Wordfence Is GDPR Compliant
As of September 27, 2021, the revised EU Standard Contractual Clauses issued by the EU Commission on June 4, 2021 (in effect as of June 27, 2021) apply to all Defiant, Inc. (dba Wordfence) agreements. You may review the revised Wordfence Terms of Service at https://www.wordfence.com/
Today the team at Defiant completed the required steps to make our organization and services GDPR compliant.
Your starting point for Wordfence and GDPR should be the following page: Wordfence and GDPR – General Data Protection Regulation page.
On the above page you can find everything you need to ensure that you remain GDPR compliant while enjoying the security benefits of Wordfence. This includes the EU Standard Contractual Clauses. We also include a list of the cookies the Wordfence plugin sets when installed on a site and what each cookie does to improve security.
As part of this project, we have also updated our terms of service and privacy policy. Current users of Wordfence will be prompted with our new terms of service and privacy policy within the next 24 hours as the newest version of Wordfence is deployed. New users of Wordfence will see the terms of service and privacy policy prompt as soon as they install Wordfence.
The Wordfence user interface will be disabled until you review and agree to our new terms. The prompt will look like this:
We have optimized this process so that, if you have many sites running Wordfence Premium, once you agree on one site, you won’t have to repeatedly agree to the same terms across all your other sites.
I’d like to congratulate our team on completion of this project. It required hundreds of hours of work which included product updates, website changes, the creation of new agreements and documentation and a thorough data and security audit.
While we can not provide GDPR advice to other companies, if you have any questions about GDPR as it relates to Wordfence, you are most welcome to post them in the comments below.
Mark Maunder – Defiant Founder and CEO
Comments
2:46 pm
Can you tell me about how Wordfence is using Firewalls and blocking in relation to the GDPR considering an IP address to be personal information? IE can Wordfence still collect/log IPs for the purpose of security/logging even though the GDPR considers the IP address to be PI that you have to ask permission for? Or is the security/logging/blocking function an exception to the IP address is PI thing?
2:53 pm
Hi Nikole,
As a website operator, you are a data controller, using GDPR terminology. You have a Data Protection Agreement (DPA) with us and we are a Data Processor. Under the terms of the agreement, if one of your site visitors wants their data deleted, they contact you and if needed, you contact us to have the data removed. This is legal under the GDPR and it allows us to store your site visitor IP addresses if needed.
To take this one step further, you'll notice that in our DPA we have sub-processors defined. For example, Amazon AWS is a sub-processor of ours. They are also GDPR compliant and we make you aware that we are using them in the DPA. So if your site visitor or user contacts you to have data removed, you contact us and we'll ensure that our sub processors also comply with the request.
Once you understand the concept of data controller (the website the user visits), data processor (that's us and anyone else who handles user data for you) and data sub-processors (services we use for things like storage), then it all begins to fit together a little easier. We are moving European data around, but we are ensuring that there is a clear understanding of where it is stored and there is clear accountability.
Hope that helps. Please note that I am not a lawyer and you should not consider this legal advice.
Regards,
Mark.
2:49 pm
Great work! I have only one question. Will new release of Wordfence add some information on Privacy Policy page introduced in WP 4.9.6?
2:57 pm
Hi Jakub,
This is a recent development and we are still researching possibly integration with this feature.
Mark.
3:03 pm
Thanks for getting up to speed on GDPR. That's a big help. I have a few quick questions:
1.) Your privacy policy describes the types of personally identifiable information that Wordfence collects from visitors who go to the Wordfence website, but I don't see any information on the types of personally identifiable information that Wordfence collects from people who visit websites that use premium Wordfence for security. To prepare for GDPR, I need to know what personally identifiable information Wordfence collects from the visitors to my website (which uses Wordfence premium). Could you please provide that information?
