Liferay Trust Center/

Data Protection

Liferay understands how critical it is for our prospects and customers to find secure and compliant digital solutions for their business needs. We are committed to being not just a vendor, but a trusted partner for our customers.

Our focus is to ensure that the valuable information you entrust to us is secure and treated in accordance with the applicable data protection laws. As part of the FOSS community, we apply best practices when it comes to IP and FOSS licensing. We also believe in conducting business with integrity, ultimately fostering strong relationships with our customers and our community.

This Trust Center provides a comprehensive collection of resources designed to aid every customer’s due diligence process and demonstrate our commitment to security and compliance.

Data Protection

Data Protection

Liferay acknowledges the complexity of data protection compliance. That’s why we distinguish between our organizational adherence to data protection laws and the features and functionality embedded within our products. Our products are designed to support our customers' efforts to achieve compliance within their own operations. 
When handling personal data as part of our cloud-based offerings, Liferay pledges to process such data in line with the applicable data protection laws, a commitment enshrined in our agreements.
 

  • Strong Security Measures: Liferay is committed to adopting and maintaining robust Technical and Organizational Measures to ensure the security of personal data.
  • Purpose-Driven Data Processing: We process personal data solely as required in order to provide our services to our customers based on their directives.
  • Vetted Sub-Processors: Our agreements only allow us to engage sub-processors subject to equivalent standards of data protection and rigorous vendor due diligence, guaranteeing, where applicable, the relevant data transfer mechanisms.
  • Export & Deletion of Personal Data: Liferay facilitates the exportation or deletion of Personal Data at the end of a subscription term and aids customers in responding to data subject requests.
  • Audit Collaboration: We pledge cooperation with our customers during audits to verify compliant data processing practices.
  • Breach Communication: In the event of a data breach, Liferay ensures timely and comprehensive communication with affected customers, minimizing potential impacts.
Liferay's commitments, outlined in our agreements, reflect our proactive stance on data protection and our dedication to supporting our customers' data protection compliance efforts.

Data Protection Liferay SaaS
Data Protection Liferay PaaS
Data Protection Liferay Analytics Cloud
Data Protection Liferay Self-Hosted
Privacy Terms
Subprocessors
Technical and Organisational Measures
Data Protection Blog
Privacy Notices
Whitepaper

Data Protection Liferay SaaS

Is Liferay GDPR/LGPD compliant?

This question is too broad to properly answer this. We differentiate between Liferay’s compliance with the applicable data protection laws as organization and available product features and functionalities that support customers’ efforts to assure their own organizations’ compliance efforts. To the extent Liferay processes personal data on behalf of its customers in the provision of its cloud based offerings, Liferay commits itself to assure that processing will be in accordance with the contractual commitments:

• Liferay commits itself to implementing appropriate Technical and Organizational Measures.
• Liferay commits itself to only processing Personal Data in accordance with the instructions of the customer.
• Liferay is only allowed to involve sub-processors who provide for the same level of protection and Liferay assumes an obligation to ensure that and any all data transfers to such sub-processors are in-line with the applicable data transfer requirements.
• Liferay commits itself to enable exporting or deleting the data upon expiration of the Subscription Services and supports customer's efforts to comply with any received data subject request.
• Liferay assumes an obligation to cooperate with customers on any audits required under the applicable data protection laws in order to establish a proof of compliant processing of personal data by Liferay.
• Liferay commits itself to notifying customers without undue delay of any data breaches.
Where will the information/systems be hosted?
Liferay SaaS uses Google Cloud Platform (GCP) by Google Google Cloud EMEA Ltd. (Ireland) as its hosting provider. Liferay uses Amazon Web Services EMEA SARL (“AWS”) for the backups of Customer data.

Are the data centers located in Europe?
For Liferay SaaS, Google Google Cloud EMEA Ltd. (Ireland) is the hosting provider. Hosting location of the data depends on the region that is chosen by the customer. The available regions are identified here.

Liferay uses Amazon Web Services EMEA SARL (“AWS”) for the backups of Customer data. Liferay applies BYOK encryption with the help of AWS KMS to prevent access to the personal data by AWS and its sub-processors. The keys are stored in HSMs in the AWS region corresponding to the Google Cloud Platform (GCP) region selected by the customer for its production environment.

Do we need to sign a DPA with Liferay?
According to Section 9 of Appendix 6 where Customer is established in the the EEA, Switzerland or UK, Central or
South America, or Mexico and unless otherwise agreed between the parties in the applicable Order Form, the terms of the Data Processing Addendum available at www.liferay.com/legal as of the Order Form Effective Date (“DPA”) apply to the processing of Customer’s Personal Data by Liferay. You can find our Appendix 9 and DPA at https://www.liferay.com/legal .
If customers in other territories wish to enter into a DPA, Liferay can enable that upon request.
Will there be cross-border transfers of personal data? in which country will the data be hosted?
Liferay uses external providers and Liferay Affiliates as Sub-processors. Since some of them are located outside the EEA, the use of such Sub-processors may entail remote access from a non-EU/EEA country to customer data stored within the EU/EEA for some specific reason, for example as might be required for a Sub-processor to perform maintenance or provide support to the customers. For purposes of such transfers, Liferay implements appropriate safeguards as required under GDPR. For more information on this matter, as well as the compliance measures adopted by Liferay in case of cross-border data transfers and the countries to which we may transfer the data, please refer to: https://www.liferay.com/legal/cloud-services-data

Indicate whether the service meets the appropriate safeguards subject to Transfers:(Standard data Protection Clauses adopted by a supervisory authority and approved by the Commission , Binding corporate rules, an approved certification mechanism, an approved code of conduct, etc.)
Where required by Data Protection Laws, Liferay implements appropriate safeguards. The applicable transfer mechanisms are identified at: https://www.liferay.com/legal/cloud-services-data

Indicate whether there is any physical transfer of data, in addition to logical access by third parties.
Liferay uses Amazon Web Services EMEA SARL (“AWS”) for the backups of Customer data. Liferay applies BYOK encryption with the help of AWS KMS to prevent access to the personal data by AWS and its sub-processors. The keys are stored in HSMs in the AWS region corresponding to the Google Cloud Platform (GCP) region selected by the customer for its production environment.

Customer authorizes use of some Sub-processors who may access the data from third countries. 

For the EMEA, Brazil & Japan customers, transfers outside EEA and EU Adequacy countries are limited to transfers to Brazil - for which Liferay obtained a legal opinion of a reputable law firm in Brazil, confirming that there is nothing in the laws in Brazil that could impede on the level of protection afforded to the personal data by the EU data protection laws. 

To the extent customer decides to use analytics capabilities of our products Liferay SaaS or Liferay PaaS (deactivated per default) or Analytics Cloud as a stand-alone product, data can be accessed by Liferay, Inc (US). Liferay, Inc (US) is certified under the EU-US and Swiss-US Data Privacy Framework and therefore any transfers of personal data from the EEA to Liferay,Inc. are subject to the adequacy decision by the European Commission as of July 11, 2023. In addition, per default Analytics Cloud only collects events data associated with a system generated identifier. Otherwise, customer fully controls syncing of other identifiers and information stored in its Liferay DXP/Liferay SaaS and Liferay PaaS instances, which will, however, require a risk assessment on the customer side. Liferay, Inc has until now never received or responded to any requests for its customers' data stored in its services.
What measures and procedures does Liferay have in place regarding government access handling?
To the extent customer decides to use analytics capabilities of our products Liferay SaaS or Liferay SaaS (deactivated per default) or Analytics Cloud as a stand-alone product, data can be accessed by Liferay, Inc (US). Liferay, Inc. may fall under the scope of FISA 702 while it does not voluntarily cooperate with the authorities under the EO 12.333. However, since the entering into force of the EO 14.086 and designation of the EEA countries as a ""qualifying states"", European Commission (according to its adequacy decision for the US as of July 11, 2023) considers that there is nothing in the surveillance laws and practices in the US which could impede on the protections afforded to the data subjects under the European data protection laws. Liferay, Inc is certified under the EU-US and EU-Swiss Data Privacy Framework. In addition, per default AC only collects events data associated with a system generated identifier. Otherwise, customer fully controls syncing of other identifiers and information stored in its Liferay SaaS instances, which will, however, require a risk assessment on the customer side. Liferay, Inc has until now never received or responded to any requests for its customers' data stored in its services.

