SITECORE TRUST CENTER
Sitecore Data Processing Addendum
SITECORE CUSTOMER DATA PROCESSING ADDENDUM
[For a signed copy click here]
Last modified: April 2022
This Customer Data Processing Addendum ("DPA") forms part of the Order for Services (“Agreement”) between the Sitecore entity which has entered into the Agreement (“Sitecore”) and Customer ("Customer"), together referred to as the Parties (“Parties”), and applies where Sitecore will process Customer Data when providing Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
Upon Sitecore’s receipt of a validly completed DPA by Customer, this DPA will become effective and is legally binding.
1. Definitions
"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
"Agreement" means the written or electronic agreement between Customer and Sitecore for the provision of the Services to Customer.
"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.
"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" will be construed accordingly.
"Customer Data" means any data, including Personal Data, that Sitecore processes on behalf of Customer through Customer’s use of the Services.
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"Data Exporter” means the entity identified as “Customer” in this DPA, a customer of the Data Importer’s services.
"Data Importer" is Sitecore, a provider of experience management software, and its Affiliates.
“Data Subjects” means Data Exporter’s employees, end-users, and customers.
"Data Subject" or “Data Subjects” means an identified or identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or an online identifier or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. A legal person may qualify as a Data Subject under the Data Protection Laws of specific jurisdictions. This includes, to the extent applicable, any analogous variations of such terminology, such as “Consumer” as may be relevant under US state laws.
"Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, Australia, Canada, and the United States and its states, applicable to the Processing of Personal Data under the Agreement as amended from time to time.
"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
"Standard Contractual Clauses" means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
"International Data Transfer Addendum (IDTA)" means the UK Addendum to the Standard Contractual Clauses, which is considered to provide appropriate safeguards to the transfer of Personal Data from the United Kingdom to third countries in accordance with the UK Data Protection Laws.
"Processing" or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
"EEA" means the European Economic Area.
"Personal Data" means any Customer Data relating to an identified or an identifiable natural person or as otherwise defined under Data Protection Laws. For the sake of clarity, this includes “Personal Information” or analogous variations of such terminology within the meaning of applicable US state laws, to the extent that these may be applicable. "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise Processed.
"Security Incident" does not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
"Service Provider" has the meaning set forth in Section 1798.140(v) of the CCPA.
"Services" as used in this DPA means the “SaaS Products” and/or “Hosted Services” as defined in the Agreement.
"Subprocessor" means any Data Processor or Service Provider engaged by Sitecore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties or Affiliates of Sitecore.
2. Scope of this DPA
This DPA applies where Sitecore processes Customer Data, including Personal Data, on behalf of Customer in the course of providing Services to the Customer pursuant to the Agreement.
3. Roles and Scope of Processing
3.1 Role of the Parties. As between Sitecore and Customer, Customer is the Data Controller of Customer Data and Sitecore shall process Customer Data only as a Data Processor acting on behalf of Customer. For the avoidance of doubt, this DPA shall not apply to any instances where Sitecore is acting as a Controller (as defined under applicable Data Protection Laws).
3.2 Customer’s obligations. Customer shall have the sole and exclusive authority to determine the purposes and means of Processing Customer Data transferred or otherwise disclosed to Sitecore. As between the Parties, the Customer shall have the sole responsibility for the accuracy, quality and legality of Personal Data as required by applicable Data Protection Laws and the means by which the Customer acquired Personal Data, including the provision of proper notice and obtaining consents where appropriate for Sitecore’s Processing.
3.3 Data Protection Laws. Customer agrees and acknowledges that it understands its compliance obligations with respect to Customer Data as required by Data Protection Laws.
3.4 Sitecore Processing of Customer Data.
(a) Treated as Confidential Information: Sitecore will treat Customer Data as Confidential Information pursuant to the terms of the Agreement.
(b) Processing to follow Customer instructions: Sitecore shall process Customer Data only for the purpose of providing the Services and in accordance with Customer’s documented lawful instructions, as set forth in the Agreement and this DPA. The categories of Personal Data, categories of Data Subjects and the purposes of the Processing are as set out in Annex C. The Parties agree that the Customer’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA unless (or except as) required under applicable laws. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Sitecore with additional instructions for Processing.
