Help Documentation

VMP™ Security plugin documentation and support

VMP Security and GDPR – General Data Protection Regulation

This article covers how VMP Security handles personal data, how we support our customers’ GDPR compliance obligations, and what cookies the plugin sets on your site. It is not legal advice; if you have specific compliance requirements, consult a privacy lawyer who can apply them to your situation.

Overview

The General Data Protection Regulation (GDPR) is a set of EU rules that give data subjects (anyone in the EU at the time their personal data is processed) more control over how their data is used. It also constrains how that data can be exported outside the EU. GDPR applies to any organization that processes the data of EU residents, regardless of where the organization itself is located.

If your site has EU visitors, GDPR likely applies to you. Even if you only operate in your home country, you may still receive EU traffic and incur some obligations. The conservative posture is to design your data handling as if GDPR applies, which is a reasonable baseline for any privacy regime.

Terms and privacy policies

Our Terms of Use and Privacy Policy describe how we handle the data we receive when you use VMP Security. They are updated periodically as our practices evolve and as new regulations come into effect; you are notified when material changes are made. Continuing to use the products after a material change means you accept the updated terms.

The current versions are linked from the footer of every page on our website. If you need a specific historical version (for example, to demonstrate the policy in effect on a particular date), customer support can supply it from our archive.

Data Processing Agreements

For customers who need a Data Processing Agreement (DPA) to satisfy their own GDPR obligations, we provide a standard DPA based on the EU’s Standard Contractual Clauses. The DPA establishes our role as a data processor and your role as the data controller, and documents the safeguards we apply to data we process on your behalf.

To request a DPA, contact customer support with your account details. The DPA is the same for all customers in the EEA or otherwise subject to GDPR; we cannot negotiate clause-by-clause changes for individual customers.

Cookies set by the plugin

The plugin sets a small number of cookies as part of its security features. None are used for tracking or analytics; each one supports a specific defense.

vmpfence_bypass

Purpose: Marks a visitor as authorized to bypass Country Blocking via the Bypass Redirect mechanism configured on the Blocking Options page.

Set on: Visitors who reach a URL with the configured bypass GET parameter and value.

Why: Country Blocking blocks visitors based on geo-IP. This bypass mechanism allows a site owner to give specific people from blocked countries access to their site without unblocking the country generally. The cookie has a 30-day lifetime.

vmpfence_remember_device

Purpose: Marks a device as remembered so the user can sign in without 2FA from that device for up to 30 days.

Set on: Users who tick the “remember this device for 30 days” option during sign-in, when the site administrator has enabled the feature.

Why: Convenience feature. After a successful 2FA, the user does not have to re-enter codes from the same browser for the cookie’s lifetime.
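
When preparing a cookie disclosure, a site owner can check captured Set-Cookie headers against the two cookies and lifetimes documented above. The following is an added example, not code from the plugin; the sample headers, the `vmpfence_example_unlisted` name and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Cookie names and maximum lifetimes as documented on this page.
DOCUMENTED = {
    "vmpfence_bypass": timedelta(days=30),
    "vmpfence_remember_device": timedelta(days=30),
}
PREFIX = "vmpfence_"  # assumption: plugin cookies share this prefix


def parse_set_cookie(header, now):
    """Return (name, lifetime) for one Set-Cookie value.

    lifetime is None for a session cookie (no Max-Age and no Expires).
    """
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = timedelta(seconds=int(val))
        elif key == "expires":
            expires = parsedate_to_datetime(val.strip()) - now
    # Max-Age takes precedence over Expires when both are present.
    return name, max_age if max_age is not None else expires


def audit(headers, now):
    """Classify plugin-prefixed cookies; cookies from other software are skipped."""
    findings = []
    for header in headers:
        name, lifetime = parse_set_cookie(header, now)
        if not name.startswith(PREFIX):
            continue
        if name not in DOCUMENTED:
            findings.append((name, "undocumented"))
        elif lifetime is not None and lifetime > DOCUMENTED[name]:
            findings.append((name, "exceeds documented lifetime"))
        else:
            findings.append((name, "ok"))
    return findings


# Constructed sample headers, as if captured from a test site.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    "vmpfence_bypass=abc; Max-Age=2592000; Path=/",
    "vmpfence_remember_device=xyz; Expires=Mon, 02 Mar 2026 00:00:00 GMT; Path=/",
    "vmpfence_example_unlisted=1; Max-Age=60",
    "session_id=1; Path=/",
]
```

Any cookie reported as "undocumented" or "exceeds documented lifetime" is one to resolve before the disclosure is published.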

Data subject requests

Under GDPR, data subjects have rights to access, correct, and delete personal data held about them. For data processed by VMP Security on your site, those requests come to you as the data controller; the plugin’s defaults are designed to make responding straightforward.

  • Visitor IPs. Stored in Live Traffic and audit-log entries with retention you control. Configure shorter retention or IP truncation if your privacy assessment requires it.
  • User account data. Lives in WordPress core, not in plugin-specific storage. Standard WordPress export and erasure tools handle this.
  • 2FA enrollment data. Stored locally in the WordPress database, not transmitted off-site. Removed when the user account is deleted.
  • Audit log content. Sent to Portal in modes other than Preview. The Audit Log article describes the retention windows and the redaction applied before transmission.

If a specific data subject request requires a confirmation that we have purged data we processed on your behalf, contact customer support with the request reference.