The following is a description of the processing activities carried out by Sitecore while acting as a Data Processor on behalf of the Customer, who is the Data Controller. Note that the exact nature of the categories of Personal Data processed using Sitecore’s products will depend on the Customer’s usage of the products.
Definitions:
“Consumer”: for the purposes of this description of processing a “Consumer” refers to “Data Subject” or “Data Subjects”, as defined in the DPA, who consume the products or services offered by the Sitecore Customer identified in the DPA and or the Agreement.
“User”: This means a Sitecore Customers’ employee or authorized third party accessing Sitecore’ SaaS or PaaS products.
| Details of Data Processing |
| Categories of Data Subjects whose Personal Data is transferred |
Customers, Users |
| Categories of Users’ Personal Data Processed |
- Contact Information (e.g., name, email)
- Account and Authentication Data (e.g., username, passwords, session tokens)
- Usage Data (e.g., device IDs, performance and network logs, IP addresses for security)
- Behavioural - Information that describes a User’s behaviour or activity, captured through Users operation of Sitecore Product
- Location data – Geolocation data, country, region, time zone captured through User’s operation of Sitecore Products
|
| Categories of Consumers’ Personal Data Processed |
- Contact Information (e.g., name, phone number, email, username)
- Account and Authentication Data (e.g., passwords, session tokens)
- Usage Data (e.g., device IDs, performance and network logs, IP addresses for security)
- Behavioural - Information that describes a Consumer’s behaviour or activity, captured through Consumer’s engagement with Customer’s deployment of Sitecore’s product(s).
- Preference - Information about a Consumer’s preferences or interests, opinions, intentions, captured through Consumer’s engagement with Customer’s deployment of Sitecore’s product(s). Transactional – Information about a Consumer’s purchases of Customers product(s) and/or service(s) captured through Consumer’s engagement with Customer’s deployment of Sitecore’s product(s).
- Location data- Geolocation data, country, region captured through Consumer’s engagement with Customer’s deployment of Sitecore’s product(s).
|
| Data Controller/ Data Processor roles |
Sitecore is the Data Processor. Customer is the Data Controller. |
| Sensitive data transferred? |
Sitecore does not knowingly collect (and Customer or Users shall not submit or upload) any special categories of data (as defined under applicable Data Protection Laws and Regulations). |
| Nature of the Processing |
- Use of Personal Data to set up, operate, monitor, and provide the Services
- Storage of Personal Data in dedicated data centers.
- Release, development and upload of any fixes or upgrades to Services.
- Back up and restoration of Personal Data stored in the dedicated data centers and Cloud Service.
- Computer Processing of Personal Data, including data transmission, data retrieval, data access.
- Network access to allow Personal Data transfer.
- Monitoring, troubleshooting, and administering the underlying Cloud Service infrastructure and database.
- Security monitoring, network-based intrusion detection support, penetration testing.
- Execution of instructions of Customer in accordance with the Agreement.
- Deletion and disposal of Customer Data
|
| Purpose of the data transfer |
Supporting and enabling Sitecore’s services for the Customer, in accordance with their specific instructions, while ensuring data security, integrity and availability. |
| Duration of Processing |
Sitecore will Process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing with the Customer. |