(c) Sitecore does not sell Personal Data: Sitecore shall not:
(i) sell or rent Customer Personal Data;
(ii) retain, use, or disclose the Personal Data for any “business purpose” (as defined in the CCPA §1798.140(d)), or any “commercial purpose” (as defined in the CCPA §1798.140(f)) other than for the specific purpose of performing the Services under the Agreement, and as instructed by Customer, pursuant to Section 3.3 (b) above, or
(iii) retain, use or disclose Customer Data outside of the direct business relationship between Sitecore and Customer except to the extent as may be required by applicable laws.
(d) Security Measures and adequate safeguards: Sitecore represents that it has implemented adequate technical and organizational measures necessary to secure Customer Data, including, as appropriate, the measures referred to by Data Protection Laws, in accordance with Annex A.
3.5 Details of Data Processing
(a) Subject matter: The subject matter of the Processing under this DPA is Customer Data, as detailed in Annex C.
(b) Duration: As between Sitecore and Customer, the duration of the Processing under this DPA is the term of the Agreement or as otherwise agreed upon by the Parties.
(c) Purpose: The purpose of the Processing under this DPA is the provision of the Services to the Customer and the performance of Sitecore's obligations under the Agreement and this DPA (or as otherwise agreed by the Parties) and more fully described in Annex C.
4. Subprocessing
4.1 Authorized Subprocessors. Customer agrees that in order to provide the Services, Sitecore may engage Subprocessors to process Customer Data. A list of Sitecore's current authorized Subprocessors is found in Annex B . Sitecore maintains a current list of its Subprocessors on its website (https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0313167) and will post notifications of any new or replacement Subprocessors, prior to the use or replacement of Subprocessors. To receive these notifications by email, Customer can subscribe to our KB page.
4.2 Subprocessor Obligations. Where Sitecore authorizes any Subprocessoras described in Section 4.1:
(a) Restricted to a need-to-know: Sitecore will restrict the Subprocessors access to Customer Data only to what is necessary to assist Sitecore in providing or maintaining the Services, and will prohibit the Subprocessor from accessing Customer Data for any other purpose;
(b) Sitecore due diligence: Before any Subprocessor first processes Customer Data, Sitecore shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the same level of protection for Customer Data required by the Agreementand this DPA;
(c) Entry into written agreements: Sitecore will enter into a written agreement with the Subprocessor imposing data protection terms that places the equivalent data protection obligations as those set out in this DPA to the extent applicable to the nature of the services provided by such sub-processor, in particular providing appropriate technical and organisational measures that the processing will protect the Customer Data to the standard required by Data Protection Laws;
(d) Liability for Subprocessors: Sitecore will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Sitecore to breach any of its obligations under this DPA; and
(e) Objection Right for new Subprocessors: If Customer has a reasonable basis relating to privacy or data security to object to Sitecore’s use of a new Subprocessor, Customer shall notify Sitecore promptly in writing within 30 business days after such notice being made by Sitecore on its website of a new Subprocessor. In the event Customer objects to any new Subprocessor(s) on such grounds, Sitecore will use reasonable efforts to work in good faith with Customer to find an acceptable, commercially reasonable, alternate solution. If the Parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days from Sitecore’s receipt of notice of Customer’s objection), Sitecore will either not appoint or replace the Subprocessor or, if this is not possible, Customer may suspend or terminate the applicable Order for Services in respect only to the specific Services which cannot be provided by Customer without the use of the objected-to new Subprocessor, by providing written notice to Sitecore and without prejudice to any fees incurred by Customer prior to suspension or termination.
5. Security Measures and Security Incident Response
5.1 Security Measures. Sitecore has implemented and will maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data ("Security Measures"). The Security Measures applicable to the Services are set forth in Annex A as updated or replaced from time to time in accordance with Section 5.2. Customer is responsible for reviewing the information made available by Sitecore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws, taking into account the nature, scope, context and purposes of processing, the risks associated with the Personal Data and the Data Protection Laws.
5.2 Updates to Security Measures. Sitecore has implemented a procedure for the regular testing, inspection, assessment and evaluation of the effectiveness of Sitecore’s Security Measures. Accordingly, Customer acknowledges that the Security Measures are subject to technical progress and development and that Sitecore may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Such updates to the Security Measures will be made available to Customer upon its reasonable request.
5.3 Personnel. Sitecore shall take reasonable steps to ensure the reliability of any employee, agent, contractor or Subprocessor who may have access to Customer Data, ensuring that access is strictly limited on a least-privilege basis to those individuals who need to know or need to have access to Customer Data as is necessary for the provision of the Services under the Agreement. Further, Sitecore shall ensure that personnel with access to Customer Data are under an appropriate obligation of confidentiality and that such personnel have received appropriate data protection and security training pertaining to the responsibilities of their role.
