply to controllers.
In respect of content that our customers upload and manage using the Contentful services for publication purposes, as we process that data on behalf of our customers and under their instructions, we act as a “processor” (or equivalent term depending on the jurisdiction) of personal data contained in such content. The customer is the controller of that data in those circumstances.
Q: Does Contentful make available a Data Processing Addendum for customers?
A: Yes, our Data Processing Addendum (“DPA”) for customers is available here. The DPA applies to personal data that we process on behalf and under the instruction of customers, as described at "How do privacy laws apply to Contentful?" above.
Our DPA includes data processing provisions mandated by European and US state privacy laws and Standard Contractual Clauses to facilitate international transfers of personal data from customers in Europe.
Data collection and usage
Q: What kind of data might be included in customer content?
A: Contentful provides infrastructure and services for its customers to manage the content that they wish to publish. Such editorial content, given its public nature, is non-sensitive and does not usually contain personal data, though it could. Examples of typical customer content include the following:
News articles (e.g. politics, sports, fashion);
Blog posts for your website;
Product information (e.g. product descriptions for an e-commerce store);
Store locations and opening hours;
Photo galleries and short videos; and
In-app notifications.
We do not allow customers to use the Contentful services to process any special categories of personal data (as defined under GDPR) or any sensitive personal information (as defined under CCPA/CPRA, such as financial account information, payment card numbers, social security numbers, and health information, including information governed by HIPAA). These and other restrictions are set out in more detail in the Contentful Acceptable Use Policy.
Q: How long do you retain personal data?
A: For personal data in customer content, the customer is in control of that data and may use the functionality included in the Contentful services to delete or retrieve that data at any time during the term of the agreement. At the end of the agreement with the customer, Contentful will delete all customer content within a reasonable timeframe of 35 days. This timeframe takes account of backup copies of customer content stored and managed by our cloud storage provider.
For personal data that Contentful uses for its own purposes (as a controller), we generally retain such data only for as long as we need it to fulfill the purposes for which it was collected. To this end, we maintain a records retention policy which includes appropriate retention periods for each category of data that we hold. These periods take into account, among other factors, the amount, nature, and sensitivity of the personal data contained in those records.
Storage location and data transfers
Q: Where is data stored and processed?
A: We use Amazon Web Services (AWS) as our cloud provider and customer content is stored on certified and secure AWS servers located in the United States. Like most software services that involve users accessing the internet, we use a select number of Content Delivery Network (CDN) providers. CDNs briefly cache content in or near the location where the customer content is consumed in order to ensure fast delivery to the endpoint.
As a global business with offices and workers across Europe and the United States, personal data may be accessed and processed in countries other than the one where a customer is based, wherever we and our Sub-processors have operations. Details on all of our Sub-processors, including their locations, can be found on our Sub-processor Site.
Q: How does Contentful deal with compliance regarding international transfers of data?
A: For international transfers of personal data from the customer to Contentful, our DPA includes Standard Contractual Clauses (“SCCs”) to facilitate such transfers where personal data is subject to European data protection laws.
For international transfers of personal data among Contentful affiliates, Contentful has in place an intra-group data sharing agreement, which incorporates SCCs, among all Contentful entities.
For international transfers to third parties, including our Sub-processors, we transfer data only where an appropriate mechanism is in place to enable such transfers in compliance with European data protection laws. Typically, this will also be through the use of SCCs.
Security and third parties
Q: How is data protected and what security measures are in place?
A: We have implemented a comprehensive security program governed by our Information Security Management System that is in line with the ISO 27001 international standard. We systematically evaluate risks, threats and vulnerabilities to information security for our users and we maintain controls and a management process to constantly manage risk and meet security needs.
For information on our approach to security, please see Security at Contentful. For information on the specific security measures we maintain to provide the Contentful services, please see our Security Standards. For information on our ISO 27001 information security certification, please see here.
Q: What measures are in place to ensure that third parties protect data?
A: We conduct reviews of our vendors to ensure they maintain a sufficient level of privacy and security controls.
We make sure that we have appropriate contracts in place with our vendors to protect the privacy and security of the data they process on our behalf. This includes data processing and data transfer agreements that incorporate appropriate security standards, data protection obligations and international data transfer mechanisms.