SDL Privacy Policy Cloud Services

Similar documents
Google Cloud & the General Data Protection Regulation (GDPR)

SECURITY & PRIVACY DOCUMENTATION

Data Processing Agreement for Oracle Cloud Services

HPE DATA PRIVACY AND SECURITY

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Data Processing Agreement

DATA PROCESSING TERMS

ADIENT VENDOR SECURITY STANDARD

Workday s Robust Privacy Program

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

Data Processing Agreement

German Data Processing Addendum MailChimp

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Policy Effective May 25 th 2018

Data Processing Clauses

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Version 1/2018. GDPR Processor Security Controls

Eco Web Hosting Security and Data Processing Agreement

DATA PROCESSING AGREEMENT

EU-US PRIVACY SHIELD POLICY (Updated April 11, 2018)

Customer EU Data Processing Addendum

Protecting your data. EY s approach to data privacy and information security

SOC 3 for Security and Availability

DATA PROCESSING AGREEMENT

Data Processing Amendment to Google Apps Enterprise Agreement

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

TechTarget, Inc. Privacy Policy

Security Principles for Stratos. Part no. 667/UE/31701/004

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Emsi Privacy Shield Policy

Baseline Information Security and Privacy Requirements for Suppliers

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Data Processing Agreement

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Data Security and Privacy Principles IBM Cloud Services

OSIsoft PI Cloud Services Privacy Statement

EU Data Protection Agreement

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

General Data Protection Regulation

Employee Security Awareness Training Program

Data Protection Policy

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

2. Who we collect information (data) from & why we collect it

A company built on security

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

Site Builder Privacy and Data Protection Policy

Online Ad-hoc Privacy Notice

Saba Hosted Customer Privacy Policy

Checklist: Credit Union Information Security and Privacy Policies

Plus500UK Limited. Website and Platform Privacy Policy

Motorola Mobility Binding Corporate Rules (BCRs)

ETSY.COM - PRIVACY POLICY

Twilio cloud communications SECURITY

INFORMATION ASSET MANAGEMENT POLICY

Overview of Akamai s Personal Data Processing Activities and Role

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

SANMINA CORPORATION PRIVACY POLICY. Effective date: May 25, 2018

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Privacy Shield Policy

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

Whitepaper on EU Data Protection October 2014

GDPR: A QUICK OVERVIEW

SAFE-BioPharma RAS Privacy Policy

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

WORKSHARE SECURITY OVERVIEW

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Juniper Vendor Security Requirements

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018

This website is managed by Club Systems International on behalf of the Hoburne and Burry and Knight Groups.

Privacy Policy. You may exercise your rights by sending a registered mail to the Privacy Data Controller.

Magento GDPR Frequently Asked Questions

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Cybersecurity Considerations for GDPR

PRIVACY POLICY QUICK GUIDE TO CONTENTS

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Smart Software Licensing tools and Smart Account Management Privacy DataSheet

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

1. Muscat & Co Mortgage Solutions Ltd - Privacy Notice

EU General Data Protection Regulation (GDPR) Achieving compliance

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Act CXII of 2011 on the right to information self-determination and freedom of information. Act ;

PS Mailing Services Ltd Data Protection Policy May 2018

Learning Management System - Privacy Policy

Subject: Kier Group plc Data Protection Policy

Subscriber Name: Title: CEO. Business Name: Date: Address:

Oracle Data Cloud ( ODC ) Inbound Security Policies

Privacy Policy. Effective as of October 5, 2017

Data Processing Agreement

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY

Transcription:

SDL Privacy Policy Cloud Services Software-As-A-Service Products Version 11-04-2017 v1.4 SDL plc Globe House Clivemont Road, Maidenhead SL6 7DY England www.sdl.com SDL Tridion Infrastructure

Summary This privacy policy is an appendix to the Master Subscription Services Agreement to give clients insight into security measures SDL has in place to assure confidentiality, integrity and availability of client s information. The policy is based on industry best practices, and fulfills an important role in executing the European Data Protection Directive. In addition to this policy, a Data Processing Agreement as necessary can be added as an Addendum, for our European customers for which SDL processes information. Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 2

Table of contents Version Management... 4 Version history... 4 Approval... 4 1. 2. 2.1. 2.2. 2.3. 2.4. 2.5. 2.6. 2.7. INTRODUCTION... 5 PRIVACY POLICY... 5 DEFINITIONS... 5 SCOPE AND CATEGORIES... 6 Locations and 3 rd party service provider... 7 DATA TRANSFERS... 8 DATA SECURITY... 9 Platforms and Infrastructure management... 9 Managed services department... 10 MONITORING... 11 DATA BREACHES... 11 DATA PROCESSING AGREEMENT... 12 Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 3

