HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

GDPR compliance of Vanilla


you must have heard that The European General Data Protection Regulation will be applicable as of May 25th, 2018. Any business who deals with EU citizen's personal data has to be compliant with that. Since all Vanilla forum managers / owners are subject to this let me phrase some questions out loud:

  • Is Vanilla Open Source compliant with GDPR? (the Core, I presume)
  • Will you make a statement on this so Vanilla forum managers / owners can reference that in case of an audit?
  • Will you adjust the default privacy policy?

Some useful links:




  • it is actually your responsibility not theirs.

    grep is your friend.

  • Who do you mean 'theirs'?

    Let's say I'm not a techie, I just want to launch a community forum, so I download Vanilla, install it and go live. How can I assure my community members that their personal data is safe?

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP
    edited February 2018


    As the Admin of a Vanilla installation, you are the one who collects and stores anything that counts as 'personal data', in the database you create to set up a Vanilla forum. It has nothing to do with Vanilla, the software supplier. It's like asking Mercedes how they are going to ensure that people keep to the speed limit.

    You need to know that you are doing everything you can to keep user data safe.

  • @whu606

    I like your analogue, exactly, what I want to hear from Mercedes is: "If the speedometer shows 130 km/h we guarantee that your car runs 130 km/h on the highway, but if you push the pedal more that's your responsibility."

    So I'd expect Vanilla to say: "If you install the core and keep up with the security updates then your Vanilla is GDPR compliant."

    Let me have just one example on the requirements:
    GDPR states that you have to have an explicit list of the personal information you collect on a 'data subject'. Being an Admin, how should I identify what these personal information are? I'm not a specialist, not a developer, not a technie, how would I know i.e. what cookies Vanilla use, what are their names, if each of them represent uniqueness or not.

    You can't really expect me to download a forum software for free and then pay serious bucks for development / consultant / privacy auditor companies so I could say "My forum is GDPR compliant?".

    Don't you think that "Vanilla is GDPR compliant, my webhost is GDPR compliant, so am I." would be a much simplier and cheaper solution for Vanilla Admins?

  • @Csabbencs said:
    You can't really expect me to download a forum software for free and then pay serious bucks for development / consultant / privacy auditor companies so I could say "My forum is GDPR compliant?".

    Don't you think that "Vanilla is GDPR compliant, my webhost is GDPR compliant, so am I." would be a much simplier and cheaper solution for Vanilla Admins?

    But what we're trying to say is that any statement would be meaningless.

    No one uses the barebone version of Vanilla. Everyone uses at least one custom theme or plugin.

    You need to inform the customers of the data you collect and the purpose of collecting it, so a better question would be if there were any good Terms of services / privacy policy notices available to help you in the process of becoming GDPR compliant.

    No one is going to put their head on the chopping block to guarantee that your particular version of customized free software is GDPR complaint.

  • @Caylus
    You're right and that's why I was talking about 'The Core' of Vanilla. The Core Vanilla could easily be compliant.
    Then, if you have extra plugins, that's your turn, you can contact the plugin developers or hire a company to check how your plugins can be compliant.

  • R_JR_J Ex-Fanboy Munich Admin

    No Vanilla is not compliant.

    You need to provide your users with all the data your forum stores for and about them. There is no "report" or export that you can run to show it.

    I'm not sure about the right to be forgotten. While content can be deleted, there might remain information in some tables that I never checked. I doubt that UserMeta gets cleaned or the authentication providers.

    Maybe there will be plugins that support this, most probably not. You could only grant something like that for software that cannot be extended or which capabilities to be extended are very limited. That is against the nature of Vanilla.

    They shouldn't risk to tell their software is compliant to whatever.

    In general I doubt that any free software will ever grant you compliance to anything where you could be punished with a monetary fee. And if they would, I personally wouldn't trust them.

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP

    Vanilla software developers can have no idea how you (or any user) will (or will not) protect the data collected from users.

    Vanilla software developers aren't storing or collecting any data.

    You are the entity responsible for ensuring GPDL (or any other) compliance.

    You might, I suppose, ask what data a vanilla Vanilla installation, with no extra add-ons enabled collects.

  • x00x00 MVP
    edited February 2018

    They would be foolish to make as statement becuase that is legally putting them on the spot when they are unable to make such claim for you.

    It is mealiness becuase the framework is only a small part of your compliance, for one the framework acts on the data it is doesn't hold most of that data. It is you that choose the application and sever set-up. They have no idea of what context you are using their framework.

    The basic concept of data protection compliance hasn't change in years, isn't complicated and the worst kinds of violation usually caries a prison sentence (rightly so).

    This recent legislation make what is defined as personal (identifiable) information broader. It arguably blurs the line of personal responsibility and the public domain, which is a shame, but that is a consequence of having bureaucrats making legislation with very little idea of the real threats to security or privacy.

    Neither GDPR and PECR protect you as a consumer against people who what to steal you private information/violate you privacy, nor do they ensure the public make good decisions with their data.

    Nevertheless you will need to comply, which means doing your homework. It is not something Vanilla as a company will provide, it is not a comparable to warranty, which I doubt vanilla would provide either

    grep is your friend.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    Vanilla provides the means to develop extensions to show compliance and inform users .

    Every person who downloads installs and hosts the forum software or any software that uses a data base and collects identifying and non identifying information from their users, are the ones responsible for protecting their users and safeguarding their information.

    There is nothing stopping children or hackers or anyone from downloading and using this free software for any purpose.

