Sitecore Data Processing Addendum
v4.3 (May 2023)
This Customer Data Processing Addendum ("DPA") forms part of the Agreement between the Sitecore entity which has entered into the Agreement (“Sitecore”) and Customer ("Customer"), together referred to as the Parties (“Parties”) and applies where Sitecore will process Customer Data (including Personal Data, as defined below) when providing Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
This DPA becomes binding on the Parties on the Effective Date of the Agreement.
"Agreement" means the written or electronic agreement between Customer and Sitecore for the provision of the Services to Customer.
"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.
"Customer Data" is defined in the Agreement.
“Data Subject” or “Data Subjects” means an identified or identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or an online identifier or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. A legal person may qualify as a Data Subject under Data Protection Laws and Regulations of specific jurisdictions. This includes, to the extent applicable, any analogous variations of such terminology, such as “Consumer” as may be relevant under US state laws.
“Data Exporter” means the Party identified as “Customer” in the Agreement, a customer of the Services of the Data Importer.
“Data Importer” is Sitecore, a provider of experience management software, and its Affiliates.
“Data Protection Laws and Regulations” means all laws and regulations, including the laws and regulations of the European Union, the European Economic Area (hereinafter, the “EEA”) and their member states, Switzerland, the United Kingdom, Australia, Canada, and the United States and its states, applicable to the Processing of Personal Data under the Agreement as amended from time to time.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller, including as applicable any “Service Provider” as defined herein.
“International Data Transfer Addendum” (hereinafter, “IDTA”) means the UK Addendum to the Standard Contractual Clauses, which is considered to provide appropriate safeguards to the transfer of Personal Data from the United Kingdom to third countries in accordance with the Data Protection Laws and Regulations of the UK.
"Personal Data" means any Customer Data relating to an identified or an identifiable natural person or as otherwise defined under Data Protection Laws and Regulations. For the sake of clarity, where applicable, this includes “Personal Information” or analogous variations of such terminology within the meaning of applicable US state laws, to the extent that these may be applicable.
“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored, or otherwise Processed. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
"Service Provider" has the meaning set forth in Section 1798.140(v) of the CCPA.
"Services" as used in this DPA means the “SaaS Products” and/or “Hosted Services” as defined in the Agreement.
"Subprocessor" means any Data Processor or Service Provider (where applicable) engaged by Sitecore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties detailed on Annex B or Affiliates of Sitecore.
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
2. SCOPE OF THIS DPA
This DPA applies where Sitecore processes Customer Data, including Personal Data, on behalf of Customer in the course of providing Services to the Customer pursuant to the Agreement.
3. ROLES AND SCOPE OF PROCESSING
3.1 Role of the Parties. As between Sitecore and Customer, Customer is the Data Controller of Customer Data and Sitecore shall process Customer Data only as a Data Processor acting on behalf of Customer. For the avoidance of doubt, this DPA shall not apply to any instances where Sitecore is acting as a Data Controller (as defined under applicable Data Protection Laws and Regulations).
3.2 Customer’s obligations. Customer shall have the sole and exclusive authority to determine the purposes and means of Processing Customer Data transferred or otherwise disclosed to Sitecore. As between the Parties, the Customer shall have the sole responsibility for the accuracy, quality and legality of Personal Data as required by applicable Data Protection Laws and Regulations and the means by which the Customer acquired Personal Data, including the provision of proper notice and obtaining consents where appropriate for Processing by Sitecore.
3.3 Sitecore Processing of Customer Data.
- Treated as confidential: Sitecore will maintain confidentiality of Customer Data.
- Processing to follow Customer instructions: Sitecore shall process Customer Data only for the purpose of providing the Services and in accordance with Customer’s documented lawful instructions, as set forth in the Agreement and this DPA. The categories of Personal Data, categories of Data Subjects and the purposes of the Processing are as set out in Annex C (for the sake of clarity this expressly excludes Restricted Data (as defined in the Agreement). The Parties agree that the Customer’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA unless (or except as) required under applicable laws. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Sitecore with additional instructions for Processing.
- Sitecore does not sell Personal Data: Sitecore shall not:
- sell or rent Customer Personal Data
- retain, use, or disclose the Personal Data for any “business purpose” (as defined in the CCPA §1798.140(d)), or any “commercial purpose” (as defined in the CCPA §1798.140(f)) other than for the specific purpose of performing the Services under the Agreement, and as instructed by Customer, pursuant to Section 3.3 (b) above, or
- retain, use, or disclose Customer Data outside of the direct business relationship between Sitecore and Customer except to the extent as may be required by applicable laws and regulations.