2. I need to be able to refer my website visitors to the Wordfence privacy policy. But as I said earlier, your privacy policy seems to apply only to visitors to the Wordfence website, not to my website. Do you have a privacy policy specifically designed for the visitors who want to know what sort of information Wordfence is collecting from them when they go to my Wordfence-protected website?
3. I have a website that's based in the U.S. but that occasionally has visitors from the EU. Should I also sign your Data Processing Agreement and Standard Contractural Clauses? Or are those agreements only intended for websites based in the EU?
4. Do you have EU-US Privacy Shield certification? If not, what is your GDPR-compliant legal basis for transferring personally identifiable information from the EU to the U.S.?
Thanks for any clarification you can provide.
3:13 pm
1) Check our Data Protection Agreement (DPA).
2) You need to create your own privacy policy. Under GDPR you are a data controller. We are a data processor. As a data controller you can sign our DPA and create your own privacy policy. We don't do this for you. The DPA also contains info on what data your Wordfence collects when installed on your site and which sub-processors we use (e.g. we use Amazon AWS which is GDPR compliant).
3) If you have site visitors from the EU zone, then you likely fall under GDPR and will need to take appropriate action.
4) We have applied for Privacy Shield, but the application is pending and we don't expect it for a few weeks. Until that is approved, we are using standard contractual clauses (SCCs) as the legal basis for transferring EU data to the USA.
Hope that helps.
Mark.
4:10 pm
What about WordFence Multisite installations? I'm not seeing the "Review" notice in my main dashboard or in my client site dashboards.
8:09 pm
I've posted this question in our QA channel and am waiting for a reply from the team. It's after hours here so may have to get back to you tomorrow.
8:12 pm
You should see this on your network admin Wordfence pages within the administrative interface. If you don't see it within 24 hours, let us know.
5:09 pm
Question: is there a bit of a bug? I'm seeing the review button on some client sites after update, but not all. Since I'm asking clients to log in and review this...I'm getting some confused clients when it doesn't show up.
Is it only on sites that meet some criteria?
8:08 pm
Hi Lisa,
If you agree to terms on a site, all other sites with Premium keys owned by that same individual will not require agreement to the terms. That saves our key owners from having to agree to our ToS 100 times.
Mark.
8:09 pm
Also it may take up to 24 hours for the notification to appear on some sites.
11:37 pm
Thanks! I'll watch for it.
12:00 am
Hi,
some questions:
1. do "free" users of Wordfence have to sign the dpa also? Or the Agreement inside the plugin is OK? (which hasn't shown up yet btw..!)
2. Since (for us not lawyers) the dpa.pdf is 20 pages of "legal stuff" which we of course honor but can't make clear to every single one of our website visitors we would like to provide a link to the dpa.pdf in our privacy policy in order all that to be available to our visitors to read. --> Is there or can you provide a version of the dpa.pdf without the signatures of your COO for web use?
Thank you
6:29 pm
Both the free version and the premium version send attack data to the US. In terms of the data processing agreement, if you need to sign one it doesn't matter which version of the plugin you are using.
For the copy of the DPA, it's already publicly available so you can use the version we provide to share with your customers.
1:26 am
Should free users have to accept the new T&Cs? Also should we send DPAs to you if using the free plugin?
I'm still unsure on the issue of not being able to sign these for clients we manage their websites for - have you reviewed this with your team? :-)
6:26 pm
Hi Adam,
All customers, both free and paid, need to agree to the new terms and conditions. For the data processing agreement, there is no difference if you are using the free version or premium version as both versions send attack data to the US.
3:49 am
Reading through the agreement I find that in the DATA PROCESSING AGREEMENT the following sections are missing from the document: 7.1.3, 7.4
6:23 pm
Thanks for catching this! We will have an updated DPA tomorrow with the corrected section numbers. It's an immaterial change so the current DPA is valid for anyone that signs it.
