About Content Storage and GDPR Compliance

Have you ever asked yourself where your Scrivito CMS content is stored, how it is secured, how fast and reliably it is served, and how Scrivito protects your data? Read on.

Which data is stored where?

All the content stored in a Scrivito CMS is handled by Amazon Web Services (AWS), meaning that it is transferred to, stored on, and retrieved from Amazon servers. Two distinct kinds of content exist, which are treated and stored differently: textual and non-textual (binary) content.

Textual and binary CMS content

Textual content comprises everything represented as characters, first and foremost CMS object and widget instances (e.g. pages and their attributes), but, of course, also HTML markup, CSS, numbers, metadata and so on. Such content is stored using Amazon S3 (Simple Storage Service). Some structural data is stored in a highly scalable AWS database.

Content that isn’t textual is binary: images, videos, PDF files, apps and packages, but also office files like spreadsheets. Binary content is also stored using Amazon S3 but is additionally distributed worldwide through Amazon CloudFront (see below for details).

Note that the metadata of binary content (e.g. the EXIF and IPTC data of images) counts as textual content, too, and is hence stored separately from the distributed binaries themselves.

Data security and availability

To ensure that your content never gets lost due to a system failure, and that it's served reliably and fast, we store your data in Amazon’s EU (Ireland) region with its three Availability Zones. Amazon manages backups, software patching, automatic failure detection, and recovery for us – and thus for you. We use load balancers to mitigate traffic peaks, keeping your site up even during rush hours. All production servers are secured by a firewall, and all our services are isolated by VPCs (virtual private clouds).

As mentioned above, your binary content is stored separately from the textual content. Since binaries can become quite large, transferring them puts much more load on the network than with, for example, HTML files. Also, transferring binaries over long distances may significantly slow down their delivery. For these reasons, we use Amazon CloudFront, a CDN (content delivery network) that makes your binary content regionally available to visitors all around the world.

Note that all your pending, not-yet-published binaries (in your working copies) are for your eyes only and not publicly accessible.

What about the application code?

Your Scrivito-based application needs to be hosted somewhere for people to be able to visit your website. You can have your app code hosted wherever you wish. We partner with Netlify for their easy-to-use full-service hosting, automatic deployment, fast delivery through their CDN, and many other reasons to give them a try.

Where does form data go?

When implementing a form in your Scrivito-based app (be it as a widget or directly in the page layout), you are free to decide how the submitted form data should be processed and where it should be persisted. You could use an Amazon Lambda function or any suitable remote service for this.

Netlify offers form handling, too, but forms currently need to be coded as plain HTML, meaning that you cannot have them rendered using Scrivito’s React-based components unless you additionally provide the HTML version. Note that form data handled by Netlify is stored in the US.

What about logs?

As our services are used, logs are generated and stored. Some of these logs include personal data provided by the users, for example in the process of signing up or logging in. The log entries enable us to better reconstruct the course of events, should technical issues arise. Log entries are automatically deleted after four weeks at the latest.

A Scrivito-based website, when used by visitors, doesn’t involve cookies unless the website application has been developed or extended so that it does. Many third-party services such as Google Analytics, or third-party libraries, e.g. for authenticating visitors, do require cookies in order to work as intended. Should your Scrivito-based app make use of cookies, be it directly or indirectly, ensure that visitors are informed in a GDPR-compliant manner and are given access to your privacy policy. The Scrivito Example App includes an exemplary cookie consent overlay that can be activated by specifying the privacy policy page in the site settings.

In addition to the above, signing in to a Scrivito-based app as an editor involves your Scrivito dashboard, which uses cookies to persist the editor’s authentication state. Besides these third-party cookies, local cookies are used to keep track of the editing context in Scrivito’s user interface (including, for example, the active working copy).

Data protection

Scrivito is developed by Infopark AG. As a company based in Germany, Infopark AG is governed by German data protection laws (currently § 9 sentence 1 of the German Federal Data Protection Act).

On May 25, 2018, the General Data Protection Regulation (GDPR) became enforceable, according to which all personal data of EU citizens must be hosted in the EU. See https://gdpr-info.eu/ for details, or visit the homepage of EU GDPR.

The measures Infopark takes to ensure conformity with the applicable laws are detailed in the documents available on our Terms of Service page.

Order data processing

Infopark AG potentially stores and processes personal data on behalf of its customers, using third-party service providers such as Amazon Web Services (AWS). Order data processing contracts between Infopark AG and these third parties bind them to the current data protection regulations.

We encourage every customer using our services in connection with storing or processing personal data to sign an order data processing contract with us. Please contact our customer support for further information.

Data protection officer

Infopark AG has entrusted all legal data protection matters to a professional agency, coseco GmbH (info@coseco.de). Feel free to get in touch if questions arise.