Privacy Policy for Concrete CMS Hosting 

Effective 6 June 2022

Short Plain Language Summary

Concrete CMS is a free open source tool for building websites. You don’t have to host with us, but if you want the advantages that come with hosting your site with the maintainers of your CMS:

  • We store some contact information about you so we can help you and so you can use the CMS. 

  • You have the ability to store lots of information, potentially sensitive, in the website you’re managing on our servers. We’ll keep it private and secure but you must make all the decisions about data sharing, deleting, and what regulations you have to follow.  

  • We never share (let alone sell!) your information without you telling us to do it. 

  • We are very deliberate about where we store your information, and we routinely pass independent audits by accredited firms to make sure we’re following our rules on keeping your data where it belongs and protecting it like we say we do. 

Your business data is your data! Check out our Concrete Hosting Security page on how we keep it protected and our Compliance page for how we get external validation that we do what we say we do to keep it protected. If you are hosting with us, you are using Concrete CMS, check out security for the concrete open source core

We take the protection of your information seriously and take steps to make sure the data you entrust to us by choosing Concrete for your website or intranet hosting is kept secure and private.

Official Agreement

PortlandLabs, Inc. (the founders and maintainers of the open source content management system “Concrete CMS” previously known as concrete5 and hereafter referred to as “Concrete” in this Privacy Policy) is committed to protecting your privacy when you host your website with PortlandLabs. 

This Privacy Statement contains information on what privacy rights Concrete CMS Hosting Clients have about data we transmit and collect as well as what we do with that information.

Scope - Concrete CMS Hosting

This privacy policy applies to data collected, transmitted, and stored by PortlandLabs on behalf of clients hosting their websites with PortlandLabs, “Concrete CMS Hosting” while the data is in PortlandLabs’ control in the hosting environment. 

PortlandLabs has a standard Data Privacy Addendum (DPA) for hosting clients who need one.

Any information that identifies or can be used to identify the person to whom such information pertains ("personal identifying information (PII)") that we collect, process, or store will be subject to this Privacy Policy.

Not in Scope - General

This Privacy Policy does not govern privacy practices associated with any website not hosted with PortlandLabs including, but not limited to:

a. any websites linked to this site. PortlandLabs is not responsible for the content or privacy practices of any other website to which this Site, the Services or any Material may link. You are strongly advised to review the privacy policy(ies) of any of these sites before using them.

b. websites built with the open source Concrete downloadable from and/or 

PortlandLabs corporate website and the Concrete open source project (any site ending in *, *, * have a separate Privacy Policy  Concrete CMS Privacy Policy and hence are not in scope for this Concrete CMS Hosting Privacy Policy.

This Privacy Policy does not apply to personal information of our employees or job applicants (except to the extent employees or job applicants are also hosting clients).

Not in Scope : Hosting Customers Data Privacy Responsibilities

We appreciate you trusting PortlandLabs to host your Concrete website. Please ask for, and make yourself familiar, with our Shared Hosting Responsibility Model which outlines what you are responsible for and what we are responsible for. 

PortlandLabs is not responsible for the content or privacy practices of any of the sites PortlandLabs is paid to host. Nor is PortlandLabs responsible for the privacy practices of third parties to which those sites share data. Hence, you should also have your own privacy policy for your website or intranet HOSTED BY PortlandLabs which informs your website or intranet users how you are keeping their data private and secure.

Concrete CMS and Concrete Hosting provides the capability for website hosting clients to be compliant with privacy regulations (such as the GDPR, CCPA, LGPD etc)  but PortlandLabs is not responsible for determining if the hosted site is subject to a specific privacy regulation nor is PortlandLabs responsible for any hosted site’s compliance to the privacy regulations to which they are subject. Any questions related to a specific site not ending in,, or should be directed to that specific site and not to PortlandLabs. 

This Privacy Policy does not govern data prior to it entering the Concrete hosting environment and after it leaves the Concrete hosting environment. 


Privacy Details for Client Data 

Concrete Hosting Data Collection, Handling, and Disclosure

PortlandLabs may transmit or store customer data on a Concrete Hosting client’s behalf depending on how the client configures their websites or intranets. PortlandLabs will protect that data with industry standard best practices.

PortlandLabs will follow instructions from our hosting customers, about data access, transfer, release, destruction and retention. Except in particular circumstances described in this Privacy Policy, or where required by law, regulation, litigation, national security or law enforcement, PortlandLabs will not will not sell, share, or give away any client data to anyone unless clients ask us to do so.


Where Data is Stored

The servers we use are currently located in the US. If you send us data from outside the USA, please be aware that any information provided to us, including personal information, will be transferred from your country of origin to the USA. Your decision to provide such data to us, or allow us to collect such data either through our websites or via your websites that we host for you, constitutes your consent to this transfer of data and personal information.

