ARIBA DATA POLICY AND PRIVACY STATEMENT
(Referred to as the "Ariba Data Policy")






This document describes Ariba's policy for handling, processing, storing, and otherwise treating transactional and other data of Ariba Customers (which may be referred to as "you" or Buyer Organization throughout this document), the data of Suppliers (referred to as "you" or "Supplier" in this document), and data associated with individual users and employees of the Buyer and Supplier organizations (collectively and individually also referred to as "you" and "your" elsewhere in this Data Policy) when sent to Ariba as part of your use of the Solution.



CONTENTS
Definitions
Transaction Data Handling

  • Data Use By Ariba
  • Business Contact Information
  • Promoting Your Organization
  • Transaction Data and Third Parties
  • Ariba's Commitment to Data Security

Personal Information Data Handling and Privacy

  • Personal Information
  • Use of Personal Information by Ariba
  • Other Corporate Entities
  • Consent
  • Transfer
  • Correcting Account Information (Exercising Your Right to Access Personal Information)
  • Disclosure by Ariba to Third Parties
  • Security
  • Data Retention
  • Changes
  • Safe Harbor Program

Questions (including TRUSTe Statement)
Miscellaneous



Definitions


"Solution" means the following services (if actually transacted for and paid for by the Ariba Customer):

1) the Ariba Supplier Network ("ASN") (including the "Supplier Connectivity" offering) (https://service.ariba.com),

2) the Ariba hosted On-Demand Basic and On-Demand Professional offerings (also called "Ariba Technology Features", "Ariba OnDemand Solutions", or "Ariba Application Services") (https://s1.ariba.com),

3) project management, market execution, and strategic procurement services provided by Ariba's global sourcing team ("Ariba Sourcing Services") (https://www.sourcingservice.com), and

4) Ariba Hosting Service(s) (accessible via customer-specific URLs).



"Trading Partner" means an entity with which you or your company transacts using the Solution.

Ariba Customers may be referred to as "you" or "Buyer" or "Supplier" throughout this document. Individual users of the Solutions (whether employees of the Buyer or Supplier organizations) collectively and individually may also be referred to as "you" and "your" throughout this document.

When using the Solution, Ariba collects information that you, your employer, or a Trading Partner, or other data sources send to the Solution (such as internet-protocol addresses, transaction-related data, and user account information). This data is addressed below in two categories, Transaction Data (as defined below) and Personal Information (data that can identify an individual or that is associated with the identity of an individual).



Transaction Data Handling
Ariba understands the sensitive nature of the transaction data you or your organization may provide while using the Solution. Transaction Data may include information you provide to Ariba or your Trading Partners during the registration, cataloging, displaying, sourcing/negotiating, ordering process, or through any e-mail or other communication sent by you to the Solution as well as other information that you store within the Solution. It may also include data of transactions sent by your Trading Partners to you via the Solution or by you to your Trading Partners via the Solution. Transaction data may include Personal Information addressed more specifically below. You agree that your Transaction Data will not include information regulated under the International Traffic in Arms Regulations (U.S. government regulations addressing defense-related articles and services).



Data Use by Ariba
Ariba will treat your Transaction Data as confidential information and will use it only to: facilitate operation of the Solution and its related services; enhance your use of the Solution and its related web pages; perform internal tracking and Solution improvement; analyze the extent to which you use the Solution (e.g., the volume and history); enable us to contact you; and process your transactions through the Solution.

Ariba may use the bidding information submitted by Suppliers in the course of Ariba Sourcing Services projects to determine general price trends in various supply industries, to create predictive analyses useful for estimating likely market prices, and to evaluate suppliers appropriate for inclusion in future spend management projects in similar markets. Ariba may also use such bidding information in the publication of "high level" sourcing project results, provided that such publication (i) does not directly or indirectly identify Supplier or Buyer by name or provide a third party with sufficient information to allow a third party to identify Supplier or Buyer, (ii) is aggregated with data from at least four (4) comparable suppliers from a single project, (iii) does not specifically identify Supplier's products or services, or the prices of those products or services, and (iv) does not identify Supplier as a participant of any specific project.

If you are a Supplier that objects to submitting transaction data to your Trading Partner via the Solution, please contact the Trading Partner directly to investigate options (e.g. submitting information outside of the Ariba Solution, using anonymous contact information, etc).



