Privacy

OpenText Privacy Center

OpenText Privacy Statement

As the leader in Enterprise Information Management (EIM), OpenText takes information security and data privacy very seriously. We have long maintained industry best practices to incorporate data protection and privacy in our day-to-day practices, as well as helping our customers implement our solutions and expertise to build strong compliance programs of their own.

At OpenText, we strive to create personalized experiences for those who engage with us and maximize the value for customers at each interaction, at the same time balancing this objective with security, trust and respect.

OpenText has established a comprehensive privacy program to ensure the protection of personal data or personal information (Personal Information). To operate its current privacy program effectively, OpenText uses a privacy framework based on leading standards and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), as well as industry standards such as AICPA/CICA’s Privacy Maturity Framework, Nymity’s Privacy Framework and the National Institute of Standards and Technology (NIST) Privacy Framework.

OpenText’s privacy program is built on an accountability framework and our mission statement is: “To build and maintain a sustainable data privacy & compliance program that incorporates customer rights, ethical use of data, and legal compliance obligations.”

Purpose

This Statement provides a summary of the OpenText Global Privacy Program, our governance, and the activities we undertake to ensure we process Personal Information fairly, lawfully, and securely when acting as a controller and as a processor on behalf of our customers or consumers.

For the purpose of this page, we are using the following General Data Protection Regulation (GDPR) terms to outline our strategy to meet our applicable obligations.


  • Controller: natural or legal person, public or private, who makes decisions on the processing of Personal Information.
  • Processor: natural or legal person, appointed by the controller, who performs the processing of personal information on behalf of the controller.
  • Personal Data and Personally Identifiable Information (PII) (‘Personal Information’): shall have the meaning as defined in the applicable data protection legislation.

Compliance with data protection and privacy laws

At OpenText, we are committed to ensuring compliance with applicable data protection and privacy laws to the extent they apply to OpenText either as a Controller or as a Processor. We recognize the importance of protecting the Personal Information entrusted to us by our customers, partners and website visitors. OpenText’s practices, as detailed below, are designed to adhere to the requirements set forth by relevant data protection and privacy laws, such as the General Data Protection Regulation (GDPR) and other applicable regional or national legislation. The Privacy function is responsible for tracking and monitoring changes in regulations and law, and for ensuring the privacy program is regularly reviewed and up to date.

Summary of our approach

The pillars of the OpenText privacy program for protecting Personal Information include the following: the protection of data subjects’ rights, privacy by design, the incorporation of privacy terms in contracts, and implementing and maintaining appropriate security measures to protect Personal Information from unauthorized access, loss or misuse:

Data Subject Rights
OpenText has implemented policies and procedures that allow data subjects to exercise their individual rights easily. Any data subject may request from OpenText access to, correction of, updating of and/or deletion of their Personal Information, or object to the use or sharing of their Personal Information in certain circumstances and exercise other data subject rights in line with applicable data protection law. For details on how to exercise your privacy rights, refer to OpenText Privacy Policy.

Privacy By Design
OpenText builds privacy into every product or service and incorporates safeguards into the design and development of products, services, and systems from the very beginning. Our development and product management teams work closely with the security team and the Privacy function to ensure appropriate expertise is included in the development process. Additionally, Privacy Risk Assessments are carried out on applicable projects, new system acquisitions and process changes.

Contractual commitments
We work with our customers to ensure that privacy obligations are included in the contractual commitments for our products and services, establishing a regulatory-compliant data handling framework. To learn more about the data processing agreements established by OpenText, we provide access to both our Customer Data Processing Agreement and Supplier Data Processing Agreement.

Security
OpenText uses industry practice models, such as ISO/IEC 27001 Information Technology Security techniques and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. OpenText incorporates the ISO 27002 information security control set within the context of an information security management system (ISMS) based on ISO/IEC 27001. For more details, please refer to Information Governance on the OpenText website. OpenText conducts regular audits such as the Service Organization Controls (“SOC”) reports. To ensure industry standards are continuously observed and reported, cybersecurity compliance attestations are available (as applicable to a service) for ISO 27001, ISO 27017, ISO 27018, SOC 1 Type II and SOC 2 Type II. Third-party audit reports for OpenText products and services may be available depending on the product or service selected.

Data retention
Where OpenText is a Controller, we have developed retention guidelines to provide guidance to our employees around how to manage OpenText’s records according to sound business, operational and legal practices. The purpose of these guidelines is to ensure that necessary OpenText records, documents, and other materials are adequately maintained, and, when no longer needed by OpenText, are securely discarded at the proper time (subject to any applicable legal or organizational retention requirements). Where OpenText is a Processor and has stored Personal Information as part of the services, at the end of the service(s) as required by applicable law upon the Customer’s written instruction, OpenText will return and/or delete the data (unless applicable law states otherwise). In some cases, the retention schedule will be defined in the customer contract, in which case that schedule will be followed.

Privacy Training and Awareness
OpenText has a long-standing practice of mandatory Corporate Information Security, Data Protection and Compliance, and Ethics training courses for all staff. Curriculums are regularly reviewed for new content necessary to raise awareness and educate employees about their obligations around the appropriate use and safeguarding of Personal Information. During onboarding, all new hires must complete these courses. An annual refresher course is mandatory for all staff.

Privacy Policies

OpenText continually reviews relevant internal and external policies, including those relating to Security, IT, Privacy, and HR, to ensure they reflect new privacy requirements, and updates them to be compliant. Please refer to the OpenText Privacy Policy and Cookie Policy on the OpenText website.

Our internal Privacy Policy for our staff provides employees with an overview of what data is being collected on them, how that data is being used, and what their role is in keeping company data secure.

Records of Processing Activities

OpenText maintains records of processing activities (ROPA) for functional areas where OpenText processes Personal Information as a Controller and Processor on behalf of its customers. The ROPA provides an overview of types and categories of Personal Information processed by OpenText or by its (sub)processors, categories of recipients, data transfers, processing location(s), safeguards, et cetera. Processes are in place to ensure the ROPA is kept complete and accurate.

Privacy Impact Assessments

OpenText is fully committed to protecting the Personal Information of its customers, employees, suppliers, and other stakeholders. We take the privacy of Personal Information very seriously and have instituted a variety of methods and controls to ensure we know what data we collect and process, and how that data is protected. As part of this commitment, OpenText ensures that, where appropriate, business activities and projects that involve the use of Personal Information are subject to a data protection impact assessment (also referred to as a “Privacy Impact Assessment”). The purpose of this assessment is to ensure that:

  • The use of Personal Information is fully understood.
  • Risks to the rights and freedoms of natural persons resulting from the processing of Personal Information are carefully examined.
  • Appropriate measures are put in place to mitigate privacy risks throughout the lifecycle of the processing.

Consent Management

OpenText has a consent management process in place which includes collecting consent for any marketing initiatives including webforms, events, third party syndications, for countries where explicit consent is required for B2B marketing. OpenText provides opt-out options in all marketing communications from OpenText as well as including a link to our privacy policy when the entity collects Personal Information.

Cross Border Data Transfers

OpenText is a global company and performs some of its processing activities in countries outside of the EU including Canada, United States, India and Philippines. Where Personal Information is processed outside of a member state of the EEA, the United Kingdom and Switzerland, OpenText has ensured one of the following safeguards is in place: (1) an adequacy decision for the importing country, or (2) EU Model Clauses between the exporters and importers. To learn more about how OpenText operates regarding international transfers of data, customers can refer to OpenText position paper for a deeper understanding of our commitment to protecting Personal Information during cross-border transfers. The OpenText International Data Transfers position paper is available upon request.

Vendor Management

OpenText may share Personal Information with vendors working on our behalf as necessary to provide OpenText products and services. OpenText has a due diligence process when outsourcing services to vendors, which includes performing a security/privacy risk assessment if Personal Information is shared and establishing the appropriate data protection clauses in the contract. If vendors operate in countries that are not considered to provide an adequate level of data protection as established by the General Data Protection Regulation ((EU) 2016/679) (GDPR), OpenText will implement appropriate measures with the vendor to ensure the data transfers are in accordance with applicable data protection regulations.

Governance and responsibility

OpenText’s data privacy strategy is led by a dedicated global privacy team that reports to the Vice President of Global Data Privacy. The team includes a Data Protection Officer (DPO). The DPO office can be reached at DPO@opentext.com.

Privacy Function
The average experience of Privacy team members in the field of data protection, privacy, and compliance is over 10 years and several members of the team have professional accreditations such as CIPP, CIPM, CISA, CISM or CISSP.

The organization is supported by a network of internal and external subject matter experts.

Registration with Data and Privacy Authorities
Where appropriate we are registered with country-specific data protection and privacy regulators, and the registrations are reviewed and maintained by the OpenText Privacy Function.

Changes to this Privacy Statement
OpenText reserves the right to update this Privacy Statement from time to time without prior consent to incorporate changes in our practices, technologies, privacy commitments, and any other relevant considerations. We recommend that you periodically review this Privacy Statement to stay updated on OpenText practices.

This Privacy Statement was last reviewed September 2023.

Policies & Procedures

OpenText privacy Policies & Procedures describe OpenText’s data processing practices and define OpenText’s role and responsibilities regarding the collection, use and disclosure of personal data. For further information, the following are the primary rules and principles that OpenText has implemented:

OpenText Privacy Policy applies to OpenText Corporation and its affiliates, which addresses the personal information that we collect, use and share. This includes personal information collected via our websites and portals (‘Website’), our products, services or personal information collected from you directly, such as in person, via telephone or email, or indirectly through third parties in the course of our business.

The OpenText China Privacy Policy addresses how we process personal information of Chinese Residents.

OpenText Candidate Privacy Policy addresses information we may collect in connection with our online and/or offline recruiting.

OpenText Cookies Policy addresses how we use cookies and other similar technologies on our websites and mobile applications.

Privacy Incident Response Process: OpenText is committed to complying with local regulations to ensure incident and breach legislation is adhered to. OpenText has defined a Security Incident Response Process (SIRP) that governs and directs the response to Information Security Incidents. If an Information Security Incident is believed to involve the unauthorized access of personal data/information, the SIRP will invoke the Privacy Incident and Breach Response Process (PIBRP).

OpenText Government Access Request Policy: OpenText maintains a government access policy defining the standard operating procedures for responding to and, where appropriate, challenging public authority access requests.

Data Processing Addendum

In its current data processing addendum where GDPR (or UK GDPR) applies ("DPA"), OpenText offers its customers the latest set of standard contractual clauses (SCCs) as respectively adopted by the European Commission for EEA territories, by the Information Commissioner's Office (ICO) for the UK after Brexit, and by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for Switzerland. This can be found here: OpenText Data Processing Addendum.

OpenText’s current SCCs can be found:

Existing customers who have previously entered into a separate DPA and wish to update it to reflect these updated SCCs are invited to contact OpenText to enter into a new DPA amendment to reflect the new SCCs. Please contact your Account Executive. Our template DPA amendment can be found here: Open Text Data Processing Addendum Amendment.

For those existing customers subject to our online DPA as incorporated into their agreements, the DPA is updated automatically as part of that agreement.