Generally Accepted Privacy Principles

Last Updated: 02/20/2024


The Generally Accepted Privacy Principles (GAPP) provide a framework to ensure the privacy and security of personal information. Developed by AICPA and the Canadian Institute of Chartered Accountants (CICA), these principles are widely recognized and adopted in various forms by businesses and governments. This is the foundation of the privacy framework at dotCMS and is the underlying substrate for various regional regulations such as HIPAA and GDPR.

(See also our previous Privacy Policy document addressing those regulations in more granular detail.)


  1. Management and Leadership Commitment: dotCMS must establish a robust privacy program specifically designed for CMS operations. This includes clear leadership commitment, dedicated privacy personnel, and integration of privacy practices into CMS design, development, and maintenance.

    Role Responsibility
    Director of Cybersecurity Responsible for overarching privacy commitments of the organization
    Director of Cloud Engineering Responsible for privacy on the cloud engineering and customer PaaS systems
    CTO Responsible for privacy commitment in code and various SDLC phases
  2. Transparent Notice and Communication: dotCMS must clearly inform users, both administrators and dotCMS customers, about the types of personal information the application collects, processes, and stores. This should include detailed explanations within the CMS interface and related documentation.

  3. Choice, Consent, and User Control: dotCMS must implement user-centric privacy controls allowing users to easily provide, modify, or withdraw consent for data collection and usage. The only information we collect from customers is their names and their email addresses. We do not collect PII from customers and so there is no need for opt in or opt out consent.

  4. Data Collection Limitation: dotCMS limits the collection of personal data to only what is essential for the identified purposes, such as user management, content customization, and system functionality. dotCMS implements features to help CMS administrators comply with this principle.

  5. Purposeful Use, Retention, and Secure Disposal: dotCMS must ensure that personal data is used strictly for the declared purposes. dotCMS must Implement data retention policies and provide secure data disposal options to prevent unauthorized access upon deletion or expiration.

  6. Access and Correction: dotCMS product cannot change anything about users’ permissions and profile but admins do. All users must ask the admin to correct any changes as required.

  7. Robust Security Measures: dotCMS must implement advanced security measures to protect personal data within CMS against unauthorized access, loss, or breach. This includes regular security audits, encryption, access controls, and incident response plans.

  8. Data Quality and Relevance: dotCMS must ensure the mechanism to personal data within the CMS is with integrity such that data are retained accurately, complete, and updated as necessary. dotCMS provides tools for data validation and regular data quality checks.

  9. Continuous Monitoring and Compliance: dotCMS must conduct regular monitoring of the CMS environment for compliance with these privacy principles. dotCMS implements a robust feedback and complaint resolution mechanism. dotCMS must stay updated with changing privacy laws and adjust CMS features and policies accordingly.