Liferay as a group of companies has a process in place for handling of such requests.
  
Any Data Requests received must be forwarded to the Privacy Office. Privacy Office will review a Data Request and, if necessary consult Legal department and/or competent external advisors and/or DPO(s), to assess:  (i) the validity and enforceability of the Data Request under the applicable laws and regulations; (ii) if there are reasonable grounds to consider that the Data Request is unlawful under any laws and (iii) potential legal or contractual obligation of any Liferay Company to notify or consult the Controller, the Data Subject(s) or any competent authorities and legal permissibility of such a notification.

The Recipient Liferay Company shall provide the minimum amount of information permissible when responding to a Data Request, based on a reasonable interpretation of the Data Request and the  legal assessment made by the Privacy Office.  Privacy Office shall  document its legal assessment and  preserve the documentation for each Data Request for a minimum term of five (5) years from receipt of the Data Request.
Are there any sub-processors for the processing of personal data?
Yes, Liferay utilizes the Sub-processors detailed in the table available at https://www.liferay.com/legal/cloud-services-data , where you can find the Legal Entity and contact details, the Location, the Function and Details of the Processing and the Data Transfer Mechanism when applicable (GDPR).
According to our DPA Liferay shall give Customer prior notice of the appointment of any new Subprocessor. If, within 10 calendar days of receipt of that notice, Customer notifies Liferay in writing of any objections (on reasonable grounds) to the proposed appointment neither Liferay nor any Liferay Affiliate shall appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Customer. Where Liferay cannot address the objections in a commercially reasonable manner within a thirty (30) days from Liferay's receipt of Customer's notice, Customer may either (i) decide to use the Services as proposed by Liferay or (ii) by written notice to Liferay with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor and receive a pro-rated refund of any prepaid Fees for unused Services as of the effective date of such termination.
Can any third party access customer data and, if so, how?
No, the Technical and Organizational Measures (TOM) adopted by Liferay (https://www.liferay.com/legal/cloud-services-data) are implemented to ensure the confidentiality, integrity and availability of Personal Data submitted by Customer. The main system used for processing Personal Data is Google Cloud Platform and it is prohibited to store Personal Data on other electronic devices, such as employee workstations, BYOD and data carriers. Liferay uses Amazon Web Services EMEA SARL (“AWS”) for the backups of Customer data. Liferay applies BYOK encryption with the help of AWS KMS to prevent access to the personal data by AWS and its sub-processors. The keys are stored in HSMs in the AWS region corresponding to the Google Cloud Platform (GCP) region selected by the customer for its production environment. Prior to the processing of Personal Data by a Sub-processor, each service or system provided by such Subprocessor is reviewed and approved based on a vendor assessment, the Data Processing Agreement (DPA), Technical and Organizational Measures (TOM) documents and additional supporting documents describing the respective system protections and compliance with applicable data protection laws.
Are Liferay's TOM "appropriate" in terms of GDPR?
Liferay has implemented Technical and Organisational Measures in-line with the industry standard, as evidenced by the ISO 27001, SOC 2, HIPAA, and CSA STAR certification obtained for Liferay Liferay DXP Cloud services, as further described at: https://www.liferay.com/legal/cloud-services-data
Any certifications with respect to GDPR, privacy, security and disaster recovery? Can you provide security certification such as ISO27001 or audit report such SOC2? If so, please send a copy of a valid document. 
Our certification program includes: ISO 27001/ 27017/ 27018, SOC 2 Type 2, HIPAA, and CSA STAR Level 2. You can access our whitepaper to learn more about our Information Security Program at https://www.liferay.com/resources/product-info/Liferay+Liferay DXP+Cloud+Data+Security+and+Protection . Certificate reports can be provided upon request.
Does Liferay use encryption to protect customers’ data?
Encryption is not a general mandatory requirement under GDPR. However, use of encryption technology might be “appropriate” under certain circumstances. For example, all data in transit uses enforced SSL connections with minimum AES-256 encryption. Data stored in the Liferay Liferay SaaS is encrypted at rest.
When does Liferay irretrievably remove all customer data from its Services?
Customers may request access to Liferay service for purposes of retrieval of customer data within 14 days upon expiration or termination of customer's subscription. Upon request, Liferay will provide customer with access to the services for these purposes for a term of 14 days following receipt of the request. Liferay will irretrievably erase customer’s data from the systems 30 days after the expiration/termination of customer’s subscription.

Describe your process for permanently deleting data.
Liferay includes data protection tools to help companies address GDPR regulations and maintain control over how their platform manages user data. You can find more information in https://www.liferay.com/capabilities/security
Does the organization ensure that personnel authorized to process the personal data have committed themselves to confidentiality?
Yes, the company's policies guarantee the obligation of confidentiality of employees in the performance of their duties. All employees are subject to confidentiality obligations included in their employment or contractor agreements, as applicable.

Does the company disclose personal data to third parties?
No, only to Liferay employees, contractors and authorized sub-processors on need to know basis.
Does Liferay conduct background checks for the employees?
Liferay conducts security and background checks for employees involved in performance of the cloud services to the extent the local applicable laws allow that.
Does the Liferay provide privacy training to its employees? Is there proof available of employee completion?
Yes, employees are required to attend annual on-demand privacy trainings on the processing of personal data and on information security. Completion is recorded and proof is available.
Does Liferay conduct Privacy Impact Assessments (PIA) or Data Protection Impact Assessments (DPIA) for the services?
For purposes of its cloud services, Liferay acts as processor processing the data on behalf of the customer acting as controller. Therefore, the customer as controller is responsible for conducting PIA /DPIA, if and as might be required under the applicable data protection laws or customer’s internal policies. However, Liferay will provide the customer with reasonable assistance, including documentation, if required.

Do customers need to conduct a DPIA for Liferay products?
Customer does not necessary have to conduct DPIA when using Liferay. It really depends on customer's use of Liferay services. 
In accordance with Article 35 GDPR Data Protection Impact Assessments are only required where processing is likely to result in a high risk to the rights and freedoms of natural persons, including in the following situations:
1) Where customer’s use of the service would result in systematic and extensive evaluation of personal aspects relating to data subjects and would be used as a basis for decision-making with significant effects on the data subjects;
2) Where customer’s use of the service would result in a large-scale processing of certain sensitive data (such as health, generic or biometric data, data concerning ethnic origin, political opinions, religious or philosophical beliefs, etc.);
3) Where customer’s use of our service might involve large-scale systematic monitoring of public areas.
Since Liferay provides its customers with highly versatile solutions  which enable use by the customer for a big number of different use cases, Liferay is clearly not in the position to conduct such assessments for the customers. 
However, while the customer as controller will be primarily responsible for determining if a DPIA is required and for conducting a DPIA, Liferay will provide the customer with reasonable assistance (documentation of features provided).
Does Liferay have a formalized process in place to handle data breaches?
Yes, Liferay has a Data Incident Response Policy in place and provides for a contractual commitment to notify customers in any event of a data breach without undue delay. The notification will be provided to the email address associated with the customer account (admin), unless customer provided Liferay with an emergency contact.
Does Liferay have a formalized process in place to handle data breaches?
Yes, Liferay has a Data Subject Request (DSR) Policy in place when Liferay receives DSR as a Controller. However, where Liferay acts as a processor, Liferay cloud products provide features to help customer  to comply with any DSR. To the extent Liferay cloud products do not enable compliance, Liferay will support customer upon request. The customer, as a controller, will therefore be responsible for handling of the DSR. DSR should usually be directed to the customer, however, Liferay in accordance with the contractual documentation, has the obligation to notify the customer without undue delay, if Liferay receives a DSR, so that the customer can decide how to proceed.
Is there a dedicated role or team responsible for managing privacy in your organization?
Yes, Liferay has a Global Privacy Office: [email protected]

Does the company have a DPO appointed and communicated to the Data Protection Authorities?
Yes, Liferay has DPOs appointed in those territories where it is mandatory according to applicable laws.
For your information, depending on customer's location, the relevant contacts would be:
In Brazil is Grupo Adaptalia Brasil ([email protected])
In Spain is Grupo Adaptalia Spain ([email protected])
In Ireland is ByteLaw ([email protected]
In France is ByteLaw ([email protected])
In Hungary is ByteLaw ([email protected]
In Germany is ByteLaw ([email protected]

Do you have a formalized data protection program?
Liferay has a Data Protection Program in place in order to ensure Liferay is processing personal data in compliance with the applicable data protection laws and ensure Liferay’s innovative technologies help Liferay customers reach their compliance goals.