4:17 am
In the DPA on page 19, Section "Categories of data", point 5, you write:
"Defiant automatically collects Customer and end user search queries and the date and time of the Customer and/or end user’s request and referral URL. Depending on the settings of a Customer and/or end user’s computer or mobile device (“Device”), Defiant also automatically collects: IP address; MAC address; Device make, model and operating system version; mobile network information; internet service provider; browser type and language; country and time zone in which the Device is located; and metadata stored on the Device. hen permitted, Defiant also may collect data about a User’s geographic location through GPS, beacons and similar technology. "
This is quite a lot of information to gather. When and why do you collect this data?
10:46 am
We do not store MAC addresses. This is an error that will be fixed in the next version of the DPA.
What we actually log from an attack is IP address, request time, referrer (when available) and browser user-agent string. The DPA spells out all the data we extract from that info. You can get a lot of information from the browser user-agent string and IP. So from the above items we get:
IP address, location, search queries, date and time of request, referral URL, device make, model and OS, mobile network info, ISP, browser type and language, country, timezone.
The 'metadata stored on the device' refers to things like other HTTP headers that may indicate preferred language etc. This can be helpful in determining an attackers origin.
Regards,
Mark.
4:23 am
Hi Mark
I use the free version of the plugin, not the premium service. Can you confirm that the free plugin also collects the following data from visitors to sites on which it is enabled: IP address, MAC address, browser type, device and model, operating system version, geographical data, time zone and meta data, and that this data is also transferred out of the EEA?
Also, on my Wordfence dashboard there is no option to agree to the new privacy policy and terms of service.
Kind regards,
Ruth Grant
6:31 pm
Hi Ruth,
Yes the free version does collect that data and transfer it out of the EEA to the US.
I'm told by our engineering team there can be a 24 hour delay from upgrading for the option to agree to appear. If you don't see it within that timeframe, please post in our forums so we can investigate: https://wordpress.org/support/plugin/wordfence/
5:57 am
Hi Mark
Love wordfence thanks for all you do :)
I'm UK based and host 100+ websites. I can see I only have to agree to your terms once to get that auto agreed on all my commercial API keys with you.
1) What about my sites/clients on the free version? I assume I'll have to agree to those one a time?
2) What about the DPA we need to sign also.... Do I as data processor sign one of those individually (in my own name) for each and every site I host and use wordfence on (free & commercial).
I'm assuming it's right that I sign the DPAs as processor and you sub processor.... rather than my clients signing those DPAs?
thanks for your time in confirming these points...
Jonathan (London)
6:35 pm
Hi Jonathan,
1. Yes that is correct as we don't have accounts for the free version of the plugin which means there is no way to tie the sites together.
2. For who signs the DPA, it depends on the agreement you have with your clients. If you have the ability to enter contracts on their behalf, then you can sign for them.
6:44 am
Hello,
is there a specific email address where we can send the signed data processing agreement to?
Thank you!
11:16 am
Yes! Please send the signed data processing agreement to privacy@wordfence.com.
Thanks and stay safe!
Tim
7:54 am
Dear Mark and team,
I appreciate the information you provided and alle the work done so far.
However, from my point of view, we have to deactivate Wordfence in Europe, as long as there is no opt out for the IP Adress of the site visitors.
Just opening this case in your mind:
When using Wordfence, I have to inform my site-visitors, that I am using your service, that this service is tracking the IP (for several good reasons) and there is no way for you to stop it (no opt out).
Nevertheless you (website visitor) can delete your information by requesting your rights, granted by the GDPR. Even if I (the website operator) don't collect any other data, adapt my serverlog-files to store no IPs, and do all the other stuff to be GDPR compliant, and so on...
As long as we don't have clear regulations from the European politics and/ or court decision, we are in a crazy state.
For us as a small agency, we are going to minimize the risks :-(
Is there a plan to implement an OptOut for users?
10:17 am
"However, from my point of view, we have to deactivate Wordfence in Europe, as long as there is no opt out for the IP Adress of the site visitors."
