Sitecore Data Processing Addendum

FAQ: About the Sitecore Data Processing Addendum (DPA)

This FAQ helps customers understand the key features of the Sitecore DPA, reduces common negotiation points, and streamlines the onboarding process. Sitecore's DPA is tailored to cloud-based products and includes carefully designed components such as Annex A (Security Measures) and Annex B (Subprocessors) that ensure consistent and reliable protection for all customers. These components are integral to maintaining a secure and compliant environment across our services. By leveraging this purpose-built agreement, customers can simplify compliance efforts and minimize time-consuming negotiations.
For a broader FAQ on how the DPA fits into Sitecore's legal concepts, see Key Legal Concepts and FAQs.

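Does the DPA apply to all Sitecore solutions?

No, the DPA applies only to Sitecore's cloud-based solutions; customer-hosted software solutions are not covered.

What security measures are included in the DPA?

The security measures in our DPA, set out in Annex A of the DPA, apply to all Customer Data and not just personal data.
Sitecore holds several security certifications including ISO 27001 and SOC2 and maintains an up-to-date list of its compliance programs here.

How are Subprocessors managed?

Sitecore's Subprocessors are listed in Annex B of the DPA. Customers can sign up to receive notifications of changes to the Subprocessor list. Customers may object to new Subprocessors, but Sitecore ensures that all Subprocessors provide at least the same level of protection as outlined in the DPA.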

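What data is covered by the DPA?

The DPA applies to all Customer Data and not just personal data processed by Sitecore’s cloud products. Usage Data is explicitly excluded. For more information on data definitions used in Sitecore contracts, see here.

Sitecore acts as a data processor and does not control what data customers choose to process. Therefore, Sitecore cannot provide an exhaustive list of data processed. However, Annex C of the DPA outlines the general categories of Customer Data processed in common use cases.

How does the DPA handle data transfers?

Sitecore offers flexibility in choosing data centers, so Customer Data resides in the chosen location. Transfers outside the selected region occur only with the customer's prior consent.

For international data transfers, the DPA incorporates Standard Contractual Clauses (SCCs) where required, ensuring compliance with the requirements of the General Data Protection Regulation. This enables seamless global operations while maintaining data protection standards. These can be reviewed at Annex D of the DPA.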

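What updates have recently been made to the DPA?

DPA v5.0 has been updated to take the following into account:

  • NIS2 and DORA regulations: Although Sitecore is not directly subject to these laws, the DPA includes provisions to enable customers to comply with the significant incident notification requirements under these frameworks.

SITECORE DATA PROCESSING ADDENDUM
v5.0 (January 2025)

This Customer Data Processing Addendum (“DPA”) forms part of the Agreement between the Sitecore entity that entered into the Agreement (“Sitecore”) and Customer (“Customer”), collectively the parties (“Parties”), and applies where Sitecore will process Customer Data (including Personal Data, as defined below) when providing Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

This DPA shall be binding on the Parties as of the effective date of the Agreement.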

1. DEFINITIONS

“Agreement” means the written or electronic agreement between Customer and Sitecore for the provision of the Services to Customer.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.

“Customer Data” is as defined in the Agreement.

“Data Subject” or “Data Subjects” means an identified or identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or an online identifier or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. A legal person may qualify as a Data Subject under Data Protection Laws and Regulations of specific jurisdictions. This includes, to the extent applicable, any analogous variations of such terminology, such as “Consumer”, as may be relevant under U.S. state laws.

“Data Exporter” means the party identified as “Customer” in the Agreement, being a customer of the Data Importer's services.

“Data Importer” is Sitecore, a provider of experience management software, and its Affiliates.

“Data Protection Laws and Regulations” means all laws and regulations, including the laws and regulations of the European Union, the European Economic Area (the “EEA”) and their member states, Switzerland, the United Kingdom, Australia, Canada, and the United States and its states, applicable to the Processing of Personal Data under the Agreement as amended from time to time.

“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller, including, where applicable, a “Service Provider” as defined in the Agreement.

“DORA” means Regulation (EU) 2022/2554, ensuring the digital operational resilience of financial entities in the European Union, including ICT risk management and incident reporting, as amended, supplemented, or replaced from time to time, including any applicable national implementation laws and regulations.

“International Data Transfer Addendum” (the “IDTA”) means the UK Addendum to the Standard Contractual Clauses, which is considered to provide appropriate safeguards to the transfer of Personal Data from the United Kingdom to third countries in accordance with the Data Protection Laws and Regulations of the UK.

“Network and Information Systems”: Information technology systems, networks, and components, including hardware, software, and processes, used for the provision of services.

“NIS2” means Directive (EU) 2022/2555, establishing cybersecurity requirements for essential services and critical infrastructure across the European Union, as amended, supplemented, or replaced from time to time, including any applicable national implementation laws and regulations.

“Personal Data” means any Customer Data relating to an identified or an identifiable natural person or as otherwise defined under Data Protection Laws and Regulations. For the sake of clarity, where applicable, this includes “Personal Information” or analogous variations of such term within the meaning of applicable U.S. state laws (to the extent applicable).

“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored, or otherwise Processed. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.

“Services” as used in this DPA means the “SaaS Products” and/or “Hosted Services” as defined in the Agreement.

“Significant Incident” means an event or series of related events that disrupts or has the potential to disrupt the delivery of essential services or critical infrastructure. This includes incidents affecting the availability, integrity, confidentiality, or authenticity of critical systems or services regulated under the NIS2 Directive and DORA. These laws apply specifically to incidents with a material impact on the operation of essential sectors, such as energy, transport, banking, healthcare, and financial markets, and require notification to regulatory authorities when applicable.

“Subprocessor” means any Data Processor or Service Provider (where applicable) engaged by Sitecore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties detailed on Annex B or Affiliates of Sitecore.

“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

“Supervisory Authority” means any competent authority designated under applicable Data Protection Laws and Regulations.

2. SCOPE OF THIS DPA

This DPA applies where Sitecore Processes Customer Data, including Personal Data, on behalf of Customer in the course of providing the Services to Customer pursuant to the Agreement.

3. ROLES AND SCOPE OF PROCESSING

3.1 Role of the Parties. As between Sitecore and Customer, Customer is the Data Controller of Customer Data and Sitecore shall process Customer Data only as a Data Processor acting on behalf of Customer. For the avoidance of doubt, this DPA shall not apply to any instances where Sitecore is acting as a Data Controller (as defined under applicable Data Protection Laws and Regulations).

3.2 Customer Obligations. Customer shall have the sole and exclusive authority to determine the purposes and means of Processing Customer Data transferred or otherwise disclosed to Sitecore. As between the Parties, the Customer shall have the sole responsibility for the accuracy, quality and legality of Personal Data as required by applicable Data Protection Laws and Regulations and the means by which the Customer acquired Personal Data, including the provision of proper notice and obtaining consents where appropriate for Processing by Sitecore.

3.3 Sitecore Processing of Customer Data.

  1. Treated as confidential: Sitecore shall maintain the confidentiality of Customer Data.
  2. Processing to follow Customer instructions: Sitecore shall process Customer Data only for the purpose of providing the Services and in accordance with Customer’s documented lawful instructions, as set forth in the Agreement and this DPA. The categories of Personal Data, categories of Data Subjects and the purposes of the Processing are as set out in Annex C (for the sake of clarity this expressly excludes Restricted Data as defined in the Agreement). The Parties agree that the Customer’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA unless (or except as) required under applicable laws. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Sitecore with additional instructions for Processing.
  3. Sitecore does not sell Personal Data: Sitecore shall not:
    1. sell or rent Customer Personal Data
    2. retain, use, or disclose the Personal Data for any “business purpose” (as defined in the CCPA §1798.140(d)), or any “commercial purpose” (as defined in the CCPA §1798.140(f)) other than for the specific purpose of performing the Services under the Agreement, and as instructed by Customer, pursuant to Section 3.3(b) above, or
    3. retain, use, or disclose Customer Data outside of the direct business relationship between Sitecore and Customer except to the extent as may be required by applicable laws and regulations.
  4. Security Measures and adequate safeguards: Sitecore represents that it has implemented adequate technical and organizational measures necessary to secure Customer Data, including, as appropriate, the Security Measures (defined in Section 5 below) referenced in Data Protection Laws and Regulations and more fully described at Annex A to this DPA.

3.4 Details of Data Processing

  1. Subject matter: The subject matter of the Processing under this DPA is Customer Data, as further detailed in Annex C.
  2. Duration: As between Sitecore and Customer, the duration of the Processing under this DPA is the term of the Agreement or as otherwise agreed upon by the Parties.
  3. Purpose: The purpose of the Processing under this DPA is the provision of the Services to the Customer and the performance of Sitecore's obligations under the Agreement and this DPA (or as otherwise agreed by the Parties) and more fully described at Annex C to this DPA.

4. SUBPROCESSING

4.1 Authorized Subprocessors. Customer agrees that in order to provide the Services, Sitecore may engage Subprocessors to process Customer Data. A list of Sitecore's current authorized Subprocessors is found in Annex B. Sitecore maintains a current list of its Subprocessors on its website (https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0313167) and will post notifications of any new or replacement Subprocessors, prior to the use or replacement of Subprocessors. To receive these notifications by email, you can subscribe at the following webpage: https://www.sitecore.com/legal/contract-notification-hub.

4.2 Subprocessor Obligations. Where Sitecore authorizes any Subprocessor as described in Section 4.1:

  1. Limited to need to know: Sitecore will restrict the Subprocessor's access to Customer Data only to what is necessary to assist Sitecore in providing or maintaining the Services, and will prohibit the Subprocessor from Processing Customer Data for any other purpose;
  2. Sitecore due diligence: Before any Subprocessor first processes Customer Data, Sitecore shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the same level of protection for Customer Data required by the Agreement and this DPA;
  3. Entering into a written agreement: Sitecore will enter into a written agreement with the Subprocessor imposing data protection terms that places the equivalent data protection obligations as those set out in this DPA to the extent applicable to the nature of the services provided by such Subprocessor, in particular providing appropriate technical and organisational measures that the Processing will protect the Customer Data to the standard required by Data Protection Laws and Regulations;
  4. Liability for Subprocessors: Sitecore will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Sitecore to breach any of its obligations under this DPA; and
  5. Right to object to new Subprocessors: If Customer has a reasonable basis relating to privacy or data security to object to Sitecore’s use of a new or replacement Subprocessor, Customer shall notify Sitecore promptly in writing within 30 business days after such notice being made by Sitecore on its website of a new or replacement Subprocessor. In the event Customer objects to any new Subprocessor(s) on such grounds, Sitecore will use reasonable efforts to work in good faith with Customer to find an acceptable, commercially reasonable, alternate solution. If the Parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days from Sitecore’s receipt of notice of Customer’s objection), Sitecore will either not appoint or replace the Subprocessor or, if this is not possible, Customer may suspend or terminate the applicable Order for Services in respect only to the specific Services which cannot be provided by Sitecore without the use of the objected-to new Subprocessor, by providing written notice to Sitecore and without prejudice to any fees incurred by Customer prior to suspension or termination.

5. SECURITY MEASURES AND SECURITY INCIDENT RESPONSE

5.1 Security Measures. Sitecore has implemented and will maintain appropriate technical and organizational security measures to manage risks to its Network and Information Systems, protect Customer Data from Security Incidents and to preserve the security, availability and confidentiality of Customer Data ("Security Measures"). The Security Measures applicable to the Services are set forth in Annex A as updated or replaced from time to time in accordance with Section 5.2. Customer is responsible for reviewing the information made available by Sitecore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws and Regulations, taking into account the nature, scope, context and purposes of Processing, as well as, the risks associated with the contracted Processing.

5.2 Updates to Security Measures. Sitecore has implemented a procedure for the regular testing, inspection, assessment, and evaluation of the effectiveness of Sitecore’s Security Measures. Accordingly, Customer acknowledges that the Security Measures are subject to technical progress and development and that Sitecore may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Such updates to the Security Measures will be made available to Customer upon its reasonable request.

5.3 Personnel. Sitecore shall take reasonable steps to ensure the reliability of any Personnel who may have access to Customer Data, ensuring that access is strictly limited on a least-privilege basis to those individuals who need to know or need to have access to Customer Data as is necessary for the provision of the Services under the Agreement. Further, Sitecore shall ensure that Personnel with access to Customer Data are under an appropriate obligation of confidentiality and that such Personnel have received appropriate data protection and security training pertaining to the responsibilities of their role.

5.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

5.5 Sufficient Evidence. Upon the reasonable request of Customer, Sitecore shall provide Customer with sufficient information to enable Customer to demonstrate that the necessary technical and organizational security measures (as further detailed in Annex A) have been implemented.

5.6 Security Incident Response.

  1. Notification: Upon becoming aware of a Security Incident, Sitecore will notify Customer without undue delay (and no later than 48 hours after becoming aware of the Security Incident) and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer including (i) details of the Customer Data compromised, including whether the Customer Data had been encrypted, hashed or otherwise rendered incomprehensible, inaccessible or unintelligible for unauthorized persons, (ii) information on the Data Subjects affected, such as categories and the number of Data Subjects affected, (iii) the categories and number of information data records affected, (iv) description of the nature of the Security Incident, (v) identity and contact details of Sitecore’s Privacy contact, (vi) when the Security Incident took place (date or time period) and suspected cause, (vii) the likely consequences of the Security Incident, and (viii) any recommendations to minimize harm.
  2. Assistance: Sitecore will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident. Sitecore shall provide reasonable assistance to Customer, in the event Customer is required under Data Protection Laws and Regulations to notify a data protection authority or any Data Subjects of a Security Incident.

5.7 Significant Incident Response.

  1. Notification: In the event of a Significant Incident, Sitecore shall notify the Customer without undue delay and, where feasible, within 24 hours of becoming aware of the incident. The notification shall include, to the extent reasonably available: (i) a description of the nature of the incident and its likely impact on the availability or operations of the affected systems or services, (ii) details of any mitigating actions taken or planned by Sitecore, and recommendations for actions the Customer should take to address the incident.
  2. Sitecore's obligation under this clause is limited to notifying the Customer, who remains responsible for fulfilling any regulatory reporting requirements to supervisory authorities or relevant sector-specific regulators under NIS2 or DORA.

6. REPORTS AND AUDITS

6.1 Upon Customer’s request, Sitecore will make available a statement from its Security Team containing all information necessary to demonstrate compliance with this DPA (a “Sitecore Report”) and any documentation pursuant to Section 10.

6.2 No more than once per year, Customer may conduct reviews of Sitecore’s documents and systems, by way of desk-based questionnaires and phone conferences with Sitecore Personnel.

6.3 Notwithstanding the foregoing, Customer will have the right, at its expense, to conduct an onsite audit, only in the event that (a) Customer reasonably believes that Sitecore is out of compliance with this DPA, or (b) Customer is subject to a regulatory audit, government investigation, court order or otherwise mandatory audit under applicable Data Protection Laws and Regulations that includes the scope of this DPA. Any on-site audit will be conducted during normal business hours, at a date and time as mutually agreed between the Parties, and only if such an audit at Sitecore’s premises is necessary to prove facts or otherwise demonstrate applicable compliance that Sitecore cannot otherwise evidence through a Sitecore Report, desk-based questionnaires, phone conferences, third-party certification programs or third-party audit reports. Customer agrees that with respect to any Sitecore Confidential Information received in connection with such audit, Customer will be subject to the same confidentiality obligations as set forth in the Agreement.

7. INTERNATIONAL TRANSFERS

7.1 Data Center Locations. Customer understands that Customer Data within the Services will be processed, transferred to and stored wherever Customer chooses to have Customer Data hosted, and Sitecore shall store Customer Data only in the Customer selected data centre (and as detailed on any applicable Order Form) locations unless notified otherwise. Sitecore further confirms that Customer Data will not be transferred from the data centre location chosen by Customer without Customer’s prior consent.

7.2 Data Transfers. If applicable, Sitecore will at all times ensure that any Customer Data which is transferred is done so in compliance with adequate transfer mechanisms. Where applicable, Sitecore has put in place supplemental technical and organisational measures to ensure that any Customer Data being transferred using our services is afforded an adequate level of protection in the destination country in accordance with the requirements of Data Protection Laws and Regulations. Details of these supplemental measures are located in Section 9, below, and at Annex A of this DPA.

7.3 Data Transfer Mechanisms (to the extent applicable). The Parties agree that the Standard Contractual Clauses in Annex D to this DPA shall be the adequate transfer mechanism pursuant to Section 7.2 above and apply to Personal Data that is transferred from the EEA and/or Switzerland to outside the EEA and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws and Regulations).

7.4 Swiss Addendum to the EU Commission Standard Contractual Clauses (to the extent applicable). For transfers of Personal Data in compliance with the Federal Act on Data Protection 1992 ("FADP"), the parties agree that the Standard Contractual Clauses supplemented by the Swiss Addendum to the EU Commission Standard Contractual Clauses are the appropriate transfer mechanism.

7.5 Restricted Transfers under the UK General Data Protection Regulation (to the extent applicable). For transfers of Personal Data in compliance with section 119(A) and article 46 of the Data Protection Act 2018, the parties agree that the Standard Contractual Clauses supplemented by the UK International Data Transfer Addendum (IDTA) are the appropriate transfer mechanism.

8. RETURN OR DELETION OF DATA

Sitecore’s obligations regarding the return or deletion of Customer Data are as set forth in the Agreement. Upon termination of the Agreement, Sitecore may retain Customer Data in a manner that restricts the Processing solely to the extent that it may be necessary to comply with applicable law or regulation. This should not apply to Customer Data that has been archived on back-up systems, which Customer Data Sitecore shall securely isolate and protect from any further Processing, except to the extent required by applicable laws and regulations.

9. COOPERATION

9.1 Requests from Individuals and Supervisory Authorities. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Sitecore shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals, applicable supervisory authorities or relevant regulators relating to the Processing of Personal Data under the Agreement. In the event any such request is made directly to Sitecore, a Sitecore Affiliate or any Subprocessor, Sitecore shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Sitecore is required to respond to such a request, Sitecore will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so, for example to preserve the confidentiality of an investigation by law enforcement authorities.

9.2 Requests from Law Enforcement. If a law enforcement agency sends Sitecore a demand for Customer Data (for example, through a subpoena or court order), Sitecore will attempt to redirect the law enforcement agency to request such Customer Data directly from Customer. As part of this effort, Sitecore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Sitecore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Sitecore is legally prohibited from doing so.

9.3 Regulatory Cooperation and Impact Assessments. Sitecore shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer:

  1. To fulfil obligations under applicable Data Protection Laws and Regulations, including conducting Data Protection Impact Assessments.
  2. In consultations with Supervisory Authorities, regulators, or other competent bodies, as reasonably required under Data Protection Laws and Regulations, NIS2, DORA, or other applicable laws, including the preparation and submission of relevant documentation.

10. PRIVACY RIGHTS

10.1 To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Sitecore shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals, applicable supervisory authorities or relevant regulators relating to the Processing of Personal Data under the Agreement. In the event any such request is made directly to Sitecore, a Sitecore Affiliate or any Subprocessor, Sitecore shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Sitecore is required to respond to such a request, Sitecore will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so, for example to preserve the confidentiality of an investigation by law enforcement authorities.

10.2 If a law enforcement agency sends Sitecore a demand for Customer Data (for example, through a subpoena or court order), Sitecore will attempt to redirect the law enforcement agency to request such Customer Data directly from Customer. As part of this effort, Sitecore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Sitecore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Sitecore is legally prohibited from doing so.

10.3 Sitecore shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer needed to fulfil any Customer obligation under the applicable Data Protection Laws and Regulations to perform any data protection impact assessments. Sitecore shall, upon Customer request, provide reasonable assistance to Customer in any prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer under Data Protection Laws and Regulations.

11. PRIVACY AND DATA PROTECTION

Sitecore maintains a privacy program that includes dedicated resourcing, audit, and review processes designed to implement appropriate privacy controls and procedures, including but not limited to:

  1. Designated person: The designation of an employee or employees to coordinate, provide oversight and be responsible for the privacy program;
  2. Privacy risk assessment: The identification of reasonably foreseeable, material risks, both internal and external, that could result in unauthorized collection, use, or disclosure of Personal Data, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in (1) employee training and management, (2) product design, development, and research and (3) adequacy of security controls;
  3. Testing of effectiveness: The design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment will be subject to regular testing and monitoring of the effectiveness of those privacy controls and procedures; and
  4. Review: Sitecore will evaluate and adjust the privacy program to address any known change of circumstances that may have a material impact on the effectiveness of the privacy program.
  5. Data Protection Officer: Sitecore has appointed a Data Protection Officer, who can be reached at privacy@sitecore.com.

12. COMPLIANCE WITH THIS DPA

12.1 Sitecore shall maintain appropriate documentation necessary to demonstrate Sitecore’s compliance with this DPA (including certifications, independent audit report summaries and policy tables of content) and make such documentation, subject to redaction of Confidential Information not relevant to the requirements of this DPA, available to Customer upon its reasonable request.

12.2 Customer may request on an annual basis that Sitecore shall provide to Customer such copies of Sitecore’s agreements with Subprocessors referred to in Section 4 (which may be redacted to remove Confidential Information not relevant to the requirements of this DPA).

12.3 Each Party shall appoint an individual within its organisation authorised to respond from time to time to enquiries regarding the Personal Data and each Party shall deal with such enquiries promptly.

12.4 Sitecore shall make reasonable efforts to notify Customer if it becomes aware of any possible violation of, or inability to comply with, this DPA, Data Protection Laws and Regulations or Customer instructions.

13. CONTACT

13.1 Customer may contact Sitecore’s Security Team in relation to any Security Incident, notification or security question by emailing security@sitecore.com.

13.2 All other inquiries relating to this DPA should be directed to privacy@sitecore.com.

14. GENERAL

14.1 For the avoidance of doubt, any claim or remedies either party may have against the other party arising under or in connection with this DPA, will be subject to the limitation of liability provisions set forth in the Agreement.

14.2 Any claims against Sitecore or its Affiliates under this DPA shall be brought solely against the entity that is a Party to the Agreement. In no event shall any Party limit its liability with respect to any individuals’ data protection rights under this DPA or otherwise.

14.3 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws and Regulations.

14.4 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

14.5 Upon termination of the Agreement, and the cessation of any Services to the Customer, the respective rights and obligations of the Parties shall survive until Customer Data is deleted.

IN WITNESS WHEREOF, the Parties have caused this DPA to be executed by their authorized representative effective as at the date last executed below.

ANNEXES

  1. ANNEX A: Technical and Organizational Security Measures.
  2. ANNEX B: Subprocessors.
  3. ANNEX C: Data Processing.
  4. ANNEX D: Mechanisms for Personal Data Transfers.

Archived versions:

Sitecore Data Processing Addendum | Sitecore 042025