
Sitecore Data Processing Addendum

SITECORE CUSTOMER DATA PROCESSING ADDENDUM

[For signed copies, here]

Last updated: April 2022

This Customer Data Processing Addendum ("DPA") forms part of the Order for Services (the "Agreement") between the Sitecore entity which has entered into the Agreement ("Sitecore") and the customer ("Customer") (collectively, the "Parties"), and applies where Sitecore will process Customer Data when providing Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

Upon Sitecore’s receipt of a validly completed DPA by Customer, this DPA will become effective and is legally binding.

1. Definitions

"Affiliate" means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with another entity.

"Agreement" means the written or electronic agreement between Customer and Sitecore for the provision of the Services to Customer.

"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

"Control" means ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.

"Customer Data" means any data, including Personal Data, that Sitecore processes on behalf of Customer through Customer’s use of the Services.

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.

"Data Exporter" means the "Customer" in this DPA, a customer of the Data Importer’s services.

"Data Importer" is Sitecore, a provider of experience management software, and its Affiliates.

"Data Subjects" means Data Exporter’s employees, end-users, and customers.

"Data Subject" or "Data Subjects" means an identified or identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or an online identifier or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. A legal person may qualify as a Data Subject under the Data Protection Laws of specific jurisdictions. This includes, to the extent applicable, any analogous variations of such terminology, such as "Consumer" as may be relevant under US state laws.

"Data Protection Laws and Regulations" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, Australia, Canada, and the United States and its states, applicable to the Processing of Personal Data under the Agreement as amended from time to time.

"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.

"Standard Contractual Clauses" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

"International Data Transfer Addendum (IDTA)" means the UK Addendum to the Standard Contractual Clauses, which is considered to provide appropriate safeguards for the transfer of Personal Data from the United Kingdom to third countries in accordance with UK Data Protection Laws.

"Processing" or "Process" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"EEA" means the European Economic Area.

"Personal Data" means any Customer Data relating to an identified or an identifiable natural person or as otherwise defined under Data Protection Laws. For the sake of clarity, this includes "Personal Information" or analogous variations of such terminology within the meaning of applicable US state laws, to the extent that these may be applicable.

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise Processed. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including failed log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Service Provider" has the meaning set forth in Section 1798.140(v) of the CCPA.

"Services" as used in this DPA means the "SaaS Products" and/or "Hosted Services" as defined in the Agreement.

"Sub-processor" means any Data Processor or Service Provider engaged by Sitecore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of Sitecore.

2. Scope of this DPA

This DPA applies where Sitecore processes Customer Data, including Personal Data, on behalf of Customer in the course of providing Services to the Customer pursuant to the Agreement.

3. Roles and Scope of Processing

3.1 Role of the Parties. As between Sitecore and Customer, Customer is the Data Controller of Customer Data and Sitecore shall process Customer Data only as a Data Processor acting on behalf of Customer. For the avoidance of doubt, this DPA shall not apply to any instances where Sitecore is acting as a Controller (as defined under applicable Data Protection Laws).

3.2 Customer’s obligations. Customer shall have the sole and exclusive authority to determine the purposes and means of Processing Customer Data transferred or otherwise disclosed to Sitecore. As between the Parties, the Customer shall have the sole responsibility for the accuracy, quality and legality of Personal Data as required by applicable Data Protection Laws and the means by which the Customer acquired Personal Data, including the provision of proper notice and obtaining consents where appropriate for Sitecore’s Processing.

3.3 Data Protection Laws. Customer agrees and acknowledges that it understands its compliance obligations with respect to Customer Data as required by Data Protection Laws.

3.4 Sitecore Processing of Customer Data.

(a) Treated as Confidential Information: Sitecore will treat Customer Data as Confidential Information pursuant to the terms of the Agreement.

(b) Processing to follow Customer instructions: Sitecore shall process Customer Data only for the purpose of providing the Services and in accordance with Customer’s documented lawful instructions, as set forth in the Agreement and this DPA. The categories of Personal Data, categories of Data Subjects and the purposes of the Processing are as set out in Annex C. The Parties agree that the Customer’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA unless (or except as) required under applicable laws. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Sitecore with additional instructions for Processing.

(c) Sitecore does not sell Personal Data: Sitecore shall not:

(i) sell or rent Customer Personal Data;

(ii) retain, use, or disclose the Personal Data for any "business purpose" (as defined in the CCPA §1798.140(d)), or any "commercial purpose" (as defined in the CCPA §1798.140(f)) other than for the specific purpose of performing the Services under the Agreement, and as instructed by Customer, pursuant to Section 3.3(b) above, or

(iii) retain, use or disclose Customer Data outside of the direct business relationship between Sitecore and Customer except to the extent as may be required by applicable laws.