Can you share your Data Protection Program Manual?
Yes, it can be provided upon request.
Does Liferay use any Customer personal data for any secondary purposes?
Liferay processes personal data of customers' users of Liferay services as a controller, in order to deliver the services and to maintain contractual relationship with the customer, in accordance with the privacy notice: https://www.liferay.com/privacy-policy. Liferay only processes personal data of customers' end users' in accordance with the customers' instructions but for no other purposes, except for Liferay's use of the data in order to create anonymized aggregated statistics to the extent required for appropriate billing and in order to improve Liferay services and offerings. Liferay creates such statistics using server logs.
Which categories of personal data would Liferay process? Is there sensitive data involved in the data processing performed by Liferay?
The scope is fully determined by the customer, typical categories mentioned at https://www.liferay.com/legal/cloud-services-data re sensitive data - it depends on the customer use case.
Do you maintain a Record of Processing Activities (ROPA)?
Liferay maintains the ROPA in accordance with Article 30 GDPR.
Can the customer conduct compliance audits?
Audits are permitted to a certain extent and under the conditions set out in the DPA.

Liferay shall make available to the customer on request all information necessary to demonstrate compliance, including Processor’s records of Processing of Customer Personal Data conducted on behalf of the Customer, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by any Customer in relation to the Processing of the Customer Personal Data.

Customer undertaking an audit shall give Liferay reasonable notice of any audit or inspection to be conducted and shall make reasonable endeavors to avoid causing any damage, injury or disruption to Liferay’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

Liferay or a Subprocessor need not give access to its premises for the purposes of such an audit or inspection:

(i) to any individual unless he or she produces reasonable evidence of identity and authority;
(ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or
(iii) for the purposes of more than one audit or inspection in any 12-month period, with the exceptions mentioned in the DPA.

If the requested audit scope is addressed in a SOC 2 Type I or similar certification or report performed by a qualified third party auditor within the prior 12 months and Liferay, as applicable, confirms that there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report to the extent it can reasonably do so under Applicable Law.

You can find our DPA at https://www.liferay.com/legal
Does the company have any liability insurance for security breaches?
Liferay has a General Liability (GL) and Errors & Omissions (E&O) insurance that covers data breaches.

Can you share your Insurance Policy?
Evidence can be provided upon request and subject to confidentiality obligations.
What are the legal basis and purposes for the processing of personal data?
It is the obligation of the customer, in its capacity as controller, to establish the purposes and legal basis . Customer agrees that for purposes of processing of Customer’s Personal Data through the cloud services Liferay acts as data processor and is appointed and authorized to process such Personal Data on behalf of Customer in accordance with Customer’s instructions and only to the extent required in order to provide the Cloud Services to Customer but for no further purposes.
Is Liferay registered with the Data Protection Authorities?
Liferay UK Ltd. is registered with the ICO (UK). Otherwise, no such requirements apply.
Does Liferay respect the Privacy by Design principle?
Yes we do, for features in new products, offerings & processes (PIA/DPIA).
Does Liferay have a vendor management policy for contracting its service providers and subprocessors?
Yes it does. Liferay conducts privacy and security reviews, as well as legal reviews for the signing of appropriate contracts and DPAs. Annual security reviews are conducted by the InfoSec department.

Data Protection Liferay PaaS

Is Liferay GDPR/LGPD compliant?

This question is too broad to properly answer this. We differentiate between Liferay’s compliance with the applicable data protection laws as organization and available product features and functionalities that support customers’ efforts to assure their own organizations’ compliance efforts. To the extent Liferay processes personal data on behalf of its customers in the provision of its cloud based offerings, Liferay commits itself to assure that processing will be in accordance with the contractual commitments:

•        Liferay commits itself to implementing appropriate Technical and Organizational Measures.
•        Liferay commits itself to only processing Personal Data in accordance with the instructions of the customer.
•        Liferay is only allowed to involve sub-processors who provide for the same level of protection and Liferay assumes an obligation to ensure that and any all data transfers to such sub-processors are in-line with the applicable data transfer requirements.
•        Liferay commits itself to enable exporting or deleting the data upon expiration of the Subscription Services and supports customer's efforts to comply with any received data subject request.
•        Liferay assumes an obligation to cooperate with customers on any audits required under the applicable data protection laws in order to establish a proof of compliant processing of personal data by Liferay.
•        Liferay commits itself to notifying customers without undue delay of any data breaches.
Where will the information/systems be hosted?
Liferay PaaS uses Google Cloud Platform (GCP) by Google Google Cloud EMEA Ltd. (Ireland) as its hosting provider.

Are the data centers located in Europe?
For Liferay AC, Liferay PaaS and Liferay SaaS, Google Google Cloud EMEA Ltd. (Ireland) is the hosting provider. Hosting location of the data depends on the region that is chosen by the customer. The available regions in Europe are London (United Kingdom) and Frankfurt (Germany).

Do we need to sign a DPA with Liferay?
According to Section 11 of Appendix 4, where Customer is established in the the EEA, Switzerland or UK, Central or
South America, or Mexico and unless otherwise agreed between the parties in the applicable Order Form, the terms of the Data Processing Addendum available at www.liferay.com/legal as of the Order Form Effective Date (“DPA”) apply to the processing of Customer’s Personal Data by Liferay. You can find our Appendix 4 and DPA at https://www.liferay.com/legal .
If customers in other territories wish to enter into a DPA, Liferay can enable that upon request.
Will there be cross-border transfers of personal data? in which country will the data be hosted?
Liferay uses external providers and Liferay Affiliates as Sub-processors. Since some of them are located outside the EEA, the use of such Sub-processors may entail remote access from a non-EU/EEA country to customer data stored within the EU/EEA for some specific reason, for example as might be required for a Sub-processor to perform maintenance or provide support to the customers. For purposes of such transfers, Liferay implements appropriate safeguards as required under GDPR. For more information on this matter, as well as the compliance measures adopted by Liferay in case of cross-border data transfers and the countries to which we may transfer the data, please refer to: https://www.liferay.com/legal/cloud-services-data

Indicate whether the service meets the appropriate safeguards subject to Transfers:(Standard data Protection Clauses adopted by a supervisory authority and approved by the Commission , Binding corporate rules, an approved certification mechanism, an approved code of conduct, etc.)
Where required by Data Protection Laws, Liferay implements appropriate safeguards. The applicable transfer mechanisms are identified at: https://www.liferay.com/legal/cloud-services-data

Indicate whether there is any physical transfer of data, in addition to logical access by third parties.
Liferay uses Amazon Web Services EMEA SARL (“AWS”) for the backups of Customer data. Liferay applies BYOK encryption with the help of AWS KMS to prevent access to the personal data by AWS and its sub-processors. The keys are stored in HSMs in the AWS region corresponding to the Google Cloud Platform (GCP) region selected by the customer for its production environment.

Customer authorizes use of some Sub-processors who may access the data from third countries. 

