S.C PRESSINFRA S.R.L. is the company owning www.presslabs.com, hereinafter referred to as PRESSLABS, registered at the Trade Office under J35/1528/2017, unique identification number RO37483630, in Timișoara, Romania, 18 Traian Vuia Street. You can reach us at our general contact address email@example.com or for privacy and data protection matters at firstname.lastname@example.org.
This document complements and is an integral part of the General Terms and Conditions (“TCC”) and Data Protection Agreement and it is specifically addressed to PRESSLABS’ CUSTOMERS. It defines to what information PRESSLABS has access to, for what purpose, and for how long it is stored. This policy defines PRESSLABS as data controllers since PRESSLABS determines the means and purpose of the personal data processing. For the processing operations where the CUSTOMER collects the data and asks PRESSLABS to serve on their behalf as data processors, please visit the Data Protection Agreement section.
For our website visitors we have a separate policy notification available here.
This document has been aligned with the requirements of the General Data Protection Regulation or “GDPR” which has become applicable as of 25 May 2018. Here you can consult the full legal text. The definitions of “Personal Data”, “Data Subject”, “Personal Data Breach”, “Process”, “Processor” and “Controller” will each have the meaning given to them in the GDPR. Romanian country specific GDPR rules will also be taken into consideration upon adoption.
On our public website, in the Specifications section we have illustrated a technical infrastructure overview to help CUSTOMERS visualize all the tools we use for providing our service. Most of our tools are necessary for technical and operational reasons, however some of them process personal data. We’ll go through them, mentioning which apps processes what type of personal data in the description below.
Before we dive in, we want to make it clear that we guide ourselves by this principle: we do not use the data collected for other purposes than the ones listed below and we keep data collection to a very minimum.
If we would need to use the collected information for a different purpose than for which it was collected, we will notify our CUSTOMERS and ask their consent before doing so.
1. What information we collect and how we use it?
1.1. Pre-contractual relationship with prospective Customers
1.1.1. What and how. By filling out the Registration Form we directly collect the necessary information for entering a pre-contractual relationship with PRESSLABS. For example, for new registrations we collect name, e-mail, username and password together with technical data submitted by the browser. We then ask for billing information such as address, legal name and some documents, as described below.
1.1.2. Purpose. We collect this information as a prerequisite for entering a contractual relationship with PRESSLABS.
1.1.3. Legal basis. We process this information based on consent.
1.1.4. Who has access. Employees have access to this data on a need to know basis. This information is also available to our subprocessors’ authorized persons and to our collaborators and contractual partners with whom we cooperate based on confidentiality obligations and data processing agreements.
1.1.5. How long. We keep the registration data for as long as the user is active. After 30 days of inactivity we delete the account together with all personal information.
1.2. Contractual information
1.2.1. What & How. When CUSTOMERS require PRESSLABS services, we ask personal information in order to identify them and to enter a contractual relationship. The information we directly collect from is: name/organization name, e-mail address, contact address, telephone and tax attribute together with technical data submitted by the browser (such as the IP address used when creating the account). Besides that we’ll ask for copies of documents to prove the fiscal residency such as a personal ID document with picture for individuals and corresponding identification documents of the company for business customers. In case this data cannot be provided, the refusal determines the failure to conclude a valid service agreement and/or the impossibility of its execution.
1.2.2. Purpose. This information is needed for entering a contractual relationship as well as for legal obligations and for demonstrating financial/contractual obligations upon request from public authorities.
1.2.3. Legal basis. We process this information based on our contractual relationship.
1.2.4. Who has access. Employees have access to this data on a need to know basis. This information is also available to our sub-processors’ authorized persons and to our collaborators and contractual partners with whom we cooperate based on confidentiality obligations and data processing agreements.
