Privacy and Data Protection

How Staffbase helps our customers with their data protection and privacy obligations.

Staffbase Cares About Data Protection

Both the law and technology are constantly changing, especially with regard to privacy and data protection. Your employees are important to you, including their personal information. We at Staffbase always put the employee first, and that includes protecting their personal details. We know that trust is of central importance when communicating with your employees. That’s why we’ve built our services to earn that trust, whether it is because of our Security practices, or because of our information provision that enables you to respond to any questions your employees may have about privacy and security when using our product.

From Germany to the rest of the world: Germany has some of the strictest data protection and data privacy laws in the world. With our roots in Germany and in the European Union, Staffbase has put privacy and data protection at the core of developing our products, services, and our internal governance since the beginning. As a result, we bring our extensive experience in privacy and data protection compliance in Germany into the way we develop and build employee communications for customers around the world. We monitor trends and developments in privacy and data protection, including through our corporate membership in the International Association of Privacy Professionals (IAPP), and continue to adapt and update our approach, including for new US state laws like the California Consumer Privacy Act (CCPA).
What is Staffbase’s role when providing its services?: When providing our services we process personal data on behalf of our customers. Our customers are in control of all the information they select for use with the Staffbase Service. Information that customers decide to use with our services may contain personal data, like any text, images, videos and profile information of our customers’ end users. Staffbase only processes personal data in accordance with clear written instructions of our customers and any contractual agreements that are in place, like a Data Processing Agreement (DPA).

Staffbase has taken technical and organizational measures to ensure the processing of personal data meets the requirements of applicable data protection law. When building new product features we apply “privacy by design” principles to enhance the privacy readiness of our product.

In addition, Staffbase also acts as a data controller, for example when it processes personal data of website visitors. For any information collected by Staffbase as data controller, the Staffbase Privacy Policy applies.

Our Organizational Approach

Security Program: Our customers trust us with some of their most valuable data. For this reason we set high standards for security. If you’d like to learn more about Staffbase’s stringent security policies and procedures, please see our security page, including more details about our ISO 27001 certification.
Training and Privacy Awareness: Within Staffbase’s Legal & Compliance team we have certified privacy experts with knowledge of and experience with both EU, UK, and US data protection laws.

For all of our employees, we provide annual security awareness training as well as frequent security awareness updates about recent security risks. All developers at Staffbase have regular security training to be up-to-date for common security risks in development, as well as the data privacy of our customers' data. All employees and contractors agree to comply with defined security policies, which include confidentiality, data privacy, and incident reporting.

We have also launched a Privacy Heroes Team. This team consists of a group of privacy heroes that work in every department within Staffbase. Our privacy heroes are in close contact with security and legal and receive additional data protection training. With the help of our privacy heroes, we raise privacy and security awareness to the highest level within Staffbase.
Data Processing Agreement: GDPR
We have created a GDPR-ready DPA, available here: https://staffbase.com/en/legal/dpa/. Existing customers that would like to receive our most up-to-date DPA for their internal documentation can contact their customer success manager directly.

CCPA
If you are an existing customer and you want to receive a CCPA-ready DPA, please contact your customer success manager directly and we will send you a US specific version of our DPA that incorporates the obligations and requirements of the CCPA.
Privacy by Design and Product Reviews: We greatly value the “privacy by design” principles and we have a dedicated product & privacy counsel who works closely with the product and development teams. Our security and legal team review new product functionalities according to stringent security and privacy guidelines throughout the entire software development cycle.
Vendor Reviews: Our security and legal team review the security standards and contractual obligations of third party service providers before Staffbase engages new vendors. We also enter into DPAs, and if required standard model clauses, with all vendors that process personal data.

International data transfers after the Schrems II case
In light of the decision by the European Court of Justice in the so-called ‘Schrems II case’, we’d like to highlight that we have concluded standard model clauses with all of our non-EU subprocessors. Despite the invalidation of the EU-US Privacy Shield, the standard model clauses approved by the European Commission remain a valid transfer mechanism. More information about our subprocessors, the hosting location of relevant data and the applicability of the standard model clauses can be found on our subprocessor page.

We will continue to closely follow the European Data Protection Board’s and other relevant authorities’ recommendations related to the Schrems II case going forward.
Data Breach Response: Our support, security, and legal teams will make sure any data breach involving personal data will be handled with the greatest care. We have set up data breach response plans to promptly and effectively identify, solve, and mitigate incidents that involve personal data of our customers.
Data Protection Officer: We have appointed a Data Protection Officer (DPO) to oversee our privacy and data protection compliance.

Staffbase Product Readiness

Deletion and data access: Our customers stay in control of the information that is processed by us. This means our customers may also request us to delete or access certain information. If you wonder how our customers can handle any data subject request themselves, have a look on our support page. If the answer to your question is not provided on this page, please contact your technical support or customer success teams, who will then guide you through the process.

Customer’s personal data is retained by us for the duration of the customer relationship unless it’s already deleted by the customer or by us on customer’s request. When Staffbase and a customer part ways, we will delete or return all personal data in accordance with the DPA.
Access restrictions: Our customers can manage access rights to customer data by giving a certain role to specific users. That way the customer can control which employees get to see what personal data. More information can be found on our Support Page: https://support.staffbase.com/hc/en-us.
Encryption: Our product and system communication is well encrypted. More information about encryption can be found on our security page: https://staffbase.com/en/security.

Our Security Practices

Our best-in-class infrastructure protects personal data throughout their entire lifecycle in the platform. A powerful suite of customizable settings and tools also afford our customers the autonomy to further define their own security and privacy parameters.

Learn more