For the EMEA, Brazil & Japan customers, transfers outside EEA and EU Adequacy countries are limited to transfers to Brazil - for which Liferay obtained a legal opinion of a reputable law firm in Brazil, confirming that there is nothing in the laws in Brazil that could impede on the level of protection afforded to the personal data by the EU data protection laws. 

To the extent customer decides to use analytics capabilities of our products Liferay SaaS or Liferay PaaS (deactivated per default) or Analytics Cloud as a stand-alone product, data can be accessed by Liferay, Inc (US). Liferay, Inc (US) is certified under the EU-US and Swiss-US Data Privacy Framework and therefore any transfers of personal data from the EEA to Liferay,Inc. are subject to the adequacy decision by the European Commission as of July 11, 2023. In addition, per default Analytics Cloud only collects events data associated with a system generated identifier. Otherwise, customer fully controls syncing of other identifiers and information stored in its Liferay DXP/Liferay SaaS and Liferay PaaS instances, which will, however, require a risk assessment on the customer side. Liferay, Inc has until now never received or responded to any requests for its customers' data stored in its services.
What measures and procedures does Liferay have in place regarding government access handling?
To the extent customer decides to use analytics capabilities of our products Liferay SaaS or Liferay SaaS (deactivated per default) or Analytics Cloud as a stand-alone product, data can be accessed by Liferay, Inc (US). Liferay, Inc. may fall under the scope of FISA 702 while it does not voluntarily cooperate with the authorities under the EO 12.333. However, since the entering into force of the EO 14.086 and designation of the EEA countries as a ""qualifying states"", European Commission (according to its adequacy decision for the US as of July 11, 2023) considers that there is nothing in the surveillance laws and practices in the US which could impede on the protections afforded to the data subjects under the European data protection laws. Liferay, Inc is certified under the EU-US and EU-Swiss Data Privacy Framework. In addition, per default AC only collects events data associated with a system generated identifier. Otherwise, customer fully controls syncing of other identifiers and information stored in its Liferay SaaS instances, which will, however, require a risk assessment on the customer side. Liferay, Inc has until now never received or responded to any requests for its customers' data stored in its services.

Liferay as a group of companies has a process in place for handling of such requests.
  
Any Data Requests received must be forwarded to the Privacy Office. Privacy Office will review a Data Request and, if necessary consult Legal department and/or competent external advisors and/or DPO(s), to assess:  (i) the validity and enforceability of the Data Request under the applicable laws and regulations; (ii) if there are reasonable grounds to consider that the Data Request is unlawful under any laws and (iii) potential legal or contractual obligation of any Liferay Company to notify or consult the Controller, the Data Subject(s) or any competent authorities and legal permissibility of such a notification.

The Recipient Liferay Company shall provide the minimum amount of information permissible when responding to a Data Request, based on a reasonable interpretation of the Data Request and the  legal assessment made by the Privacy Office.  Privacy Office shall  document its legal assessment and  preserve the documentation for each Data Request for a minimum term of five (5) years from receipt of the Data Request.
What measures and procedures does Liferay have in place regarding government access handling?
Yes, Liferay utilizes the Sub-processors detailed in the table available at https://www.liferay.com/legal/cloud-services-data , where you can find the Legal Entity and contact details, the Location, the Function and Details of the Processing and the Data Transfer Mechanism when applicable (GDPR).                                                                                             
                                                                                                                                                                                                                                                          According to our DPA Liferay shall give Customer prior notice of the appointment of any new Subprocessor. If, within 10 calendar days of receipt of that notice, Customer notifies Liferay in writing of any objections (on reasonable grounds) to the proposed appointment neither Liferay nor any Liferay Affiliate shall appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Customer. Where Liferay cannot address the objections in a commercially reasonable manner within a thirty (30) days from Liferay's receipt of Customer's notice, Customer may either (i) decide to use the Services as proposed by Liferay or (ii) by written notice to Liferay with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor and receive a pro-rated refund of any prepaid Fees for unused Services as of the effective date of such termination.
Can any third party access customer data and, if so, how?
No, the Technical and Organizational Measures (TOM) adopted by Liferay (https://www.liferay.com/legal/cloud-services-data) are implemented to ensure the confidentiality, integrity and availability of Personal Data submitted by Customer. The main system used for processing Personal Data is Google Cloud Platform and it is prohibited to store Personal Data on other electronic devices, such as employee workstations, BYOD and data carriers. Liferay uses Amazon Web Services EMEA SARL (“AWS”) for the backups of Customer data. Liferay applies BYOK encryption with the help of AWS KMS to prevent access to the personal data by AWS and its sub-processors. The keys are stored in HSMs in the AWS region corresponding to the Google Cloud Platform (GCP) region selected by the customer for its production environment. Prior to the processing of Personal Data by a Sub-processor, each service or system provided by such Subprocessor is reviewed and approved based on a vendor assessment, the Data Processing Agreement (DPA), Technical and Organizational Measures (TOM) documents and additional supporting documents describing the respective system protections and compliance with applicable data protection laws.
Are Liferay's TOM "appropriate" in terms of GDPR?
Liferay has implemented Technical and Organisational Measures in-line with the industry standard, as evidenced by the ISO 27001, SOC 2, HIPAA, and CSA STAR certification obtained for Liferay Liferay DXP Cloud services, as further described at: https://www.liferay.com/legal/cloud-services-data
Any certifications with respect to GDPR, privacy, security and disaster recovery? Can you provide security certification such as ISO27001 or audit report such SOC2? If so, please send a copy of a valid document. 
Our certification program includes: ISO 27001/ 27017/ 27018, SOC 2 Type 2, HIPAA, and CSA STAR Level 2. You can access our whitepaper to learn more about our Information Security Program at https://www.liferay.com/resources/product-info/Liferay+Liferay DXP+Cloud+Data+Security+and+Protection . Certificate reports can be provided upon request.
Does Liferay use encryption to protect customers’ data?
Encryption is not a general mandatory requirement under GDPR. However, use of encryption technology might be “appropriate” under certain circumstances. For example, all data in transit uses enforced SSL connections with minimum AES-256 encryption. Data stored in the Liferay Liferay SaaS is encrypted at rest.
When does Liferay irretrievably remove all customer data from its Services?
Customers may request access to Liferay service for purposes of retrieval of customer data within 14 days upon expiration or termination of customer's subscription. Upon request, Liferay will provide customer with access to the services for these purposes for a term of 14 days following receipt of the request. Liferay will irretrievably erase customer’s data from the systems 30 days after the expiration/termination of customer’s subscription.

Describe your process for permanently deleting data.
Liferay  includes data protection tools to help companies address GDPR regulations and maintain control over how their platform manages user data. Those tools [included in Liferay DXP] allow for erasing a user’s personal data and exporting a user’s personal data in a machine-readable format upon request. For data erasure, administrators can review content that potentially contains personal information and edit or delete as needed through a simple interface. Both tools include APIs for third-party apps to implement this feature or override the default behavior for out-of-the-box apps. You can find more information in https://help.liferay.com/hc/en-us/articles/360018156151-GDPR-Tools .         
                                                     
Liferay Analytics Cloud retains data for a period of 13 months by default. Customers can change the retention period in the control panel of the application settings to seven months. If they need data to be retained for more than 13 months, they can get in touch with Liferay Analytics Cloud Customer Support and define a custom retention period. Furthermore, Liferay retains all data for 30 days after the expiration of a customer’s contact. Within 14 days from the end of a customer's subscription they have the option to request access to this data, which will be provided for the purposes of data retrieval for another 14 days. All data will be irretrievably removed 30 days after the expiration of a customer’s subscription. In addition, Liferay customers can request deletion of personal data at any time during the term.
Does the organization ensure that personnel authorized to process the personal data have committed themselves to confidentiality?
Yes, the company's policies guarantee the obligation of confidentiality of employees in the performance of their duties. All employees are subject to confidentiality obligations included in their employment or contractor agreements, as applicable.