1.2.5. How long. This information is stored for the duration of the contractual relationship and 5 years afterwards.
1.3. Customer site collaborators
1.3.1. What & How. Our CUSTOMERS, as website owners, may rely on external collaborators such as web developers for working on their website(s). PRESSLABS offers a Dashboard environment to CUSTOMERS where they can assign a collaborator role (more information is available in our Docs). We have access to collaborators’ data, but we do not use the data except for customer support purposes, as described below. We collect the following personal data mentioned in the Dashboard environment: name, email, username, password as well as technical data submitted by your browser (such as the IP address used when creating the account). PRESSLABS does not decide and does not have any interference with the way personal data collection is set up on the CUSTOMER’s site. The CUSTOMER has full responsibility about how it chooses to configure personal data processing through its website and the CUSTOMER is also responsible for the collaborator’s decisions with regards to their website.
1.3.2. Purpose. The collaborator’s field is part of our Dashboard service and is necessary for proper identification and addressing, as well as means of communication for the requests done by the collaborators, such as backup requests or synchronization requests of the development environments.
1.3.3. Legal basis. We process this information based on our contractual relationship with the CUSTOMER.
1.3.4. Who has access. Employees have access to this data on a need to know basis.
1.3.5. How long. The data will remain available in the Dashboard environment until the end of the contractual relationship with the CUSTOMER or until the Collaborator account becomes inactive for at least 30 days.
1.4. Billing information
1.4.1. What & How. We directly collect payment details such as credit card number, name, address or bank account. At the same time we also collect log data for being able to issue the correct billing amount for the service we provide. The log data is pseudoanonymized, meaning that we do not store full IP addresses of these logs, but only a part of them, in order to identify if needed the country where the access was made from as well as the provider assigned to such an IP address.
1.4.2. Purpose. This information is needed for payment purposes and issuing invoices.
1.4.3. Legal basis. We have a legal obligation to collect and process this information.
1.4.4. Who has access. For processing payments we use third party apps as mentioned in our Specification page. Our dedicated employees have access to this data as well as our sub-processors’ authorised persons and contractual collaborators.
1.4.5. How long. This information is stored for 10 years according to the law.
1.5. Customer support
1.5.1. What & How. In the event of contacting the technical assistance department the CUSTOMERS or Collaborators might be asked for further information regarding their operating system, software and other technical details that can improve offering solutions for the support requests. We offer technical support to the CUSTOMER and other co-workers and developers that are specifically assigned by the CUSTOMER to have access to the website code and support inquiries. In case we are receiving support requests from other e-mail addresses, we redirect the requests to the CUSTOMER and ask for permission to carry on with the support requests.
1.5.2. Purpose. The purpose for collecting this information is to provide technical assistance as well as for improving our internal and public documentation.
1.5.3. Legal basis. We process this information based on our contractual relationship.
1.5.4. Who has access. As mentioned in our Specification page, we use specific third party tools to provide customer support. Our support team has by default secured access to the site’s wp-admin. While the support account needs to have a password, which is randomly generated from 64 characters, we don’t use a password to connect, but a secured token that is only active for a limited amount of time (2 minutes).
1.5.5. How long. For the period of offering technical support, based on the contractual relationship.
1.6. Technical management, abuse prevention, backup and IP stats
1.6.1. What & How. We collect e-mail and IP address, browser and country in different technical and statistical instances, as described below. This information is collected indirectly via specific tools mentioned in our Specification page.
1.6.2. Purpose. This information is necessary for debugging, log management and abuse prevention purposes. We also use this data for backup purposes. For example, for preventing attacks, we monitor and collect IP addresses in order to identify and stop the abuse coming from a particular IP address. We also perform statistics at IP address level for internal use only. The e-mails in discussion are in general transactional e-mails sent by the CUSTOMER’s sites for various actions and notifications, such as password reset, comment notifications, new users notifications etc. These are stored for debugging purposes, such as cases when these e-mails do not arrive at their destination.
1.6.3. Legal basis. Our basis for processing this information is a legitimate interest to be able to protect and secure our service.
1.6.4. Who has access. Our employees in the development and support team, contractors and our sub-processors with whom we cooperate on a contractual basis.