This is a common misconception and is incorrect. GDPR does not prevent collection of user data. You have to do it under the terms of the GDPR, which is exactly what we're doing.
For some reason there is this common misconception that you are no longer allowed to collect IPs. I'm unsure why this confusion exists, but my guess is that a few amateurs have thrown up "GDPR guide" pages and are providing bad advice.
Regards,
Mark.
8:28 am
Hello,
I'm using a centralized service to implement Privacy and Cookie Policy on my site.
I have to write down the following information:
- Provider
- Purpose
- Personal data collected
- Privacy Policy Information
Here's an example for Google Recaptcha service:
Provider
Google inc.
Purpose
SPAM protection
Personal Data collected
Usage data
Cookies
Privacy Policy
Google reCAPTCHA is a SPAM protection service provided by Google Inc.
The use of reCAPTCHA is subject to the Google privacy policy and terms of use.
Where can I find these information?
Thank you
Antonio
11:15 am
Thanks for reaching out. I think the process you have is a great idea! All of the information about what Wordfence collects and how it is used can be found on this page. If you have any other specific questions you're welcome to reach out at privacy@wordfence.com.
Thanks and stay safe!
Tim
1:30 pm
As for now i am running on the free plugin. Do you also offer this DPA service for "costumers" running on the free version, or only on the permium plugin?
Thank you for great service and plugin.
1:35 pm
If you need to sign the data processing agreement, it is valid for both free and premium customers.
12:05 am
Why does WF needs to send information about my customers to the USA anyway? Other security software not always does....
As I see it, GDPR regulation is not meant to create a lot of paperwork and make lawyers happy, but to protect internet users and let data collectors think twice if they really need to collect that much. Several scripts I use (like NInja Firewall) now offer the possibility to hash IP addresses. This immediately solves a big part of the GDPR problem.
Why couldn't WF do something like this?
10:05 am
Alex,
I have a few comments about this. Firstly, hashing IP addresses does not 'tokenize' them because those hashes can be reversed. There are only 2^32 IPv4 addresses and that means that you can reverse hashed IPv4 addresses in minutes.
Secondly, under GDPR, you don't need to tokenize IP addresses if you are legally transferring them using a DPA, as we are. There are two justifications for storing user PII. The first is via user consent. The second is through a legitimate business purpose. Security falls into the latter category, which is why you can store data that helps you secure your website. It is also how a data controller (that is you) is able to use a data processor (that's us) and their sub processors (that is for example AWS which we use and who are GDPR compliant) to store that data.
There is a lot of misinformation and assumptions online. We worked very closely with a large law firm with US and European offices to bring ourselves into compliance.
Regards,
Mark.
1:21 am
Hi
Maybe I'm missing something, but I can't find any information on HOW LONG Wordfence keeps the data it gathers from visitors to websites on which it is installed. "Indefinitely" isn't enough - we need a specific period of time if our privacy notices are to be compliant. Can you help please?
Thanks!
10:48 am
Hi Ruth,
In general we delete data after 90 days as it is no longer needed. Some data is kept for longer if it continues to be involved in malicious activity, such as IPs on our IP blacklist.
Regards,
Mark.
PS: Please note that I edited this comment a few minutes after initially posting a reply that was incorrect.
2:19 am
Thanks for the update on GDPR and Wordfence. One question remains though: Wordfence creates Cookies which are Third-Party-Cookies. If I'm correct you need to have consent from users before you are able to set Third-Party-Cookies unless there is a necessity for the cookie to be set. Is that the case with Wordfence cookies?
10:01 am
In the Wordfence plugin we set three cookies. You can visit this page to find out what they are and what they do: https://www.wordfence.com/help/general-data-protection-regulation/
It is important that you realize these are not third party cookies. These are first party cookies because it is your website setting these cookies. You installed software on your website (Wordfence) and that software sets those cookies. Those cookies are only sent between your visitor's browser and your website. That data is not sent to us when your visitor arrives on your site, which is why this is a first party cookie. It is you who is setting those cookies because you have installed Wordfence.