Does the company disclose personal data to third parties?
No, only to Liferay employees, contractors and authorized sub-processors on need to know basis.
Does Liferay conduct background checks for the employees?
Liferay conducts security and background checks for employees involved in performance of the cloud services to the extent the local applicable laws allow that.
Does the Liferay provide privacy training to its employees? Is there proof available of employee completion?
Yes, employees are required to attend annual on-demand privacy trainings on the processing of personal data and on information security. Completion is recorded and proof is available.
Does Liferay conduct Privacy Impact Assessments (PIA) or Data Protection Impact Assessments (DPIA) for the services?
For purposes of its cloud services, Liferay acts as processor processing the data on behalf of the customer acting as controller. Therefore, the customer as controller is responsible for conducting PIA /DPIA, if and as might be required under the applicable data protection laws or customer’s internal policies. However, Liferay will provide the customer with reasonable assistance, including documentation, if required.

Do customers need to conduct a DPIA for Liferay products?
Customer does not necessary have to conduct DPIA when using Liferay. It really depends on customer's use of Liferay services. 
In accordance with Article 35 GDPR Data Protection Impact Assessments are only required where processing is likely to result in a high risk to the rights and freedoms of natural persons, including in the following situations:
1) Where customer’s use of the service would result in systematic and extensive evaluation of personal aspects relating to data subjects and would be used as a basis for decision-making with significant effects on the data subjects;
2) Where customer’s use of the service would result in a large-scale processing of certain sensitive data (such as health, generic or biometric data, data concerning ethnic origin, political opinions, religious or philosophical beliefs, etc.);
3) Where customer’s use of our service might involve large-scale systematic monitoring of public areas.
Since Liferay provides its customers with highly versatile solutions  which enable use by the customer for a big number of different use cases, Liferay is clearly not in the position to conduct such assessments for the customers. 
However, while the customer as controller will be primarily responsible for determining if a DPIA is required and for conducting a DPIA, Liferay will provide the customer with reasonable assistance (documentation of features provided).
Does Liferay have a formalized process in place to handle data breaches?
Yes, Liferay has a Data Incident Response Policy in place and provides for a contractual commitment to notify customers in any event of a data breach without undue delay. The notification will be provided to the email address associated with the customer account (admin), unless customer provided Liferay with an emergency contact.
Does Liferay have a formalized process in place to handle data breaches?
Yes, Liferay has a Data Subject Request (DSR) Policy in place when Liferay receives DSR as a Controller. However, where Liferay acts as a processor, Liferay cloud products provide features to help customer  to comply with any DSR. To the extent Liferay cloud products do not enable compliance, Liferay will support customer upon request. The customer, as a controller, will therefore be responsible for handling of the DSR. DSR should usually be directed to the customer, however, Liferay in accordance with the contractual documentation, has the obligation to notify the customer without undue delay, if Liferay receives a DSR, so that the customer can decide how to proceed.
Is there a dedicated role or team responsible for managing privacy in your organization?
Yes, Liferay has a Global Privacy Office: [email protected]

Does the company have a DPO appointed and communicated to the Data Protection Authorities?
Yes, Liferay has DPOs appointed in those territories where it is mandatory according to applicable laws.
For your information, depending on customer's location, the relevant contacts would be:
In Brazil is Grupo Adaptalia Brasil ([email protected])
In Spain is Grupo Adaptalia Spain ([email protected])
In Ireland is ByteLaw ([email protected]
In France is ByteLaw ([email protected])
In Hungary is ByteLaw ([email protected]
In Germany is ByteLaw ([email protected]

Do you have a formalized data protection program?
Liferay has a Data Protection Program in place in order to ensure Liferay is processing personal data in compliance with the applicable data protection laws and ensure Liferay’s innovative technologies help Liferay customers reach their compliance goals.

Can you share your Data Protection Program Manual?
Yes, it can be provided upon request.
Does Liferay use any Customer personal data for any secondary purposes?
Liferay processes personal data of customers' users of Liferay services as a controller, in order to deliver the services and to maintain contractual relationship with the customer, in accordance with the privacy notice: https://www.liferay.com/privacy-policy. Liferay only processes personal data of customers' end users' in accordance with the customers' instructions but for no other purposes, except for Liferay's use of the data in order to create anonymized aggregated statistics to the extent required for appropriate billing and in order to improve Liferay services and offerings. Liferay creates such statistics using server logs.
Which categories of personal data would Liferay process? Is there sensitive data involved in the data processing performed by Liferay?
The scope is fully determined by the customer, typical categories mentioned at https://www.liferay.com/legal/cloud-services-data re sensitive data - it depends on the customer use case.
Do you maintain a Record of Processing Activities (ROPA)?
Liferay maintains the ROPA in accordance with Article 30 GDPR.
Can the customer conduct compliance audits?
Audits are permitted to a certain extent and under the conditions set out in the DPA.

Liferay shall make available to the customer on request all information necessary to demonstrate compliance, including Processor’s records of Processing of Customer Personal Data conducted on behalf of the Customer, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by any Customer in relation to the Processing of the Customer Personal Data.

Customer undertaking an audit shall give Liferay reasonable notice of any audit or inspection to be conducted and shall make reasonable endeavors to avoid causing any damage, injury or disruption to Liferay’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

Liferay or a Subprocessor need not give access to its premises for the purposes of such an audit or inspection:

(i) to any individual unless he or she produces reasonable evidence of identity and authority;
(ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or
(iii) for the purposes of more than one audit or inspection in any 12-month period, with the exceptions mentioned in the DPA.

If the requested audit scope is addressed in a SOC 2 Type I or similar certification or report performed by a qualified third party auditor within the prior 12 months and Liferay, as applicable, confirms that there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report to the extent it can reasonably do so under Applicable Law.

You can find our DPA at https://www.liferay.com/legal
Does the company have any liability insurance for security breaches?
Liferay has a General Liability (GL) and Errors & Omissions (E&O) insurance that covers data breaches.

Can you share your Insurance Policy?
Evidence can be provided upon request and subject to confidentiality obligations.
What are the legal basis and purposes for the processing of personal data?
It is the obligation of the customer, in its capacity as controller, to establish the purposes and legal basis . Customer agrees that for purposes of processing of Customer’s Personal Data through the cloud services Liferay acts as data processor and is appointed and authorized to process such Personal Data on behalf of Customer in accordance with Customer’s instructions and only to the extent required in order to provide the Cloud Services to Customer but for no further purposes.
Is Liferay registered with the Data Protection Authorities?
Only in the ICO (UK) - Otherwise is not applicable.
Does Liferay respect the Privacy by Design principle?
Yes we do, for features in new products, offerings & processes (PIA/DPIA)
Does Liferay have a vendor management policy for contracting its service providers and subprocessors?
Yes it does. Liferay conducts privacy and security reviews, as well as legal reviews for the signing of appropriate contracts and DPAs. Annual security reviews are conducted by the InfoSec department.

Data Protection Liferay Self Hosted

(previously known as Liferay DXP - Self Hosted)
Is Liferay GDPR compliant?
This question is too broad to properly answer this. We differentiate between Liferay’s compliance with the applicable data protection laws as organization and available product features and functionalities that support customers’ efforts to assure their own organizations’ compliance efforts. To the extent Liferay processes personal data on behalf of its customers in the provision of its cloud based offerings, Liferay commits itself to assure that processing will be in accordance with the contractual commitments:

•        Liferay commits itself to implementing appropriate Technical and Organizational Measures.
•        Liferay commits itself to only processing Personal Data in accordance with the instructions of the customer.
•        Liferay is only allowed to involve sub-processors who provide for the same level of protection and Liferay assumes an obligation to ensure that and any all data transfers to such sub-processors are in-line with the applicable data transfer requirements.
•        Liferay commits itself to enable exporting or deleting the data upon expiration of the Subscription Services and supports customer's efforts to comply with any received data subject request.
•        Liferay assumes an obligation to cooperate with customers on any audits required under the applicable data protection laws in order to establish a proof of compliant processing of personal data by Liferay.
•        Liferay commits itself to notifying customers without undue delay of any data breaches.
Why does Liferay not access personal data in DXP products? Where has this issue been agreed? Why did we not sign a personal data processing agreement (DPA)?
Liferay does not process any Personal Data on behalf of its customers through Liferay DXP products. Liferay is offering its services around premise based software to enable usage without having to disclose personal data. Liferay aims to avoid processing personal data and minimizing the disclosure of collected personal data is the most basic effective way to protect the natural person’s interest with regard to the processing of his or her personal data. Therefore, data minimization is one of the most important, if not the core, principle of effective data protection.