- Security Measures and adequate safeguards: Sitecore represents that it has implemented adequate technical and organizational measures necessary to secure Customer Data, including, as appropriate, the Security Measures (defined in Section 5 below) referenced in Data Protection Laws and Regulations and more fully described at Annex A to this DPA.
3.4 Details of Data Processing
- Subject matter: The subject matter of the Processing under this DPA is Customer Data, as detailed in Annex C.
- Duration: As between Sitecore and Customer, the duration of the Processing under this DPA is the term of the Agreement or as otherwise agreed upon by the Parties.
- Purpose: The purpose of the Processing under this DPA is the provision of the Services to the Customer and the performance of Sitecore's obligations under the Agreement and this DPA (or as otherwise agreed by the Parties) and more fully described at Annex C to this DPA.
4.1 Authorized Subprocessors. Customer agrees that in order to provide the Services, Sitecore may engage Subprocessors to process Customer Data. A list of Sitecore's current authorized Subprocessors is found in Annex B. Sitecore maintains a current list of its Subprocessors on its website (https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0313167) and will post notifications of any new or replacement Subprocessors, prior to the use or replacement of Subprocessors. To receive these notifications by email, Customer can subscribe to our KB page.
4.2 Subprocessor Obligations. Where Sitecore authorizes any Subprocessor as described in Section 4.1:
- Restricted to a need-to-know: Sitecore will restrict the Subprocessors access to Customer Data only to what is necessary to assist Sitecore in providing or maintaining the Services, and will prohibit the Subprocessor from Processing Customer Data for any other purpose;
- Sitecore due diligence: Before any Subprocessor first processes Customer Data, Sitecore shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the same level of protection for Customer Data required by the Agreement and this DPA;
- Entry into written agreements: Sitecore will enter into a written agreement with the Subprocessor imposing data protection terms that places the equivalent data protection obligations as those set out in this DPA to the extent applicable to the nature of the services provided by such Subprocessor, in particular providing appropriate technical and organisational measures that the Processing will protect the Customer Data to the standard required by Data Protection Laws and Regulations;
- Liability for Subprocessors: Sitecore will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Sitecore to breach any of its obligations under this DPA; and
- Objection Right for new Subprocessors: If Customer has a reasonable basis relating to privacy or data security to object to Sitecore’s use of a new or replacement Subprocessor, Customer shall notify Sitecore promptly in writing within 30 business days after such notice being made by Sitecore on its website of a new or replacement Subprocessor. In the event Customer objects to any new Subprocessor(s) on such grounds, Sitecore will use reasonable efforts to work in good faith with Customer to find an acceptable, commercially reasonable, alternate solution. If the Parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days from Sitecore’s receipt of notice of Customer’s objection), Sitecore will either not appoint or replace the Subprocessor or, if this is not possible, Customer may suspend or terminate the applicable Order for Services in respect only to the specific Services which cannot be provided by Sitecore without the use of the objected-to new Subprocessor, by providing written notice to Sitecore and without prejudice to any fees incurred by Customer prior to suspension or termination.
5. SECURITY MEASURES AND SECURITY INCIDENT RESPONSE
5.1 Security Measures. Sitecore has implemented and will maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data ("Security Measures"). The Security Measures applicable to the Services are set forth in Annex A as updated or replaced from time to time in accordance with Section 5.2.Customer is responsible for reviewing the information made available by Sitecore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws and Regulations, taking into account the nature, scope, context and purposes of Processing, as well as, the risks associated with the contracted Processing.
5.2 Updates to Security Measures. Sitecore has implemented a procedure for the regular testing, inspection, assessment, and evaluation of the effectiveness of Sitecore’s Security Measures. Accordingly, Customer acknowledges that the Security Measures are subject to technical progress and development and that Sitecore may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Such updates to the Security Measures will be made available to Customer upon its reasonable request.
5.3 Personnel. Sitecore shall take reasonable steps to ensure the reliability of any Personnel who may have access to Customer Data, ensuring that access is strictly limited on a least-privilege basis to those individuals who need to know or need to have access to Customer Data as is necessary for the provision of the Services under the Agreement. Further, Sitecore shall ensure that Personnel with access to Customer Data are under an appropriate obligation of confidentiality and that such Personnel have received appropriate data protection and security training pertaining to the responsibilities of their role.
