Skip to main content

 

Sitecore Data Processing Addendum

Annex C

ANNEX C: Data Processing

Sitecore OrderCloud

Categories of data subjects whose Personal Data is transferred
Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Contact details: Address, Telephone Number (Fixed and Mobile), Email Address.
  • Employment Details: Job Title, Geographic Location, Area of Responsibility.
  • IT Related Data: Computer ID, User ID and Password, Domain Name, IP Address, Log Files, Software Hardware Inventory, Software Usage Pattern Tracking Information (i.e., cookies and information recorded for operation training purposes).
  • Financial Details: Credit Card Numbers.

End Users:

  • Website Activities: ID Session Data, Session Duration, Referring Website, Source IP Address, Source Geographical Data, User Agent, Pages Viewed, Events Triggered, Other Calculated Metrics.
  • Order Information: Information relating to any orders purchased by End Users.
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Provide the service and associated features.
  • Deliver and provide operational support for the Service.
  • Communicate with you on status and availability of the Service.
  • Support billing for the Service.
  • Authenticate and authorize access to the Service.
  • Diagnose technical issues.
  • Conduct analytics and statistical analysis in aggregate form to improve the technical performance of the Service.
  • Respond to Customer support requests.
  • Enforce and monitor compliance with contractual terms and applicable laws in connection with legal claims, compliance, regulatory and investigatory purposes, including prevention and detection of fraud.
Duration of processing
User Interaction Data:
Data Set
Retention Period
 
Live Storage Data:
Submitted Orders, Products, Pricing schedules, Shipping information, Payment/Tax management, Content management
Contract duration or defined by customers by using OrderCloud APIs to delete data
 
Live Storage Data:
Unsubmitted Orders
All (without line items) 24 hours Anonymous (with line items) 7 days Profiled (with line items) 90 days from Last Updated date
 
Live Log Data:
Application logs
30 Days

 

Sitecore Discover and Sitecore Search

Categories of data subjects whose Personal Data is transferred
Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Contact details: First Name, Last Name, Email Address.

End Users:

  • Identifiers: IP address, Email address, Unique personal identifier, Cookie data, tags, beacons, pixels, Device data (device name, browser/OS version, device configuration, settings, etc.),Online Identifiers.
  • Commercial Information: Records of personal property, products or services purchased, obtained, or considered, Other purchasing or consuming, histories or tendencies.
  • Internet or Other Similar Network Activity: Browsing history, Search history, Information on a consumer's interaction with a website, application, or advertisement, Referring URLs, Searchterms/queries.
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Provide the service and associated features.
  • Deliver and provide operational support for the Service.
  • Communicate with you on status and availability of the Service.
  • Support billing for the Service.
  • Authenticate and authorize access to the Service.
  • Diagnose technical issues.
  • Conduct analytics and statistical analysis in aggregate form to improve the technical performance of the Service.
  • Respond to Customer support requests.
  • Enforce and monitor compliance with contractual terms and applicable laws in connection with legal claims, compliance, regulatory and investigatory purposes, including prevention and detection of fraud.
Duration of processing
  • User Interaction Data: 90 Days
  • Analytics Data: None
  • Raw Data: 1 Year
  • Aggregated Learned Data: 30 days

 

Sitecore Email Experience Manager (EXM)

Categories of data subjects whose Personal Data is transferred
Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Contact Details: Address, Telephone Number (Fixed and Mobile), Email Addresses.
  • Employment Details: Job Details, Geographic Location, Area of Responsibility.
  • IT Related Data: License ID.
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Provide the service and associated features.
  • Deliver and provide operational support for the Service.
  • Communicate with you on status and availability of the Service.
  • Support billing for the Service.
  • Authenticate and authorize access to the Service.
  • Diagnose technical issues.
  • Conduct analytics and statistical analysis in aggregate form to improve the technical performance of the Service.
  • Respond to Customer support requests.
  • Enforce and monitor compliance with contractual terms and applicable laws in connection with legal claims, compliance, regulatory and investigatory purposes, including prevention and detection of fraud.
Duration of processing
Sitecore will Process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.

 

Sitecore CDP (Segmentation & Insights)

Categories of data subjects whose Personal Data is transferred
Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Contact Details: Address, Telephone Number (Fixed and Mobile), Email Address.
  • Employment Details: Job Title, Geographic Location, Area of Responsibility.
  • IT Related Data: Computer ID, User ID and Password, Domain Name, IP Address, Log Files, Software and Hardware Inventory, Software Usage Pattern Tracking Information (i.e., cookies and information recorded for operation training purposes).

