About Content Storage and GDPR Compliance

Content Storage

This section answers questions related to content storage, for example: Where is our Scrivito CMS content stored? How is it secured? How fast and reliably is it served? How does Scrivito protect our data?

All the content stored in a Scrivito CMS is handled by Amazon Web Services (AWS), meaning that it is transferred to, stored on, and retrieved from Amazon servers. Two distinct kinds of content exist, which are treated and stored differently: textual and non-textual (binary) content.

Textual and binary CMS content

Textual content comprises everything represented as characters, first and foremost CMS object and widget instances (e.g. pages and their attributes), but, of course, also HTML markup, CSS, numbers, metadata and so on. Such content is stored using Amazon S3 (Simple Storage Service). Some structural data is stored in a highly scalable AWS database.

Content that isn’t textual is binary: images, videos, PDF files, apps and packages, but also office files like spreadsheets. Binary content is also stored using Amazon S3 but is additionally distributed worldwide through Amazon CloudFront (see below for details).

Note that the metadata of binary content (e.g. the EXIF and IPTC data of images) counts as textual content, too, and is hence stored separately from the distributed binaries themselves.

Data security and availability

To ensure that your content never gets lost due to a system failure, and that it’s served reliably and fast, we store your data in Amazon’s EU (Ireland) region with its three Availability Zones. Amazon manages backups, software patching, automatic failure detection, and recovery for us – and thus for you. We use load balancers to mitigate traffic peaks, keeping your site up even during rush hours. All production servers are secured by a firewall, and all our services are isolated by VPCs (virtual private clouds).

As mentioned above, your binary content is stored separately from the textual content. Since binaries can become quite large, transferring them puts much more load on the network than with, for example, HTML files. Also, transferring binaries over long distances may significantly slow down their delivery. For these reasons, we use Amazon CloudFront, a CDN (content delivery network) that makes your binary content regionally available to visitors all around the world.

Note that all your pending, not-yet-published binaries (in your working copies) are for your eyes only and not publicly accessible.

What about the application code?

Your Scrivito-based application needs to be hosted somewhere for people to be able to visit your website. You can have your app code hosted wherever you wish. We partner with Netlify for their easy-to-use full-service hosting, automatic deployment, fast delivery through their CDN and many more reasons for giving them a try. Nevertheless, you are free to deploy your app to wherever you prefer.

Where does form data go?

When implementing a form in your Scrivito-based app (be it as a widget or directly in the page layout), you are free to decide how the submitted form data should be processed and where it should be persisted. You could use an Amazon Lambda function or any suitable remote service for this.

Netlify offers form handling, too, but forms currently need to be coded as plain HTML, meaning that you cannot have them rendered using Scrivito’s React-based components unless you additionally provide the HTML version. Note that form data handled by Netlify is stored in the US.

What about logs?

As our services are used, logs are generated and stored. Some of these logs include personal data provided by the users, for example in the process of signing up or logging in. The log entries enable us to better reconstruct the course of events, should technical issues arise. Log entries are automatically deleted after four weeks at the latest.

By default, a website based on the Scrivito Example App is GDPR compliant as it neither uses cookies nor executes scripts without the visitor’s prior consent. However, if you add libraries or services requiring cookies (e.g. for authenticating visitors), or develop your own Scrivito-based app, you need to ensure that visitors are informed in a GDPR-compliant manner and are given access to your privacy policy. The Scrivito Example App includes a sample cookie consent overlay that can be activated by specifying the privacy policy page in the site settings.

In addition to the above, signing in to a Scrivito-based app as an editor involves your Scrivito dashboard, which uses cookies to persist the editor’s authentication state. Besides these third-party cookies, local cookies are used to keep track of the editing context in Scrivito’s user interface (including, for example, the active working copy). See the details.

Data protection

Scrivito is developed by JustRelate Group GmbH. As a company based in Germany, JustRelate Group GmbH is governed by the European General Data Protection Regulation (GDPR), according to which all personal data of EU citizens must be hosted in the EU. See https://gdpr-info.eu/ for details, or visit the homepage of EU GDPR.

The measures JustRelate takes to ensure conformity with the applicable laws are detailed in the documents available on our Terms of Service page.

Order data processing

JustRelate potentially stores and processes personal data on behalf of its customers, using third-party service providers such as Amazon Web Services (AWS). Order data processing contracts between JustRelate Group GmbH and these third parties bind them to the current data protection regulations.

We encourage every customer using our services in connection with storing or processing personal data to sign an order data processing contract with us. Please contact our customer support for further information.

Our data protection officer

Stephan Hartinger, Data Protection Officer (TÜV), Specialist for Work Safety, coseco GmbH, Albertus-Magnus-Straße 2-4, 86836 Graben, Tel. +49-8232-904850, info@coseco.de