Plesk Documentation and Help Portal

Plesk GDPR Compliance

DISCLAIMER: This is a general overview of GDPR compliance for various Plesk versions, not a legally binding document. Plesk is not an authority on GDPR and does not claim to be a legal or official source. Treat the information on this page as a step on your way to GDPR compliance.
For more information, read the article about GDPR compliance on the Plesk blog. Have questions? Reach us at privacy@plesk.com.

Introduction

Data subjects of GDPR regarding Plesk are:

  • Plesk administrators, who provide their personal data (e-mail) to receive Plesk licenses or newsletters. We store this personal data in the Key Administrator and Partner Central services. Plesk Administrators are subjects to GDPR relations with Plesk International GmbH since we can store their personal data due to legitimate business reasons.
  • Plesk users, whose accounts are created on Plesk servers. Plesk users are subjects to GDPR relations with Plesk administrators.
  • Site visitors, who visit websites hosted on Plesk servers. Site visitors are subjects to GDPR relations with Plesk administrators.

GDPR compliance of Plesk versions

Note: Plesk Obsidian is the recommended Plesk version in terms of GDPR compliance.

Any version of Plesk Obsidian is GDPR-compliant.

Plesk versions earlier than Obsidian require the following updates to receive the GDPR-related fixes:

The table below shows how different Plesk versions handle GDPR aspects.

GDPR compliance aspect Plesk Obsidian (recommended);
Plesk Onyx 17.8 and 17.5		 Plesk Onyx 17.0;
Plesk 12.5 and 12.0
(unsupported versions)		 Plesk 11.x and earlier
(unsupported versions)
Compliant Plesk explicitly requests consent or a contract agreement from the Plesk administrator before sending their personal data to the Key Administrator and the Partner Central services. Not compliant These Plesk versions are not GDPR-compliant because they send personal data of the Plesk administrator to the Key Administrator and the Partner Central services. *  Compliant Plesk explicitly requests consent or a contract agreement from the Plesk administrator before sending their personal data to the Key Administrator and the Partner Central services. * 
Storing the Plesk administrator aliases and non-admin Plesk users' personal data Compliant Personal data of Plesk administrator aliases and non-admin Plesk users is not sent anywhere regardless of the Plesk version.
Storing the visitor IP addresses for websites hosted on Plesk Compliant Plesk anonymizes IP addresses in logs. You can rotate the logs via log rotation. ** 
Note: this data is not sent anywhere.		 Almost compliant Plesk does not anonymize IP addresses in logs. You can rotate the logs via log rotation. * 
Note: this data is not sent anywhere.

* Since Plesk versions 12.x, 11.x, and earlier are no longer officially supported, they may not be in full compliance with the current privacy regulations. We strongly recommend updating to the latest Plesk version. Plesk takes no responsibility for breaches of any laws caused by using non-supported versions of Plesk.
Note: personal data sent by Plesk versions 11.x and earlier is not stored in the Key Administrator and the Partner Central services any more.

** GDPR does not specify exactly how long IP addresses can be stored. When IP addresses are anonymized, each address is kept in its original form for 24 hours. As for log rotation policies, Plesk users have the ability to configure them as they see fit.

IP addresses logging aspect

Clients IP addresses are logged by the following services:

  • Nginx, Apache, ProFTPD, Mail
  • AWStats, Webalizer
Below you can find recommendations for solving the issue on your servers, including the instructions for turning IP addresses logging off for Nginx and Apache servers.

Aspect Plesk versions applicability Solution Side effects
Enable IP addresses anonymizing Plesk Obsidian (recommended)
Plesk Onyx 17.5-17.8		 Enable IP addresses anonymizing via panel UI or CLI There should be no side effects. Fail2ban should continue working since File2ban processes log files before they are anonymized.
Disable web statistics tools (AWStats, Webalizer) Plesk Obsidian (recommended)
Plesk Onyx 17.5-17.8
Plesk 12.0-12.5		 Disable web statistics tools Users will not be able to use the web statistics tool in Plesk.
Force log file rotation Plesk Obsidian (recommended)
Plesk Onyx 17.5-17.8
Plesk 12.0-12.5		 Use a script which enforces daily rotation policy for log files
  • The "Log rotation management" permission will be automatically removed from all service plans and subscriptions.
  • Daily log rotation will be enforced for all existing domains.
  • Since Plesk clients and resellers will be still able to change log rotation settings, we recommend adding the script to crontab.
Disable IP addresses logging Plesk Obsidian (recommended)
Plesk Onyx 17.5-17.8
Plesk 12.0-12.5		 Disable IP address logging The following services will be affected:
  • Fail2ban web sites protection will NOT work.
  • AWStats and Webalizer web statistics will continue to work, but will lose aggregations statistics based on IPs.
  • Industry
    Partners:
COMPANY
PRODUCT
KNOWLEDGE BASE
PROGRAMS
COMMUNITY
© 2020 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.