GDPR Compliance
WP Engine continually monitors developments in data security, privacy, and compliance around the globe, and we have invested considerable resources in preparing for EU Regulation 2016/679 (“GDPR”) which comes into force May 25, 2018. We have always upheld the core principles behind GDPR, as evidenced by our early adoption of the EU-US and Swiss-US Privacy Shield programs, and take very seriously (and humbly) the trust our customers place in us when they choose to store personal data on our platform.
WP Engine will comply with GDPR’s requirements, both as a controller of our customers’ account data and a processor of the end-user personal data our customers control. In support of our customers’ compliance efforts, we are updating our terms to reflect the obligations we have as a processor under GDPR. (Such additional contractual obligations are commonly referred to as a Data Privacy Addendum, or a “DPA.”) In light of that, if you are governed by our online terms today, these updates will apply to you automatically. If you are not covered by our online terms, we will have a process by which you can obtain a signed DPA. (And if you are covered by our online terms and still prefer a signed copy of the DPA, we will be able to accommodate you, as well.)
We encourage our customers to begin assessing their own internal readiness if they haven’t already done so. A good resource for understanding the changes implemented by GDPR can be found here, or you can read the full text of the regulation.
Data Privacy Addendum (DPA) FAQ
Q: Will WP Engine’s privacy policy have a Data Privacy Addendum (DPA) in it?
A: Our Privacy Policy does not have a DPA within it, but instead links to a separate DPA. The DPA is a separate set of terms, online, and linked from both our Terms of Service and the Privacy Policy. The DPA applies to everyone, automatically, without the need to sign anything.
Q: Does a DPA need to be signed or can it just exist in the Privacy Policy?
A: No, the DPA does not need to be signed. The exact language of the GDPR says: “The contract … shall be in writing, including in electronic form.” It is an accepted tenet of contract law that a written agreement includes online or clickthrough terms, and GDPR even calls out electronic contracts as being perfectly acceptable.
Q: Is it possible to get a signed copy of the DPA?
A: While the online terms apply to you as a WP Engine customer, and this fulfills the compliance requirements of the GDPR, we will post a pre-signed version of the DPA which you can countersign and return to us. When it’s ready, we’ll post a link to that here. Please check back shortly.
Q: What if my company says I specifically need a signed DPA?
A: GDPR applies to everyone who has end users who are citizens of any EU member state. Consequently, if you have a website, GDPR applies to you. All of our customers are impacted by GDPR, and they will all need some form of a DPA, but this DPA does not have to be signed manually.
Changes to Terms of Service
WP Engine has published a changelog of changes to the Terms of Service, Privacy Policy, and the addition of a Data Privacy Addendum (DPA). These changes will be effective as of May 10, 2018. We encourage you to view the changelog for more granular detail in how our terms and policies have changed as a final step in GDPR readiness.