(d) Security Measures and appropriate safeguards: Sitecore represents that it has implemented adequate technical and organizational measures necessary to secure Customer Data, including, as appropriate, the measures referred to by Data Protection Laws, in accordance with Annex A.

3.5 Details of Data Processing

(a) Subject matter: The subject matter of the Processing under this DPA is Customer Data, as detailed in Annex C.

(b) Duration: As between Sitecore and Customer, the duration of the Processing under this DPA is the term of the Agreement or as otherwise agreed upon by the Parties.

(c) Purpose: The purpose of the Processing under this DPA is the provision of the Services to the Customer and the performance of Sitecore’s obligations under the Agreement and this DPA (or as otherwise agreed by the Parties), as more fully described in Annex C.

4. Sub-processing

4.1 Authorized Sub-processors. Customer agrees that in order to provide the Services, Sitecore may engage Sub-processors to process Customer Data. A list of Sitecore’s current authorized Sub-processors is found in Annex B. Sitecore maintains a current list of its Sub-processors on its website (https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0313167) and will post notifications of any new or replacement Sub-processors prior to the use or replacement of Sub-processors. To receive these notifications by email, Customer can subscribe to our KB page.

4.2 Sub-processor Obligations. Where Sitecore authorizes any Sub-processor as described in Section 4.1:

(a) Limited to need to know: Sitecore will restrict the Sub-processor’s access to Customer Data only to what is necessary to assist Sitecore in providing or maintaining the Services, and will prohibit the Sub-processor from accessing Customer Data for any other purpose;

(b) Sitecore due diligence: Before any Sub-processor first processes Customer Data, Sitecore shall carry out adequate due diligence to ensure that the Sub-processor is capable of providing the same level of protection for Customer Data required by the Agreement and this DPA;

(c) Written agreement: Sitecore will enter into a written agreement with the Sub-processor imposing data protection terms that place the equivalent data protection obligations as those set out in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor, in particular providing appropriate technical and organisational measures so that the processing will protect the Customer Data to the standard required by Data Protection Laws;

(d) Liability for Sub-processors: Sitecore will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Sitecore to breach any of its obligations under this DPA; and

(e) Objection Right for new Sub-processors: If Customer has a reasonable basis relating to privacy or data security to object to Sitecore’s use of a new Sub-processor, Customer shall notify Sitecore promptly in writing within 30 business days after such notice of a new Sub-processor is posted by Sitecore on its website. In the event Customer objects to any new Sub-processor(s) on such grounds, Sitecore will use reasonable efforts to work in good faith with Customer to find an acceptable, commercially reasonable, alternate solution. If the Parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days from Sitecore’s receipt of notice of Customer’s objection), Sitecore will either not appoint or replace the Sub-processor or, if this is not possible, Customer may suspend or terminate the applicable Order for Services in respect only of the specific Services which cannot be provided by Customer without the use of the objected-to new Sub-processor, by providing written notice to Sitecore and without prejudice to any fees incurred by Customer prior to suspension or termination.

5. Security Measures and Security Incident Response

5.1 Security Measures. Sitecore has implemented and will maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data ("Security Measures"). The Security Measures applicable to the Services are set forth in Annex A, as updated or replaced from time to time in accordance with Section 5.2. Customer is responsible for reviewing the information made available by Sitecore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws, taking into account the nature, scope, context and purposes of processing, the risks associated with the Personal Data and the Data Protection Laws.

5.2 Updates to Security Measures. Sitecore has implemented a procedure for the regular testing, inspection, assessment and evaluation of the effectiveness of Sitecore’s Security Measures. Accordingly, Customer acknowledges that the Security Measures are subject to technical progress and development and that Sitecore may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Such updates to the Security Measures will be made available to Customer upon its reasonable request.

5.3 Personnel. Sitecore shall take reasonable steps to ensure the reliability of any employee, agent, contractor or Sub-processor who may have access to Customer Data, ensuring that access is strictly limited on a least-privilege basis to those individuals who need to know or need to have access to Customer Data as is necessary for the provision of the Services under the Agreement. Further, Sitecore shall ensure that personnel with access to Customer Data are under an appropriate obligation of confidentiality and that such personnel have received appropriate data protection and security training pertaining to the responsibilities of their role.