End Users:

  • Website Activities: ID Session Data, Creation Timestamp, Update Timestamp, Session Duration, Referring Website, Source IP Address, Source Geographical Data, User Agent, Pages Viewed, Events Triggered, Other Calculated Metrics, OS type and version.
  • Order Information: Information relating to any orders purchased by End Users.
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Provide the service and associated features.
  • Deliver and provide operational support for the Service.
  • Communicate with you on status and availability of the Service.
  • Support billing for the Service.
  • Authenticate and authorize access to the Service.
  • Diagnose technical issues.
  • Conduct analytics and statistical analysis in aggregate form to improve the technical performance of the Service.
  • Respond to Customer support requests.
  • Enforce and monitor compliance with contractual terms and applicable laws in connection with legal claims, compliance, regulatory and investigatory purposes, including prevention and detection of fraud.
Duration of processing
Customer determines the duration of processing by configuring its own storage and deletion of data via the Service. Sitecore can delete Customer Data upon request and termination of the Agreement.

 

Sitecore Personalize

Categories of data subjects whose Personal Data is transferred
Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Contact Information: Name, Email Address.
  • Identifiers: Unique personal identifier, Device data (device name, browser / OS version, device configuration, settings, etc.), Online Identifiers.
  • Commercial Information: Business Logic Information, Data Lookups (Operational Systems),Offer Information, Results from external connections (hosted AI / Machine Learning models or data systems) used in decision models.
  • Internet or Other Similar Network Activity: Browsing History, Search History, Information on a consumer's interaction with a website, application, or advertisement, Referring URLs.
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Provide the service and associated features.
  • Deliver and provide operational support for the Service.
  • Communicate with you on status and availability of the Service.
  • Support billing for the Service.
  • Authenticate and authorize access to the Service.
  • Diagnose technical issues.
  • Conduct analytics and statistical analysis in aggregate form to improve the technical performance of the Service.
  • Respond to Customer support requests.
  • Enforce and monitor compliance with contractual terms and applicable laws in connection with legal claims, compliance, regulatory and investigatory purposes, including prevention and detection of fraud.
Duration of processing
  • Live Storage Data:
    • Sessions-Latest 40 or up to 90 days.
    • Events-100 per session or up to 90 days.
    • Anonymous Guests-inactive profiles purged after 6 months.
  • Analytics Data: Contract duration or to an agreed data retention policy.
  • Archival Storage Data: Contract duration or to an agreed data retention policy.
  • Live Log Data (Application Logs): 30 days.
  • Archive Storage Data (Application Logs): Duration of Contract.

 

Sitecore Send

Categories of data subjects whose Personal Data is transferred
Website Guests (Unregistered), Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Website Guest Data (Unregistered): Email Address, Initial Traffic Source Data.
  • Contact Details: Email address, Login name, Password, First name/Last Name, Company Name, Address (city, country), Industry, Company size, Number of subscribers, Postal Code (optional)
  • IT Related Data: Consent Timestamp, Cookie, IP Address, Browser agent (where Customer logged in), Log Files.
  • Payment Information: Braintree Token (containing billing agreement ID, Gateway Account and Email Address.)
  • Website Activities: Session ID, Creation Timestamp, Update Timestamp, OS Type and Version, Last Session Date and Time.

End Users:

  • Contact Details: Email Address, Name, Optional and User-Defined Customer Fields.
  • Derived Information: IP address and location information (country / city / region / postcode level), Browser agent and device information (device / operating system and version),Website Behavioral data (page views, product views, purchases, carts where applicable.),Email Interaction data (opens / clicks / bounces / complaints / unsubscribes where applicable), Logs and audit information for support purposes.
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Account creation and service activation.
  • Provide the service and associated features.
  • Deliver and provide operational support for the Service.
  • Communicate with you on status and availability of the Service.
  • Support billing for the Service.
  • Authenticate and authorize access to the Service.
  • Diagnose technical issues.
  • Respond to Customer support requests.
  • Enforce and monitor compliance with contractual terms and applicable laws in connection with legal claims, compliance, regulatory and investigatory purposes, including prevention and detection of fraud.
  • Run and improve the website.
  • Assess the appropriate level of Services for Customer.
  • Understand how the Service is used, such as screens viewed, and events triggered.
  • Conduct analytics and statistical analysis in aggregate form to improve the technical performance of the Service
Duration of processing
Sitecore will Process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.

