Topology of a TYPO3 website .

Data streams & infrastructure

Against the background of data protection and security, the following is a brief description of the typical topology of a (TYPO3) website and its implications (especially with regard to GDPR).

A website leads in something to the following data streams:

 

In this example it is assumed that the TYPO3 system, the database server and the mail server are located on different computers. But these are all located in the provider's data center.A written order processing contract (AV contract) is mandatory. This should also be accompanied by the provider's technical and organizational measures (TOM for short). Keep these documents carefully

 

External resources are everything that is automatically called up or loaded from other servers (outside the provider's infrastructure) when the page is called up. These resources should be listed on the privacy police page, including the provider. Furthermore, you should justify why you need the resources.

Example passage for the use of googleMaps:

"...
The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of the places indicated by us on the website. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
..."

In case you use a tracking tool such as googleAnalytics, you must comply additional requirements. These include IP address masking and at least one opt-out function. Be aware with tracking tools that the OptOut function may not be sufficient. The better option is the OptIn, where the visitor must actively agree to the tracking. 

Basically, we recommend to keep theuse of external resources to a minimum. This incidentally also improves the pagespeed value of the website, as the loading time is usually significantly reduced..

Another data protection aspect is the sending of emails via TYPO3 (or the web server). Here, too, encryption is mandatory.

Are you interested in a free, personal or telephone consultation? We are a TYPO3 agency with profound, technical knowledge and many years of experience in developing and optimizing websites.

 

Example flow of a page view

As shown in the infographic, the following steps result from a page view:

 

1.  Page view

The visitor calls up a page. You should make your pages available only via the encrypted https protocol. You can learn how to do this here.

2. Dynamic page building in TYPO3

On the web server, TYPO3 dynamically generates the contents of the desired page (caching procedures are not considered here). This requires numerous database queries. The data is returned in the form of HTML/CSS/JavaScript files. Internal resources such as images, PDF downloads, etc. are also provided via the same route..

3. Complete construction of the page by the visitor browser 

The visitor's browser reads the received HTML/CSS/JavaScript code and then establishes the direct connection to the individual servers of the providers. These connections should also all be established using "https". Otherwise, the page is not properly encrypted, and the connection is classified as "not secure" by browsers. Using external resources is an "expensive" pleasure in terms of loading time. A separate network connection must be established to each server, which slows down page loading, especially on mobile devices.

4. Locally installed Matomo as an alternative to googleAnalytics

A "better" alternative to googleAnalyttics from a privacy point of view is to use the open source software Matomo on your own server.

5. Matomo database access

Installed locally, Matomo also accesses the provider's secure database server. IP masking and OptOut function are also mandatory.

Mail sending via the website

Another sensitive area is the sending of emails via the web server. This occurs frequently with contact and order confirmations or when sending newsletters via TYPO3

6. Data transfer to the internal mail server

TYPO3 usually connects the mail server of the provider for this purpose. We recommend to use the SMTP dispatch in principle, since here an authenticated dispatch takes place. To do this, in the TYPO3 install tool (or from TYPO3 version 9 in the backend under Admin tools->Settings) under Configuration presets -> Mail handling setting define an appropriate mail account through which the dispatch should take place:

 

 

7. Transport route encryption

Encryption between the sending email server and the receiving server depends on whether both support encryption, and if so, which one.
Both servers always agree on the highest possible encryption which both servers have. If both servers can use TLS, for example, this method is also used.
If one of the servers supports only SSL encryption, SSL is used.

Transport route encryption up to the recipient can therefore not be guaranteed, as it depends on whether all servers on the transport route support encryption of the transport..
In order to achieve the highest possible compatibility with other providers and to ensure successful e-mail transmission, providers usually dispense with an encryption requirement.

Cookies" theme

TYPO3 does NOT require cookies by default.

 

Cookies are only required when TYPO3 needs to be able to assign a visitor between several page views. Then a so-called session cookie (a unique ID) is set. Application examples for this are login-protected areas or shopping cart functionalities. These session cookies are technically mandatory in order to be able to offer the respective functionality. From a data protection perspective, their use should be unproblematic.

Less unobjectionable are cookies that have no direct connection with the functionality of the website. These include, in particular, tracking tools such as googleAnalytics and Matomo. Information in the form of a cookie notice is mandatory.