GDPR law - Seafile ready?

Is Seafile GDPR ready? There are some features like file tracking or IP logging (Access log) opt out on a user basis, that is missing.

Where do you clarify on the webpage that it is easy/will be ready until May 2018.

GDPR is a nightmare for all admins, but we still have to follow the law.

Matomo explains most parts of it understandable.



1 Like

+1 Thanks for bringing this up.


+++++++1 Danke!

1 Like

Thank you for this !
GDPR is coming into force now buy has been voted 2 years ago…
Seafile is already GDPR compliant regarding to its security features (crypting, file block storage model).
As you do here, some users already pointed other lacking opt-out features during the Seafile symposium in Strasbourg.
I hope the dev team will enforce next versions with them.
But, IP logging opt out feature should only be activated if other laws do not require them, because it is not absolutely mandarory in the GDPR.

1 Like

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

The first step for admin is to communicate clearly what personal data is collected and stored in Seafile.

For the community edition, the list is

  • the files (stored in libraries)
  • the user email and user name
  • the login log

For the pro edition, the extra information include

  • the file access log (default is turned off)
  • the file activities (which is a basic function of the system)
  • the search index stored in Elastic Search server

I think the Seafile software itself is not far from GDPR compliant.

If a user ask you to erase his/her data, you can delete its account and libraries, run GC to remove all deleted libraries from persistent storage. The login log of the user from database manually via SQL.

For the community edition, the only thing missing is login log, do we need to make it opt out on a user basis? Does not the user need to know the login history for security audit?


This should be possible via GUI/CLI from Seafile Server. In normal life admins don’t really mess with the DB on a regular basis. Do you expect all your paying customers to fiddle with the DB if they pay for this software? I would understand if you’d make such features PRO only though.

As far as I understand this freaking overly done law, yes. It would also be good if the admin can see/control such setting in the user overview.



@daniel.pan I’d really appreciate it if admin had option to disable all tracking (IP, user agent etc)
Also I think that the Storage Encryption Backend would also be available on the CE.


Or at least - and much more important - to delete his Information from the audit log (IP, metadata) after the user is deleted (as an extra option) and as @DerDanilo said it should be easy to do.

Maybe an option to disable the tracking for just some users but you’d still have the web server logs, so i don’t think this is needed as long as the user is using this system he needs to know that such things will be logged - But can easily be removed if he doesn’t use it anymore.

And a feature to export all that information about one user in the seafile system would help too, since the customer/user has the right to know which data is collected, so if the admin can click just one button and will receive a ZIP with all the Information about that user (like Google does it too).



As found in another forum:

The TL:DR for GDPR is that if you use personally identifiable information about a citizen of the EU you need to comply with it completely by May 25th 2018.

There needs to be a valid legal basis for processing personally identifiable informaion. Systems have to protect the rights of data subjects, Privacy notices must be adequate. Security of data and backups needs to be clearly documented and privacy and data protection should be by design. To my mind this rules out a lot of current cloud solution providers. It rules out backups being convenently dumped in cloud storage (unless encrypted). It rules out using dropbox or google cloud storage or AWS or icloud to store personally identifiable information. It is important therefore to act on GDPR now. Even if one EU citizen uses your product or service the product or service must comply with GDPR.


This feature will be added in the next release.


what about general setting for admins that would allow them to delete whole logging/limit it. I would really appreciate that. Also I think that would bring some users that have privacy as number 1 priority



I noticed that someone posted an interesting feature request on termes and conditons that may be related to this discusson on GDPR.


1 Like

Hi @daniel.pan
Has the feature already been added?
Maybe only in the Pro Version?

It will be included in the next release 6.3.

Do you know how long we will have to wait for the new Version?

The new version will be ready within a few weeks.

By law Software needs to be compliant by the 25th may 2018.
We have to shut down Seafile theoretically until there is a solution in place.
A few weeks from now is not good enough. This was known for a long time already. I don’t get why it was not implemented earlier.


1 Like

The login log of the user can be removed from database manually via SQL. So in theory, you don’t break the law if you manually delete it if the user request.


I’m in the US, so I’m not as familiar with the law, but I’m certain at some point, a similar law will be passed here.

So, my question is this. Does the law also apply to an individual that hosts their own data? What about an individual that runs Seafile out of their home but has a couple of friends that use it? What about non-profit organizations? Where is that line in the sand between private and public?

1 Like