5.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
5.5 Sufficient Evidence. Upon the reasonable request of Customer, Sitecore shall provide Customer with sufficient information to enable Customer to demonstrate that the necessary technical and organizational security measures (as further detailed in Annex A) have been implemented.
5.6 Security Incident Response. Upon becoming aware of a Security Incident, Sitecore will notify Customer without undue delay (and no later than 48 hours after becoming aware of the Security Incident) and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer including (i) details of the Customer Data compromised, including whether the Customer Data had been encrypted, hashed or otherwise rendered incomprehensible, inaccessible or unintelligible for unauthorized persons, (ii) information on the Data Subjects affected, such as categories and the number of Data Subjects affected, (iii) the categories and number of information data records affected, (iv) description of the nature of the unlawful disclosure, (v) identity and contact details of Sitecore’s Privacy contact, (vi) when the Security Incident took place (date or time period) and suspected cause, (vii) the likely consequences of the security incident, and (viii) any recommendations to minimize harm. Sitecore will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident. Sitecore shall provide reasonable assistance to Customer, in the event Customer is required under Data Protection Laws to notify a supervisory authority or any Data Subjects of a Security Incident. Sitecore reserves the right to charge Customer for this assistance should it become overly burdensome.
6. Reports and Audit
6.1 Upon Customer’s request, Sitecore will make available a statement from its Security Team containing all information necessary to demonstrate compliance with this DPA (a “Sitecore Report”) and any documentation pursuant to Section 10.1.
6.2 No more than once per year, Customer may conduct reviews of Sitecore’s documents and systems, by way of desk-based questionnaires and phone conferences with Sitecore personnel.
6.3 Notwithstanding the foregoing, Customer will have the right, at its expense, to conduct an onsite audit, only in the event that (a) Customer reasonably believes that Sitecore is out of compliance with this DPA, or (b) Customer is subject to a regulatory audit or government investigation or court order that includes the scope of this DPA. Any on-site audit will be conducted during normal business hours, at a date and time as mutually agreed between the Parties, and only if such an audit at Sitecore’s premises is necessary to prove facts or otherwise demonstrate applicable compliance that Sitecore cannot otherwise evidence through a Sitecore Report, questionnaires, phone conferences, third-party certification programs or third-party audit reports. Customer agrees that with respect to any Sitecore Confidential Information received in connection with such audit, Customer will be subject to the same confidentiality obligations as set forth in the Agreement.
7. International Transfers
7.1 Data Centre locations. Sitecore shall store Customer Data only in the Customer selected data centre (and as detailed on any applicable Order Form) locations unless notified otherwise.
7.2 Data Transfers. If applicable, Sitecore will at all times ensure that any Customer Data which is transferred is done so in compliance with adequate transfer mechanisms. Further, Sitecore will ensure that an adequate level of protection is provided for the Customer Data Processed, and that processing is done in accordance with the requirements of Data Protection Laws.
7.3 Data Transfer Mechanisms. The Parties agree that the Standard Contractual Clauses in Annex Dto this DPA shall be the adequate transfer mechanism pursuant to Section 7.3 above and apply to Customer Data that is transferred from the EEA and/or Switzerland to outside the EEA and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Laws). The parties agree that where the British Information Commissioner Office adopts an agreement that would be used as a safeguarding mechanism for restricted transfers of data covered by the UK GDPR, such as the International Data Transfer Addendum (IDTA), this must be used by the Parties together with the Standard Contractual Clauses to govern the handling and safeguarding of Customer Personal Data in line with the UK GDPR. This section only applies to the extent it is applicable.
8. Return or Deletion of Data
8.1 Return or Deletion of Customer Data. Sitecore will, upon termination or expiration of the agreement, within commercially reasonable time, delete or assist the customer with the deletion or return of data to the extent this is applicable to the services provided under this agreement. Upon termination of the agreement, Sitecore may retain Customer Data in a manner that restricts the processing solely to the extent that it may be necessary to comply with applicable law or regulation. This should not apply to Customer Data that has been archived on back-up systems, which Customer Data Sitecore shall securely isolate and protect from any further processing, except to the extent required by applicable law.