Version Management This document can be obtained from the author. Version history Version Date Author Distribution 0.0 initial document 06-08-2014 Security SDL Internal 0.1 08-08-2014 Security 0.2 21-08-2014 Security 0.9 15-09-2014 Security 1.0 03-10-2014 Security 1.1 30-10-2014 Security 1.2 15-10-2015 Security 1.3 24-11-2016 Data Privacy 1.4 11-04-2017 Data Privacy SDL Internal SDL Internal SDL Internal SDL Internal SDL Internal Publically Publically Publically Approval This document requires the following approval: Department Cloud Services Title/Position Director, Cloud Operations Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 4

Legal Maidenhead Head of Group Legal Services 1. 2. Introduction This Privacy Policy is incorporated into the Master Subscription Services Agreement (MSSA) for SaaS products. The purpose of the policy is to provide Clients with insight into the security measures SDL have in place to protect their information. Details on how SDL employees handle personal Client information are set out in security policies and procedures. These documents are classified as SDL Internal and therefore only available for SDL representatives. In addition to this Privacy Policy for Cloud Services information about collecting, processing or handling personal information can be found on SDL s corporate website (www.sdl.com/aboutus/privacypolicy.html). Privacy Policy This Policy applies to SaaS Products. The policy describes the level of privacy and data protection SDL undertakes to maintain for the security of data during data processing. This policy covers all SDL Core Products available via SaaS. In terms of the Data Protection Directive, SDL operates as a Data Processor of data, for which the Client is the Data Controller. This policy shall be deemed to take effect from the Effective Date of the Master Subscription Services Agreement and shall continue in full force and effect until the termination of the Agreement or return of all information assets to the Client or deletion of the data has occurred. In respect of data protection SDL processes in the capacity of data processor, the Client is the data controller and will remain so at all stages of processing. 2.1. Definitions Terms in the Master Subscription Services Agreement shall have the same meaning when used in this privacy policy. In addition, definitions below apply in the document. Client The customer who purchases Services from SDL, listed on the executed Master Subscription Service Agreement DPD (Data Protection Directive) Means the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 5

Data subject Data controller Means any identified or identifiable natural person as defined in the DPD Organization that determines the purpose and means of the processing of Personal Data, having the ability to decide how Personal Data is collected, used, altered and disclosed. Individual or organization that processes Personal Data on behalf of the Data Controller. Data processor Personal Data SaaS Products Means personal data as defined in the DPD that the Data Processor (SDL) processes on behalf of Data Controller (Client) in connection with the Master Subscription Services Agreement The Service SDL will provide is provision, management and service delivery of specific SDL Products by SDL, or on behalf of SDL, in a SaaS environment, with related information storage capability for the use of the Licensee, provided solely for storage of data used in the product or generated through use of the product. 2.2. Scope and Categories This policy describes the, processing of personal data in Services and SaaS products offered by SDL as Data Processor. SDL s default position is that processing of personal data in the SaaS products is prohibited (see Acceptable Usage Policy in Master Subscription Services Agreement Schedule B). However, it is recognized that in some cases Clients do require the ability to process personal data. When required, such processing will be contractually agreed. The details on processing of personal data are provided below for information as applicable. The Software applications are offered as a service and will potentially collect (collection occurs in respect of authentication and usage but also in respect of client data in limited and strictly defined conditions restricted to named applications), process and use personal data. The Data Controller determines the purpose for which the data is processed, initiates and controls the processing. SDL provides or configures the Software to enable the Software to perform such processing in accordance with the Client s instructions. SDL shall not use the personal data for any other purpose than those agreed with the Client. The table below lists the Software and whether the Software processes/stores personal data. (Note: in all instances the security applied will be the standard of security SDL describes in this Policy) Software Web Content Management Processes Personal Data for Data Controller Personal Data could be stored in Web at the Client s option, as contractually agreed. Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 6