Business Contact Information
When a representative of a Buyer or a Supplier organization creates a business account on the Solution, Ariba asks for the name and contact information for an Account Administrator. The Account Administrator's information will be used by Ariba to contact the company with notices, service offerings and Solution administration purposes. If you so choose, your organization may provide additional contacts. Depending on the Solution and the visibility choices selected by you or your company, your user names, phone numbers, and email addresses and other profile information may be visible to other Buyers and Suppliers using the Solution. For example, Suppliers using the Ariba Supplier Network may choose to have their contact information visible only to certain Buyer organizations or to all Buyer organizations.

You should submit only publicly available business contact information. Individual contact information submitted to the Solution should not include private home contact information. You agree not to enter sensitive government ID numbers associated with individual persons (e.g. U.S. Social Security numbers) into the Solution or to send documents over the Solution containing such identifiers. Individual names and personal information associated with an individual are addressed below as "Personal Information."



Promoting Your Organization
You may be given the opportunity to advertise your organization to other users. In addition, other users of the Solution may conduct a search on the Solution by using various criteria (e.g., information in your organization profile or other information you select to be made visible to or searchable by other users) and find your organization. In the interest of promoting suppliers to buyers, Ariba may supplement Supplier profiles with data from Ariba systems or by allowing others to provide feedback on your organization (similar to eBay's™ buyer/seller feedback system). If you so choose, you will be able to opt out of disclosing certain types of this organizational information.



Transaction Data and Third Parties
In using the Solution, you understand that Ariba will send your Transaction Data to your Trading Partners (or others that you or your Trading Partners authorize) and Ariba service providers in order to facilitate your transactions. Your Trading Partner may access statistical reports on your trading history with that Trading Partner, and determine whether you are enabled with other trading organizations. In addition, high level statistical reports relating to the Solution may utilize Transaction Data, so long as such reports contain data only in anonymous, aggregated form so as not to identify your company or any specific Transaction Data, and such reports may be reported publicly.



Ariba's Commitment to Data Security
The Ariba Supplier Network (ASN) application and the shared service offerings of Ariba Category Management (ACM), Ariba Enterprise Sourcing (AES), Ariba Analysis, Ariba Spend Visibility, Ariba Procure to Pay (P2P), Ariba Travel and Expense, and Electronic Invoice Presentation and Payment (EIPP) applications have been audited for compliance against the WebTrust Standards for Availability, Confidentiality, Processing Integrity, and Security. Information about Ariba's participation in the WebTrust Program can be found at http://www.ariba.com/legal/ariba_webtrust.cfm. General information on the WebTrust Program can be found at http://www.webtrust.org.

Ariba takes steps to appropriately safeguard credit card and remittance information using recommended industry encryption methods. We've designed our services so that these categories of information can only be viewed from within the Solution. We offer you the use of roles to limit access to the users with a need to see such information. Please see our Security Disclosures (located in the footer from each Solution) for additional information about the measures Ariba takes to address the security of the Solution.



Personal Information Handling and Privacy

Personal Information
"Personal Information" is a person's name and information associated with his or her personal identity as opposed to information associated with a business. Personal Information, such as name, business address, business email, and individually used corporate credit card number, may be required for use of some features of the Solution, such as Ariba's Travel and Expense service. If you do not want to provide Personal Information to Ariba or wish to have Ariba remove your Personal Information from the Solution, please contact your employer's Ariba Account Administrator to find out if there is an optional way for you to perform the applicable business function without submitting Personal Information.

If you are an Ariba Customer, you may have the ability to use the Solution to track which of your Trading Partners have special ownership status or meet certain other criteria. If you object to submitting this summary information to your Trading Partner via the Solution, please contact the Trading Partner directly to investigate options.



Use of Personal Information by Ariba
Ariba will treat your Personal Information as confidential information and will use it only to: facilitate operation of the Solution and its related services; enhance your use of the Solution and its related web pages; perform internal tracking and Solution improvement; enable us to contact you; process your transactions through the Solution (including use of templates and document creation); and analyze the volume and history of your Solution usage. Some of our Solution areas utilize cookie technology for these same purposes. You may configure your browser to reject cookies, but this may affect your ability to utilize our Solution to the same extent as a user who accepts cookies. We do not link the information we store in cookies to Personal Information you submit while using the Solution.