For this reason we have included a written confirmation that customers’ use of Liferay services does not require providing, disclosing or giving access to personal data (aside from necessary contact data to establish a contractual relation) in Section 13.10 of our Enterprise Services Agreement (ESA).

It is not necessary to sign a DPA, as we do not process personal data on behalf of customers.

Liferay DXP customers purchasing Liferay Analytics Cloud as an add-on to on-prem based need to establish a DPA with Liferay.

Data Protection Liferay Analytics Cloud

Is Liferay GDPR compliant?

This question is too broad to properly answer this. We differentiate between Liferay’s compliance with the applicable data protection laws as organization and available product features and functionalities that support customers’ efforts to assure their own organizations’ compliance efforts. To the extent Liferay processes personal data on behalf of its customers in the provision of its cloud based offerings, Liferay commits itself to assure that processing will be in accordance with the contractual commitments:

•        Liferay commits itself to implementing appropriate Technical and Organizational Measures.
•        Liferay commits itself to only processing Personal Data in accordance with the instructions of the customer.
•        Liferay is only allowed to involve sub-processors who provide for the same level of protection and Liferay assumes an obligation to ensure that and any all data transfers to such sub-processors are in-line with the applicable data transfer requirements.
•        Liferay commits itself to enable exporting or deleting the data upon expiration of the Subscription Services and supports customer's efforts to comply with any received data subject request.
•        Liferay assumes an obligation to cooperate with customers on any audits required under the applicable data protection laws in order to establish a proof of compliant processing of personal data by Liferay.
•        Liferay commits itself to notifying customers without undue delay of any data breaches.
Where will the information/systems be hosted?
Liferay Analytics Cloud uses Google Cloud Platform (GCP) by Google Google Cloud EMEA Ltd. (Ireland) as its hosting provider.

Are the data centers located in Europe?
For Liferay AC, Liferay PaaS and Liferay SaaS, Google Google Cloud EMEA Ltd. (Ireland) is the hosting provider. Hosting location of the data depends on the region that is chosen by the customer. The available regions in Europe are London (United Kingdom) and Frankfurt (Germany).

Do we need to sign a DPA with Liferay?
Liferay DXP customers purchasing Liferay Analytics Cloud as an add-on to on-prem based need to establish a Data Processing Addendum (DPA) with Liferay. To the extent the customer is located in one of the the EEA, Switzerland or UK, Central or South America, or Mexico, Liferay DPA is incorporated by reference into Appendix 1, via a reference in the Terms of Services, and will apply per default. To the extent a customer is located outside the EMEA but would require a DPA, we can incorporate it via a reference in the ordering document. You can find our Appendix 1 and DPA at https://www.liferay.com/legal .
Will there be cross-border transfers of personal data? in which country will the data be hosted?
Liferay uses external providers and Liferay Affiliates as Sub-processors. Since some of them are located outside the EEA, the use of such Sub-processors may entail remote access from a non-EU/EEA country to customer data stored within the EU/EEA for some specific reason, for example as might be required for a Sub-processor to perform maintenance or provide support to the customers.
For purposes of such transfers, Liferay implements appropriate safeguards as required under GDPR. For more information on this matter, as well as the compliance measures adopted by Liferay in case of cross-border data transfers and the countries to which we may transfer the data, please refer to: https://www.liferay.com/legal/cloud-services-data.

Indicate whether the service meets the appropriate safeguards subject to Transfers:(Standard data Protection Clauses adopted by a supervisory authority and approved by the Commission , Binding corporate rules, an approved certification mechanism, an approved code of conduct, etc.)
Where required by Data Protection Laws, Liferay adopts EU Standard Contractual Clauses (UE SCC). The applicable transfer mechanisms are identified at: https://www.liferay.com/legal/cloud-services-data.

Indicate whether there is any physical transfer of data, in addition to logical access by third parties.
Liferay uses Amazon Web Services EMEA SARL (“AWS”) for the backups of Customer data. Liferay applies BYOK encryption with the help of AWS KMS to prevent access to the personal data by AWS and its sub-processors. The keys are stored in HSMs in the AWS region corresponding to the Google Cloud Platform (GCP) region selected by the customer for its production environment.

Customer authorizes use of some Sub-processors who may access the data from third countries. 

For the EMEA, Brazil & Japan customers, transfers outside EEA and EU Adequacy countries are limited to transfers to Brazil - for which Liferay obtained a legal opinion of a reputable law firm in Brazil, confirming that there is nothing in the laws in Brazil that could impede on the level of protection afforded to the personal data by the EU data protection laws. 

To the extent customer decides to use analytics capabilities of our products Liferay SaaS or Liferay PaaS (deactivated per default) or Analytics Cloud as a stand-alone product, data can be accessed by Liferay, Inc (US). Liferay, Inc (US) is certified under the EU-US and Swiss-US Data Privacy Framework and therefore any transfers of personal data from the EEA to Liferay,Inc. are subject to the adequacy decision by the European Commission as of July 11, 2023. In addition, per default Analytics Cloud only collects events data associated with a system generated identifier. Otherwise, customer fully controls syncing of other identifiers and information stored in its Liferay DXP/Liferay SaaS and Liferay PaaS instances, which will, however, require a risk assessment on the customer side. Liferay, Inc has until now never received or responded to any requests for its customers' data stored in its services.

For Legal and subject to a NDA, for RFP purposes, audits or discussions (only provide explanation regarding google if requested): For onward data transfers incl. location of the recipient and purposes by the Sub-processor Google EMEA Ltd providing hosting services, please refer to: https://cloud.google.com/terms/subprocessors, The a pplicable transfer mechanisms, depending on the recipient, are either an adequacy decision(s) or SCC. Please also note, that none of the Sub-processors requires access to or is accessing the data on an ongoing or regular basis. Maintenance and support activities are being conducted at the lower data storage level. The data is encrypted at-rest at that layer. They may, however, be provided with access to the data by the customer within the context of maintenance or technical support if enabled by the customer (either through the admin console or e.g. via a screenshot or a data dump). Liferay does not use services called "voice transcription", "data labeling", "apigee technical support services" for purposes of its Liferay DXPC offering, which would require access to customer data. Google’s transparency report(s) are available at: https://transparencyreport.google.com/user-data/enterprise
What measures and procedures does Liferay have in place regarding government access handling?
To the extent customer decides to use analytics capabilities of our products Liferay SaaS or Liferay SaaS (deactivated per default) or Analytics Cloud as a stand-alone product, data can be accessed by Liferay, Inc (US). Liferay, Inc. may fall under the scope of FISA 702 while it does not voluntarily cooperate with the authorities under the EO 12.333. However, since the entering into force of the EO 14.086 and designation of the EEA countries as a ""qualifying states"", European Commission (according to its adequacy decision for the US as of July 11, 2023) considers that there is nothing in the surveillance laws and practices in the US which could impede on the protections afforded to the data subjects under the European data protection laws. Liferay, Inc is certified under the EU-US and EU-Swiss Data Privacy Framework. In addition, per default AC only collects events data associated with a system generated identifier. Otherwise, customer fully controls syncing of other identifiers and information stored in its Liferay SaaS instances, which will, however, require a risk assessment on the customer side. Liferay, Inc has until now never received or responded to any requests for its customers' data stored in its services.

Liferay as a group of companies has a process in place for handling of such requests.
  
