Employee Email – Data Processing Details

17 August 2021

When does this page apply to Customer?
If Customer has purchased Employee Email, then this page forms an integral part of the existing data processing agreement between Staffbase and Customer (“DPA”) when both parties have agreed upon and signed: (i) Staffbase’s data processing agreement before 17 August 2021; or (ii) Customer’s data processing agreement.

When does this page not apply to Customer?
This page does not apply to Customer’s use of Employee Email when Customer has: (i) agreed to the Staffbase online data processing agreement (currently available at: https://staffbase.com/en/legal/dpa/); (ii) signed Staffbase’s data processing agreement on or after 17 August 2021; or (iii) not entered into a data processing agreement with Staffbase.

Employee Email

The categories of Personal Data processed and the categories of Data Subjects whose Personal Data are processed in relation to Employee Email differ from the categories of Personal Data processed and the categories of Data Subjects whose Personal Data are processed in relation to other Staffbase Services.

For this reason, Staffbase has listed the details of Staffbase’s data processing activities in relation to Employee Email on this page. By purchasing Employee Email, Customer agrees to the data processing details described on this page. Staffbase will process Personal Data for the duration of the Subscription Term, unless otherwise agreed in writing.  

Any other terms not expressly defined here have the same meanings as in our Terms of Service or, if applicable, in the signed Master Subscription Agreement between Staffbase and Customer.

Categories of Data Subjects

The Personal Data transferred concern the following categories of Data Subjects:

Employee Email Users: All users specially designated and authorized by Customer to access and use the Employee Email service.
Email Recipients: Customer employees and other internal audiences who receive email newsletters from Customer via the Employee Email service.

Categories of Personal Data

Staffbase processes the following categories of Personal Data in relation to Employee Email: 

Account information: Full name, email address, and password of Employee Email Users.
Email information: Full name and email address of Email Recipients, distribution list names entered into the To and CC fields, content of email newsletter templates and drafts, and subject lines.
Email metrics information: Approximate location of Email Recipients (used to identify time zone settings and used in relation to internal email metrics); information about email engagement, including, but not limited to: when an email newsletter is read, when a link in an email newsletter is clicked, collected by tracking technologies such as pixels and cookies; and any optional segmentation information uploaded by Customer, such as the job title, department, or office location.
Technical information: Device type, IP address, User ID, operating system, browser type, and visit and usage information.

Specific Sub-Processors

Staffbase may use specific Sub-Processors in relation to Employee Email that are not used in relation to any other Staffbase Service. An overview of the Sub-Processors used in relation to Employee Email can be found at our Sub-Processor Page under the section “Product-Specific Sub-Processors”.

Security Measures

Not all Security Measures applicable to other Staffbase Services apply to Employee Email. The following Security Measures differ from the Security Measures related to other Staffbase Services as may be included in the DPA:

  1. SOC 2. The Staffbase ISO/IEC 27001:2013 certification is not (yet) applicable to Employee Email. Instead, Staffbase’s SOC 2 certification (or equivalent replacement) is applicable to Customer’s use of Employee Email; and
  2. Internal Access Controls. Staffbase will take reasonable measures to prevent unauthorized Staffbase personnel from gaining access to Personal Data processed in relation to Employee Email. Internal Access Controls related to Employee Email include but may not be limited to:
    1. A selected number of Staffbase personnel have access to Personal Data in the following roles:

      Developer Access: Personal access to all Personal Data within the corresponding customer instance, including the database. 

      Customer Success Access: Personal access to the customer instance on behalf of the respective Admin User, but no server or database access.

    2. The roles defined above are assigned to the minimum number of Staffbase personnel. The allocation of roles is recorded and reviewed at least once a year.