
Simployer Engagement – Privacy overview

1. Introduction, available documentation and standard agreement

Simployer offers several modules that together provide a human resources management ("HRM") system. As part of this suite, Simployer offers a module called Engagement, which tracks employees' satisfaction and well-being in their everyday work life. This module is also offered standalone, and this guide explains which parts of the standard agreement are relevant and specific to the Engagement module.

The contractual terms are found in our standard terms, available on our Trust Center, where you can also find the service level agreement ("SLA") and the standard data processing agreement ("DPA"), as well as information regarding our services, information security and privacy, and other relevant documents such as the Simployer Code of Conduct.

2. The personal data processed in the Engagement module

The categories of personal data processed in Engagement are:

  • first and last name
  • e-mail address
  • organizational belonging
  • account settings (e.g. notification preferences, time zone)
  • response data (answers to questions)
  • actions data (actions taken)
  • additional employee data (e.g. gender, employment date)
  • application activities (timestamps of actions taken in the application)
  • traffic logs (IP address and user agent)
  • device metadata (browser/OS versions)
  • and, if optionally provided by the user: phone number, location (GPS data), profile picture

Screenshot from an internal system we use to keep track of all data processing activities, called "DPOrganizer", illustrating the personal data categories processed in Engagement and the relevant subprocessors.

3. Subprocessors used to provide Engagement

Specifically, for Engagement, the following subprocessors are relevant:

Name of subprocessor | Description of use | Location and transfer basis | Reduced Processing Mode

Simployer group companies
Simployer AS (company group) | Development and operation of modules | Norway | Used (Simployer group company)
Simployer Solutions AS (company group) | Development and operation of modules | Norway | Used (Simployer group company)
Simployer AB (company group) | Development and operation of modules | EU/EEA | Used (Simployer group company)
Simployer ApS (company group) | Operation of modules | EU/EEA | Used (Simployer group company)
Simployer Tech Sp. z o.o. (company group) | Development and operation of modules | EU/EEA | Used (Simployer group company)
Simployer Consulting Sp. z o.o. (company group) | Development and operation of modules | EU/EEA | Used (Simployer group company)

External third-party subprocessors
Twilio SendGrid Inc. | Transactional emails | USA; transfer based on Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC); Data Privacy Framework status: Active | Not used in Reduced Mode
Sentry | Software provider (SaaS) for logging errors occurring in applications, used for troubleshooting and quality improvement | USA; processing covered by DPA including Standard Contractual Clauses (SCC); Data Privacy Framework status: Active | Not used in Reduced Mode
Mailjet Inc. | Transactional emails | EU/EEA | Used, EU-only; TIA exists
Auth0 | Authentication, integration for Single Sign-On (SSO) | EU/EEA; Data Privacy Framework status: Active | Used, EU-only
Quatrix | Cloud service for secure exchange of data (implementation) | EU/EEA | Used optionally, EU-only
Amazon Web Services Europe | Operation of servers and infrastructure (PaaS) | EU/EEA (Frankfurt data centers); processing covered by DPA including Standard Contractual Clauses (SCC); Data Privacy Framework status: Active | Used, EU-only; TIA exists because of the US-based parent company
OneSignal | Infrastructure provider for push notification delivery | USA; processing covered by DPA including Standard Contractual Clauses (SCC); Data Privacy Framework status: Active | Used, but no personal data, only pseudonymized IDs; TIA exists
Cloudflare Inc. | Infrastructure provider (IaaS) providing CDN, WAF and network acceleration | Worldwide (IP addresses may be logged on servers globally); processing covered by DPA including Standard Contractual Clauses (SCC); Data Privacy Framework status: Active | Used, IP addresses only; TIA exists

The full list of subprocessors used by Engagement is located here. Note that the full list contains more vendors than the table above: the additional vendors process data for which we, Simployer, are the data controller, i.e. data regarding our business relationship with the customer (data in CRM, contract management systems, etc.), and they are listed for the sake of transparency.

4. US-based subprocessors, our assessment and Reduced Processing Mode

Following the Schrems II ruling and the recommendations on additional safeguards required for transfers of personal data to third countries, Simployer has reduced the number of sub-processors based in third countries and the amount of personal data transferred to such sub-processors. We have also ensured that the relevant data processing agreements include an updated basis for third-country data transfers.

The sub-processors based in the United States that we continue to use are necessary for us to deliver our service, and we are therefore not in a position to replace them. Taking into account the available technology, the implementation costs, the nature, scope, context and purpose of the processing, and the risks involved, we have assessed that we may continue to handle personal data with these subprocessors.

Specifically, when Reduced Processing Mode is enabled, two subprocessors remain in the US:

  • OneSignal, which only receives pseudonymized IDs; this processing is nevertheless a transfer and therefore follows the EDPB's guidelines, and
  • Cloudflare, a security/redundancy solution that may handle IP addresses, but only in the same way that any other network equipment processes the IP addresses of users who access its network or transfer data through its services.

These, as well as the use of AWS Europe, whose group parent is in the US, are analyzed in a Transfer Impact Assessment ("TIA"), assessed as reasonable to use with low risk, and covered by the new standard contractual clauses ("SCC") and data processing agreements.

Our assessment is that we can continue to use these subprocessors, based on the following:

  • the data they process is a subset of our customers' personal data, and the less sensitive, more commonly shared part of it, for example e-mail address and first name; never answers to questions or detailed information about individuals such as gender or date of birth;
  • in our data processing agreements with these sub-processors, and in how the technical solution is set up with them, we ensure that personal data is handled confidentially and with strong security, including encryption at rest and in transit and, where possible, storage on servers in the EU/EEA. Most of our US sub-processors are based in California and are subject to the California Consumer Privacy Act, which imposes requirements on the handling of personal data that in many respects mirror the GDPR. Several sub-processors have also given guarantees that they will object to requests for extraction of personal data processed in their service, e.g. from the US government;
  • these subprocessors also have active status under the Data Privacy Framework (DPF), which makes transfers from the EU/EEA to them lawful under the GDPR. See the press release and FAQ for more information regarding the DPF. Simployer has not yet moved all transfer mechanisms to the Data Privacy Framework; the SCCs and BCRs remain valid and in effect.

For customers that wish to use Simployer Engagement while ensuring that processing is limited to the EU/EEA, we offer a "Reduced Processing Mode" that can be enabled on your account. When enabled, we restrict processing of personal data to the EU/EEA by disabling our use of sub-processors that process personal data outside the EU/EEA. For an overview of the subprocessors used in this mode, and how, see this page.

Note that with Reduced Processing Mode enabled, our ability to provide the full level of support and troubleshooting is limited. Specifically, our Customer Success and Support functions will have less visibility into your account, we will not include your account in customer satisfaction surveys, and we will have less information for technical troubleshooting from our analytics and error logging. If you want to prevent your users from sending e-mails to our support function, where they could be processed outside the EU/EEA, we can also disable our support e-mail for your specific domain; please contact us if you wish to do so.