Any Data Requests received must be forwarded to the Privacy Office. Privacy Office will review a Data Request and, if necessary consult Legal department and/or competent external advisors and/or DPO(s), to assess:  (i) the validity and enforceability of the Data Request under the applicable laws and regulations; (ii) if there are reasonable grounds to consider that the Data Request is unlawful under any laws and (iii) potential legal or contractual obligation of any Liferay Company to notify or consult the Controller, the Data Subject(s) or any competent authorities and legal permissibility of such a notification.

The Recipient Liferay Company shall provide the minimum amount of information permissible when responding to a Data Request, based on a reasonable interpretation of the Data Request and the  legal assessment made by the Privacy Office.  Privacy Office shall  document its legal assessment and  preserve the documentation for each Data Request for a minimum term of five (5) years from receipt of the Data Request.
Are there any sub-processors for the processing of personal data?
Yes, Liferay utilizes the Sub-processor detailed in the table available at https://www.liferay.com/legal/cloud-services-data , where you can find the legal entities and contact details, the location, the function and details of the processing and the data transfer mechanism when applicable (GDPR).

According to our DPA Liferay shall give Customer prior notice of the appointment of any new Subprocessor. If, within 10 calendar days of receipt of that notice, Customer notifies Liferay in writing of any objections (on reasonable grounds) to the proposed appointment neither Liferay nor any Liferay Affiliate shall appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Customer. Where Liferay cannot address the objections in a commercially reasonable manner within a thirty (30) days from Liferay's receipt of Customer's notice, Customer may either (i) decide to use the Services as proposed by Liferay or (ii) by written notice to Liferay with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor and receive a pro-rated refund of any prepaid Fees for unused Services as of the effective date of such termination.
 
Can any third party access customer data and, if so, how?
No, the Technical and Organizational Measures (TOM) adopted by Liferay (https://www.liferay.com/legal/cloud-services-data) are implemented to ensure the confidentiality, integrity and availability of Personal Data submitted by Customer. The main system used for processing Personal Data is Google Cloud Platform and it is prohibited to store Personal Data on other electronic devices, such as employee workstations, BYOD and data carriers. Prior to the processing of Personal Data by a Sub-processor, each service or system provided by such Subprocessor is reviewed and approved based on a vendor assessment, the Data Processing Agreement (DPA), Technical and Organizational Measures (TOM) documents and additional supporting documents describing the respective system protections and compliance with applicable data protection laws.
Are Liferay's TOM "appropiate" in terms of GDPR?
Liferay has implemented Technical and Organisational Measures in-line with the industry standard, as evidenced by the ISO 27001, SOC 2, HIPAA, and CSA STAR certification obtained for Liferay Liferay DXP Cloud services, as further described at: https://www.liferay.com/legal/cloud-services-data.
Any certifications with respect to GDPR, privacy, security and disaster recovery? Can you provide security certification such as ISO27001 or audit report such SOC2? If so, please send a copy of a valid document.
Our certification program includes: ISO 27001/ 27017/ 27018, SOC 2 Type 2, HIPAA, and CSA STAR Level 2. You can access our whitepaper to learn more about our Information Security Program in https://www.liferay.com/en-AU/resources/product-info/Liferay+Liferay DXP+Cloud+Data+Security+and+Protection .
Are regular backups made on Liferay Cloud products?
For the system infrastructure, backup routines are run every 30 minutes, all backups are replicated in different regions, encrypted at rest, and permanently retained. For Customer Data, backup routines are run by default every day and retained for 30 days. All backups are replicated in different regions and encrypted at rest.
Does Liferay use encryption to protect customers’ data?
Encryption is not a general mandatory requirement under GDPR. However, use of encryption technology might be “appropriate” under certain circumstances. For example, all data in transit uses enforced SSL connections with minimum AES-256 encryption. Data stored in the Liferay Liferay PaaS Enterprise Database is encrypted at rest.
When does Liferay irretrievably remove all customer data from its Services?
Customers may request access to Liferay service for purposes of retrieval of customer data within 14 days upon expiration or termination of customer's subscription. Upon request, Liferay will provide customer with access to the services for these purposes for a term of 14 days following receipt of the request. Liferay will irretrievably erase customer’s data from the systems 30 days after the expiration/termination of customer’s subscription.

Describe your process for permanently deleting data.
Liferay includes data protection tools to help companies address GDPR regulations and maintain control over how their platform manages user data. Those tools [included in Liferay DXP] allow for erasing a user’s personal data and exporting a user’s personal data in a machine-readable format upon request. For data erasure, administrators can review content that potentially contains personal information and edit or delete as needed through a simple interface. Both tools include APIs for third-party apps to implement this feature or override the default behavior for out-of-the-box apps. You can find more information in https://help.liferay.com/hc/en-us/articles/360018156151-GDPR-Tools .

Liferay Analytics Cloud retains data for a period of 13 months by default. Customers can change the retention period in the control panel of the application settings to seven months. If they need data to be retained for more than 13 months, they can get in touch with Liferay Analytics Cloud Customer Support and define a custom retention period. Furthermore, Liferay retains all data for 30 days after the expiration of a customer’s contact. Within 14 days from the end of a customer's subscription they have the option to request access to this data, which will be provided for the purposes of data retrieval for another 14 days. All data will be irretrievably removed 30 days after the expiration of a customer’s subscription. In addition, Liferay customers can request deletion of personal data at any time during the term.
 
Does the organization ensure that personnel authorized to process the personal data have committed themselves to confidentiality?
Yes, the company's policies guarantee the obligation of confidentiality of employees in the performance of their duties. All employees are subject to confidentiality obligations included in their employment or contractor agreements, as applicable.

Does the company disclose personal data to third parties?
No, only to Liferay employees, contractors and authorized sub-processors on need to know basis.
Does Liferay conduct background checks for the employees?
Liferay conducts security and background checks for employees involved in performance of the cloud services to the extent the local applicable laws allow that.
Does the Liferay provide privacy training to its employees? Is there proof available of employee completion?
Yes, employees are required to attend annual on-demand privacy trainings on the processing of personal data and on information security. Completion is recorded and proof is available.
Does Liferay conduct Privacy Impact Assessments (PIA) or Data Protection Impact Assessments (DPIA) for the services?
For prem based products Liferay is neither controller nor processor and has limited visibility in customer's use.
For purposes of its cloud services, Liferay acts as processor processing the data on behalf of the customer acting as controller. Therefore, the customer as controller is responsible for conducting PIA /DPIA, if and as might be required under the applicable data protection laws or customer’s internal policies. However, Liferay will provide the customer with reasonable assistance, including documentation, if required.

Do customers need to conduct a DPIA for Liferay products?
Customer does not necessary have to conduct DPIA when using Liferay. It really depends on customer's use of Liferay services. 
In accordance with Article 35 GDPR Data Protection Impact Assessments are only required where processing is likely to result in a high risk to the rights and freedoms of natural persons, including in the following situations:
1) Where customer’s use of the service would result in systematic and extensive evaluation of personal aspects relating to data subjects and would be used as a basis for decision-making with significant effects on the data subjects;
2) Where customer’s use of the service would result in a large-scale processing of certain sensitive data (such as health, generic or biometric data, data concerning ethnic origin, political opinions, religious or philosophical beliefs, etc.);
3) Where customer’s use of our service might involve large-scale systematic monitoring of public areas.
Since Liferay provides its customers with highly versatile solutions  which enable use by the customer for a big number of different use cases, Liferay is clearly not in the position to conduct such assessments for the customers. 
However, while the customer as controller will be primarily responsible for determining if a DPIA is required and for conducting a DPIA, Liferay will provide the customer with reasonable assistance (documentation of features provided).
Does Liferay have a formalized process in place to handle data breaches?
Yes, Liferay has a Data Incident Response Policy in place and provides for a contractual commitment to notify customers in any event of a data breach without undue delay. The notification will be provided to the email address associated with the customer account (admin), unless customer provided Liferay with an emergency contact.
Does Liferay have a Data Subject Request (DSR) Policy in place?
Yes, Liferay has a Data Subject Request (DSR) Policy in place when Liferay receives DSR as a Controller. However, where Liferay acts as a processor, Liferay cloud products provide features to help customer  to comply with any DSR. To the extent Liferay cloud products do not enable compliance, Liferay will support customer upon request. The customer, as a controller, will therefore be responsible for handling of the DSR. DSR should usually be directed to the customer, however, Liferay in accordance with the contractual documentation, has the obligation to notify the customer without undue delay, if Liferay receives a DSR, so that the customer can decide how to proceed.
Is there a dedicated role or team responsible for managing privacy in your organization?
Yes, Liferay has a Global Privacy Office: [email protected]