1.6.5. How long. There are different retention periods for the different tools we use. For transactional e-mails we store information for 3 days. For debugging and log management we store the information for 14 days from its communication.
1.7. E-mail communication from the Customer
1.7.1. What & How. CUSTOMER’s e-mail communication with PRESSLABS is recorded and stored.
1.7.2. Purpose. We collect this information directly from the CUSTOMER in order to process the CUSTOMER’s request, to respond to claims and to improve our products, services and websites by creating internal and public documentation, as well as adding new features in our service, based on the feedback we receive. It is possible to use the collected information in order to provide, maintain, protect and improve our services and to develop new ones.
1.7.3. Legal basis. The legal basis under which we process this information is our contractual relationship.
1.7.4. Who has access: Employees have access to this data on a need to know basis. This information is also available to our sub-processors’ authorized persons and to our collaborators and contractual partners with whom we cooperate based on confidentiality obligations and data processing agreements.
1.7.5. How long. This information is stored for the duration of the contractual relationship and 5 years after that, for quality assurance and improvement of our services.
1.8. Marketing, promotion and special offers
1.8.1. What & How. For sending regular newsletters and informing prospective and current Customers about our service we collect the following personal information: e-mail. On a case-by-base basis we also use this information to promote special offers to our customers.
1.8.2. Purpose. Our newsletter subscription is for sending notifications about our services and updates and for marketing and promotion purposes.
1.8.3. Legal basis. We process this information based on your consent.
1.8.4. Who has access. We use a third party service (MailChimp) to send out campaigns and our marketing and admin team has access to the personal data. MailChimp is a US based company registered under the Privacy Shield agreement.
1.8.5. How long. The personal data is stored in MailChimp until you request us to delete your e-mail or until unsubscription.
User traffic analysis
1.8.6. What & How. For analysing traffic and user behavior we collect age, gender, language, browser, operating system, location, network, mobile device. We use third party tools such as Google Analytics and HotJar.
1.8.7. Purpose. We use these data for marketing purposes in order to learn more about our customers’ preferences.
1.8.8. Legal basis. We process this information based on a legitimate interest to improve our service.
1.8.9. Who has access. Our marketing and admin team has access to this data and the third party tools that we use (Google Analytics).
1.8.10. How long. Age range, gender, language, browser, operating system, location, network, mobile device is stored for 14 months in Google Analytics.
2. Where is the data stored?
PRESSLABS processes the collected information on servers situated in EU and abroad, especially in the US, under the Privacy Shield agreement. It is highly possible that we process the obtained information outside the CUSTOMER’s country. We rely on sub-contractors for specific parts of our operations, however we only work with sub-processors who take GDPR compliance seriously and similar data protection laws.
A list of all our sub-processors is available here.
3. How do we secure and protect CUSTOMER information?
PRESSLABS takes the following technical and organizing measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
3.1.1 Electronic access control
The CUSTOMER determines the password for the Presslabs Dashboard environment. PRESSLABS establishes security guidelines for the Dashboard password: the password needs to contain letters, numbers and symbols and must be at least 8 characters long. The password needs to be changed on a regular basis. The CUSTOMER should not share this password with anyone else.
The access to the collected data is limited to PRESSLABS employees and to its contractors, subject to confidentiality obligations. PRESSLABS’ support team has by default secured access to the CUSTOMER’s sites’ wp-admin. While the support account needs to have a password, which is randomly generated from 64 characters, PRESSLABS doesn’t use a password to connect, but a secured token that is only active for a limited amount of time (2 minutes).
The Presslabs Dashboard account can be granted rights for several sites separately, with different levels of permissions, according with the information provided in the Docs. For example Admins have full access to all the features of a site (except billing information, which is limited to the site owners) and can add/delete Developers, while Developers cannot add or delete other Developers.
The CUSTOMER can restrict public access and require login with WordPress Admin credentials to view any of the websites from their account.
PRESSLABS offer full HTTPS enabled wp-admin with Perfect Forward Secrecy by default and without the possibility to disable it, no matter if the CUSTOMER’s public site is secured or not. This is a security measure meant to strengthen the security of the data collected by the CUSTOMER.
