Is Dreamhost Privacy Shield certified?


#1

I’ve made my site GDPR compliant; however, the remaining issue is log retention. Dreamhost has control of server log data. If Dreamhost is Privacy Shield certified, that would solve it.

I searched the US companies listed at: https://www.privacyshield.gov/list for compliance, but did not find Dreamhost.


#2

We are in the same situation; as far as I know, it is not certified. We are all waiting for DH to say something about that, but time is running fast and if we don’t get any answer we sadly need to move from DH. See this other thread: “Will Dreamhost be GDPR compliant?”


#3

Privacy Shield “protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes”.
Logs aren’t transferred (they are created by the web server) and aren’t created for commercial purposes (although one can use them this way) but for statistical and security reasons.


#4

No I think … :eyes:


#5

We plan on becoming certified as soon as possible. However, you can email our security team directly from your panel and they should be able to provide further details.

To submit a ticket, this can be done under “Support” > “Contact Support”.

Thanks,
Mari


#6

That’s what I did (four days ago) but I haven’t received any reply yet.


#7

Also, the other data generated/registered by a web site is technically “created by the web server”; the reality is that it is created because people use your service (web site), so the GDPR applies.


#8

Logs, as applied here, are a record of a visitor’s history while at your site. They contain sensitive information about the visitor: the address of their computer, when they were there, what browser and operating system they use, how long they were there and what documents they viewed or downloaded, and, if applicable, what products they purchased.

This information falls under the new privacy protection guidelines (PII) and is being addressed across the internet.

As site owners we have 4 choices to be GDPR compliant regarding log data retention:

• Encrypt log data
• Store log data inside the EU
• Purge all log data daily
• Use a host that is Privacy Shield certified

Since our site’s log data is currently retained by our host, Dreamhost, having them Privacy Shield Compliance Certified is the logical solution.


#9

Hi keyplyr,

do you know how to purge all log data daily should Dreamhost not be Privacy Shield certified by 25th May?

Otherwise, every site owner seriously needs to consider moving to a different host, especially if they have sales and/or visitors from Europe, which probably everybody has.

Dear Dreamhost team, someone is certainly following this forum… I emailed your security team directly from the panel a few days ago and didn’t receive a reply. Are you going to be Privacy Shield compliant within the next 10 days?


#10

This would still save IP addresses. I think the IPs have to be pseudonymised in these two cases (if the other two points do not apply).


#11

Some more input on this.
Logs (and IPs in logs) are everywhere: you need them, Apache needs them, modsecurity needs them, firewalls preventing DDoS need them.

Also remember that in most countries you may be asked by the police to give information about illegal user activities on a site, so you should keep some data.

Some more things to read.



#12

Hi MariT!

Actually I emailed the security team from the panel 13 days ago. No answer. Just silence. This is simply not okay and I personally lost my faith in Dreamhost.
Your lines in this discussion and in the GDPR compliant discussion are the only indication that Dreamhost intends to be GDPR compliant. However, your text does not answer any questions. Let me guess, are you the Dreamhost-happy-answer-with-no-answers-bot? Eh, how many eyes has a dog?


#13

It’s not the logs themselves. They are needed for the basic operation of the site… it’s their storage, where & for how long, who has access to that data and what it’s used for.

Dreamhost being Privacy Shield Compliant Certified solves that. Still waiting for the official word on this.


#14

Hello Nelex,

I am not a bot and a dog has two eyes. I certainly sympathize with your concerns and have been in communication with management to make sure we address this as soon as possible. Hoping to have more concrete information soon!

I did pass along your concerns to management in regards to your unanswered inquiry. I sincerely apologize for the delay.


#15

Hello MariT,

Dreamhost being Privacy Shield Compliant Certified will solve that, but unfortunately there is only time until Friday this week. That’s 5 days away.

I’m currently updating our Privacy Policy and there I have to explain in detail how safe the data is that is stored on the server.


#16

Hello MariT,
the information we need is very simple and you should give us a clear answer; there are already 2,970 US organizations that are certified (https://www.privacyshield.gov/list), is Dreamhost becoming part of this list in the next few days or not?

Thanks.


#17

Hello @Soccerwidow,
how are you describing the storage safety? Based on a Dreamhost document?

What I see here (https://www.iubenda.com/en/help/5428-gdpr-guide#consent) is:

“In regards to data transfer to the US, all transfers either require that the data processor adhere to the EU-US Privacy Shield or that informed consent is received from the user (in which case the consent must be given on the basis of sufficiently precise information, including information on the lack of protection in the third country).”

If the Privacy Shield is not available:

  1. How can you describe the “lack of protection” in USA?
  2. What happens with IPs, since there is data transfer before the consent?

@MariT can you tell us at least:

  1. Is there any plan to allow IP anonymization for Apache logs?
  2. How long exactly do you keep the logs?

Thanks
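Two of the options raised in this thread, pseudonymising the client IP (post #10) and anonymising IPs in Apache logs (the question to @MariT above), can be done by the site owner on a copy of the access log regardless of what the host does. The following script is an added example written for this thread; it is not Dreamhost code and does not describe Dreamhost’s log handling. It reads Apache combined-format lines, replaces the leading client address either by clearing the host bits (IPv4 keeps /24, IPv6 keeps /48) or by a keyed HMAC token that preserves linkability for abuse investigation without storing the raw address, and leaves lines it cannot parse unchanged. The prefix lengths, the key, and the sample log lines are constructed assumptions for the example.

```python
"""Pseudonymise client IP addresses in Apache combined-format access logs.

Added example for this forum thread, not Dreamhost's own code. The prefix
lengths (/24 and /48), the HMAC key and the sample lines are assumptions.
"""
import hashlib
import hmac
import ipaddress
import re

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i".
# Only the first four fields are matched; everything else is carried as-is.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] (?P<rest>.*)$'
)

IPV4_PREFIX = 24  # assumption: keep the /24, zero the last octet
IPV6_PREFIX = 48  # assumption: keep the /48, zero the remaining 80 bits


def truncate_ip(ip_text):
    """Clear the host bits of an address; non-IP input ('-' or a hostname) is returned unchanged."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def hmac_ip(ip_text, key):
    """Keyed pseudonym: the same address maps to the same token under one key,
    so rate limiting and abuse investigation still work, but the raw address is
    not written. Rotating the key (e.g. daily) limits linkability over time."""
    digest = hmac.new(key, ip_text.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def pseudonymise_line(line, key=None):
    """Return the log line with its client address replaced.
    Unparseable lines are returned unchanged rather than silently dropped,
    so a malformed line cannot make the job lose data unnoticed."""
    m = LOG_RE.match(line)
    if not m:
        return line
    ip = m.group("ip")
    token = hmac_ip(ip, key) if key else truncate_ip(ip)
    return (f"{token} {m.group('ident')} {m.group('user')} "
            f"[{m.group('time')}] {m.group('rest')}")


def pseudonymise_log(lines, key=None):
    """Process an iterable of log lines (trailing newlines are stripped)."""
    return [pseudonymise_line(line.rstrip("\n"), key) for line in lines]


# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.57 - - [10/May/2018:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::5 - - [10/May/2018:12:00:02 +0000] "GET /shop/cart HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


if __name__ == "__main__":
    # Truncation mode: suitable for logs kept for statistics.
    for out in pseudonymise_log(SAMPLE_LOG):
        print(out)
    # Keyed mode: suitable for logs kept for security/abuse handling.
    for out in pseudonymise_log(SAMPLE_LOG, key=b"rotate-this-key-daily"):
        print(out)
```

Truncation is irreversible and is the mode to use when the log is kept only for statistics; the keyed mode keeps per-client linkability (a repeated offender still gets the same token within one key period), which is what modsecurity-style or rate-limiting review needs, at the cost that whoever holds the key can reproduce tokens from candidate addresses. Whichever mode is used, the raw log the web server writes still exists until it is rotated or purged, so this only helps for the copy you retain.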


#18

Hi eoxx,

what exactly “lack of protection” means in technical terms goes beyond my understanding of servers and hosting providers. However, from the 25th of May EU individuals have the right to request their records and have the right to request to be ‘forgotten’. This is all I know, and I definitely don’t want to be fined for not being compliant. (Just google GDPR and you’ll find tons of information.)

Please note that this regulation doesn’t apply to EU companies only. Even if you are not located in the EU, these regulations still apply to you if you have users who live in the EU who have their personal information in your systems. The GDPR regulations apply to everybody inside or outside the EU as long as they are storing or tracking personal data for EU individuals.

The teeth to these regulations are the penalties that can be the greater of 20 Million Euros or four percent of a company’s annual global revenue. That’s not EU revenue, that’s global revenue!

In effect, what the EU is doing, as it cannot regulate the big global data processors, is delegating the responsibility to keep data safe to the individual companies that can be regulated and controlled locally, which is much easier. They are using the crowd to put pressure on the big players.


#19

Every day I check to see if Dreamhost has been certified at Privacy Shield:
https://www.privacyshield.gov/list


#20

Hi @Soccerwidow and thanks for the answer.
Yes, I know the GDPR and that’s why I asked you those questions; being compliant with the right to request records and the right to be forgotten is not enough. As I said, in case the data of European citizens is transferred to the USA (Dreamhost is a US company) and the organization is not Privacy Shield certified, you have to explain to your customers the lack of protection they are facing. Furthermore, the IPs thing is not clear, because you are transferring data to the USA before the consent.