5.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that, except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or back up any Customer Data uploaded to the Services.

5.5 Sufficient evidence. Upon the reasonable request of Customer, Sitecore shall provide Customer with sufficient information to enable Customer to demonstrate that the necessary technical and organizational security measures (as further detailed in Annex A) have been implemented.

5.6 Security Incident Response. Upon becoming aware of a Security Incident, Sitecore will notify Customer without undue delay (and no later than 48 hours after becoming aware of the Security Incident) and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer, including (i) details of the Customer Data compromised, including whether the Customer Data had been encrypted, hashed or otherwise rendered incomprehensible, inaccessible or unintelligible for unauthorized persons, (ii) information on the Data Subjects affected, such as categories and the number of Data Subjects affected, (iii) the categories and number of data records affected, (iv) a description of the nature of the unlawful disclosure, (v) the identity and contact details of Sitecore’s Privacy contact, (vi) when the Security Incident took place (date or time period) and its suspected cause, (vii) the likely consequences of the Security Incident, and (viii) any recommendations to minimize harm. Sitecore will also take reasonable steps to mitigate and, where possible, to remedy the effects of any Security Incident. Sitecore shall provide reasonable assistance to Customer in the event Customer is required under Data Protection Laws to notify a supervisory authority or any Data Subject of a Security Incident. Sitecore reserves the right to charge Customer for this assistance should it become overly burdensome.

6. Reporting and Audit

6.1 Upon Customer’s request, Sitecore will make available a statement from its Security Team containing all information necessary to demonstrate compliance with this DPA (a "Sitecore Report") and documentation in accordance with Section 10.1.

6.2 No more than once per year, Customer may conduct reviews of Sitecore’s documents and systems by way of desk-based questionnaires and phone conferences with Sitecore personnel.

6.3 Notwithstanding the foregoing, Customer will have the right, at its expense, to conduct an onsite audit only in the event that (a) Customer reasonably believes that Sitecore is out of compliance with this DPA, or (b) Customer is subject to a regulatory audit or government investigation or court order that includes the scope of this DPA. Any on-site audit will be conducted during normal business hours, at a date and time as mutually agreed between the Parties, and only if such an audit at Sitecore’s premises is necessary to prove facts or otherwise demonstrate applicable compliance that Sitecore cannot otherwise evidence through a Sitecore Report, questionnaires, phone conferences, third-party certification programs or third-party audit reports. Customer agrees that with respect to any Sitecore Confidential Information received in connection with such audit, Customer will be subject to the same confidentiality obligations as set forth in the Agreement.

7. International Transfers

7.1 Data Centre Location. Sitecore shall store Customer Data only in the Customer-selected data centre locations (as detailed on any applicable Order Form) unless notified otherwise.

7.2 Data Transfers. If applicable, Sitecore will at all times ensure that any Customer Data which is transferred is transferred in compliance with adequate transfer mechanisms. Further, Sitecore will ensure that an adequate level of protection is provided for the Customer Data Processed, and that processing is done in accordance with the requirements of Data Protection Laws.

7.3 Data Transfer Mechanism. The Parties agree that the Standard Contractual Clauses in Annex D to this DPA shall be the adequate transfer mechanism pursuant to Section 7.3 above and apply to Customer Data that is transferred from the EEA and/or Switzerland to outside the EEA and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Laws). The Parties agree that where the British Information Commissioner’s Office adopts an agreement that would be used as a safeguarding mechanism for restricted transfers of data covered by the UK GDPR, such as the International Data Transfer Addendum (IDTA), this must be used by the Parties together with the Standard Contractual Clauses to govern the handling and safeguarding of Customer Personal Data in line with the UK GDPR. This section only applies to the extent it is applicable.

8. Return or Deletion of Data

8.1 Return or Deletion of Customer Data. Sitecore will, upon termination or expiration of the Agreement and within a commercially reasonable time, delete or assist the Customer with the deletion or return of data to the extent this is applicable to the Services provided under the Agreement. Upon termination of the Agreement, Sitecore may retain Customer Data in a manner that restricts the processing solely to the extent that it may be necessary to comply with applicable law or regulation. This should not apply to Customer Data that has been archived on back-up systems, which Customer Data Sitecore shall securely isolate and protect from any further processing, except to the extent required by applicable law.