Does the company have a DPO appointed and communicated to the Data Protection Authorities?
Yes, Liferay has DPOs appointed in those territories where it is mandatory according to applicable laws.
For your information, depending on customer's location, the relevant contacts would be:
In Brazil is Grupo Adaptalia Brasil ([email protected])
In Spain is Grupo Adaptalia Spain ([email protected])
In Ireland is ByteLaw ([email protected]
In France is ByteLaw ([email protected])
In Hungary is ByteLaw ([email protected]
In Germany is ByteLaw ([email protected]

Do you have a formalized data protection program?
Liferay has a Data Protection Program in place in order to ensure Liferay is processing personal data in compliance with the applicable data protection laws and ensure Liferay’s innovative technologies help Liferay customers reach their compliance goals.

Can you share your Data Protection Program Manual?
Yes, it can be provided upon request.
Does Liferay use any Customer personal data for any secondary purposes?
Liferay processes personal data of customers' users of Liferay services as a controller, in order to deliver the services and to maintain contractual relationship with the customer, in accordance with the privacy notice: https://www.liferay.com/privacy-policy. Liferay only processes personal data of customers' end users' in accordance with the customers' instructions but for no other purposes, except for Liferay's use of the data in order to create anonymized aggregated statistics to the extent required for appropriate billing and in order to improve Liferay services and offerings. Liferay creates such statistics using server logs.
Which categories of personal data would Liferay process? Is there sensitive data involved in the data processing performed by Liferay?
The following data is captured on the client side by a browser to be processed and stored inside Analytics Cloud service:

Events Data: Liferay Analytics Cloud uses client side JavaScript to track visitor interaction data taken from visitor activity with Liferay Liferay DXP, Liferay SaaS-SM or Liferay SaaS as applicable. This includes data related to Clicks, Scroll Depth, Views, Downloads, Submissions, and Page Loads. The interaction data is sent to Analytics Cloud services for reporting.

Geolocation and Technology Data: Liferay Analytics Cloud service third-party libraries to determine two kinds of data: visitors’ geolocation and the technology (type of browser, operating system) based on the captured Events Data. In order to ensure that no visitor data is exposed outside of Liferay Analytics Cloud, the library is hosted and run internally.

Personal Data: Personal Data is the information that is associated with an individual person, such as an employee, student, or donor. All data, including personal data, is encrypted via HTTPS in transmission; stored data is encrypted on the backend.
o For Unauthenticated Visitors, Liferay Analytics Cloud tracks IP addresses and browser session information.
o For Known Individuals/Authenticated Visitors, Liferay Analytics Cloud only requires an email address to be tracked as an identifier field for that visitor. All other Personal Data will be up to the Liferay Analytics Cloud customer’s own choice to sync (or not) to Analytics Cloud. For instance, if the customer doesn't wish to sync first name, address, and phone number into AC, the data mapping interface will allow the customer to remove these fields and AC will stop tracking these attributes from their data sources.

Individual Profile Information: On top of tracking analytics event data from website visitors, Liferay customers can also enrich individual profile information with information stored in Liferay Liferay DXP, Liferay SaaS-SM or Liferay SaaS as applicable, Salesforce, or through a CSV file import. This allows Liferay customers to aggregate behavior data and profile data, and help them understand their website visitors better. Any profile information imported into Analytics Cloud can be used to create multidimensional audience segments for more accurate personalization. Ultimately controlled by the customer - the service is set up to not process any sensitive data.
Do you maintain a Record of Processing Activities (ROPA)?
Liferay maintains the ROPA in accordance with Article 30 GDPR.
Can the customer conduct compliance audits?
Audits are permitted to a certain extent and under the conditions set out in the DPA.

Liferay shall make available to the customer on request all information necessary to demonstrate compliance, including Processor’s records of Processing of Customer Personal Data conducted on behalf of the Customer, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by any Customer in relation to the Processing of the Customer Personal Data.

Customer undertaking an audit shall give Liferay reasonable notice of any audit or inspection to be conducted and shall make reasonable endeavors to avoid causing any damage, injury or disruption to Liferay’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

Liferay or a Subprocessor need not give access to its premises for the purposes of such an audit or inspection:

(i) to any individual unless he or she produces reasonable evidence of identity and authority;
(ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or
(iii) for the purposes of more than one audit or inspection in any 12-month period, with the exceptions mentioned in the DPA.

If the requested audit scope is addressed in a SOC 2 Type I or similar certification or report performed by a qualified third party auditor within the prior 12 months and Liferay, as applicable, confirms that there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report to the extent it can reasonably do so under Applicable Law.

You can find our DPA at https://www.liferay.com/legal
Does the company have any liability insurance for security breaches?
Liferay has a General Liability (GL) and Errors & Omissions (E&O) insurance that covers data breaches.

Can you share your Insurance Policy?
Evidence can be provided upon request and subject to confidentiality obligations.
What are the legal basis and purposes for the processing of personal data?
It is the obligation of the customer, in its capacity as controller, to establish the purposes and legal basis . Customer agrees that for purposes of processing of Customer’s Personal Data through the cloud services Liferay acts as data processor and is appointed and authorized to process such Personal Data on behalf of Customer in accordance with Customer’s instructions and only to the extent required in order to provide the Cloud Services to Customer but for no further purposes.
Is Liferay registered with the Data Protection Authorities?
Only in the ICO (UK) - Otherwise is not applicable.
Does Liferay respect the Privacy by Design principle?
Yes we do, for features in new products, offerings & processes (PIA/DPIA)
What is the technology used in Analytics Cloud for tracking?
Local storage and a cookies. 
Does Liferay have a vendor management policy for contracting its service providers and subprocessors?
Yes it does. Liferay conducts privacy and security reviews, as well as legal reviews for the signing of appropriate contracts and DPAs. Annual security reviews are conducted by the InfoSec department.

Privacy Terms

The legal terms governing the processing of our customers’ personal data on their behalf by Liferay can be found here: 

Data Processing Addendum

Liferay's Data Processing Addendum (DPA) applies per default to Liferay SaaS, PaaS, and Analytics Cloud customers located in EEA, the UK, Latin America, and Mexico and can otherwise be incorporated into the agreement upon the customer's request.

Liferay PaaS

(formerly known as Liferay Experience Cloud Self-Managed):

This Appendix contains terms and conditions governing personal data relevant to the subscription offerings for Liferay PaaS Services.

Liferay’s Subprocessors

Subprocessors 

Liferay utilizes certain sub-processors for the purposes of our offerings.

Technical and Organizational Measures

Technical and Organizational Measures

Liferay relentlessly enhances our Technical and Organizational Measures to safeguard customer data.

Data Protection Whitepaper

Data Protection for Liferay Services and Software

Data Protection Blog 

Data Protection Blog 

Explore Our Data Protection Insights! We share our thoughts about different data protection topics via our blog. Uncover the innovative features designed to support your compliance efforts.

Privacy Notices

Our approach to managing your information.

Website Privacy Notice

This Privacy Policy was created to inform you of our personal information handling practices for the Liferay website (www.liferay.com).

Candidate Privacy Notice

In this Liferay Job Candidate Privacy Notice (“Privacy Notice”), we want to inform you how Liferay collects and uses your personal data when you apply for an open position with Liferay​

1400 Montefino Avenue
Diamond Bar, CA 91765
USA
+1-877-LIFERAY
Built on Liferay Digital Experience Platform