Software Customer Journey Analytics Digital Media Management BeGlobal Language Cloud TMS and WorldServer Groupshare Knowledge Center MultiTerm Processes Personal Data for Data Controller Personal Data is processed and stored. Processing of Personal Data is possible at the Client s option, as contractually agreed. Processing of Personal Data is possible at the Client s option, as contractually agreed. Processing of Personal Data is possible at the Client s option, as contractually agreed. Processing of Personal Data is possible at the Client s option, as contractually agreed. Processing of Personal Data is possible at the Client s option, as contractually agreed. It is not anticipated Personal Data will be processed. It is not anticipated Personal Data will be processed. Note in respect of all Software: i. All services, applications and components will collect Personal Data based on service usage. This (technical) log-information is collected only for systems administration, troubleshooting and fraud monitoring purposes. Log-information will not be disclosed outside of the SDL Group of companies. ii. Authentication data provided to SDL to enable access to the Software either for administrative purposes or processing may contain Personal Data which is only obtained for the purpose of authenticating access to the Software. The nature of the data, which the Service can be used to transmit or disseminate, is restricted and varies by product. The details of the restriction appear in the Acceptable Usage Policy at Schedule B of the MSSA. Locations and 3 rd party service provider SDL uses third party service providers for its infrastructure and platform services. All SDL service providers follow the highest industry standards (for example certified on ISO27001 or SSAE 16 SOC 2) on physical and information security. The table below describes the subcontractors used for hosting services and their datacenter locations for data storage. Backups of databases containing Personal Data are stored in a backup location for business continuity purposes. Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 7

Data Centre Location Service Provider Certification Software Location/Type of Back-Up San Jose (USA) NTT ISO 27001 SSAE 16 SOC 2 Groupshare Knowledge Center MultiTerm TMS WorldServer BeGlobal Language Cloud Slough (UK) Slough (UK) NTT ISO 27001 Groupshare MultiTerm TMS WorldServer Knowledge Center San Jose (USA) From May 2017 Germany Denver CO (USA) Fortrust (Note: being migrated to AWS expected to be SSAE16 SOC Customer Journey Analytics Off-site storage tapes. of completed end of April) Region EU Region JP Region US Amazon ISO 27001 SSAE16 SOC 1, 2 and 3 EU-US Privacy Shield Web Content Management Worldserver Digital Media Management Customer Journey Analytics Amazon Akamai Digital Media Management Services generate log-information, which is stored and processed at the same datacenter as the service is running. SDL employees undertake all application and system administration together with third party service providers of their element of the infrastructure. As part of Services delivery, employees may process personal data on behalf of the Client (Data Controller). 2.3. Data transfers Electronic offsite backups as described above are transferred between different SDL datacenters provided and managed by the same third party, such transfers are take place over a private link between the data centers. SDL has entered into appropriate contractual arrangements with such providers to ensure adequate protection of personal data. Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 8

Data is not transferred or shared between different SDL customers. SDL Inc. and its subsidiaries and affiliates complies with the EU-US Privacy Shield as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. SDL Inc. has certified that it adheres to the EU-US Privacy Shield Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. Within 42 days of termination of the Agreement, SDL will securely delete Client s data. When agreed, SDL can provide a copy of Client s data to Client, (SDL reserves the right to charge a fee), after which Client s data will be securely deleted in accordance with policies. If SDL receives a demand from a law enforcement agency to disclose Client s Personal Data or Personal Data provided by the Client, where possible, SDL will direct the law enforcement agency to Client, providing the Client s basic contact information. SDL will inform Client, unless prohibited, of a law enforcement agency s request to access personal data. If SDL is compelled to disclose data, SDL will comply with the obligation to disclose and unless prohibited inform Client afterwards. SDL s legal department will consider any such requests received and determine SDL s response. 2.4. Data security For security of personal data a layered architecture is implemented which facilitates different platform, infrastructure, and/or application layers. The following paragraphs give Clients an overview of security measures. Physical Security For platforms and infrastructure, SDL uses IaaS and PaaS services from NTT, Amazon Web Services, Akamai, and/or Fortrust. These companies comply with highest industry standards (ISO 27001 and/or SSAE 16 SOC2) for both information security and physical security. Platforms and Infrastructure management All data in transit over public networks is secured by use of encrypted protocols (e.g. HTTPS, SFTP, etc.). Communication between components in different locations (i.e. source and destination) traverses SDL firewalls. All communication between end-users and services is secured with encrypted communication. Independent and trusted 3 rd party digital certificates are used on services to prove integrity and identity of the service. Infrastructure and platforms are periodically tested for vulnerabilities, by industry standard vulnerability assessment tests. Besides testing, SDL services are secured by anti-virus and antimalware software (where required and security risks are identified). Updates to operating Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 9