If you need to list the cookies on your site, you can describe the Wordfence cookies as first party cookies because they are only sent from your visitor to your own website and not shared with us. To be clear: They do not work like Google Analytics cookies where data is sent and stored on Google's servers. The data is sent to your own server and if anything is stored, it is stored in your own database.
Regards,
Mark.
2:23 am
From my point of view Wordfence is not GDPR compliant. You send IPs and other personal data to the US. Data of all visitors. No chance to warn users before entering your website. Privacy policy does not help to legalize this fact.
9:38 am
Hi Birgitte,
We are allowed to process user PII either via consent or for a legitimate business purpose. In the case of the security data we process, we do it because security is a legitimate business purpose. We are legally allowed to transfer EU data to the US through our data protection agreement along with the standard contractual clauses we are currently using.
Please be very clear on this: We did not throw up a privacy policy and hope for the best. We have worked hard to ensure that we are fully GDPR compliant and this has included a wide range of steps on our part. For example, please see the DPA where we list our sub-processors who are also GDPR compliant. This, for example, allows you to receive a request from an EU citizen for data deletion, send that to us and we delete the user's data and ensure that our GDPR compliant sub-processors do too.
There are many web pages out there making claims that are written by amateurs. Actually becoming GDPR compliant requires a significant amount of work in close concert with legal professionals, which has been our approach. I'm confident that we are compliant at this point.
Regards,
Mark.
3:53 am
Thanks for supplying the GDPR-compliance in time! In Appendix 2 of the DPA you state that you abide by the security standards as specified by the Agreement. I'm uncertain, whether the Agreement specifies specific technical and organisational measures. Can you please point me in the right direction (which §?), as for our own measures we need to specify in detail the technical and organisational measures, which would have to be compatible to yours.
9:26 am
Hi Kay,
You are looking for Appendix 2.1 "Infrastructure security".
Regards,
Mark.
5:57 am
Hi,
for the DPA: where/how do I send back the signed DPA to you (by post? By Mail?) - which address?
Thanks!
Christine
9:21 am
Please send it to privacy@defiant.com. Thanks.
6:50 am
Hi,
unfortunately the address privacy@wordfence.com doesn’t work. Is there an alternative address?
Best regards!
9:19 am
Hi Christine. The address is privacy@defiant.com. Our company name is Defiant Inc. Our product is Wordfence. Thanks.
10:57 pm
Hello,
Does that mean we must sign the DPA document and cant use Wordfence without it or how is it meant?
Also we need to inform users about Wordfence on our privacy page, right?
9:52 am
Hi Mike,
I can't give you legal advice to help you compile a privacy policy, but I have asked our team about this and will get back to you.
Mark.
9:59 am
Hi Mike. Got a reply from our team:
If you are a controller under the GDPR regulation, you must sign the DPA to send us European personal data. We don’t know if you need to add Wordfence to the privacy policy. We haven’t researched the EU laws on what must be included in the privacy policy, since we are not an EU organization who have had to develop a privacy policy for ourselves. You need to let your visitors know what data is collected but we're not sure if you have to mention vendors by name in your privacy policy. You will have to get guidance on that.
Mark.
12:32 am
Hi,
For the DPA.
I administrate around twenty websites for clients using Wordfence on all of them.
Should I sign the DPA with you myself, one contract for all sites. Or must every single client sign the DPA with you?
Thanks!
9:51 am
I've asked our legal team about this and will get back to you.
9:53 am
You are the controller for all sites and one contract suffices per entity. A different DPA is needed when it’s a different controller.
3:30 am
Gdpr will not work correctly .... because of all backdoors in wordpress.
that is my point
9:08 am
Hi Mark,
Thanks for your effort and the information you provide here. I know there is a lot of confusion about IP addresses and legitimate business purpose. I am totally with you that collecting IP for security reasons is a very legitimate business purpose. However I would like to understand better in what circumstances IP-addresses are sent to your server. But instead of asking, I would just outline what kind of paragraph I would like to add to my data protection page with regards to Wordfence.
