SITECORE TRUST CENTER
Trust Center FAQ
Like all globally engaged companies, Sitecore took a number of steps to implement the various requirements of the General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA) and evolving global privacy laws into Sitecore’s business. This meant building our privacy, security and data governance teams and continuing to build our data strategy to ensure a robust data model for continuing adherence beyond the May 25th 2018 implementation dates of new laws.
These steps included:
- Building an accountable privacy team: With a Data Governance Committee comprised of Sitecore C-suite members from the Legal, HR, Finance, Marketing, Customer Operations, Product, and Sales teams, and supported by a Steering Group, Sitecore has implemented top-down awareness of our privacy and data governance framework to ensure accountability in all of our business processes.
- Organizational measures: We reviewed our internal processes to ensure that we have improved internal guidelines and thresholds on who we work with and engage as vendors, reviewing our contracts to ensure that appropriate contractual mechanisms are in place before sharing data, implementing structures that incorporate privacy by design in our product review cycles and establishing protocols for responding to data subject requests.
- Technical measures: We have improved our internal security measures to ensure greater asset management and encryption on portable devices, as well as updating our internal security policies to deal with new legal requirements. Refer to the Trust Center security page for more information on Sitecore’s security framework.
- Reviews: We have built into our business model reviews and audits to ensure that we continue to assess
The International Organization for Standardization (“ISO”) is an independent, non-governmental international organization that creates and develops global standards.
Sitecore has recently obtained a number of ISO certifications, detailed on the Trust Center security page.
ISO 27001 is a security standard that governs an organization’s Information Security Management System (ISMS) and mandates specific requirements in the implementation, monitoring, maintenance and continuous improvement of the ISMS.
ISO 27017 is a security standard that provides guidance on the information security aspects of cloud computing. Sitecore uses this standard to supplementing the ISO 27001:2013 standard with cloud-specific controls that are applied to its public cloud environment.
ISO 27018 is a code of practice that focuses on protection of personally identifiable information (PII) in the public cloud. By providing cloud services, Sitecore acts as a data processor to its customers. Sitecore uses ISO 27018:2014 standard in order to protect the PII that it processes for its customers
These standards are internationally recognized and demonstrates to our customers, partners and vendors that we have adopted best practices to manage the infrastructure of Sitecore’s ISMS and cloud offerings
To contact Sitecore’s support team, please submit your support ticket via the Sitecore Support Portal at: support.sitecore.net.
Whether Sitecore is a Processor or Controller (as defined by applicable laws) will depend on your relationship with Sitecore and the purpose for which the data is being processed. Generally however, when Sitecore is entering into a relationship with our customers, Sitecore is a processor of personal information and a controller of Other Information. This will be detailed in the applicable Order Form or Agreement with Sitecore. When Sitecore is gathering the information on our website or for marketing activities, Sitecore is generally a controller of data.
Under the CCPA, a “sale” means providing to a third party personal information for valuable consideration. It does not necessarily mean money was exchanged for the transfer of personal information. Based on our current understanding of the CCPA, we do not “sell” your personal information as defined in the CCPA. We will continue to monitor the regulations and clarifying guidance once available so that we can evolve our update our business practices as may be appropriate. If you have any questions on this, please reach out to [email protected].