Privacy and Data Protection

How Staffbase helps our customers with their data protection and privacy obligations.

Staffbase Cares About Data Protection

Both the law and technology are constantly changing, especially with regard to privacy and data protection. Your employees are important to you, including their personal information. We at Staffbase always put the employee first, and that includes protecting their personal details. We know that trust is of central importance when communicating with your employees. That’s why we’ve built our services to earn that trust, both through our security practices and through the information we provide so that you can respond to any questions your employees may have about privacy and security when using our product.

Staffbase Security

Our Organizational Approach

Security Program

Our customers trust us with some of their most valuable data. For this reason we set high standards for security. If you’d like to learn more about Staffbase’s stringent security policies and procedures, please see our Trust Center, including more details about our ISO 27001 and SOC2 Type II certifications.

Staffbase AI

All personal data processed by AI features is handled strictly in accordance with our contractual obligations, flowing only through approved sub-processors, and remaining within defined legal and geographical boundaries.

We classify all AI features against the EU AI Act framework and we conduct continuous reviews to adapt to the evolving regulatory landscape. A cross-functional governance process—involving legal, security, and product experts—ensures all AI developments are compliant by design and that customers retain full control and transparency over their data and use of AI within the Staffbase platform. 

More information about Staffbase’s approach to AI can be found in our Support Portal.

Training and Privacy Awareness

We provide all of our employees with annual security and data protection training, as well as frequent awareness updates about recent security and privacy risks. All developers at Staffbase receive regular security training to stay up to date on common security risks in development and on the privacy of our customers' data. All employees and contractors agree to comply with defined security and data protection policies, which include confidentiality, data privacy, and incident reporting.

Data Processing Agreement

We have a DPA covering key data protection legislation, including the GDPR, US State Privacy Laws, Australian Privacy Laws, and Canadian Privacy Laws. The Staffbase DPA covers the processing activities specific to our services and it includes our technical and organizational measures to protect customer personal data. Our DPA can be found at: https://staffbase.com/legal/dpa.

Compliance by Design and Product Reviews

We greatly value the “compliance by design” principles and our legal team works closely with the product and development teams in building our product. Our security and legal team review new product functionalities according to stringent security, privacy, and AI guidelines throughout the entire software development cycle.

Sub-Processor Reviews

Staffbase uses Staffbase affiliates and third-party companies to provide our services to our customers. Prior to engaging a sub-processor, our security and legal team conduct due diligence and we enter into data processing agreements with the relevant company. Our current sub-processors are listed at: https://staffbase.com/legal/subprocessors.

Data Breach Response

Our support, security, and legal teams will make sure any data breach involving personal data will be handled with the greatest care. We have set up data breach response plans to promptly and effectively identify, solve, and mitigate incidents that involve personal data of our customers.

Government Data Access Requests

In general, Staffbase does not disclose personal data or customer data in response to a data disclosure request from a law enforcement agency or government authority. Any government data request will be handled in accordance with our Government Data Request Policy: https://staffbase.com/legal/subprocessors

Our Government Data Request Policy includes our Transparency Report, which indicates the number of government data requests received by Staffbase over the last years.

Staffbase Product Readiness

Deletion and data access

Our customers stay in control of the information that is processed by us. This means our customers may also request us to delete or access certain information. If you are wondering how our customers can handle any data subject request themselves, have a look at our support page. If the answer to your question is not provided on this page, please contact your technical support or customer success teams, who will then guide you through the process.

Customers’ personal data is retained by us for the duration of the customer relationship unless it has already been deleted by the customer or by us at the customer’s request. When Staffbase and a customer part ways, we will delete or return all personal data in accordance with the DPA.

Access restrictions

Our customers can manage access rights to customer data by giving a certain role to specific users. That way the customer can control which employees get to see what personal data. More information can be found on our Support Page: https://support.staffbase.com/hc/en-us.

Encryption

Our product and system communication is well encrypted. More information about encryption can be found in our Trust Center.

Data hosting

Staffbase currently offers three hosting locations for our servers hosted by Microsoft Azure: EU, US, and Australia.

Our Security Practices

Our best-in-class infrastructure protects personal data throughout its entire lifecycle in the platform. A powerful suite of customizable settings and tools also affords our customers the autonomy to further define their own security and privacy parameters.