Other Corporate Entities
Ariba may share Personal Information with our global affiliates, parent, subsidiaries, agents and integrated service providers ("Affiliates") that cooperate to provide the Solution and related services to you, throughout the world. Our Affiliates follow practices no less protective of all users of the Solution than our practices described in this Data Policy, to the extent allowed by applicable law. If Ariba and/or its Affiliates were to one day merge with or be acquired by another business entity, you should agree that Ariba may share some or all of your Personal Information in order to continue to provide the Solution. You will receive notice of such an event (if it occurs) and we will require that the new combined entity follow the practices disclosed in this Data Policy.



Consent
By submitting Personal Information to the Solution, you are consenting to Ariba's collection, processing, storage, and use of that information in accordance with this Data Policy. Before providing, or allowing an employee to provide, Personal Information to the Solution, you need to obtain that individual's consent for the collection, transfer, processing, and use of that information in accordance with this Data Policy (as well as the Terms of Use for the Ariba Supplier Network, if you utilize the ASN).



Transfer
The Solution is primarily located in and operated from the United States. The Controller of personal data processing through the Solution is Ariba, Inc. headquartered at 807 11th Avenue, Sunnyvale, CA 94089. By submitting data to the Solution, you consent to having such data transferred to the United States and other Solution operation locations selected by Ariba, and Ariba's authorized service providers. Ariba Affiliates controlled by Ariba, Inc. are located inside and outside the European Economic Area. Any transfer of Personal Information from the European Economic Area to Ariba Affiliates located in countries outside the European Economic Area, which may not provide for an adequate level of data protection within the meaning of the European Data Protection Directive, will be subject to a confirmation by Ariba that adequate safeguards are in place and a so-called data transfer agreement based on standard contractual clauses, as approved by the European Commission.



Correcting Account Information (Exercising Your Right to Access Personal Information)
You have a right to access and modify your Personal Information and to delete your Personal Information, subject to constraints identified below. To exercise these rights, Ariba has procedures to allow you to update Personal Information in a timely manner. In most Solutions, the administrative contact for your company can directly change most contact information by logging on to the Solution and managing your account profile directly. For certain Solutions, changes may be requested by calling Ariba customer support.

Deletion of your Personal Information may require approval by your employer (e.g. expense report data) and may require Ariba assistance. Some requests to delete data must be made to Ariba through the administrative contact for your company.

Ariba may refuse to give access to the Solution for legitimate reasons including delinquent payments on the account, a legal dispute, or security concerns. If you are unable to correct, update, or delete your personal information due to the fact that you are no longer an employee of the business that is the account holder, or your account has been terminated, you may contact the Ariba Privacy Coordinator at the address provided below. In each case, Ariba will take reasonable measures to accommodate your request or respond in writing with the legal basis for denying the request within thirty (30) days.



Disclosure by Ariba to Third Parties
Ariba does not provide your Personal Information to third parties, except as described elsewhere in this policy and in our contracts with our Customers, unless (1) you request or authorize it; (2) such disclosure is necessary to process transactions or provide services which you have requested (e.g., PCARD processing with credit card companies or settlement services with banks, or employee travel reservations via an integrated travel services provider); (3) Ariba is compelled to do so by a governmental authority, regulatory body, or under subpoena or similar governmental request or to establish or defend a legal claim; or (4) the third party is acting as our agent or sub-contractor in performing services (e.g., Ariba's use of a third party telecommunications provider).



Security
Ariba uses industry standard security measures to protect Personal Information from unauthorized disclosure. Please see our Security Disclosure for information about the measures Ariba takes to address the security of the Solution and the protection of your Personal Information. Information about Ariba's participation in the WebTrust Program can be found at http://www.ariba.com/legal/ariba_webtrust.cfm. General information on the WebTrust Program can be found at http://www.webtrust.org/.

Data Retention
Ariba will retain Personal Information in active databases for varying lengths of time depending upon the specific Solution, type of data, and applicable law. The policy regarding data retention for each Solution is set forth in the documentation or terms for each Solution. Consistent with Ariba's backup and storage procedures and due to the close integration of data with the Solution, Personal Information might be stored by Ariba in backup logs and files for the duration necessary for legal requirements or the purposes described in this policy. However, Ariba makes no commitment to indefinitely store such data. During your subscription to the Solution, you will be able to access your Personal Information for a certain period based on the particular Solution that you purchased and the policies for the Solution and we suggest that inquiries be directed through the administrative contact for your company and directed to the Ariba Privacy Coordinator at the address designated below.