 

Experience Manager (Cloud) (Content Management)

Categories of data subjects whose Personal Data is transferred
(Unregistered), Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Contact Details: Address, Telephone Number (Fixed and Mobile) Email Addresses.
  • Employment Details: Job Details, Geographic Location, Area Of Responsibility.
  • IT Related Data

End Users:

  • Identifying Information during a website visit: Full name, Email addresses, Physical address, Phone numbers.
  • Website Activities: Session Duration, Referring Website, Source IP Address, Source Geographical Data, User Agent, Pages Viewed, Events Triggered, Other Calculated Metrics (such as content volume).
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Account creation and service activation.
  • Provide the service and associated features.
  • Deliver and provide operational support for the Service.
  • Communicate with you on status and availability of the Service.
  • Support billing for the Service.
  • Authenticate and authorize access to the Service.
  • Diagnose technical issues.
  • Respond to Customer support requests.
  • Enforce and monitor compliance with contractual terms and applicable laws in connection with legal claims, compliance, regulatory and investigatory purposes, including prevention and detection of fraud.
Duration of processing
Sitecore will Process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.

 

Sitecore Content Hub (DAM & Content Operations)

Categories of data subjects whose Personal Data is transferred
(Unregistered), Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Contact Details: Email Addresses
  • Username
  • Profile Information: Avatars, Geographic Location and any other information that end users choose to share.
  • IT Related Data: Computer ID, User ID and Password, Domain Name, IP Address, Log Files, Software and Hardware Inventory, Software Usage Pattern Tracking Information, Session ID,OS Type and Version.
  • Identifying Information during a website visit: Full Name (aliases), Email Address, Physical Address, Phone Numbers.
  • Website activities: Session Duration, Referring Website Source IP Address, Source Geographical Data, User Agent, Pages Viewed, Events Triggered, Creation Timestamp, Update Timestamp, Other Calculated Metrics (such as content volume).
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Provide the service and associated features.
  • Understand how the Service is used, such as screens viewed, and events triggered.
  • Support billing for the Service.
  • Diagnose technical issues.
  • Conduct analytics and statistical analysis in aggregate form to improve the technical performance of the Service.
  • Respond to Customer support requests.
  • with legal claims, compliance, regulatory and investigatory purposes, including fraud prevention and detection.
Duration of processing
Customer determines the duration of processing by configuring its own storage and deletion of data via the Service. Sitecore can delete Customer Data upon request and termination of the Agreement.

 

Sitecore AI

Categories of data subjects whose Personal Data is transferred
Employees, Customers, End Users
Categories of Personal Data transferred

Employees:

  • Contact Details: Address, Telephone Number (Fixed and Mobile), Email Address.
  • Employment Details: Job Title, Geographic Location, Area of Responsibility.
  • IT Related Data: Computer ID, User ID, Password, Domain Name, IP Address, Log Files, Software Hardware Inventory, Software Usage Pattern Tracking, Information (i.e., cookies and information recorded for operation training purposes).

End Users and Customers::

  • Website Activities: Session Duration, Referring website, Source IP Address, Source Geographical Data, User Agent, Pages Viewed, Events Triggered, Other Calculated Metrics.
Data Controller/ Data Processor roles
Data Processor
Sensitive data transferred?
Sitecore does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations).
Frequency of the transfer
Data will be transferred on a continuous basis.
Nature of the processing
  • Use of Personal Data to set up, operate, monitor, and provide the Services (including operational and technical support).
  • Continuous improvement of service features and functionalities provided as part of the Services.
  • Storage of Personal Data in dedicated data centers.
  • Release, development and upload of any fixes or upgrades to Services.
  • Back up and restoration of Personal Data stored in the dedicated data centers and CloudService.
  • Computer processing of Personal Data, including data transmission, data retrieval, data access.
  • Network access to allow Personal Data transfer.
  • Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
  • Security monitoring, network-based intrusion detection support, penetration testing.
  • Execution of instructions of Customer in accordance with the Agreement.
Purpose of the data transfer
  • Provide the service and associated features.
  • Understand how the Service is used, such as screens viewed, and events triggered.
  • Support billing for the Service.
  • Diagnose technical issues.
  • Conduct analytics and statistical analysis in aggregate form to improve the technical performance of the Service.
  • Respond to Customer support requests.
  • Enforce and monitor compliance with contractual terms and applicable laws in connection with legal claims, compliance, regulatory and investigatory purposes, including fraud prevention and detection.
Duration of processing
Customer determines the duration of processing by configuring its own storage and deletion of data via the Service. Sitecore can delete Customer Data upon request and termination of the Agreement.