5.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
5.5 Sufficient Evidence. Upon the reasonable request of Customer, Sitecore shall provide Customer with sufficient information to enable Customer to demonstrate that the necessary technical and organizational security measures (as further detailed in Annex A) have been implemented.
5.6 Security Incident Response.
- Notification: Upon becoming aware of a Security Incident, Sitecore will notify Customer without undue delay (and no later than 48 hours after becoming aware of the Security Incident) and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer including (i) details of the Customer Data compromised, including whether the Customer Data had been encrypted, hashed or otherwise rendered incomprehensible, inaccessible or unintelligible for unauthorized persons, (ii) information on the Data Subjects affected, such as categories and the number of Data Subjects affected, (iii) the categories and number of information data records affected, (iv) description of the nature of the Security Incident, (v) identity and contact details of Sitecore’s Privacy contact, (vi) when the Security Incident took place (date or time period) and suspected cause, (vii) the likely consequences of the Security Incident, and (viii) any recommendations to minimize harm.
- Assistance: Sitecore will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident. Sitecore shall provide reasonable assistance to Customer, in the event Customer is required under Data Protection Laws and Regulations to notify a data protection authority or any Data Subjects of a Security Incident. Sitecore reserves the right to charge Customer for this assistance should it become overly burdensome.
6. REPORTS AND AUDITS
6.1 Upon Customer’s request, Sitecore will make available a statement from its Security Team containing all information necessary to demonstrate compliance with this DPA (a “Sitecore Report”) and any documentation pursuant to Section 10.
6.2 No more than once per year, Customer may conduct reviews of Sitecore’s documents and systems, by way of desk-based questionnaires and phone conferences with Sitecore Personnel.
6.3 Notwithstanding the foregoing, Customer will have the right, at its expense, to conduct an onsite audit, only in the event that (a) Customer reasonably believes that Sitecore is out of compliance with this DPA, or (b) Customer is subject to a regulatory audit, government investigation, court order or otherwise mandatory audit under applicable Data Protection Laws and Regulations that includes the scope of this DPA. Any on-site audit will be conducted during normal business hours, at a date and time as mutually agreed between the Parties, and only if such an audit at Sitecore’s premises is necessary to prove facts or otherwise demonstrate applicable compliance that Sitecore cannot otherwise evidence through a Sitecore Report, desk-based questionnaires, phone conferences, third-party certification programs or third-party audit reports. Customer agrees that with respect to any Sitecore Confidential Information received in connection with such audit, Customer will be subject to the same confidentiality obligations as set forth in the Agreement.
7. INTERNATIONAL TRANSFERS
7.1 Data Centre Locations. Customer understands that Customer Data within the Services will be processed, transferred to and stored wherever Customer chooses to have Customer Data hosted, and Sitecore shall store Customer Data only in the Customer selected data centre (and as detailed on any applicable Order Form) locations unless notified otherwise. Sitecore further confirms that Customer Data will not be transferred from the data centre location chosen by Customer without Customer’s prior consent.
7.2 Data Transfers. If applicable, Sitecore will at all times ensure that any Customer Data which is transferred is done so in compliance with adequate transfer mechanisms. Where applicable, Sitecore has put in place supplemental technical and organisational measures to ensure that any Customer Data being transferred using our services is afforded an adequate level of protection in the destination country in accordance with the requirements of Data Protection Laws and Regulations. Details of these supplemental measures are located in Section 9, below, and at Annex A of this DPA.
7.3 Data Transfer Mechanisms (to the extent applicable). The Parties agree that the Standard Contractual Clauses in Annex D to this DPA shall be the adequate transfer mechanism pursuant to Section 7.2 above and apply to Personal Data that is transferred from the EEA and/or Switzerland to outside the EEA and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws and Regulations).
7.4 Swiss Addendum to the EU Commission Standard Contractual Clauses (to the extent applicable). For transfers of Personal Data in compliance with the Federal Act on Data Protection 1992 ("FADP"), the parties agree that the Standard Contractual Clauses supplemented by the Swiss Addendum to the EU Commission Standard Contractual Clauses are the appropriate transfer mechanism.
7.5 Restricted Transfers Under UK GDPR (to the extent applicable). For transfers of Personal Data in compliance with section 119(A)and article 46 of the Data Protection Act 2018, the parties agree that the Standard Contractual Clauses supplemented by the UK International Data Transfer Addendum (IDTA) are the appropriate transfer mechanism.
