Effective 6 June 2022
Short Plain Language Summary
Concrete CMS is a free open source tool for building websites. You don’t have to host with us, but if you want the advantages that come with hosting your site with the maintainers of your CMS:
We store some contact information about you so we can help you and so you can use the CMS.
You have the ability to store lots of information, potentially sensitive, in the website you’re managing on our servers. We’ll keep it private and secure but you must make all the decisions about data sharing, deleting, and what regulations you have to follow.
We never share (let alone sell!) your information without you telling us to do it.
We are very deliberate about where we store your information, and we routinely pass independent audits by accredited firms to make sure we’re following our rules on keeping your data where it belongs and protecting it like we say we do.
Your business data is your data! Check out our Concrete Hosting Security page on how we keep it protected and our Compliance page for how we get external validation that we do what we say we do to keep it protected. If you are hosting with us, you are using Concrete CMS, so also check out security for the Concrete open source core.
We take the protection of your information seriously and take steps to make sure the data you entrust to us by choosing Concrete for your website or intranet hosting is kept secure and private.
This Privacy Statement contains information on what privacy rights Concrete CMS Hosting Clients have about data we transmit and collect as well as what we do with that information.
Scope - Concrete CMS Hosting
PortlandLabs has a standard Data Privacy Addendum (DPA) for hosting clients who need one.
Not in Scope - General
b. websites built with the open source Concrete downloadable from concretecms.org and/or concretecms.com.
Not in Scope: Hosting Customers' Data Privacy Responsibilities
We appreciate you trusting PortlandLabs to host your Concrete website. Please ask for, and make yourself familiar with, our Shared Hosting Responsibility Model, which outlines what you are responsible for and what we are responsible for.
Concrete CMS and Concrete Hosting provide the capability for website hosting clients to be compliant with privacy regulations (such as the GDPR, CCPA, LGPD, etc.), but PortlandLabs is not responsible for determining if the hosted site is subject to a specific privacy regulation, nor is PortlandLabs responsible for any hosted site’s compliance with the privacy regulations to which it is subject. Any questions related to a specific site not ending in concrete5.org, concretecms.com, or concretecms.org should be directed to that specific site and not to PortlandLabs.
Privacy Details for Client Data
Concrete Hosting Data Collection, Handling, and Disclosure
PortlandLabs may transmit or store customer data on a Concrete Hosting client’s behalf depending on how the client configures their websites or intranets. PortlandLabs will protect that data with industry standard best practices.
Where Data is Stored
The servers we use are currently located in the US. If you send us data from outside the USA, please be aware that any information provided to us, including personal information, will be transferred from your country of origin to the USA. Your decision to provide such data to us, or allow us to collect such data either through our websites or via your websites that we host for you, constitutes your consent to this transfer of data and personal information.
If you have to be hosted in a specific country/region, talk to us! We can accommodate! We adhere to the GDPR.
Should a website hosted with PortlandLabs collect, transmit, and/or store Health Care information, PortlandLabs will enter into a Business Associate Agreement (BAA) with the client in accordance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). It is the client’s responsibility to request the BAA. PortlandLabs has been successfully audited for compliance with the HIPAA Security Rule (Storage of Health Care Data) and HITECH (Transmission of Health Care Data).
Client Employee Information
Use of Concrete CMS Hosting or Employee Portal means that client employees who are Concrete CMS users and administrators will have their corporate emails and roles stored by PortlandLabs.
PortlandLabs may ask clients to provide certain information and data. This information could include, for example, employee contact information for business continuity or incident response purposes, employee information to sign NDAs, etc.
Concrete Hosting Client Employee information is stored in Zendesk (marketing, sales and service desk), Stripe (billing), Quickbooks (billing), and Google Drive (contracts, MSAs, NDAs, business continuity/incident client contact lists). PortlandLabs does a formal risk assessment of these external parties annually as part of PortlandLabs' SOC 2 Type 2 & HIPAA/HITECH compliance and ISO 27001 certification.
Protection of Client Employee and Client Customer Information
PortlandLabs takes appropriate steps to protect and secure client employee and customer data from unauthorized access, use, and disclosure. We use adequate technical and organizational measures to protect your personal data against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure, or access and against all other unlawful forms of data processing. We put these measures in place after evaluating current industry best practices, the cost of implementation, risks presented by processing, and the nature of the data.
PortlandLabs is responsible for the security and privacy of Client Customer data while it resides in the Concrete CMS Hosting Environment.
Client Customer Data that clients choose to store with Concrete Hosting resides on secure servers that only selected PortlandLabs personnel have access to. Access is controlled using the principle of least privilege, SSH PKI, and FIPS 140-2 validated multifactor authentication. These personnel are bound under strict confidentiality agreements prohibiting disclosure or use of clients' information without consent. Access reviews are performed according to ISO 27001:2013, SOC 2 Type 2 Security Trust Principle, and HIPAA/HITECH requirements.
All data is encrypted at rest and in transit to prevent unauthorized parties from viewing, disclosing or using such information. Although we take reasonable security measures to protect client customer data, we cannot guarantee the security of client information prior to it reaching the Concrete CMS Hosting environment. Clients are responsible for the security and privacy of any data transmitted over the internet via their websites or other means to the Concrete CMS Hosting Environment until it hits the PortlandLabs’ internet gateway. Likewise, PortlandLabs cannot ensure or warrant the security of any information we transmit after it leaves the Concrete CMS hosting environment.
For more information, see:
Transfers of Information to Successors and Assignments
You acknowledge and agree that if PortlandLabs sells or assigns assets (or the assets of any division or subsidiary) to another entity, or PortlandLabs (or a division or subsidiary) is acquired by or merged with another entity, PortlandLabs may provide to such entity Hosting Client information that is related to that part of our business that was sold to, assigned to, or merged with the other entity without obtaining your further consent, but PortlandLabs will provide notice of such asset sales, assignments, acquisitions, or mergers on this website.
Alternatively, you may inform the PortlandLabs' Privacy Officer at firstname.lastname@example.org or at the following address:
Concrete CMS Hosting
Attn: PortlandLabs Privacy Officer
P.O. Box 14125
Portland, OR 97293
Please be specific in your complaint and provide as much detail as possible so that we can promptly address your concerns. We will investigate and respond to all complaints promptly.
Complaints with respect to Concrete’s use or protection of your personal information should be directed as outlined in https://www.concretecms.com/about/legal/privacy-policy