Kerry
Forum Replies Created
Hi,
I responded to another post thinking you had the free version. As you are using Premium, we have also seen your question in our ticketing system and have sent a reply there. Please respond to our email and we will help you that way rather than in the forums.
-Kerry
Hello,
If you are running the free version of Wordfence, it will automatically fetch an API key; there is no need to update it.
-Kerry
Hi,
We are aware of this issue with Jetpack and are investigating what is causing it. We will respond again soon when we have an update.
-Kerry
Hello,
I wish I had an easy answer for you but unfortunately you will have to get legal advice to determine if your site falls under GDPR and needs to sign the DPA.
For the damages question, this is laid out in Article 28 of the GDPR where processors/subprocessors are linked together to the controller ensuring the entire chain protects data and is held responsible.
-Kerry
Hi Vincent,
We have listed the data collected in our data processing agreement found here: https://www.wordfence.com/help/general-data-protection-regulation/#data-processing-agreement Scroll down to the Categories of data section. The third bullet item applies to the Wordfence plugin.
Wordfence needs to receive personal data in order to secure the website such as being able to apply the IP blacklist. You can sign the data processing agreement to lawfully send the data to Wordfence.
Your site running Wordfence will also be collecting personal data and using it locally (such as the rate limiting) so if GDPR applies to your site, you will want to let your customers know that.
-Kerry
Per 6.1 and 9.1 of the Defiant DPA, your site customers normally contact you and then you contact us. You submit data requests to the same email address that you submit the dpa which is included within the dpa.
The sites will continue to function as configured even without the terms/privacy being reviewed and accepted. The next time you log in, you will be able to review and accept the terms.
It is not necessary to anonymize IPs to be compliant with GDPR. Anonymizing IPs is one method companies use to remove IPs as PII and be compliant with GDPR. Wordfence is not able to anonymize IPs as it would break the security on the sites it protects such as brute force login protection no longer working. Privacy policies should indicate the data collected (per our data processing agreement) is collected for a legitimate interest (to provide security to the site). The attack data collected and sent to Wordfence is kept until it’s no longer useful. Generally that is 90 days but if the data is still malicious, it is kept active until it is no longer malicious.
There are lots of questions here but they can best be answered by reviewing our data processing agreement. We are in the process of getting certified for Privacy Shield but there is a backlog. In the meantime, we implemented a lawful solution for data transfer by using Standard Contractual Clauses along with our data processing agreement. If you review our dpa found here: https://www.wordfence.com/help/general-data-protection-regulation/#data-processing-agreement
scroll down to Categories of Data to see what data is collected from site visitors on your site when the Wordfence plugin is installed. We don’t keep data as long as we feel like and I’m not sure how what we have stated could be interpreted as such. We keep the data collected per our dpa until it’s no longer useful. Most attack data is no longer useful after 90 days and is deleted. If the data is still associated with malicious behavior, we keep that malicious data until it’s no longer attacking then delete it. It would not be possible to set a firm deletion date for all attack data as attackers would wait until the following day to start up again. That’s why we word the dpa as deleting data when it’s no longer useful because it’s not possible to know when attack data stops being malicious. I hope that provides the answers needed.
That summary is correct except this is a more accurate conclusion:
“from the site visitor and store this data for 90 days unless there is still malicious activity for that data in which case it is kept until no longer malicious”
Hello,
Our privacy page covers the use of our website and the Wordfence plugin and site cleaning service.
-Kerry
- This reply was modified 6 years, 10 months ago by Kerry.
Hello,
Per our data processing agreement and standard contractual clauses, we keep the data until we no longer have a business need for it which is appropriate under GDPR as it was collected under a legitimate interest to provide security. It is necessary to keep some data as malicious IPs don’t stop being malicious on a schedule. Generally we delete data after 90 days as it’s no longer needed. Per GDPR, when we no longer have a business need for it, it’s deleted. But some IPs we keep longer such as those on the IP Blacklist until they stop being malicious. That is why we had to write our agreements that way.
-Kerry
Hello,
We have created a Help article with all our GDPR updates. You can find the cookie info here: https://www.wordfence.com/help/general-data-protection-regulation/#cookies-set-by-the-wordfence-plugin
-Kerry
Hi,
The Data Processing Agreement is set up so that it can be printed, signed, then scanned and emailed back.
Thanks, Kerry
Hello,
The Wordfence plugin version 7.15 includes opt-in choices for our customers rather than the passive agreements we have used in the past. As Wordfence qualifies as a data processor per GDPR, most of the changes are included in the updated privacy policy and new data processing agreement that provides a legal transfer method of personal EU data out of the EU to the US.
-Kerry