Plesk GDPR Compliance

DISCLAIMER: This is a general overview of GDPR compliance for various Plesk versions, not a legally binding document. Plesk is not an authority on GDPR and does not claim to be a legal or official source. Treat the information on this page as a step on your way to GDPR compliance.
For more information, read the article about GDPR compliance on the Plesk blog. Have questions? Reach us at privacy@plesk.com.

Introduction

The GDPR data subjects in relation to Plesk are:

  • Plesk administrators, who provide their personal data (e-mail) to receive Plesk licenses or newsletters. We store this personal data in the Key Administrator and Partner Central services. Plesk administrators are subject to GDPR relations with Plesk International GmbH, since we can store their personal data for legitimate business reasons.
  • Plesk users, whose accounts are created on Plesk servers. Plesk users are subject to GDPR relations with Plesk administrators.
  • Site visitors, who visit websites hosted on Plesk servers. Site visitors are subject to GDPR relations with Plesk administrators.

GDPR compliance of Plesk versions

The table below shows how different Plesk versions handle GDPR aspects.

The following updates are required to have the GDPR-related fixes installed on your server(s):

GDPR compliance aspect: Storing the Plesk administrator's personal data

  • Plesk 11.x and older (unsupported versions): These Plesk versions are not GDPR compliant because they send personal data of the Plesk administrator to the Key Administrator and the Partner Central services. *
  • Plesk 12.0, 12.5 (unsupported versions): Plesk explicitly requests consent or a contract agreement from the Plesk administrator before sending their personal data to the Key Administrator and the Partner Central services. *
  • Plesk Onyx 17.0, 17.5, 17.8 and Plesk Obsidian: Plesk explicitly requests consent or a contract agreement from the Plesk administrator before sending their personal data to the Key Administrator and the Partner Central services.

GDPR compliance aspect: Storing the Plesk administrator aliases and non-admin Plesk users' personal data

  • All versions: Personal data of Plesk administrator aliases and non-admin Plesk users is not sent anywhere regardless of the Plesk version.

GDPR compliance aspect: Storing the visitor IP addresses for websites hosted on Plesk

  • Earlier versions: Plesk does not anonymize IP addresses in logs. You can rotate the logs via log rotation. * Note: this data is not sent anywhere.
  • Plesk Onyx 17.5, 17.8 and Plesk Obsidian: Plesk anonymizes IP addresses in logs. You can rotate the logs via log rotation. ** Note: this data is not sent anywhere.

* Since Plesk versions 11.x, 12.x, and earlier are no longer officially supported, they may not be in full compliance with the current privacy regulations. We strongly recommend updating to the latest Plesk version. Plesk takes no responsibility for breaches of any laws caused by using non-supported versions of Plesk.
Note: personal data sent by Plesk versions 11.x and older is not stored in the Key Administrator and the Partner Central services any more.

** GDPR does not specify exactly how long IP addresses can be stored. When IP addresses are anonymized, each address is kept in its original form for 24 hours. As for log rotation policies, Plesk users have the ability to configure them as they see fit.

IP addresses logging aspect

Client IP addresses are logged by the following services:

  • Nginx, Apache, ProFTPD, Mail
  • AWStats, Webalizer

Below you can find recommendations for solving the issue on your servers, including the instructions for turning IP address logging off for Nginx and Apache servers.

Aspect: Enable IP addresses anonymizing

  • Plesk versions applicability: Plesk Onyx 17.5-17.8, Plesk Obsidian
  • Solution: Panel UI and CLI instruction
  • Side effects: There should be no side effects. Fail2ban should continue working since Fail2ban processes log files before they are anonymized.

Aspect: Disable web statistics tools (AWStats, Webalizer)

  • Plesk versions applicability: Plesk 12.0-12.5, Plesk Onyx 17.0-17.8, Plesk Obsidian
  • Solution: Instruction of how to disable
  • Side effects: Users will not be able to use the web statistics tool in Plesk.

Aspect: Force log files rotation

  • Plesk versions applicability: Plesk 12.0-12.5, Plesk Onyx 17.0-17.8, Plesk Obsidian
  • Solution: Instruction with a script which enforces daily rotation policy for log files
  • Side effects:
      • The "Logs rotation management" permission will be automatically removed from all service plans and subscriptions.
      • Daily log rotation will be enforced for all existing domains.
      • Since Plesk clients and resellers will still be able to change log rotation settings, we recommend adding the script to crontab.

Aspect: Disable IP addresses logging

  • Plesk versions applicability: Plesk 12.0-12.5, Plesk Onyx 17.0-17.8, Plesk Obsidian
  • Solution: Instruction how to disable IP address logging
  • Side effects: The following services will not work:
      • Fail2ban web sites protection will NOT work
      • AWStats and Webalizer web statistics will continue to work, but will lose aggregation statistics based on IPs
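
The delayed anonymization described above (each address kept in its original form for 24 hours, so Fail2ban reads log entries before they are masked) can be illustrated on Apache/Nginx-style access log lines. This is an added example, not Plesk's own code: the mask widths (/24 for IPv4, /48 for IPv6), the function names and the sample lines are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed masks (not stated on the page): keep /24 of IPv4 and /48 of IPv6.
KEEP_BITS = {4: 24, 6: 48}
RETENTION = timedelta(hours=24)  # from the page: original form is kept for 24 hours

# Common/combined log format: client address first, timestamp in [brackets].
LINE_RE = re.compile(r'^(?P<ip>\S+)(?P<mid> \S+ \S+ \[)(?P<ts>[^\]]+)(?P<rest>\].*)$')


def mask_ip(text):
    """Zero the host part of an address; return None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def anonymize_line(line, now):
    """Mask the client IP of one log line (no trailing newline) once it is older than RETENTION."""
    m = LINE_RE.match(line)
    if not m:
        return line  # unknown layout: leave untouched rather than corrupt it
    try:
        stamp = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return line
    masked = mask_ip(m["ip"])
    if masked is None or now - stamp < RETENTION:
        return line  # recent entries stay intact so log-based tools can still read them
    return masked + m["mid"] + m["ts"] + m["rest"]


# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE = [
    '203.0.113.77 - - [01/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:12:34:56:78:9a - - [01/Mar/2024:10:05:00 +0000] "GET /a HTTP/1.1" 200 90',
    '198.51.100.9 - - [02/Mar/2024:11:30:00 +0000] "POST /login HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    now = datetime(2024, 3, 2, 12, 0, 0, tzinfo=timezone.utc)
    for entry in SAMPLE:
        print(anonymize_line(entry, now))
```

With the constructed clock value, the first two entries are older than 24 hours and are masked, while the third entry (30 minutes old) keeps its full address.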