8.2 Managed Cloud and Sitecore Content Hub only. Upon termination or expiration of the Agreement, Customer may, within 30 days of the contract expiration date, require Sitecore to a) return a complete copy of all Customer Data to Customer, at Customer’s expense and within a commercially reasonable time, by secure file transfer in an industry-standard file format and/or b) delete and procure the deletion of all other copies of Customer Data Processed by any Processor or Sub-processor, provided that Sitecore may retain Customer Data in a manner that restricts further processing solely to the extent that it may be necessary to comply with applicable law. Sitecore shall comply with any such written request within 30 days of the Agreement’s termination date.

8.3 EXM Delivery Cloud only. Sitecore shall assist Customer with any deletion or return of data requests that are submitted to Sitecore’s EXM Sub-processor.

9. Privacy Rights

9.1 To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Sitecore shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement. In the case of complex or voluminous enquiries that can be managed by Customer through access within the Services, but where Customer is requesting additional assistance beyond Sitecore’s compliance requirements, Sitecore reserves the right to charge Customer for reasonable expenses. In the event that any such request is made directly to Sitecore, a Sitecore Affiliate or any Sub-processor, Sitecore shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Sitecore is required to respond to such a request, Sitecore will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so, for example to preserve the confidentiality of an investigation by law enforcement authorities.

9.2 If a law enforcement agency sends Sitecore a demand for Customer Data (for example, through a subpoena or court order), Sitecore will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Sitecore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Sitecore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Sitecore is legally prohibited from doing so.

9.3 Sitecore shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer needed to fulfil any Customer obligation under the applicable Data Protection Laws to perform any data protection impact assessments. Sitecore shall, upon Customer request, provide reasonable assistance to Customer in any prior consultations with supervising authorities or other competent data privacy authorities which Customer reasonably considers to be required of Customer under Data Protection Laws.

10. Privacy and Data Protection

10.1 Sitecore maintains a privacy program, including dedicated resources and audit and review processes designed to implement appropriate privacy controls and procedures, including but not limited to:

(a) Designated individual: the designation of an employee or employees to coordinate, oversee and be responsible for the privacy program;

(b) Privacy risk assessment: the identification of reasonably foreseeable, material risks, both internal and external, that could result in unauthorized collection, use, or disclosure of Personal Data, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in (1) employee training and management, (2) product design, development, and research and (3) adequacy of security controls;

(c) Testing of effectiveness: the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, subject to regular testing and monitoring of the effectiveness of those privacy controls and procedures; and

(d) Review: Sitecore evaluates and adjusts the privacy program to address any known changes in circumstances that may have a material impact on the effectiveness of the privacy program.

11. Compliance with this DPA

11.1 Sitecore shall maintain appropriate documentation necessary to demonstrate Sitecore’s compliance with the terms of the Agreement (including certifications, independent audit report summaries and policy tables of contents) and make such documentation, subject to redaction of non-relevant Confidential Information, available to Customer upon request.

11.2 Upon Customer request, Sitecore shall provide to Customer such copies of Sitecore’s agreements with Sub-processors referred to in Section 4 (which may be redacted to remove Confidential Information not relevant to the requirements of this DPA) as Customer may request annually.

11.3 Each Party shall appoint an individual within its organisation authorised to respond from time to time to enquiries regarding the Personal Data, and each Party shall deal with such enquiries promptly.

11.4 Sitecore shall make reasonable efforts to notify Customer if it becomes aware of any possible violation of, or inability to comply with, this DPA, Data Protection Laws or Customer instructions.

12. Contact

12.1 Customer may contact Sitecore’s security team in relation to any security incident, notification or security question by emailing security@sitecore.com.

12.2 All other queries relating to this DPA should be directed to privacy@sitecore.com.

13. General Provisions

13.1 For the avoidance of doubt, any claim or remedies either Party may have against the other Party, any of its Affiliates and their respective employees, agents and Sub-processors arising under or in connection with this DPA, including any fines or damages payable under Data Protection Laws, will be subject to the limitation of liability provisions (including any agreed aggregate financial cap) set forth in the Agreement.

13.2 Any claims against Sitecore or its Affiliates under this DPA shall be brought solely against the entity that is a Party to the Agreement. In no event shall any Party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

13.3 No one other than a Party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.

13.4 This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

13.5 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

13.6 Upon termination of the Agreement and the cessation of any Services to the Customer, the respective rights and obligations of the Parties shall survive until Customer Data is deleted.

13.7 The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA shall remain in full force and effect.

Annexes

  1. ANNEX A: Technical and Organizational Security Measures.
  2. ANNEX B: Sub-processors.
  3. ANNEX C: Data Processing.
  4. ANNEX D: Mechanisms for Personal Data Transfers.