Simployer Engagement - Privacy overview



1. Introduction and available documentation and standard agreement

Simployer offers several modules to provide you with a human resources management (“HRM”) system. As part of this suite, Simployer offers a module called Engagement, which can track employees' satisfaction and well-being in their everyday work life. This module is also offered standalone, and this guide explains which parts of the standard agreement are relevant and specific to the Engagement module.

The contractual terms are found in our standard terms available on our Trust Center, where you can also find the service level agreement (“SLA”) and the standard data processing agreement (“DPA”) as well as information regarding our services, information security, privacy and other relevant documents such as the Simployer Code of Conduct.

 

2. The personal data that is processed in the Engagement-module

The categories of personal data processed in Engagement are: first and last name, e-mail, organizational belonging, account settings (i.e. notification preferences, time zone), response data (answers to questions), actions data (actions taken), additional employee data (i.e. gender, employment date), application activities (timestamp of actions taken in the application), traffic logs (IP address and user agent data), device metadata (browser/OS versions). And, if optionally provided by the user: phone number, location (GPS data), profile picture.


Screenshot from an internal system we use to keep track of all data processing activities called “DPOrganizer”, illustrating the personal data categories processed in Engagement and relevant subprocessors.

 

3. Subprocessors used to provide Engagement

Specifically, for Engagement, the following subprocessors are relevant:

 

Simployer-group companies

| Name of subprocessor | Description of use | Location | Reduced Processing Mode |
| --- | --- | --- | --- |
| Simployer AS (company group) | Development and operation of modules | Norway | Used – Simployer group company |
| Simployer Solutions AS (company group) | Development and operation of modules | Norway | Used – Simployer group company |
| Simployer AB (company group) | Development and operation of modules | EU/EEA | Used – Simployer group company |
| Simployer ApS (company group) | Operation of modules | EU/EEA | Used – Simployer group company |
| Simployer Tech Sp.z.o.o. (company group) | Development and operation of modules | EU/EEA | Used – Simployer group company |
| Simployer Consulting Sp. z.o.o. (company group) | Development and operation of modules | EU/EEA | Used – Simployer group company |



External 3rd party subprocessors

| Name of subprocessor | Description of use | Location | Reduced Processing Mode |
| --- | --- | --- | --- |
| Twilio Sendgrid Inc. | Transactional emails | USA – Transfer based on «Binding Corporate Rules» (BCR) and «Standard Contractual Clauses» (SCC); Data Privacy Framework status - Active | Not used in Reduced Mode |
| Sentry | Software provider (SaaS) for error-logging occurring in applications for troubleshooting & quality improvement. | USA. Processing is covered by DPA including Model/Standard Contractual Clauses (SCC); Data Privacy Framework status - Active | Not used in Reduced Mode |
| Mailjet Inc. | Transactional emails | EU/EEA | Used – but EU-only. TIA exists. |
| Auth0 | Authenticating, integration for Single Sign-On (SSO) | EU/EEA; Data Privacy Framework status - Active | Used – but EU-only |
| Quatrix | Cloud-service for secure exchange of data (implementation) | EU/EEA | Used optionally – but EU-only |
| Amazon Web Services Europe | Operation of servers and infrastructure (PaaS) | EU/EEA (Frankfurt data centers). Processing covered by DPA including Model/Standard Contractual Clauses (SCC); Data Privacy Framework status - Active | Used – but EU-only. TIA exists – because of US-based parent company. |
| OneSignal | Infrastructure provider providing push notification delivery | USA. Processing is covered by DPA including Model/Standard Contractual Clauses (SCC); Data Privacy Framework status - Active | Used – but no personal data, only Pseudonymized IDs. TIA exists. |
| Cloudflare Inc | Infrastructure provider (IaaS) providing CDN, WAF, Network acceleration | Worldwide (IP-addresses may be logged on servers globally). Processing is covered by DPA including Model/Standard Contractual Clauses (SCC); Data Privacy Framework status - Active | Used – only IP-addresses. TIA exists. |

The full list of subprocessors used by Engagement is located here. Note that this list contains more vendors than the list above. The additional vendors process data for which we, Simployer, are the Data Controller, and data regarding our business relationship with the customer, i.e. data in CRM, contract-management systems, etc.; they are listed for the sake of transparency.

 

4. US-based subprocessors, our assessment and Reduced Processing Mode

Following the Schrems-II ruling and the recommendations for additional safeguards required for transfer of personal data to third countries, Simployer has reduced the number of sub-processors based in third countries and the amount of personal data transferred to such sub-processors. We have also ensured that relevant data processing agreements include an updated basis for third country data transfers.

Select sub-processors that we continue to use and that are based in the United States are necessary for us to deliver our service, and as such we do not have the possibility to replace them. We have made the assessment, taking into account available technology, the implementation costs and the nature, scope, context and purpose of the processing, as well as the risks, that we may continue to handle personal data with these subprocessors.

Specifically, when using reduced processing, two subprocessors remain in the US:

  • OneSignal, which only processes Pseudonymized IDs, and where the processing is a transfer and thus follows the EDPB's guidelines, and
  • Cloudflare, which is a security/redundancy solution that may handle IP addresses, but only in the same way that other types of network equipment implicitly process the IP addresses of users who access their network or transfer data through their services.

These, as well as the use of AWS Europe, which has a group parent in the US, are analyzed in a TIA (“Transfer Impact Assessment”) and assessed as reasonable to use with low risk, and are covered by new standard contractual clauses (“SCC”) and data processing agreements.

Our assessment is that we can continue to use these subprocessors, based on the following:

  • The data they process constitutes a subset, and a less sensitive and typically commonly spread part, of our customers' personal data; for example, email and first name, never answers to questions or detailed information about the individuals such as gender, date of birth etc.
  • In our data processing agreements with these sub-processors, and in how the technical solution is set up with them, we ensure that personal data is handled confidentially and with strong security (including encryption during storage and transfer and, where possible, on servers in the EU/EEA). Most of our US sub-processors are also based in California and are subject to the California Consumer Privacy Act, which imposes requirements on the handling of personal data that in many respects reflect the GDPR. Several sub-processors have also given guarantees that they will object to extraction requests for personal data processed in their service if requested by i.e. the US government.
  • The subprocessors also have an active status in the newly implemented Data Privacy Framework (DPF), making the transfers from the EU/EEA to the US subprocessors legal under the GDPR. See the press release and FAQ for more information regarding the DPF. Simployer has not yet changed all transfer mechanisms to the Data Privacy Framework, and SCC/BCR are still valid and in effect.

For customers that wish to use Simployer Engagement and ensure that processing is limited to the EU/EEA, we offer a “Reduced processing mode” that can be enabled on your account. When enabled, we will restrict processing of personal data to within the EU/EEA by disabling our use of sub-processors that process personal data outside of the EU/EEA. For an overview of the subprocessors used in this mode and how they are used, see this page.

Note that with “Reduced processing” enabled, our ability to provide a full level of support and troubleshooting is limited. Specifically, we will have less visibility into your account in our Customer Success and Support functions, we will not include your account in customer satisfaction surveys, and we will have less information for technical troubleshooting through our analytics and error logging. If you want to prevent users from sending emails to our help function that could be processed outside of the EU/EEA, we can also disable our support e-mail for your specific domain. Please contact us if you wish to do so.