"Web-Security via Wordfence
We are using Wordfence (enter legal stuff, address, link to wordfence privacy statement, etc.) to protect our Webiste against hackers. As a normal site visitor browsing our Webiste or following offical links published on other Webistes and in Emails your IP-Address will not be sent to Wordfence. Only if you are showing a malicious behaviour (i.e. a browsing pattern typical for hackers, try to hack our Website using manipulated URLs, or try to access administration pages not intended to be accessed by the public) Wordfence might send your IP-Address to its servers to improve their service for the sake of security on the internet."
9:50 am
I might rephrase that slightly for grammar, but that is factually correct. If someone attacks your site, we get their IP address and if they have made enough attacks we add it to our blacklist. When the attacks stop, it is removed after a short period of time. Usually a day or two.
10:24 am
This GDPR thing is almost completely baffling to me ... to the point I'm considering throwing in the towel. Are there other small businesses like me who are lost when it comes to figuring out how to be compliant? Is there a simple, straightforward guide as to what we need to put in our privacy policy statement, at least in reference to Wordfence (figuring out how to cover oneself for all interrelated apps and plugins is a brain-melting consideration I can't begin to tackle).
9:49 am
Hi Raymond,
You're not alone. This puts a tremendous burden on small business. Even large organizations like the LA Times have elected to block European visitors rather than become compliant.
However, even with the complexity, we are committed to being compliant ourselves and helping our customers become compliant. I think there may be a few services you can use to develop your own GDPR compliant privacy policy. You should consider yourself a data controller and we are your data processor. Go ahead and read our DPA and sign it. Then if any customer contacts you and wants their data deleted, simply contact us using the instructions on the page below and we will remove that user's data.
https://www.wordfence.com/help/general-data-protection-regulation/
Mark.
11:05 am
Hi,
I have only 7 websites which are all mine, do I just do one DPA contract with you or do I need one for each site. Sounds stupid, but I just want to make sure.
I am assuming there are no blocking scripts for cookies plugins as this would mean the security would be made redundant.
Thanks
Gareth
9:51 am
I've asked our legal team about this and will get back to you.
9:53 am
You are the controller for all sites and one contract suffices per entity. A different DPA is needed when it’s a different controller.
10:04 am
I just wonder about one thing regarding the real-time blacklist:
Are you collection suspicious IPs from all websites that run wordfence and process them for the blacklist which in return is used to protect all sites connected to the wordfence real-time blacklist network?
I understand that this is the nature of wordfence and from security aspects this is a very useful feature but in this case you would process data not only on my advice but also for your self to improve your services – what is against the GDPR.
I think so due to this sentence in your DPA:
"All of EU Personal Data is collected to operate, manage and improve the Services and ensure the technical functionality and security of the Services. "
Could you please provide us with more details regarding this? I would be happy about any details or things I maybe miss understood...
Thanks & greetings
9:46 am
We maintain a blacklist of malicious IPs based on attack data. As do many security companies around the globe. Storing and processing PII including IPs is allowed under GDPR under several conditions including consent or legitimate interest. As per Recital 49 of GDPR, security constitutes a legitimate interest.
See: https://www.privacy-regulation.eu/en/r49.htm
7:33 am
Hi :)
1. When you hopefully get the EU. - U.S. Privacy Shield, will the data processing agreement then be Updated, and will it be possible to reenter the DPA?
2. Will it be free of charge, to get your assistance in complying the Rights of the data subject - deletion and request of insights in the collected data? And have you considered incoorporating this functionality in the new functions regarding deletion ans seeing the data?
Thank you :)
9:27 am
Yes we will issue a new DPA when Privacy Shield is completed.
Data deletion is free.