Oracle Services Privacy Policy

TRUSTe Certification: Oracle is a licensee of the TRUSTe Privacy Program. If you have questions about this policy, please first contact us through our inquiry form. If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed, you should contact TRUSTe at http://watchdog.truste.com/pvr.php?page=complaint&url= or by faxing Watchdog Complaints to 415.520.3420, or by postal mail to: Watchdog Complaints, TRUSTe, 55 2nd Street, 2nd Floor, San Francisco, CA USA 94105.

If you are faxing or mailing TRUSTe to register a complaint, you must include the following information: our company name (Oracle); the nature of the alleged privacy violation, including details about how your data was collected and what causes you to believe a violation occurred; the resolution you are requesting; your contact information; and whether you give permission to TRUSTe to share the particulars of your complaint, including your name, with us.

The TRUSTe Click to Verify seal applies to Oracle's Web sites and offline privacy practices, services privacy policy, and recruiting privacy policy. It does not cover personal information that may be collected through software downloaded from the Oracle.com Web sites or in connection with Exchange.Oracle.com or Oracle publications.

Safe Harbor: Oracle is a global corporation, with operations in over 80 countries, and has developed global data practices designed to assure your personal data is appropriately protected. Oracle's privacy practices, including the practices addressed in this policy and those applicable to its services businesses, are self-certified to the United States/European Union Safe Harbor Program. and the United States/Swiss Safe Harbor Program as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union and Switzerland respectively. For more information about Safe Harbor or to access Oracle's certification statement, go to http://www.export.gov/safeharbor/. TRUSTe acts as Oracle's third-party dispute resolution provider, as required by the Safe Harbor Program. If you have a complaint concerning Oracle's Safe Harbor compliance, please use the TRUSTe complaint process described above.

Customer Information is information that we may collect from your use of the Oracle.com Web sites and your interactions with us off-line. We deal with customer information according to the terms of our general privacy policy.

Services Data is data that resides on Oracle, customer or third-party systems to which Oracle is provided access to perform services (including On Demand environments as well as test, development and production environments that may be accessed to perform Oracle consulting and support services). Oracle treats services data according to the terms of this policy, and treats services data as confidential in accordance with the terms of your order for services.

To illustrate the difference between customer information and services data, when a customer contracts with Oracle for On Demand services, the customer provides information about itself, including its name, address, billing information, and some employee contact information. Oracle's Web sites may also collect some information about the customer and some employees as part of that interaction. All of that information is customer information, and is treated according to Oracle's general privacy policy.

In contrast, having contracted with Oracle for On Demand or other services, the customer then provides Oracle with access to its production, development or test environment, which may include personal information about its employees, customers, partners or suppliers (collectively "end users").

Below are the conditions under which Oracle may access, collect and/or use services data.

To Provide Services. Services data may be accessed and used to fulfill the requirements specified in your order for support, consulting, On Demand or other services.

To Maintain and Upgrade a System. Technical staff may require periodic access to services data to monitor system performance, test systems and develop and implement upgrades to systems. Any temporary copies of services data created as a necessary part of this process are only maintained for time periods relevant to those purposes.

To Address Performance and Fix Issues. On occasion, Oracle may develop new versions, patches, updates, and other fixes to its programs and services (such as security patches addressing newly discovered vulnerabilities). In accordance with the terms of your order for services and/or with notice to you, we may access and/or use a copy of your test, development or production environment, including services data, to test such new versions, patches, updates and fixes and validate that they work in your environment(s).

As a Result of Legal Requirements. Oracle may be required to provide personally identifiable information to comply with legally mandated reporting, disclosure or other legal process requirements.

Oracle may transfer and access services data globally as required for the purposes specified above. If Oracle hires subcontractors to assist in providing services, their access to services data will be consistent with the terms of your order for services and this services privacy policy.

Oracle does not use services data except as stated above or in your order. Oracle may process services data, but does not control your information collection or use practices for services data. If you provide any services data to Oracle, you are responsible for providing any notices and/or obtaining any consents necessary for Oracle to access and use services data as specified in this policy and your order.

Oracle's access to services data is based on job role/responsibility. Services data residing in Oracle hosted systems is controlled via an access control list (ACL) mechanism, as well as the use of an account management framework. You control access to services data by your end users; end users should direct any requests related to their personal information to you.

Oracle is committed to the security of your services data, and has in place physical, administrative and technical measures designed to prevent unauthorized access to that information. Oracle security policies cover the management of security for both its internal operations as well as the services. These policies, which are aligned with the ISO/IEC 17799:2005 and ISO/IEC 27001:2005 standards, govern all areas of security applicable to services and apply to all Oracle employees. Oracle's Support, Consulting and On Demand lines of business have developed detailed statements of security practices that apply to many of their service offerings, which are available for review at your request.

Oracle's security policies and procedures are reviewed by the Oracle Security Oversight Committee (OSOC) and Oracle Global Information Security (GIS). The OSOC coordinates implementation of security wide programs, including security policies and data privacy standards. GIS is responsible for security oversight, compliance and enforcement, and for conducting information security assessments and leading the development of information security policy and strategy.

Oracle is also committed to reducing risks of human error, theft, fraud, and misuse of Oracle facilities. Oracle's efforts include making personnel aware of security policies and training employees to implement security policies. Oracle employees are required to maintain the confidentiality of services data. Employees' obligations include written confidentiality agreements and compliance with company policies concerning protection of confidential information.

Oracle promptly evaluates and responds to incidents that create suspicions of unauthorized handling of services data. Oracle GIS and Legal are informed of such incidents and, depending on the nature of the activity, defines escalation paths and response teams to address the incidents. If Oracle determines that your services data has been misappropriated (including by an Oracle employee), Oracle will promptly report such misappropriation to you.

Oracle has appointed a Chief Privacy Officer. If you believe your services data has been used in a way that is not consistent with this policy, or if you have further questions related to this policy, please contact the Chief Privacy Officer through out inquiry form. Written inquiries may be addressed to Chief Privacy Officer, 10 Van de Graaff Drive, Burlington, Massachusetts 01803, United States of America.

Last Updated: May 5, 2010