systems, anti-virus, anti-malware and applications are installed via a patch and release management process on a regular basis. Multifactor authentication on management interfaces is active for system administration at Amazon Web Services. System administrators follow policies and guidelines when administering systems containing Personal Data. These policies are part of the SDL Security Program and updated regularly. As part of ISO 27001 certification controls are implemented in certain parts of the organization (see below). ITIL processes are implemented within the Cloud Operations and Service Delivery department for incident, change and release management. Managed services department As a part of managed services, SDL employees access to Client data including Personal Data is restricted. Only the Cloud Operations and Service Delivery teams can perform management of the Services during which they will have access to the Personal Data stored. These employees receive additional training on handling personal and/or Client data. In any event processing of any Personal Data is only performed on behalf of the Client as described in the Master Subscription Services Agreement. Privacy and security awareness within SDL a) Privacy Training Within the Cloud Operations and Service Delivery teams, all employees receive both mandatory privacy and security awareness training throughout the year. Different topics are covered, with content mapped to the job role of the employee. This training is undertaken in addition to the annual general security awareness training. Attendance and effectiveness is monitored and tracked for audit purposes. b) Information Security Team A Global Information Security is responsible for the security strategy of SDL. Together with an Information Security in the NASA region, SDL's Security Program is maintained and improved. Both security officers are certified against industry recognized security organizations. To execute the security program a security engineer performs security tests and works with the Development and Operations teams to implement the security program. c) Data Privacy SDL s Data Privacy is part of the Information Security, Privacy and Compliance Team. He is responsible for management of the confidentiality and integrity of Personal Data within the SaaS products. He implements and maintains the privacy policy. The Data Privacy must hold or be working towards a Certified Information Privacy Professional European Union (CIPP-E) and Certified Information Privacy Professional United States (CIPP-US) certification and should attend training and conferences to keep knowledge up to date. Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 10

d) Lead information Security Auditor The security program is monitored by SDL's Lead Information Security Auditor, who performs the internal and supplier audits against the ISO 27001 standard. All these roles work closely to ensure the confidentiality, integrity and availability of Personal Data is maintained. 2.5. Rectification and Data Subject Requests Rectification, deletion and blocking of data: The accuracy of the data is the Client s responsibility. Any request from a Data Subject directly to SDL, will be directed to the Client and SDL will provide the Data Subject with basic contact information for the Client. As SDL is not involved in the processing of the detail of the data, SDL does not anticipate undertaking any rectification, deletion and blocking of data, which is the responsibility of the Client. However, if Client does require SDL to undertake such rectification, deletion and blocking of data, SDL will undertake such work upon agreement with the Client of a Statement of Work and SDL being paid for the work undertaken at the then prevailing SDL Professional Services rate. Please note, that where the removal of such data means the contractually agreed upon activities between SDL and Client cannot be performed, or puts other individual personal data at undue risk for exposure, SDL retains the right to deny the request. A formal description of reasoning can be supplied upon request. 2.6. Further Information Contact If there is any question, comment, or concern about this Privacy Policy, please contact us as follows: SDL PLC Globe House Clivemont Road Maidenhead SL6 7DY United Kingdom Attention: Data Privacy Tel: +44 (0) 1628 760610 Fax: +44 (0) 1628 760611 Email: privacy@sdl.com 2.7. Data breaches A Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provision of a service provided by SDL. Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 11

SDL s service desk will inform Client via e-mail as soon as possible after detection of an actual or suspected Personal Data breach. Additionally, SDL will notify appropriate Regulatory bodies, where applicable and required under applicable law. In the event criminal activity is known to have occurred or suspected to have occurred SDL will notify the appropriate Police Authorities. SDL reserves the right to delay notification under any contractual agreement in the case where law enforcement is investigating the breach, or when the delay is necessary to restore the reasonable integrity of the information system. 2.8. Data processing agreement For all Clients controlling data of European Economic Area and Swiss citizens, SDL can offer a data processing agreement with applicable Standard Contractual Clauses. 2.9. SDL ISO Accreditation: At the date of the latest version of this document, SDL s accreditation extended to the following: ISO 27001:2013 Locations: Maidenhead Sheffield Products: SDL TMS SDL WorldServer SDL Knowledge Center SDL Web SDL is constantly reviewing the scope of the ISO accreditation adding further locations and products over time. Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 12

About SDL SDL (LSE: SDL) allows companies to optimize their customers experience across the entire buyer journey. Through its web content management, analytics, social intelligence, campaign management and translation services, SDL helps organizations leverage data-driven insights to understand what their customers want, orchestrate relevant content and communications, and deliver engaging and contextual experiences across languages, cultures, channels and devices. SDL has over 1,500 enterprise customers, over 400 partners and a global infrastructure of 70 offices in 38 countries. We also work with 72 of the top 100 global brands. Copyright 2014 SDL plc. All Rights Reserved. All company product or service names referenced herein are properties of their respective owners. Privacy Policy V1 2 SAAS Policy V14 Final.Docx.3 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback