Personal Data in ThinkCMS

This page describes the personal data stored in ThinkCMS, how that data flows, and the purpose it serves. The information covers only the built-in functions and does not cover custom implementations. This page is intended for informational purposes only and should not be considered legal advice on any subject matter.

[ Contents ]

  1. Administrators
    1. Sessions
    2. Admin actions log
    3. Security events
    4. Failed logins
  2. Users
    1. Sessions
    2. Failed logins
  3. Cookie consents

 

Administrators

Administrators are back office / administration users who are responsible for managing the content on the site. Administrators can be created only by other administrators with appropriate permissions.

Data Purpose / Description
Username

Admin interface
Displayed on the administrator management interface in the back office / administration.

Authentication
Enables administrators to log in to the back office.

Email address

Admin interface
Displayed on the administrator management interface in the back office / administration.

Authentication
Enables administrators to log in to the back office.

Email communication
Receive password reset emails, security notifications etc.

Name

Admin interface
Displayed on the administrator management interface, the top bar showing the currently logged in admin and on other locations, mainly for identifying records or actions created by administrators in the back office / administration.

Password

Authentication
Required for authenticating the users in the back office / signing in.

Passwords are stored in secure hashed form. For more information on how we secure your passwords, see the security information.

References The administrator database ID is linked to sessions, admin actions log, password reset codes, security events log and records created by the administrator.

Sessions

Sessions are created when an administrator provides valid credentials (email address or username and password) in the login form. Each session is linked to a specific administrator via his unique database ID.

Data Purpose / Description
IP address

Admin interface
Displayed on the admin actions log and the security events log.

Security
The IP address is bound to a valid session for security purposes.

Session ID

Session management
A unique set of characters assigned by the application to identify a user that has logged into the administration.

User-Agent

Admin interface
Displayed in the security events log.

Security
The User-Agent in hashed form is bound to a valid session for security purposes.

Date and time

Admin interface
Displayed on the admin dashboard (to show the last active users), in the admin actions log and in the security events log.

Security
Date and time of last action in the back office is used for session management, recording security events and admin actions.

References A valid and active administrator account.

Admin actions log

The admin actions log is intended for administrators with the highest permissions in the system. Its main purpose is to create an audit trail of all administrator actions, including details on who did what, from where and when, helping the system owners to maintain accountability of the users in the system.

Each admin action record is linked to a specific administrator via his unique database ID and is created automatically by the system when certain actions are performed. To ensure that no personal or sensitive data is logged in the before and after states of the records in the admin actions log, a pseudonymized version of the recorded data fields is used.

Data Purpose / Description
IP address

Admin interface
Displayed on admin actions log and the security events log.

Security
Review the IP addresses used to access the system and perform certain actions.

Date and time

Admin interface
Displayed on the admin dashboard (to show the last active users), in the admin actions log and in the security events log.

Security
Date and time of the action performed in the system.

References

Administrator Name - Displayed on admin actions log to identify the user who performed a specific action.

Security events

Specific security events are logged in the system with extra information, including login and logout events, failed logins, password reset requests, password resets, temporary account locks from brute force protection, and others.

Each security event is linked to a specific administrator via his unique database ID and is created automatically by the system when a certain event occurs.

Data Purpose / Description
IP address

Admin interface
Displayed on admin actions log and the security events log.

Security
Review the IP addresses used to access the system and perform certain actions.

Date and time

Admin interface
Displayed on the security events log.

Security
Date and time of the security event.

User-Agent

Admin interface
Displayed in the security events log.

Security
The User-Agent in plain-text is logged for security purposes.

Location

Security
The location at the time of the event, derived from the IP address, is used to identify unusual locations and for other security purposes.

References

Administrator Name - Displayed on admin actions log to identify the user who performed a specific action.

Failed logins

The failed logins log is used to prevent brute force password attacks and logs all failed password attempts for the administrator area.

Data Purpose / Description
IP address

Security
Review the IP addresses used to access the system and perform certain actions.

Date and time

Security
Date and time of the action performed in the system.

References Administrator database ID

Users

Users are a common module enabling registration, authentication and access control for website users. New users are created when a website visitor goes through the registration process or manually by the website administrators. While most implementations of this module contain different fields with personal information, the fields listed here are the essential ones required for the normal functionality of the module.

Data Purpose / Description
Username

Authentication
Required for authenticating the users on the site.

Email address

Authentication
Required for authenticating the users on the site.

Email communication
Receive password reset emails, security notifications etc.

Password

Authentication
Required for authenticating the users on the site.

Passwords are stored in secure hashed form. For more information on how we secure your passwords, see the security information.

References The user database ID is linked to sessions, password reset codes and other content generated or linked to the user.

Sessions

Sessions are created when a user provides valid credentials (email address or username and password) in the login form. Each session is linked to a specific user via his unique database ID.

Data Purpose / Description
IP address

Security
The IP address is bound to a valid session for security purposes.

Session ID

Session management
A unique set of characters assigned by the application to identify a user that has logged into the administration.

User-Agent

Security
The User-Agent in hashed form is bound to a valid session for security purposes.

Date and time

Security
Date and time of last action in the back office is used for session management, recording security events and admin actions.

References A valid and active user account.
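
The session binding described in the administrator and user Sessions tables can be sketched as follows. This is an added example, not ThinkCMS code: the SHA-256 hash, the 30-minute idle timeout, the in-memory store and all function and field names are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Assumptions (not from the page): SHA-256 for the User-Agent hash and a
# 30-minute idle timeout. The page only says these two values are stored.
IDLE_TIMEOUT = timedelta(minutes=30)


def ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def create_session(store: dict, account_id: int, ip: str, user_agent: str,
                   now: datetime) -> str:
    """Create a session record holding the fields listed in the table."""
    session_id = secrets.token_urlsafe(32)   # unguessable session ID
    store[session_id] = {
        "account_id": account_id,            # reference to the account's database ID
        "ip": ip,                            # IP address bound to the session
        "ua_hash": ua_hash(user_agent),      # User-Agent kept only in hashed form
        "last_action": now,                  # date and time of last action
    }
    return session_id


def validate_session(store: dict, session_id: str, ip: str, user_agent: str,
                     now: datetime):
    """Return (account_id, "ok") or (None, reason); a failed check destroys the session."""
    record = store.get(session_id)
    if record is None:
        return None, "unknown_session"
    if now - record["last_action"] > IDLE_TIMEOUT:
        reason = "expired"
    elif record["ip"] != ip:
        reason = "ip_mismatch"
    elif not hmac.compare_digest(record["ua_hash"], ua_hash(user_agent)):
        reason = "user_agent_mismatch"
    else:
        record["last_action"] = now          # sliding idle window
        return record["account_id"], "ok"
    del store[session_id]                    # a mismatch invalidates the session
    return None, reason
```

The returned reason string is the kind of value that could be written to a security events log together with the IP address and time of the request.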

 

Failed logins

The failed logins log is used to prevent brute force password attacks and logs all failed password attempts for user accounts.

Data Purpose / Description
IP address

Security
Review the IP addresses used to access the system and perform certain actions.

Date and time

Security
Date and time of the action performed in the system.

References User database ID

Cookie consents

The cookie consent module is part of the GDPR compliance modules introduced in version 5.

Data Purpose / Description
IP address

Consent records
An anonymized IP address that keeps the first three octets (of an IPv4 address) or the first six hextets (of an IPv6 address), with the remaining part set to zero.

Date and time

Consent records
Date and time of the consent change in the system.

User-Agent

Consent records
The User-Agent in plain-text.

All data collected and all related processing functionality is subject to policies defined by the owner of the implementation that regulate the period of storage and accessibility.
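
The IP anonymization used for cookie consent records (first three octets of IPv4 or first six hextets of IPv6 kept, the rest set to zero) can be implemented as below. This is an added example, not ThinkCMS code: the function names, the record field names and the handling of IPv4-mapped IPv6 addresses are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Bits kept per address family, from the page: three octets of IPv4 (24 bits)
# or six hextets of IPv6 (96 bits). Everything after that is set to zero.
KEEP_BITS = {4: 24, 6: 96}


def anonymize_ip(raw: str, keep_bits: dict = KEEP_BITS) -> str:
    """Zero the trailing bits of an IPv4 or IPv6 address and return it as text."""
    addr = ipaddress.ip_address(raw.strip())   # raises ValueError on bad input
    # Assumption: an IPv4-mapped IPv6 address (::ffff:a.b.c.d) belongs to an
    # IPv4 client, so it is anonymized with the IPv4 rule.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = keep_bits[addr.version]
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def consent_record(raw_ip: str, user_agent: str, when: datetime) -> dict:
    """Build a record with the three fields from the table (field names are hypothetical)."""
    return {
        "ip": anonymize_ip(raw_ip),            # only the anonymized form is stored
        "created_at": when.astimezone(timezone.utc).isoformat(),
        "user_agent": user_agent,              # plain text, as the table states
    }
```

`keep_bits` is a parameter so that an implementation owner who wants a shorter IPv6 prefix can pass, for example, `{4: 24, 6: 64}`.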