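Sitecore Data Processing Addendum
FAQ: About the Sitecore Data Processing Addendum (DPA)
This FAQ helps customers understand the key features of the Sitecore DPA, reduces common negotiation points, and streamlines the onboarding process. Sitecore's DPA is tailored to our cloud-based products and has been carefully designed, including Annex A (Security Measures) and Annex B (Subprocessors), to ensure consistent and reliable protection for all customers. These components are essential to maintaining a secure and compliant environment across our services. By using this dedicated agreement, customers can simplify their compliance efforts and minimize time-consuming negotiations.
For a broader FAQ on how the DPA fits with Sitecore's legal concepts, see "Key Legal Concepts and FAQ".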
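Does the DPA apply to all Sitecore solutions?
No. The DPA applies only to Sitecore's cloud-based solutions and does not cover customer-hosted software solutions.
What security measures are included in the DPA?
The Security Measures of our DPA, set out in Annex A of the DPA, apply to all Customer Data, not just Personal Data.
Sitecore holds several security certifications, including ISO 27001 and SOC 2, and maintains an up-to-date list of its compliance programs here.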
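How are Subprocessors managed?
Sitecore's Subprocessors are listed in Annex B of the DPA. Customers can sign up to receive notifications of changes to the Subprocessor list. Customers may object to new Subprocessors, but Sitecore ensures that all Subprocessors provide at least the same level of protection as outlined in the DPA.
What data is covered by the DPA?
The DPA applies to all Customer Data processed by Sitecore's cloud products, not just Personal Data. Usage Data is explicitly excluded. For details of the data definitions used in Sitecore agreements, see here.
Sitecore acts as a Data Processor and does not control the data that customers process. Sitecore therefore cannot provide a complete list of the data processed. However, Annex C of the DPA outlines the typical categories of Customer Data processed in common use cases.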
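How does the DPA handle data transfers?
Sitecore offers a flexible choice of data centres, so Customer Data resides in the location selected. Transfers outside the selected region take place only with the customer's prior consent.
For international data transfers, the DPA incorporates the Standard Contractual Clauses (SCCs) where required, ensuring compliance with the requirements of the General Data Protection Regulation. This enables seamless global operations while maintaining data protection standards. These can be reviewed in Annex D of the DPA.
What updates have recently been made to the DPA?
DPA v5 has been updated to take the following into account:
- NIS2 and DORA regulations: Although Sitecore is not directly subject to these laws, the DPA includes provisions to help customers comply with the Significant Incident notification requirements under these frameworks.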
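SITECORE DATA PROCESSING ADDENDUM
v5.0 (January 2025)
This Customer Data Processing Addendum ("DPA") forms part of the Agreement between the Sitecore entity that entered into the Agreement ("Sitecore") and the customer ("Customer"), together the parties ("Parties"), and applies where Sitecore processes Customer Data (including Personal Data, as defined below) when providing Services under the Agreement. All terms not defined in this DPA shall have the meaning set out in the Agreement.
This DPA shall be binding on the Parties as of the effective date of the Agreement.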
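1. DEFINITIONS
"Agreement" means the written or electronic agreement between Customer and Sitecore for the provision of the Services to Customer.
"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
"Customer Data" is defined in the Agreement.
"Data Subject" or "Data Subjects" means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity. Legal entities may qualify as Data Subjects under the Data Protection Laws and Regulations of certain jurisdictions. This includes, to the extent applicable, similar variations of such term, such as "consumer", as may be relevant under U.S. state laws.
"Data Exporter" means the party identified as "Customer" in the Agreement, that is, the customer of the Data Importer's services.
"Data Importer" is Sitecore and its Affiliates, which provide experience management software.
"Data Protection Laws and Regulations" means the laws and regulations of the European Union, the European Economic Area ("EEA") and their member states, Switzerland, the United Kingdom, Australia, Canada, and the United States and its states, applicable to the Processing of Personal Data under the Agreement, as amended from time to time.
"Data Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
"Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller and, where applicable, includes a "Service Provider" as defined in the Agreement.
"DORA" means Regulation (EU) 2022/2554, which ensures the digital operational resilience of financial institutions in the European Union, including ICT risk management and incident reporting, including applicable national implementing laws and regulations, as amended, supplemented, or replaced from time to time.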
"International Data Transfer Addendum" ("IDTA") means the UK Addendum to the Standard Contractual Clauses, which is considered to provide appropriate safeguards to the transfer of Personal Data from the United Kingdom to third countries in accordance with the Data Protection Laws and Regulations of the UK.
"Network and Information Systems" means the information technology systems, networks, and components (including hardware, software, and processes) used to provide the Services.
"NIS2" means Directive (EU) 2022/2555, which establishes cybersecurity requirements for essential services and critical infrastructure across the European Union, including applicable national implementing laws and regulations, as amended, supplemented, or replaced from time to time.
"Personal Data" means any Customer Data relating to an identified or an identifiable natural person or as otherwise defined under Data Protection Laws and Regulations. For the sake of clarity, where applicable, this includes "personal information" or similar variations of such term within the meaning of applicable U.S. state laws (to the extent applicable).
"Processing" or "Process" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored, or otherwise Processed. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
"Service Provider" has the meaning set out in Section 1798.140(v) of the CCPA.
"Services" as used in this DPA means the “SaaS Products” and/or “Hosted Services” as defined in the Agreement.
"Significant Incident" means an event or series of related events that disrupts or has the potential to disrupt the delivery of essential services or critical infrastructure. This includes incidents affecting the availability, integrity, confidentiality, or authenticity of critical systems or services regulated under the NIS2 Directive and DORA. These laws apply specifically to incidents with a material impact on the operation of essential sectors, such as energy, transport, banking, healthcare, and financial markets, and require notification to regulatory authorities when applicable.
"Subprocessor" means any Data Processor or Service Provider (where applicable) engaged by Sitecore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties detailed on Annex B or Affiliates of Sitecore.
"Standard Contractual Clauses" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
"Supervisory Authority" means any competent authority designated under applicable Data Protection Laws and Regulations.
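2. SCOPE OF THIS DPA
This DPA applies where Sitecore processes Customer Data, including Personal Data, on behalf of Customer in the course of providing Services to Customer pursuant to the Agreement.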
3. ROLES AND SCOPE OF PROCESSING
3.1 Roles of the Parties. As between Sitecore and Customer, Customer is the Data Controller of Customer Data and Sitecore shall process Customer Data only as a Data Processor acting on behalf of Customer. For the avoidance of doubt, this DPA shall not apply to any instances where Sitecore is acting as a Data Controller (as defined under applicable Data Protection Laws and Regulations).
3.2 Customer Obligations. Customer shall have the sole and exclusive authority to determine the purposes and means of Processing Customer Data transferred or otherwise disclosed to Sitecore. As between the Parties, the Customer shall have the sole responsibility for the accuracy, quality and legality of Personal Data as required by applicable Data Protection Laws and Regulations and the means by which the Customer acquired Personal Data, including the provision of proper notice and obtaining consents where appropriate for Processing by Sitecore.
3.3 Sitecore's Processing of Customer Data.
- Treated as confidential: Sitecore shall maintain the confidentiality of Customer Data.
- Processing in accordance with Customer's instructions: Sitecore shall process Customer Data only for the purpose of providing the Services and in accordance with Customer’s documented lawful instructions, as set forth in the Agreement and this DPA. The categories of Personal Data, categories of Data Subjects and the purposes of the Processing are as set out in Annex C (for the sake of clarity this expressly excludes Restricted Data as defined in the Agreement). The Parties agree that the Customer’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA unless (or except as) required under applicable laws. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Sitecore with additional instructions for Processing.
- Sitecore does not sell Personal Data: Sitecore shall not:
  - sell or rent Customer Personal Data
  - retain, use, or disclose the Personal Data for any “business purpose” (as defined in the CCPA §1798.140(d)), or any “commercial purpose” (as defined in the CCPA §1798.140(f)) other than for the specific purpose of performing the Services under the Agreement, and as instructed by Customer, pursuant to Section 3.3(b) above, or
  - retain, use, or disclose Customer Data outside of the direct business relationship between Sitecore and Customer except to the extent as may be required by applicable laws and regulations.
- Security Measures and adequate safeguards: Sitecore represents that it has implemented adequate technical and organizational measures necessary to secure Customer Data, including, as appropriate, the Security Measures (defined in Section 5 below) referenced in Data Protection Laws and Regulations and more fully described at Annex A to this DPA.
3.4 Details of Data Processing
- Subject matter: The subject matter of the Processing under this DPA is Customer Data, as further detailed in Annex C.
- Duration: As between Sitecore and Customer, the duration of the Processing under this DPA is the term of the Agreement or as otherwise agreed upon by the Parties.
- Purpose: The purpose of the Processing under this DPA is the provision of the Services to the Customer and the performance of Sitecore's obligations under the Agreement and this DPA (or as otherwise agreed by the Parties) and more fully described at Annex C to this DPA.
4. SUBPROCESSING
4.1 Authorized Subprocessors. Customer agrees that in order to provide the Services, Sitecore may engage Subprocessors to process Customer Data. A list of Sitecore's current authorized Subprocessors is found in Annex B. Sitecore maintains a current list of its Subprocessors on its website (https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0313167) and will post notifications of any new or replacement Subprocessors, prior to the use or replacement of Subprocessors. To receive these notifications by email, you can subscribe at the following web page: https://www.sitecore.com/legal/contract-notification-hub.
4.2 Subprocessor Obligations. Where Sitecore authorizes any Subprocessor as described in Section 4.1:
- Limited to need to know: Sitecore will restrict the Subprocessor's access to Customer Data only to what is necessary to assist Sitecore in providing or maintaining the Services, and will prohibit the Subprocessor from Processing Customer Data for any other purpose;
- Sitecore due diligence: Before any Subprocessor first processes Customer Data, Sitecore shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the same level of protection for Customer Data required by the Agreement and this DPA;
- Entering into a written agreement: Sitecore will enter into a written agreement with the Subprocessor imposing data protection terms that places the equivalent data protection obligations as those set out in this DPA to the extent applicable to the nature of the services provided by such Subprocessor, in particular providing appropriate technical and organisational measures that the Processing will protect the Customer Data to the standard required by Data Protection Laws and Regulations;
- Liability for Subprocessors: Sitecore will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Sitecore to breach any of its obligations under this DPA; and
- Right to object to new Subprocessors: If Customer has a reasonable basis relating to privacy or data security to object to Sitecore’s use of a new or replacement Subprocessor, Customer shall notify Sitecore promptly in writing within 30 business days after such notice being made by Sitecore on its website of a new or replacement Subprocessor. In the event Customer objects to any new Subprocessor(s) on such grounds, Sitecore will use reasonable efforts to work in good faith with Customer to find an acceptable, commercially reasonable, alternate solution. If the Parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days from Sitecore’s receipt of notice of Customer’s objection), Sitecore will either not appoint or replace the Subprocessor or, if this is not possible, Customer may suspend or terminate the applicable Order for Services in respect only to the specific Services which cannot be provided by Sitecore without the use of the objected-to new Subprocessor, by providing written notice to Sitecore and without prejudice to any fees incurred by Customer prior to suspension or termination.
5. SECURITY MEASURES AND SECURITY INCIDENT RESPONSE
5.1 Security Measures. Sitecore has implemented and will maintain appropriate technical and organizational security measures to manage risks to its Network and Information Systems, protect Customer Data from Security Incidents and to preserve the security, availability and confidentiality of Customer Data ("Security Measures"). The Security Measures applicable to the Services are set forth in Annex A as updated or replaced from time to time in accordance with Section 5.2. Customer is responsible for reviewing the information made available by Sitecore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws and Regulations, taking into account the nature, scope, context and purposes of Processing, as well as the risks associated with the contracted Processing.
5.2 Updates to Security Measures. Sitecore has implemented a procedure for the regular testing, inspection, assessment, and evaluation of the effectiveness of Sitecore’s Security Measures. Accordingly, Customer acknowledges that the Security Measures are subject to technical progress and development and that Sitecore may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Such updates to the Security Measures will be made available to Customer upon its reasonable request.
5.3 Personnel. Sitecore shall take reasonable steps to ensure the reliability of any personnel who may have access to Customer Data, ensuring that access is strictly limited on a least-privilege basis to those individuals who need to know or need to have access to Customer Data as is necessary for the provision of the Services under the Agreement. Further, Sitecore shall ensure that personnel with access to Customer Data are under an appropriate obligation of confidentiality and that such personnel have received appropriate data protection and security training pertaining to the responsibilities of their role.
5.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
5.5 Sufficient Evidence. Upon the reasonable request of Customer, Sitecore shall provide Customer with sufficient information to enable Customer to demonstrate that the necessary technical and organizational security measures (as further detailed in Annex A) have been implemented.
5.6 Security Incident Response.
- Notification: Upon becoming aware of a Security Incident, Sitecore will notify Customer without undue delay (and no later than 48 hours after becoming aware of the Security Incident) and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer including (i) details of the Customer Data compromised, including whether the Customer Data had been encrypted, hashed or otherwise rendered incomprehensible, inaccessible or unintelligible for unauthorized persons, (ii) information on the Data Subjects affected, such as categories and the number of Data Subjects affected, (iii) the categories and number of information data records affected, (iv) description of the nature of the Security Incident, (v) identity and contact details of Sitecore’s Privacy contact, (vi) when the Security Incident took place (date or time period) and suspected cause, (vii) the likely consequences of the Security Incident, and (viii) any recommendations to minimize harm.
- Assistance: Sitecore will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident. Sitecore shall provide reasonable assistance to Customer, in the event Customer is required under Data Protection Laws and Regulations to notify a data protection authority or any Data Subjects of a Security Incident.
5.7 Significant Incident Response.
- Notification: In the event of a Significant Incident, Sitecore shall notify the Customer without undue delay and, where feasible, within 24 hours of becoming aware of the incident. The notification shall include, to the extent reasonably available: (i) a description of the nature of the incident and its likely impact on the availability or operations of the affected systems or services, (ii) details of any mitigating actions taken or planned by Sitecore, and recommendations for actions the Customer should take to address the incident.
- Sitecore's obligation under this clause is limited to notifying the Customer, who remains responsible for fulfilling any regulatory reporting requirements to supervisory authorities or relevant sector-specific regulators under NIS2 or DORA.
6. REPORTS AND AUDITS
6.1 Upon Customer’s request, Sitecore will make available a statement from its Security Team containing all information necessary to demonstrate compliance with this DPA (a “Sitecore Report”) and any documentation pursuant to Section 10.
6.2 No more than once per year, Customer may conduct reviews of Sitecore’s documents and systems, by way of desk-based questionnaires and phone conferences with Sitecore personnel.
6.3 Notwithstanding the foregoing, Customer will have the right, at its expense, to conduct an onsite audit, only in the event that (a) Customer reasonably believes that Sitecore is out of compliance with this DPA, or (b) Customer is subject to a regulatory audit, government investigation, court order or otherwise mandatory audit under applicable Data Protection Laws and Regulations that includes the scope of this DPA. Any on-site audit will be conducted during normal business hours, at a date and time as mutually agreed between the Parties, and only if such an audit at Sitecore’s premises is necessary to prove facts or otherwise demonstrate applicable compliance that Sitecore cannot otherwise evidence through a Sitecore Report, desk-based questionnaires, phone conferences, third-party certification programs or third-party audit reports. Customer agrees that with respect to any Sitecore Confidential Information received in connection with such audit, Customer will be subject to the same confidentiality obligations as set forth in the Agreement.
7. INTERNATIONAL TRANSFERS
7.1 Data Centre Locations. Customer understands that Customer Data within the Services will be processed, transferred to and stored wherever Customer chooses to have Customer Data hosted, and Sitecore shall store Customer Data only in the Customer selected data centre (and as detailed on any applicable Order Form) locations unless notified otherwise. Sitecore further confirms that Customer Data will not be transferred from the data centre location chosen by Customer without Customer’s prior consent.
7.2 Data Transfers. If applicable, Sitecore will at all times ensure that any Customer Data which is transferred is done so in compliance with adequate transfer mechanisms. Where applicable, Sitecore has put in place supplemental technical and organisational measures to ensure that any Customer Data being transferred using our services is afforded an adequate level of protection in the destination country in accordance with the requirements of Data Protection Laws and Regulations. Details of these supplemental measures are located in Section 9, below, and at Annex A of this DPA.
7.3 Data Transfer Mechanisms (to the extent applicable). The Parties agree that the Standard Contractual Clauses in Annex D to this DPA shall be the adequate transfer mechanism pursuant to Section 7.2 above and apply to Personal Data that is transferred from the EEA and/or Switzerland to outside the EEA and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws and Regulations).
7.4 Swiss Addendum to the EU Commission Standard Contractual Clauses (to the extent applicable). For transfers of Personal Data in compliance with the Federal Act on Data Protection 1992 ("FADP"), the parties agree that the Standard Contractual Clauses supplemented by the Swiss Addendum to the EU Commission Standard Contractual Clauses are the appropriate transfer mechanism.
7.5 Restricted Transfers under the UK General Data Protection Regulation (to the extent applicable). For transfers of Personal Data in compliance with section 119(A) and article 46 of the Data Protection Act 2018, the parties agree that the Standard Contractual Clauses supplemented by the UK International Data Transfer Addendum (IDTA) are the appropriate transfer mechanism.
8. RETURN OR DELETION OF DATA
Return or Deletion of Customer Data. Sitecore’s obligations regarding the return or deletion of Customer Data are as set forth in the Agreement. Upon termination of the Agreement, Sitecore may retain Customer Data in a manner that restricts the Processing solely to the extent that it may be necessary to comply with applicable law or regulation. This should not apply to Customer Data that has been archived on back-up systems, which Customer Data Sitecore shall securely isolate and protect from any further Processing, except to the extent required by applicable laws and regulations.
9. COOPERATION
9.1 Requests from individuals and Supervisory Authorities. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Sitecore shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals, applicable supervisory authorities or relevant regulators relating to the Processing of Personal Data under the Agreement. In the event any such request is made directly to Sitecore, a Sitecore Affiliate or any Subprocessor, Sitecore shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Sitecore is required to respond to such a request, Sitecore will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so, for example to preserve the confidentiality of an investigation by law enforcement authorities.
9.2 Requests from Law Enforcement. If a law enforcement agency sends Sitecore a demand for Customer Data (for example, through a subpoena or court order), Sitecore will attempt to redirect the law enforcement agency to request such Customer Data directly from Customer. As part of this effort, Sitecore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Sitecore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Sitecore is legally prohibited from doing so.
9.3 Regulatory Cooperation and Impact Assessments. Sitecore shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer:
- To fulfil obligations under applicable Data Protection Laws and Regulations, including conducting Data Protection Impact Assessments.
- In consultations with Supervisory Authorities, regulators, or other competent bodies, as reasonably required under Data Protection Laws and Regulations, NIS2, DORA, or other applicable laws, including the preparation and submission of relevant documentation.
10. PRIVACY RIGHTS
10.1 To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Sitecore shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals, applicable supervisory authorities or relevant regulators relating to the Processing of Personal Data under the Agreement. In the event any such request is made directly to Sitecore, a Sitecore Affiliate or any Subprocessor, Sitecore shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Sitecore is required to respond to such a request, Sitecore will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so, for example to preserve the confidentiality of an investigation by law enforcement authorities.
10.2 If a law enforcement agency sends Sitecore a demand for Customer Data (for example, through a subpoena or court order), Sitecore will attempt to redirect the law enforcement agency to request such Customer Data directly from Customer. As part of this effort, Sitecore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Sitecore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Sitecore is legally prohibited from doing so.
10.3 Sitecore shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer needed to fulfil any Customer obligation under the applicable Data Protection Laws and Regulations to perform any data protection impact assessments. Sitecore shall, upon Customer request, provide reasonable assistance to Customer in any prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer under Data Protection Laws and Regulations.
11. PRIVACY AND DATA PROTECTION
Sitecore maintains a privacy program that includes dedicated resourcing, audit, and review processes designed to implement appropriate privacy controls and procedures, including but not limited to:
- Designated person: The designation of an employee or employees to coordinate, provide oversight and be responsible for the privacy program;
- Privacy risk assessment: The identification of reasonably foreseeable, material risks, both internal and external, that could result in unauthorized collection, use, or disclosure of Personal Data, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in (1) employee training and management, (2) product design, development, and research and (3) adequacy of security controls;
- Testing of effectiveness: The design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment will be subject to regular testing and monitoring of the effectiveness of those privacy controls and procedures; and
- Review: Sitecore will evaluate and adjust the privacy program to address any known change of circumstances that may have a material impact on the effectiveness of the privacy program.
- Data Protection Officer: Sitecore has appointed a Data Protection Officer, who can be reached at privacy@sitecore.com.
12. COMPLIANCE WITH THIS DPA
12.1 Sitecore shall maintain appropriate documentation necessary to demonstrate Sitecore’s compliance with this DPA (including certifications, independent audit report summaries and policy tables of content) and make such documentation, subject to redaction of Confidential Information not relevant to the requirements of this DPA, available to Customer upon its reasonable request.
12.2 Customer may request, on an annual basis, that Sitecore provide to Customer copies of Sitecore’s agreements with Subprocessors referred to in Section 4 (which may be redacted to remove Confidential Information not relevant to the requirements of this DPA).
12.3 Each Party shall appoint an individual within its organisation authorised to respond from time to time to enquiries regarding the Personal Data and each Party shall deal with such enquiries promptly.
12.4 Sitecore shall make reasonable efforts to notify Customer if it becomes aware of any possible violation of, or inability to comply with, this DPA, Data Protection Laws and Regulations or Customer instructions.
13. CONTACT
13.1 Customer may contact Sitecore’s Security Team in relation to any Security Incident, notification or security question by emailing security@sitecore.com.
13.2 All other inquiries relating to this DPA should be directed to privacy@sitecore.com.
14. GENERAL
14.1 For the avoidance of doubt, any claim or remedies either party may have against the other party arising under or in connection with this DPA, will be subject to the limitation of liability provisions set forth in the Agreement.
14.2 Any claims against Sitecore or its Affiliates under this DPA shall be brought solely against the entity that is a Party to the Agreement. In no event shall any Party limit its liability with respect to any individuals’ data protection rights under this DPA or otherwise.
14.3 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws and Regulations.
14.4 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
14.5 Upon termination of the Agreement, and the cessation of any Services to the Customer, the respective rights and obligations of the Parties shall survive until Customer Data is deleted.
IN WITNESS WHEREOF, the Parties have caused this DPA to be executed by their authorized representative effective as at the date last executed below.
ANNEXES
- ANNEX A: Technical and Organizational Security Measures.
- ANNEX B: Subprocessors.
- ANNEX C: Data Processing.
- ANNEX D: Mechanisms for Personal Data Transfers.