
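Sitecore Data Processing Addendum

v4.2 (November 2022)

This Customer Data Processing Addendum ("DPA") forms part of the Agreement between the Sitecore entity that entered into the Agreement ("Sitecore") and the customer ("Customer"), collectively the parties ("Parties"), and applies where Sitecore processes Customer Data (including Personal Data, as defined below) in providing the Services under the Agreement. All terms not defined in this DPA shall have the meanings set forth in the Agreement.

This DPA shall be binding on the Parties as of the effective date of the Agreement.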

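1. DEFINITIONS

"Agreement" means the written or electronic agreement between Customer and Sitecore for the provision of the Services to Customer.

"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

"Customer Data" is defined in the Agreement.

"Data Subject" or "Data Subjects" means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, mental, economic, cultural, or social identity of that person. Legal entities may qualify as Data Subjects under the data protection laws and regulations of certain jurisdictions. This includes, to the extent applicable, similar variations of such term, such as "consumer" as it may relate to US state laws.

"Data Exporter" means the party identified as "Customer" in the Agreement, that is, the customer of the Data Importer's services.

"Data Importer" is Sitecore and its Affiliates, which provide experience management software.

"Data Protection Laws and Regulations" means the laws and regulations of the European Union, the European Economic Area ("EEA") and their member states, Switzerland, the United Kingdom, Australia, Canada, and the United States and its states, applicable to the Processing of Personal Data under the Agreement, as amended from time to time.

"Data Controller" means the entity that determines the purposes and means of the Processing of Personal Data.

"Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller, including, as applicable, a "Service Provider" as defined herein.

"International Data Transfer Addendum" ("IDTA") means the UK addendum to the Standard Contractual Clauses, which is considered to provide appropriate safeguards for transfers of Personal Data from the United Kingdom to third countries in accordance with UK Data Protection Laws and Regulations.

"Personal Data" means Customer Data that relates to an identified or identifiable natural person, or as otherwise defined under Data Protection Laws and Regulations. For clarity, where applicable, this includes "personal information" or similar variations of such term within the meaning of applicable US state laws (to the extent applicable).

"Processing" or "Process" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored, or otherwise Processed. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Service Provider" has the meaning set forth in Section 1798.140(v) of the CCPA.

"Services", as used in this DPA, means the "SaaS Products" and/or "Hosted Services" as defined in the Agreement.

"Subprocessor" means any Data Processor or Service Provider (where applicable) engaged by Sitecore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties detailed on Annex B or Affiliates of Sitecore.

"Standard Contractual Clauses" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).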

2. SCOPE OF THIS DPA

This DPA applies where Sitecore Processes Customer Data, including Personal Data, on behalf of Customer in the course of providing the Services to Customer pursuant to the Agreement.

3. ROLES AND SCOPE OF PROCESSING

3.1 Roles of the Parties. As between Sitecore and Customer, Customer is the Data Controller of Customer Data, and Sitecore shall Process Customer Data only as a Data Processor acting on behalf of Customer. For the avoidance of doubt, this DPA shall not apply where Sitecore is acting as a Data Controller (as defined in applicable Data Protection Laws and Regulations).

3.2 Customer Obligations. Customer shall have the sole and exclusive authority to determine the purposes and means of Processing Customer Data transferred or otherwise disclosed to Sitecore. As between the Parties, the Customer shall have the sole responsibility for the accuracy, quality and legality of Personal Data as required by applicable Data Protection Laws and Regulations and the means by which the Customer acquired Personal Data, including the provision of proper notice and obtaining consents where appropriate for Processing by Sitecore.

3.3 Sitecore Processing of Customer Data.

  1. Treated as confidential: Sitecore will maintain the confidentiality of Customer Data.
  2. Processing in accordance with Customer’s instructions: Sitecore shall process Customer Data only for the purpose of providing the Services and in accordance with Customer’s documented lawful instructions, as set forth in the Agreement and this DPA. The categories of Personal Data, categories of Data Subjects and the purposes of the Processing are as set out in Annex C (for the sake of clarity this expressly excludes Restricted Data (as defined in the Agreement)). The Parties agree that the Customer’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA unless (or except as) required under applicable laws. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Sitecore with additional instructions for Processing.
  3. Sitecore does not sell Personal Data: Sitecore shall not:
    1. sell or rent Customer Personal Data
    2. retain, use, or disclose the Personal Data for any “business purpose” (as defined in the CCPA §1798.140(d)), or any “commercial purpose” (as defined in the CCPA §1798.140(f)) other than for the specific purpose of performing the Services under the Agreement, and as instructed by Customer, pursuant to Section 3.3(b) above, or
    3. retain, use, or disclose Customer Data outside of the direct business relationship between Sitecore and Customer except to the extent as may be required by applicable laws and regulations.
  4. Security measures and appropriate safeguards: Sitecore represents that it has implemented appropriate technical and organizational measures necessary to protect Customer Data, including the Security Measures (as defined in Section 5 below), as referenced in Data Protection Laws and Regulations and as further detailed in Annex A to this DPA.

3.4 Details of Data Processing

  1. Subject matter: The subject matter of the Processing under this DPA is Customer Data, as further detailed in Annex C.
  2. Duration: As between Sitecore and Customer, the duration of the Processing under this DPA is the term of the Agreement or as otherwise agreed upon by the Parties.
  3. Purpose: The purpose of the Processing under this DPA is the provision of the Services to Customer and the performance of Sitecore’s obligations under the Agreement and this DPA (or as otherwise agreed by the Parties), as further detailed in Annex C to this DPA.

4. SUBPROCESSING

4.1 Authorized Subprocessors. Customer agrees that in order to provide the Services, Sitecore may engage Subprocessors to process Customer Data. A list of Sitecore's current authorized Subprocessors is found in Annex B. Sitecore maintains a current list of its Subprocessors on its website (https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0313167) and will post notifications of any new or replacement Subprocessors, prior to the use or replacement of Subprocessors. To receive these notifications by email, Customer can subscribe to our KB page.

4.2 Subprocessor Obligations. Where Sitecore authorizes any Subprocessor as described in Section 4.1:

  1. Limited to need to know: Sitecore will restrict the Subprocessor’s access to Customer Data only to what is necessary to assist Sitecore in providing or maintaining the Services, and will prohibit the Subprocessor from Processing Customer Data for any other purpose;
  2. Sitecore due diligence: Before a Subprocessor first Processes Customer Data, Sitecore shall carry out appropriate due diligence to confirm that the Subprocessor is capable of providing the same level of protection for Customer Data as is required by the Agreement and this DPA.
  3. Written agreement: Sitecore shall enter into a written agreement with the Subprocessor imposing data protection obligations equivalent to those set out in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor, and in particular providing appropriate technical and organizational measures so that the Processing protects Customer Data in accordance with the standards required by Data Protection Laws and Regulations.
  4. Responsibility for Subprocessors: Sitecore will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Sitecore to breach any of its obligations under this DPA; and
  5. Right to object to new Subprocessors: If Customer has a reasonable basis relating to privacy or data security to object to Sitecore’s use of a new or replacement Subprocessor, Customer shall notify Sitecore promptly in writing within 30 business days after such notice being made by Sitecore on its website of a new or replacement Subprocessor. In the event Customer objects to any new Subprocessor(s) on such grounds, Sitecore will use reasonable efforts to work in good faith with Customer to find an acceptable, commercially reasonable, alternate solution. If the Parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days from Sitecore’s receipt of notice of Customer’s objection), Sitecore will either not appoint or replace the Subprocessor or, if this is not possible, Customer may suspend or terminate the applicable Order for Services in respect only to the specific Services which cannot be provided by Sitecore without the use of the objected-to new Subprocessor, by providing written notice to Sitecore and without prejudice to any fees incurred by Customer prior to suspension or termination.

5. SECURITY MEASURES AND SECURITY INCIDENT RESPONSE

5.1 Security Measures. Sitecore has implemented and will maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data ("Security Measures"). The Security Measures applicable to the Services are set forth in Annex A as updated or replaced from time to time in accordance with Section 5.2. Customer is responsible for reviewing the information made available by Sitecore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws and Regulations, taking into account the nature, scope, context and purposes of Processing, as well as the risks associated with the contracted Processing.

5.2 Updates to Security Measures. Sitecore has implemented a procedure for the regular testing, inspection, assessment, and evaluation of the effectiveness of Sitecore’s Security Measures. Accordingly, Customer acknowledges that the Security Measures are subject to technical progress and development and that Sitecore may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Such updates to the Security Measures will be made available to Customer upon its reasonable request.

5.3 Personnel. Sitecore shall take reasonable steps to ensure the reliability of any personnel who may have access to Customer Data, ensuring that access is strictly limited on a least-privilege basis to those individuals who need to know or need to have access to Customer Data as is necessary for the provision of the Services under the Agreement. Further, Sitecore shall ensure that personnel with access to Customer Data are under an appropriate obligation of confidentiality and that such personnel have received appropriate data protection and security training pertaining to the responsibilities of their role.

5.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

5.5 Sufficient Evidence. Upon the reasonable request of Customer, Sitecore shall provide Customer with sufficient information to enable Customer to demonstrate that the necessary technical and organizational security measures (as further detailed in Annex A) have been implemented.

5.6 Security Incident Response.

  1. Notification: Upon becoming aware of a Security Incident, Sitecore will notify Customer without undue delay (and no later than 48 hours after becoming aware of the Security Incident) and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer including (i) details of the Customer Data compromised, including whether the Customer Data had been encrypted, hashed or otherwise rendered incomprehensible, inaccessible or unintelligible for unauthorized persons, (ii) information on the Data Subjects affected, such as categories and the number of Data Subjects affected, (iii) the categories and number of information data records affected, (iv) description of the nature of the Security Incident, (v) identity and contact details of Sitecore’s Privacy contact, (vi) when the Security Incident took place (date or time period) and suspected cause, (vii) the likely consequences of the Security Incident, and (viii) any recommendations to minimize harm.
  2. Assistance: Sitecore will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident. Sitecore shall provide reasonable assistance to Customer, in the event Customer is required under Data Protection Laws and Regulations to notify a data protection authority or any Data Subjects of a Security Incident. Sitecore reserves the right to charge Customer for this assistance should it become overly burdensome.

6. REPORTS AND AUDITS

6.1 Upon Customer’s request, Sitecore will provide a statement from its security team containing all information necessary to demonstrate compliance with this DPA (the "Sitecore Report"), together with the documentation under Section 10.

6.2 No more than once per year, Customer may conduct reviews of Sitecore’s documents and systems, by way of desk-based questionnaires and phone conferences with Sitecore personnel.

6.3 Notwithstanding the foregoing, Customer will have the right, at its expense, to conduct an onsite audit, only in the event that (a) Customer reasonably believes that Sitecore is out of compliance with this DPA, or (b) Customer is subject to a regulatory audit, government investigation, court order or otherwise mandatory audit under applicable Data Protection Laws and Regulations that includes the scope of this DPA. Any on-site audit will be conducted during normal business hours, at a date and time as mutually agreed between the Parties, and only if such an audit at Sitecore’s premises is necessary to prove facts or otherwise demonstrate applicable compliance that Sitecore cannot otherwise evidence through a Sitecore Report, desk-based questionnaires, phone conferences, third-party certification programs or third-party audit reports. Customer agrees that with respect to any Sitecore Confidential Information received in connection with such audit, Customer will be subject to the same confidentiality obligations as set forth in the Agreement.

7. INTERNATIONAL TRANSFERS

7.1 Data Centre Locations. Customer understands that Customer Data within the Services will be processed, transferred to and stored wherever Customer chooses to have Customer Data hosted, and Sitecore shall store Customer Data only in the Customer selected data centre (and as detailed on any applicable Order Form) locations unless notified otherwise. Sitecore further confirms that Customer Data will not be transferred from the data centre location chosen by Customer without Customer’s prior consent.

7.2 Data Transfers. If applicable, Sitecore will at all times ensure that any Customer Data which is transferred is done so in compliance with adequate transfer mechanisms. Where applicable, Sitecore has put in place supplemental technical and organisational measures to ensure that any Customer Data being transferred using our services is afforded an adequate level of protection in the destination country in accordance with the requirements of Data Protection Laws and Regulations. Details of these supplemental measures are located in Section 9, below, and at Annex A of this DPA.

7.3 Data Transfer Mechanisms (to the extent applicable). The Parties agree that the Standard Contractual Clauses in Annex D to this DPA shall be the adequate transfer mechanism pursuant to Section 7.2 above and apply to Personal Data that is transferred from the EEA and/or Switzerland to outside the EEA and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws and Regulations).

7.4 Swiss Addendum to the EU Commission Standard Contractual Clauses (to the extent applicable). For transfers of Personal Data in compliance with the Federal Act on Data Protection 1992 ("FADP"), the parties agree that the Standard Contractual Clauses supplemented by the Swiss Addendum to the EU Commission Standard Contractual Clauses are the appropriate transfer mechanism.

7.5 Restricted Transfers under the UK General Data Protection Regulation (to the extent applicable). For transfers of Personal Data in compliance with section 119(A) and article 46 of the Data Protection Act 2018, the parties agree that the Standard Contractual Clauses supplemented by the UK International Data Transfer Addendum (IDTA) are the appropriate transfer mechanism.

8. RETURN OR DELETION OF DATA

Return or Deletion of Customer Data. Sitecore’s obligations regarding the return or deletion of Customer Data are as set forth in the Agreement. Upon termination of the Agreement, Sitecore may retain Customer Data in a manner that restricts the Processing solely to the extent that it may be necessary to comply with applicable law or regulation. This should not apply to Customer Data that has been archived on back-up systems, which Customer Data Sitecore shall securely isolate and protect from any further Processing, except to the extent required by applicable laws and regulations.

9. PRIVACY RIGHTS

9.1 To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Sitecore shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals, applicable supervisory authorities or relevant regulators relating to the Processing of Personal Data under the Agreement. In the case of complex or voluminous enquiries that can be managed by Customer through access within the Services but where Customer is requesting additional assistance beyond Sitecore’s compliance requirements, Sitecore reserves the right to charge Customer for reasonable expenses. In the event any such request is made directly to Sitecore, a Sitecore Affiliate or any Subprocessor, Sitecore shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Sitecore is required to respond to such a request, Sitecore will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so, for example to preserve the confidentiality of an investigation by law enforcement authorities.

9.2 If a law enforcement agency sends Sitecore a demand for Customer Data (for example, through a subpoena or court order), Sitecore will attempt to redirect the law enforcement agency to request such Customer Data directly from Customer. As part of this effort, Sitecore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Sitecore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Sitecore is legally prohibited from doing so.

9.3 Sitecore shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer needed to fulfil any Customer obligation under the applicable Data Protection Laws and Regulations to perform any data protection impact assessments. Sitecore shall, upon Customer request, provide reasonable assistance to Customer in any prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer under Data Protection Laws and Regulations.

10. PRIVACY AND DATA PROTECTION

Sitecore maintains a privacy program, including dedicated resources and audit and review processes, designed to implement appropriate privacy controls and procedures, including but not limited to:

  1. Designee: The designation of an employee or employees to coordinate, provide oversight and be responsible for the privacy program;
  2. Privacy risk assessment: The identification of reasonably foreseeable, material risks, both internal and external, that could result in unauthorized collection, use, or disclosure of Personal Data, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in (1) employee training and management, (2) product design, development, and research and (3) adequacy of security controls;
  3. Effectiveness testing: The design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, subject to regular testing and monitoring of the effectiveness of those privacy controls and procedures; and
  4. Review: Sitecore evaluates and adjusts its privacy program to address known changes in circumstances that may have a material impact on the effectiveness of the privacy program.

11. COMPLIANCE WITH THIS DPA

11.1 Sitecore shall maintain appropriate documentation necessary to demonstrate Sitecore’s compliance with this DPA (including certifications, independent audit report summaries and policy tables of content) and make such documentation, subject to redaction of Confidential Information not relevant to the requirements of this DPA, available to Customer upon its reasonable request.

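11.2 Customer may request, on an annual basis, that Sitecore provide Customer with copies of the agreements between Sitecore and its Subprocessors referred to in Section 4 (which may be redacted to remove confidential information relevant to the requirements of this DPA).

11.3 Each Party shall appoint an individual within its organization who is authorized to respond from time to time to enquiries regarding Personal Data, and each Party shall deal with such enquiries promptly.

11.4 Sitecore shall make reasonable efforts to notify Customer if it becomes aware of any possible violation of, or inability to comply with, this DPA, Data Protection Laws and Regulations or Customer instructions.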

12. CONTACT

12.1 Customer may contact Sitecore’s Security Team in relation to any Security Incident, notification or security question by emailing security@sitecore.com.

12.2 All other enquiries relating to this DPA should be directed to privacy@sitecore.com.

13. GENERAL

13.1 For the avoidance of doubt, any claim or remedies either party may have against the other party arising under or in connection with this DPA, will be subject to the limitation of liability provisions set forth in the Agreement.

13.2 Any claims against Sitecore or its Affiliates under this DPA shall be brought solely against the entity that is a Party to the Agreement. In no event shall any Party limit its liability with respect to any individuals’ data protection rights under this DPA or otherwise.

13.3 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws and Regulations.

13.4 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

13.5 Upon termination of the Agreement, and the cessation of any Services to the Customer, the respective rights and obligations of the Parties shall survive until Customer Data is deleted.

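IN WITNESS WHEREOF, the Parties have caused this DPA to be executed by their authorized representatives as of the date last signed below.

ANNEXES

  1. ANNEX A: Technical and Organizational Security Measures.
  2. ANNEX B: Subprocessors.
  3. ANNEX C: Data Processing.
  4. ANNEX D: Mechanisms for Personal Data Transfers.

SITECORE ONLINE CUSTOMER DPA – GUIDE

Archived versions:

  • V4.0 April 2022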


© Copyright 2026, Sitecore A/S or a Sitecore affiliated company. All rights reserved.