Changes to this Policy
From time to time Ariba will need to make changes to this policy. Some of the changes will be in response to changes in applicable laws and regulations. In addition, as Ariba adds new features and new services to a Solution, Ariba will continue to handle Personal Information consistently with this policy, but some changes or clarifications may be required.

If Ariba seeks to make a material change to Ariba's policy to allow use of Personal Information for a new, legitimate business purpose, Ariba will document the change to this Data Policy, note the date of the last update at the bottom of the policy, and send a notice to the administrative contacts on file with Ariba for each Buyer and Supplier. You are encouraged to check this policy occasionally to stay informed of any changes in our policies and procedures regarding Personal Information. For substantial and material changes to the Data Policy, Ariba will use reasonable efforts to provide notification to all affected users and suggest that such users review the updated Data Policy.



Safe Harbor Program
With regard to the Ariba Supplier Network, the Ariba OnDemand Solutions, and the Ariba Hosting Service, Ariba has formally joined the Safe Harbor Program managed by the U.S. Department of Commerce and has committed to abiding by the Safe Harbor privacy principles for the collection, use, and retention of personal data from the European Union. For more information about Safe Harbor or to access Ariba's certification statement, go to http://www.export.gov/safeharbor/.



Questions
If you have questions about this Data Policy, please send an e-mail to privacy@ariba.com attn: Ariba Privacy Coordinator, or send written correspondence to Ariba Privacy Coordinator, Legal Department, Ariba, Inc., 807 11th Avenue, Sunnyvale, CA 94089.

Ariba, Inc. is a licensee of the TRUSTe Privacy Program. TRUSTe is an independent, non-profit organization whose mission is to build users' trust and confidence in the Internet by promoting the use of fair information practices. The "Personal Information Handling and Privacy" section of this Data Policy covers the Solutions (and web sites) identified above under the definition of "Solution" (https://service.ariba.com, https://s1.ariba.com, https://www.sourcingservice.com, and customer-specific URLs). Because these web sites want to demonstrate Ariba's commitment to your privacy, Ariba has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe.



If you have questions or concerns regarding the Personal Information Handling and Privacy section of this policy, you should first contact your company's administrator or the Ariba Privacy Coordinator listed above (privacy@ariba.com). If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed, you should then contact TRUSTe at http://www.truste.org/consumers/watchdog_complaint.php. TRUSTe will then serve as a liaison with Ariba to resolve your concerns regarding the handling of your Personal Information.



Miscellaneous
The English version of this Data Policy shall govern in the event of any conflict or substantive translation changes into a non-English language.

Ariba offers products and services in the business-to-business market sector. As such, the information Ariba collects about individuals is solely related to their role at a company, and not to them as a person or as a consumer. That being said, Ariba does collect a person's name, business contact information (e.g. business email address, business phone number, business fax number) and role within a company.

Ariba has two other privacy policies. This document is the Ariba Data Policy and Privacy Statement and is targeted at companies that buy and use Ariba's products and services. Ariba also has an internal Privacy Policy targeted at its employees, contractors, etc., and a separate Privacy Policy for its internet-facing marketing websites (e.g. www.ariba.com). These other policies are separate and distinct from the activities governed by this policy.



Country-Specific Terms



Italy: This Privacy Statement for the data processing of the data subject (that is, the section entitled "Personal Information Handling and Privacy" above plus this clause) is provided according to Section 13 of the Italian Data Protection Code, Legislative Decree no. 196 (June 30, 2003) consolidated ("Italy Privacy Code"). Ariba, Inc. hereby informs you that the processing of your personal data through the Solution as defined above will be performed according to this Privacy Statement and in compliance with the Italy Privacy Code. The Controllers of the data processing are Ariba, Inc., 807 11th Avenue, Sunnyvale, CA 94089, USA and your employer. If you have questions or concerns about this policy, you may contact Ariba using the email address as identified above or by written correspondence to the local Italian privacy representative for Ariba at: Mark Lubienski, Ariba Italia Srl, Largo G. Tartini, 3/4, 00198 Roma, Italy.



******

Data Policy v15.1 September 5, 2007 (corrections May 19, 2008)