8.2 For Managed Cloud and Sitecore Content Hub Only. Upon termination or expiration of the Agreement, Customer may, within 30 days of the contract expiration date, require Sitecore to a) return a complete copy of all Customer Data to Customer, at Customer’s expense and within a commercially reasonable time, by secure file transfer in an industry-standard file format and/ or b) delete and procure the deletion of all other copies of Customer Data Processed by any Processor or Subprocessor, provided that Sitecore may retain Customer Data in a manner that restricts further processing solely to the extent that it may be necessary to comply with applicable law. Sitecore shall comply with any such written request within 30 days of the Agreement’s termination date.
8.3 For EXM Delivery Cloud only. Sitecore shall assist Customer with any deletion or return of data requests that are submitted to Sitecore’s EXM Subprocessor.
9. Privacy Rights
9.1 To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Sitecore shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement. In the case of complex or voluminous enquiries that can be managed by Customer through access within the Services but where Customer is requesting additional assistance beyond Sitecore’s compliance requirements, Sitecore reserves the right to charge Customer for reasonable expenses. In the event that any such request is made directly to Sitecore, a Sitecore Affiliate or any Subprocessor, Sitecore shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Sitecore is required to respond to such a request, Sitecore will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so, for example to preserve the confidentiality of an investigation by law enforcement authorities.
9.2 If a law enforcement agency sends Sitecore a demand for Customer Data (for example, through a subpoena or court order), Sitecore will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Sitecore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Sitecore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Sitecore is legally prohibited from doing so.
9.3 Sitecore shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer needed to fulfil any Customer obligation under the applicable Data Protection Laws to perform any data protection impact assessments. Sitecore shall, upon Customer request, provide reasonable assistance to Customer in any prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer under Data Protection Laws.
10. Privacy and Data Protection
10.1 Sitecore maintains a privacy program that includes dedicated resourcing, audit and review processes designed to implement appropriate privacy controls and procedures, including but not limited to:
(a) Designated individual: The designation of an employee or employees to coordinate, provide oversight and be responsible for the privacy program;
(b) Privacy risk assessments: The identification of reasonably foreseeable, material risks, both internal and external, that could result in unauthorized collection, use, or disclosure of Personal Data, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in (1) employee training and management, (2) product design, development, and research and (3) adequacy of security controls;
(c) Testing of Effectiveness: The design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, will be subject to and regular testing and monitoring of the effectiveness of those privacy controls and procedures; and
(d) Reviews: Sitecore will evaluate and adjust the privacy program to address any known change of circumstances that may have a material impact on the effectiveness of the privacy program.
11. Compliance with this DPA
11.1 Sitecore shall maintain appropriate documentation necessary to demonstrate Sitecore’s compliance with the terms of the Agreement (including certifications, independent audit report summaries and policy tables of content) and make such documentation, subject to redaction of non-relevant Confidential Information, available to Customer upon request.
11.2 Upon Customer request, Sitecore shall provide to Customer such copies of Sitecore’s agreements with Subprocessors referred to in Section 4 (which may be redacted to remove Confidential information not relevant to the requirements of this DPA) as Customer may request annually.
11.3 Each Party shall appoint an individual within its organisation authorised to respond from time to time to enquiries regarding the Personal Data and each Party shall deal with such enquiries promptly.
11.4 Sitecore shall make reasonable efforts to notify Customer if it becomes aware of any possible violation of, or inability to comply with, this DPA, Data Protection Laws or customer instructions.
12. Contact
12.1 Customer may contact Sitecore’s security team in relation to any security incident, notification or security question by emailing security@sitecore.com.
12.2 All other queries relating to this DPA should be directed to privacy@sitecore.com.
13. General
13.1 For the avoidance of doubt, any claim or remedies either party may have against the other party, any of its Affiliates and their respective employees, agents and Subprocessors arising under or in connection with this DPA, including any fines or damages payable under Data Protection Laws will be subject to the limitation of liability provisions (including any agreed aggregate financial cap) set forth in the Agreement.
13.2 Any claims against Sitecore or its Affiliates under this DPA shall be brought solely against the entity that is a Party to the Agreement. In no event shall any Party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.
13.3 No one other than a Party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
13.4 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
13.5 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
13.6 Upon termination of the Agreement, and the cessation of any Services to the Customer, the respective rights and obligations of the Parties shall survive until Customer Data is deleted.
13.7 The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA shall remain in full force and effect.