8. RETURN OR DELETION OF DATA
Return or Deletion of Customer Data. Sitecore’s obligations regarding the return or deletion of Customer Data are as set forth in the Agreement. Upon termination of the Agreement, Sitecore may retain Customer Data in a manner that restricts the Processing solely to the extent that it may be necessary to comply with applicable law or regulation. This should not apply to Customer Data that has been archived on back-up systems, which Customer Data Sitecore shall securely isolate and protect from any further Processing, except to the extent required by applicable laws and regulations.
9. PRIVACY RIGHTS
9.1 To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Sitecore shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals, applicable supervisory authorities or relevant regulators relating to the Processing of Personal Data under the Agreement. In the case of complex or voluminous enquiries that can be managed by Customer through access within the Services but where Customer is requesting additional assistance beyond Sitecore’s compliance requirements, Sitecore reserves the right to charge Customer for reasonable expenses. In the event any such request is made directly to Sitecore, a Sitecore Affiliate or any Subprocessor, Sitecore shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Sitecore is required to respond to such a request, Sitecore will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so, for example to preserve the confidentiality of an investigation by law enforcement authorities.
9.2 If a law enforcement agency sends Sitecore a demand for Customer Data (for example, through a subpoena or court order), Sitecore will attempt to redirect the law enforcement agency to request such Customer Data directly from Customer. As part of this effort, Sitecore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Sitecore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Sitecore is legally prohibited from doing so.
9.3 Sitecore shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer needed to fulfil any Customer obligation under the applicable Data Protection Laws and Regulations to perform any data protection impact assessments. Sitecore shall, upon Customer request, provide reasonable assistance to Customer in any prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer under Data Protection Laws and Regulations.
10. PRIVACY AND DATA PROTECTION
Sitecore maintains a privacy program that includes dedicated resourcing, audit, and review processes designed to implement appropriate privacy controls and procedures, including but not limited to:
- Designated individual: The designation of an employee or employees to coordinate, provide oversight and be responsible for the privacy program;
- Privacy risk assessments: The identification of reasonably foreseeable, material risks, both internal and external, that could result in unauthorized collection, use, or disclosure of Personal Data, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in (1) employee training and management, (2) product design, development, and research and (3) adequacy of security controls;
- Testing of Effectiveness: The design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, will be subject to and regular testing and monitoring of the effectiveness of those privacy controls and procedures; and
- Reviews: Sitecore will evaluate and adjust the privacy program to address any known change of circumstances that may have a material impact on the effectiveness of the privacy program.
11. COMPLIANCE WITH THIS DPA
11.1 Sitecore shall maintain appropriate documentation necessary to demonstrate Sitecore’s compliance with this DPA (including certifications, independent audit report summaries and policy tables of content) and make such documentation, subject to redaction of Confidential Information not relevant to the requirements of this DPA, available to Customer upon its reasonable request.
11.2 Customer may request on annual basis, that Sitecore shall provide to Customer such copies of Sitecore’s agreements with Subprocessors referred to in Section 4 (which may be redacted to remove Confidential Information not relevant to the requirements of this DPA).
11.3 Each Party shall appoint an individual within its organisation authorised to respond from time to time to enquiries regarding the Personal Data and each Party shall deal with such enquiries promptly.
11.4 Sitecore shall make reasonable efforts to notify Customer if it becomes aware of any possible violation of, or inability to comply with, this DPA, Data Protection Laws and Regulations or Customer instructions.
12.1 Customer may contact Sitecore’s Security Team in relation to any Security Incident, notification or security question by emailing [email protected].
12.2 All other queries relating to this DPA should be directed to [email protected].
13.1 For the avoidance of doubt, any claim or remedies either party may have against the other party arising under or in connection with this DPA, will be subject to the limitation of liability provisions set forth in the Agreement.
13.2 Any claims against Sitecore or its Affiliates under this DPA shall be brought solely against the entity that is a Party to the Agreement. In no event shall any Party limit its liability with respect to any individuals’ data protection rights under this DPA or otherwise.
13.3 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws and Regulations.
13.4 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
13.5 Upon termination of the Agreement, and the cessation of any Services to the Customer, the respective rights and obligations of the Parties shall survive until Customer Data is deleted.
IN WITNESS WHEREOF, the Parties have caused this DPA to be executed by their authorized representative effective as at the date last executed below.
- ANNEX A: Technical and Organizational Security Measures.
- ANNEX B: Subprocessors.
- ANNEX C: Data Processing.
- ANNEX D: Mechanisms for Personal Data Transfers.