Privacy and Data Protection

How Staffbase helps our customers with their data protection and privacy obligations.

Staffbase Cares About Data Protection

Both the law and technology are constantly changing, especially with regard to privacy and data protection. Your employees are important to you, including their personal information. We at Staffbase always put the employee first, and that includes protecting their personal details. We know that trust is of central importance when communicating with your employees. That’s why we’ve built our services to earn that trust, whether through our security practices or through the information we provide, which enables you to respond to any questions your employees may have about privacy and security when using our product.

Staffbase Security

Our Organizational Approach

Security Program

Our customers trust us with some of their most valuable data. For this reason we set high standards for security. If you’d like to learn more about Staffbase’s stringent security policies and procedures, please see our security page, including more details about our ISO 27001 certification.

Training and Privacy Awareness

Within Staffbase’s Legal & Compliance team we have certified privacy experts with knowledge of and experience with EU, UK, and US data protection laws.

For all of our employees, we provide annual security awareness training as well as frequent security awareness updates about recent security risks. All developers at Staffbase have regular security training to stay up to date on common security risks in development, as well as on the privacy of our customers' data. All employees and contractors agree to comply with defined security policies, which include confidentiality, data privacy, and incident reporting.

We have also launched a Privacy Heroes Team. This team consists of a group of privacy heroes that work in every department within Staffbase. Our privacy heroes are in close contact with security and legal and receive additional data protection training. With the help of our privacy heroes, we raise privacy and security awareness to the highest level within Staffbase.

Data Processing Agreement

GDPR

We have created a GDPR-ready DPA, available here: https://staffbase.com/legal/dpa. Existing customers that would like to receive our most up-to-date DPA for their internal documentation can contact their customer success manager directly.

CCPA

If you are an existing customer and you want to receive a CCPA-ready DPA, please contact your customer success manager directly and we will send you a US specific version of our DPA that incorporates the obligations and requirements of the CCPA.

Privacy by Design and Product Reviews

We greatly value the “privacy by design” principles and we have a dedicated product & privacy counsel who works closely with the product and development teams. Our security and legal team review new product functionalities according to stringent security and privacy guidelines throughout the entire software development cycle.

Vendor Reviews

Our security and legal team review the security standards and contractual obligations of third-party service providers before Staffbase engages new vendors. We also enter into DPAs and, if required, standard model clauses with all vendors that process personal data.

International data transfers after the Schrems II case

In light of the decision by the European Court of Justice in the so-called ‘Schrems II case’, we’d like to highlight that we have concluded standard model clauses with all of our non-EU subprocessors. Despite the invalidation of the EU-US Privacy Shield, the standard model clauses approved by the European Commission remain a valid transfer mechanism. More information about our subprocessors, the hosting location of relevant data and the applicability of the standard model clauses can be found on our subprocessor page.

We will continue to closely follow the European Data Protection Board’s and other relevant authorities’ recommendations related to the Schrems II case going forward.

Data Breach Response

Our support, security, and legal teams will make sure any data breach involving personal data will be handled with the greatest care. We have set up data breach response plans to promptly and effectively identify, solve, and mitigate incidents that involve personal data of our customers.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our privacy and data protection compliance.

Staffbase Product Readiness

Deletion and data access

Our customers stay in control of the information that is processed by us. This means our customers may also request us to delete or access certain information. If you are wondering how our customers can handle any data subject request themselves, have a look at our support page. If the answer to your question is not provided on this page, please contact your technical support or customer success teams, who will then guide you through the process.

A customer’s personal data is retained by us for the duration of the customer relationship unless it has already been deleted by the customer or by us at the customer’s request. When Staffbase and a customer part ways, we will delete or return all personal data in accordance with the DPA.

Access restrictions

Our customers can manage access rights to customer data by giving a certain role to specific users. That way the customer can control which employees get to see what personal data. More information can be found on our Support Page: https://support.staffbase.com/hc/en-us.

Encryption

Our product and system communication is well encrypted. More information about encryption can be found in our Trust Center.

Our Security Practices

Our best-in-class infrastructure protects personal data throughout its entire lifecycle in the platform. A powerful suite of customizable settings and tools also affords our customers the autonomy to further define their own security and privacy parameters.