    Caveat Emptor . Vanilla software is a tool and they can’t possibly regulate or legislate how people use it.

    Facebook is the biggest violator of GPDL for that matter . Ask them the same question.

    Besides, all you need is a disclaimer and a clear privacy notice along with a safeguarded database. For any kind of software like this .

    Do you blame the maker of a hammer when you hit your finger with it instead of the nail ?

  • The enforceability of GPDL remains to be seen, the enforceability of PECR has been an abject failure.

    It is true that facebook are one of the largest data mining companies. Thought they can pay for good lawyers.

    grep is your friend.

  • CsabbencsCsabbencs
    edited February 2018

    Thanks for the invaluable comments!

    I'm just rather trying to urge Vanilla developers here to give some kind of - even unofficial - technical hints to Vanilla admins on the personal data Vanilla deals with.

  • R_JR_J Ex-Fanboy Munich Admin

    My personal approach would be to simply start over and see how things evolve.

    If some users asks for his data, open a new discussion and ask how to do this. You will get an SQL statement from one of us which exports most of the data. Pass that to the user and see if he is happy with that (most probably he will)

    If he wants his content to be deleted, use the inbuilt Vanilla feature. That is not complete, but the user will not be able to see that, only someone with access to your database might notice that fragments are left.

    What you have to take care for in respect to other information stored in the database or on the server, you should be able to find general hints. There's no difference in this regards to WordPress. Every blog/cms/forum has the same needs concerning to the hosting side.
    And again: if you come back with a request like "I need to purge/backup this and that information periodically", someone will provide you with an SQL that would extract/remove that data.

    As long as your forum is only a hobby, I doubt that you will ever have to deal with those legislation burdens. And if you are doing it professionally, you should spare some money for a lawyer anyway.

  • Vanilla devs are not responsible for Vanilla administrators' GDPR compliance, but they (or add-ons) can provide tools that aid admins in being GDPR compliant.

    As long as your forum is only a hobby, I doubt that you will ever have to deal with those legislation burdens.

    I'd say that this is a dangerous assumption and one that is very much against the spirit of GDPR. GDPR gives people rights over their data: the right to know what you're collecting, how you are processing it, how it can be changed or deleted, etc. It puts the person in control of their data.

    If your forums are a hobby, you should still care about your users' personal data, regardless of whether or not you might get caught up in legislation. GDPR provides a framework for looking after that valuable stuff called "data" that your users entrust to you. This is a responsibility. You should bear it well.

  • LincLinc Detroit Admin

    Our cloud service is GDPR compliant. We have not made any specific changes to core or created special addons to achieve this; we simply offer manual services as-needed to bridge any gaps. I believe our nuclear user delete option sufficiently expunges personally-identifiable information. User data can be manually exported if needed with sufficient technical knowledge. If you have specific GDPR-related concerns with core functionality, I encourage you to open an issue on our repo about it with as much detail as possible.

  • Nothing is truly deleted until the memory blocks are overwritten. The is computing 101. Forensic recovery is not that hard and there are number of good programs out there to do it. it has saved my and friends bacon many a time, but can be used by criminals too.

    Practically overwriting whole memory blocks, or partial "shredding" is not really it feasible on a live site. It is technically possible to remove the offending data and put the rest of the block back, but first you have to find all copies of that data, which is is limited by what we imagine all the data to be

    Sites with redundancy, high availability / horizontal scaling, you to repeat this process a number of time on different storage nodes. Cloud technologies data may be strew all over the place depending.

    Another option is some kind of encrypted storage end to end between the database server and the framework. problem with that is if you loose the keys you are screwed. Doing it between the client and databases server through the framework, makes sense for apps like Whatsapp, but that less feasible on a public website.

    Storing passwords, keys, personal and public data separately might make it easier to ensure compliance with some sort of encryption on the personal data.

    There is the option that many academic are proposing is that personal data is only held by the user and only requested when needed. The feasibility of this debatable. Technically it is possible.

    I think in reality GDPR will be a task to enforce, it is also more ambiguous than the data protection and privacy laws the preceded it.

    You can only do what you can yo protect your users. I suggest to avoid collecting personal information as much as is possible, and make very clear to user what public domain is and what publishing on your platform means.

    grep is your friend.

  • LincLinc Detroit Admin

    We published a blog post with more information about GDPR and Vanilla: https://blog.vanillaforums.com/community-answers-to-common-questions-about-gdpr-community-forums

  • lokanathlokanath New
    edited September 2018

    @Linc with my forum - how do I send someone’s user report or details from cPanel? Or do I have to contact Vanilla? I am not using Vanilla cloud (our non-profit just can’t right now - although I would like to in the future).

  • LincLinc Detroit Admin

    @lokanath said:
    Or do I have to contact Vanilla? I am not using Vanilla cloud

    Then why would you contact us? We don't have access to anything about your site.

    @lokanath said:
    how do I send someone’s user report or details from cPanel?

    I'm no lawyer, but I think you're over-estimating the complexity of that task. The personal information stored about the user consists of their email and IP addresses. Those are all stored in their record in the GDN_User table of the database.

  • lokanathlokanath New
    edited September 2018

    @Linc thank you - I found the GDN file - you are right - not a big deal...for some reason I cannot upload my pdf’s - I wrote a legal NDA - i think it will satisfy all the requirements for any forum developer...Glad to share it...or you can find it on docracy.com - my user there is ‘Bhikkhu’.

Sign In or Register to comment.