Netlify Forms: Data center location

Is there any information available about the physical location of the data where Netlify stores form submissions?

Hey @sel,
Our backing store lives in San Francisco, so there’s a copy there, but your form submissions are also distributed to CDN nodes around the world along with your site, so there are copies in those nodes as well. Let us know if that helps or if you have followup questions!


Hi @jen !

Thank you for this answer and thank you @sel for asking the question!

It would be very helpful if we could select where the forms data is stored. It is a GDPR nightmare if the form submission data is sent to San Francisco and even replicated all over the world.

I have read from the forums that the Netlify functions could be set up so that they automatically delete the data after the submission but it does not remove the problem. The problem is that the data would still be sent outside of the EU and temporarily stored outside of the EU.

The form feature itself looks super great, it seems so easy. But just because of this aspect it is very hard to use it from Europe.

Thanks a lot anyways for the otherwise great service! I hope you would consider thinking about the privacy matters of data storage, as this is very important for EU-based data registries.

hey there @ahu, i am going to ask someone to weigh in on this who knows more about this than i do! stay tuned.

Well, I do need to amend something Jen said; we store form submissions with our backing store(s) ONLY. They are not stored on CDN nodes in various countries, only the same place the rest of our user data is stored - files from your deploy can end up cached on CDN nodes, but submissions from your users never will be (we don’t cache POSTed content, and our form feature requires POSTing). At present, that is in the US; someday we may have an EU data center as well.

This should not be a “GDPR nightmare”. We are GDPR compliant, as are our European customers who use our form submission feature. Please read our GDPR documentation here about how that can be:

Note that we are not lawyers on the Support team; if you need legal opinions, you should find a local lawyer to confirm. But I can confirm that we have put substantial internationally accredited legal expertise to work in creating our GDPR policies and statements, and that we believe our customers in the EU and elsewhere can be compliant using any of our features, so while people occasionally assert that how we do things is not GDPR compatible - we have never found this to be true based on our own legal research, and many big names in EU have found the same thing via consultation with their own counsel.

@fool The real problem lies when we have to inform our customers where their data is being processed. This is a trust issue and makes privacy policies harder to implement when the data is sent and stored outside of EU.

Based on this page, right now the USA does not seem to provide an adequate level of data protection according to the European Commission:

Therefore, transfer of personal data to the USA requires user consent before the data can be sent to the US. This needs to be disclosed on the company’s site which uses Netlify to host their site (e.g. our site).

I am well aware that you process data according to the GDPR regulations, but the data is still being stored in the US, which is the real problem here. In this case we would have to inform our customers that their data is stored in the US. And in this case, it causes a trust issue, which is why I used the term “GDPR nightmare”.

Everything is much simpler regarding the GDPR when the data doesn’t leave the EU borders.

Understandable. At the moment, it’s true most of the data is leaving US borders. So from what you said, the only option for you would be to add a note for your users.

Are there any updates on this issue? It would be very useful for European sites to have the form data stored in Europe. There are other form services that could be used to prevent the data from being sent to the US, but I prefer to keep third-party solutions to a very minimum.

No updates so far, @henrikhansson

As I understand it, the EU-U.S. Data Privacy Framework that Netlify has (will?) implemented should solve the issue with the form data being stored in the US. I’m not a GDPR expert but to my eyes this looks promising. Is there any official feedback / statement from Netlify regarding this?

I’ve asked a wider team about this and will let you know once we have more info.

Hi folks, this is what our counsel had to say.

When customers subscribe to Netlify, they enter into an agreement with Netlify, Inc., a Delaware corporation. As such, Netlify does transfer data to the USA, where some of our employees are based, together with sub-processors that we engage to provide our services.

Data transfers to the United States happen in reliance on the Standard Contractual Clauses, which are incorporated in our Data Processing Agreement available here: https://www.netlify.com/pdf/netlify-dpa.pdf

Netlify was also in the EU - US Privacy Shield list, and after the approval of the EU - US Data Privacy Framework we have been automatically included in that list as well:

Digital Privacy Framework

If you need further guidance and you’re not an Enterprise customer here, you’ll need to work with your own counsel to understand the implications of it and what you need to do to meet your local requirements. If you are an enterprise customer here, please contact your account manager and they can work with you on further legal queries.