If you have to be hosted in a specific country/region, talk to us! We can accommodate! We adhere to the GDPR.



Should a website hosted with PortlandLabs collect, transmit, and/or store Health Care information, PortlandLabs will enter into a Business Associate Agreement (BAA) with the client in accordance with the U.S Health Insurance Portability and Accountability Act (HIPAA). It is the client’s responsibility to request the BAA. PortlandLabs has been successfully audited for compliance with the HIPAA Security Rule (Storage of Health Care Data) and HITECH (Transmission of Health Care Data). 


Client Employee Information

Use of Concrete CMS Hosting or Employee Portal means that client employees who are Concrete CMS users and administrators will have their corporate emails and roles stored by PortlandLabs.

PortlandLabs may ask clients to provide certain information and data. This information could include, for example, employee contact information for business continuity or incident response purposes, employee information to sign NDAs etc. 

Concrete Hosting Client Employee information is stored in Zendesk (marketing, sales and service desk), Stripe (billing), Quickbooks (billing), and Google Drive (contracts, MSAs, NDAs, business continuity/incident client contact lists). PortlandLabs does a formal risk assessment of these external parties annually as part of PortlandLabs SOC 2 Type 2 & HIPAA/HITECH compliance and ISO 27001 certification.


Protection of Client Employee and Client Customer Information

PortlandLabs takes appropriate steps to protect and secure client employee and customer data from unauthorized access, use, and disclosure. We use adequate technical and organizational measures to protect your personal data against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure, or access and against all other unlawful forms of data processing. We put these measures in place after evaluating current industry best practices, the cost of implementation, risks presented by processing, and the nature of the data.

PortlandLabs is responsible for the security and privacy of Client Customer data while it resides in the Concrete CMS Hosting Environment. 

Client Customer Data that clients choose to store with Concrete Hosting resides on secure servers that only selected PortlandLabs’ personnel have access to. Access is controlled using the principle of least privilege, ssh PKI, and FIPS 140-2 validated multifactor authentication.These personnel are bound under strict confidentiality agreements prohibiting disclosure or use of clients information without consent. Access reviews are performed according to ISO 27001:2013, SOC 2 Type 2 Security Trust Principle, and HIPAA/HITECH requirements. 

All data is encrypted at rest and in transit to prevent unauthorized parties from viewing, disclosing or using such information. Although we take reasonable security measures to protect client customer data, we cannot guarantee the security of client information prior to it reaching the Concrete CMS Hosting environment. Clients are responsible for the security and privacy of any data transmitted over the internet via their websites or other means to the Concrete CMS Hosting Environment until it hits the PortlandLabs’ internet gateway. Likewise, Portlandlabs cannot ensure or warrant the security of any information we transmit after it leaves the Concrete CMS hosting environment. 

For more information, see: 

Concrete Hosting Security  

Concrete Hosting Compliance 

Concrete CMS Security

Transfers of Information to Successors and Assignments 

You acknowledge and agree that if PortlandLabs sells or assigns assets (or the assets of any division or subsidiary) to another entity, or PortlandLabs (or a division or subsidiary) is acquired by or merged with another entity, PortlandLabs may provide to such entity Hosting Client information that is related to that part of our business that was sold to, assigned to, or merged with the other entity without obtaining your further consent, but PortlandLabs will provide notice of such asset sales, assignments, acquisitions, or mergers on this website.


Changes in Privacy Policy

This Privacy Statement supersedes and controls over any other similar statement or policy for Concrete Hosting found on our websites. (Reminder, there is a Privacy Policy specifically for the open source Concrete CMS project which is separate from this Concrete CMS Hosting Privacy Policy)


PortlandLabs reserves the right to change these conditions from time to time as it sees fit and will provide notice of changes on this site. Please regularly review our Privacy Policy for updates. Use of Concrete CMS Hosting will signify acceptance of any adjustment to these terms. 


If you have objections to the Privacy Policy, you should immediately discontinue use of this Site and all PortlandLabs Services, including hosting of any of your sites.



If you feel that PortlandLabs has failed to comply with its obligations under this Privacy Policy or otherwise have complaints with respect to PortlandLabs' use or protection of your company information, please inform us immediately via the Concrete CMS Hosting customer support portal. 

Alternatively, you may inform the PortlandLabs' Privacy Officer at or at the following address:

Concrete CMS Hosting
Attn: PortlandLabs Privacy Officer
P.O. Box 14125
Portland, OR 97293

Please be specific in your complaint and provide as much detail as possible so that we can promptly address your concerns. We will investigate and respond to all complaints promptly.

Complaints with respect to Concrete’s use or protection of your personal information should be directed as outlined in