PRESSLABS’ employees can access the servers using an access control policy which enables/disables the access on all servers for PRESSLABS’ employees, based on their authorization permissions. The root server access is always disabled and the access is always done through SSH Keys, only by authorised PRESSLABS employees. For example PRESSLABS’ server suppliers do not have access to the servers they supply to PRESSLABS. In case of canceled or decommissioned servers, PRESSLABS undergoes the procedure of deleting the disks before the cancellation occurs.
3.1.2 Access control
All PRESSLABS computers are password protected with strong passwords (minimum 10 characters long, letters, numbers and special symbols). In case a laptop is stolen or lost, the corresponding SSH key used for connecting to the PRESSLABS infrastructure is immediately disabled in order to prevent unauthorized access to any parts of the infrastructure.
The data centers where the CUSTOMER’s personal data is stored are strictly monitored and protected, according with each supplier’s policies. More details about the suppliers and their level of security can be found on the Data Centers section of PRESSLABS’ website.
The logs stored by PRESSLABS are going through pseudonymization, meaning that only a part of the IP addresses is retained. The only exception is a set of logs with full IP addresses, which are kept for the past 14 days. The only purpose for keeping these logs is to mitigate potential attacks done by certain IP’s against PRESSLABS’ infrastructure. After 14 days these logs are automatically purged.
PRESSLABS performs updates for plugins and themes that have security vulnerabilities as soon as the vulnerabilities are disclosed, in order to avoid any possible issues.
After termination of the contract all CUSTOMER’s data will be deleted within 30 days. We do not create copies or duplicates of the data without the CUSTOMER’s knowledge, with the exception of backup copies as far as they are necessary to ensure proper data processing as well as data required for compliance with statutory storage obligations.
3.3 Availability and Resilience
All PRESSLABS’ internal administration systems are having the relevant data backed up on a daily basis. The backups are stored for 90 days. Wherever applicable, PRESSLABS is having disk mirroring on all relevant servers. All internal systems are constantly monitored using internal and external monitoring services, with alert notifications as well as automatic notification with escalation policies in place, in case of incidents.
Regarding the servers where the CUSTOMER data is stored, PRESSLABS’ backup policy is detailed in the Docs. Among the most important aspects to note:
- all CUSTOMER data has at least 3 layers of backup: disk mirroring, pairs of servers with automatic failover, off-site backup
- backups are kept for 30 days, except for the CUSTOMER code, where the entire history of code changes is kept in a versioning system based on Git
- on-demand backups (snapshots) can be requested by the CUSTOMER when needed.
All sites hosted by PRESSLABS are being automatically scanned for malware and viruses by a 3rd party provider (StatusCake). In case anything suspicious is found, PRESSLABS will notify the CUSTOMER and will try to work on a proper solution to cleanup the site. In case the infection came as a result of security flaws in PRESSLABS’ infrastructure, then the cleanup is solely PRESSLABS’ responsibility. In case the infection is a result of the CUSTOMER actions, such as weak or shared administrator passwords or compromised advertising networks, PRESSLABS cannot be held responsible for these events.
In case of DDoS attacks, depending on the capacity of PRESSLABS’ suppliers, the traffic is either filtered and dropped at the entry in the supplier’s network, or the attacked server(s)/IP(s) are null-routed and all the traffic is routed to other, clean IP’s. All front-end servers have at least 3 available IP’s at any time, in order to be able to mitigate such DDoS attacks.
4. Data breaches. How do we respond to security incidents?
A personal data breach can happen for a number of reasons, for example: inappropriate access controls allowing unauthorized/unnecessary access to data, equipment failure, human error, hacking attack, loss or theft of data or equipment on which data is stored, or through which it can be accessed.
As soon as a personal data breach is identified or suspected it is immediately reported to the Level 2 Support team.
Depending on the type and severity of the incident the Level 2 Support team will assess whether a full investigation into the breach is required. The investigation will:
- a) Establish the nature of the incident, the type and volume of data involved and the identity of the data subjects
- b) Consider the extent of a breach and the sensitivity of the data involved
- c) Perform a risk assessment
- d) Identify actions PRESSLABS needs to take to contain the breach and recover information
- e) Assess the ongoing risk and actions required to prevent a recurrence of the incident.
The General Data Protection Regulation (GDPR) requires data controllers that all relevant breaches are reported to the supervisory authority within 72 hours of becoming aware of a relevant breach. If the breach is evaluated to result in a high risk for the rights and freedoms’ of the data subject, the incident it will also be reported to the CUSTOMER without undue delay.
5. What happens with your data after we end our contract?
At the end of our contractual relationship we will delete the CUSTOMER’s personal data, as well as existing copies no later than 30 days after the contractual relationship has ended, unless the applicable European Union or Romanian law requires storage of the data.
6. What are your rights?
GDPR makes data subject’s rights much more explicit. Please find below information about individual rights.
In order to exercise your rights as a CUSTOMER, please send us your request by email at email@example.com The request will be handled by our Support and Administrative teams, based on the nature of the request. We will respond promptly or no later than 30 days.
6.1 The right to be informed and to have access to your data
This is a right for an individual to obtain confirmation whether a controller processes personal information about them and, if so, to be provided with details of that personal information and access to it.
Individuals should receive a description of the personal information being processed, for which purposes personal information is being collected and processed and the recipients or categories of recipients to whom personal information is disclosed.
The communication of individual’s personal information will be in an understandable form and without compromising the privacy of other individuals.
An individual may make a request only in respect of their own personal information. However, an individual may give their consent, in writing, to another individual to make a request on their behalf (e.g. a lawyer acting on behalf of the individual).
A right to access may be restricted where providing access would be impossible or involve disproportionate effort.
PRESSLABS may also deny or limit access to personal information to the extent that granting full access would reveal confidential commercial information (e.g. where the information is subject to contractual obligations of confidence or is being processed as part of an ongoing audit, investigation or enforcement activities).
6.2. The right of rectification.
Individuals have the right to correct data if it is inaccurate or incomplete.
6.3. The right of erasure (“the right to be forgotten”).
Individuals can request the data controller to erase personal information about them in case the data collection was unlawful or on other legal grounds.
6.4. The right to object.
Individuals have the right to object to the processing of their data.
6.5. The rights to restriction.
This is a right for an individual to require a data controller to restrict processing of personal information about them in order to limit future processing operations.
6.6. The right not to be subject to automated decision making processes
You have the right not to be subject to a decision based on automated processing that results in a legal effect.
6.7. The right to data portability.
You have the right to receive your personal information in a structured, commonly used and machine readable format and to transmit that information to another controller, if certain grounds apply.
Individuals have the right to complain to the National Data Protection Authority and to address a court.
Where the processing operations are based on consent, you have the right to withdraw your consent at any time. Withdrawing your consent will only have effect in the future, the processing operations prior to withdrawal of consent will remain valid.
7. How we cooperate with public authorities?
PRESSLABS discloses personal information only in response to a subpoena, court order or other governmental request. If a governmental body sends PRESSLABS a demand for Customer’s data, PRESSLABS will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, PRESSLABS may provide Customer’s basic contact information to the government body. If compelled to disclose Customer’s data to a government body, then PRESSLABS will give the Customer reasonable notice of the demand, unless PRESSLABS is legally prohibited from doing so.
8. Privacy by design and by default
Privacy by design is an approach we take into consideration for building and delivering our services. The privacy by design principle is about promoting privacy and anticipating, managing and preventing privacy risks.
PRESSLABS is focusing on privacy by design and by default principles as essential tools for minimizing privacy risks and building trust.
10. Legal framework
The policy is drawn on the provision of the General Data Protection Regulation (GDPR) and it is applicable as of 25 May 2018. Romanian Law 677/2001 on the protection of individuals regarding the processing of personal data and free movement of such data has been replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR).