Data Processing Addendum

Where applicable, this Data Processing Addendum is hereby incorporated in the Officevibe Terms of Service (the “General Terms”), found at https://officevibe.com/terms, unless Customer has entered into a superseding written agreement with Officevibe, in which case, it forms a part of such written agreement. All capitalized terms not defined herein shall have the meaning set forth in the General Terms. Unless Customer has a superseding written agreement with Officevibe, Officevibe may amend this Data Processing Addendum from time to time on its Website, as its business evolves. Any revisions will become effective on the date Officevibe publishes the changes. Customer can review the most current version of the Data Processing Addendum at any time by visiting this page. If Customer uses the Services after the effective date of any changes, that use will constitute the acceptance of the revised Data Processing Addendum.

  1. DEFINITIONS AND INTERPRETATION
    1. “Data Controller” has the meaning set out in the GDPR and UK GDPR;
    2. “Data Processor” has the meaning set out in the GDPR and UK GDPR;
    3. “Data Protection Regulator” means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;
    4. “Data Subject” has the meaning set out in the GDPR and UK GDPR;
    5. “Privacy Laws” means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Information including but not limited to Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”) and the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”);
    6. “Process”, “Processing” or “Processed” have the meaning set out in GDPR;
    7. “Standard Contractual Clauses” means: (i) where the GDPR applies, the model clauses annexed to the European Commission’s Implementing Decision 2021/914 dated June 4th, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (“EU SCCs“); and (ii) where the UK GDPR applies, the applicable model data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs“).
  2. PROTECTION OF PERSONAL INFORMATION
    1. Supersedence. This Data Processing Addendum shall supersede any and all provisions of the General Terms inconsistent herewith.
    2. Data Controller and Data Processor. The Parties acknowledge that the Customer is the Data Controller and Officevibe is the Data Processor of the Customer Personal Information. Officevibe will Process Personal Information in accordance with Section 3 of this Data Processing Addendum.
    3. Customer’s Obligations as Data Controller. The Customer warrants that the Customer Personal Information has been obtained fairly and lawfully and, in all respects in compliance with the Privacy Laws.
    4. Officevibe’s Obligations as Data Processor. Officevibe shall:
      1. Process the Customer Personal Information only in accordance with Section 3 of this Data Processing Addendum and any other reasonable documented instructions as provided by the Customer to Officevibe from time to time (“Instructions”), including with regard to transfers of Customer Personal Information to a third country, save where:
        1. such Instructions are unlawful;
        2. such Instructions would cause Officevibe to breach its own obligations under Privacy Laws or the General Terms or any other agreement with a third party;
        3. such Instructions would negate the Survey Respondents’ right under the General Terms to remain anonymous;
        4. Officevibe is under a legal obligation to Process the Customer Personal Information, in which case Officevibe shall inform the Customer of the legal obligation, except to the extent the law prohibits it from doing so; and/or
        5. such Instructions would impact the overall availability of the Services or the performance of the Officevibe Platform in an undue manner.
      2. inform the Customer if, in its opinion, an Instruction received from the Customer infringes the Privacy Laws;
      3. ensure that all Officevibe employees and personnel who are involved in the Processing of Customer Personal Information have committed themselves to confidentiality or are under statutory obligations of confidentiality;
      4. not provide any new third party, with access to the Customer Personal Information or sub-contract any of its obligations under the General Terms that involve Processing Customer Personal Information without noticing in advance the Customer and/or publishing the changes in this Data Processing Addendum on the Website. The Customer hereby approves those third parties listed below, or any further third party that is compliant with GDPR requirements or UK GDPR requirements, where applicable, regarding transfers of Customer Personal Information to a third country (the “Subprocessors”):
        1. Microsoft Azure. Officevibe’s internal database is hosted in Microsoft Azure data centers. Microsoft Inc. is located in the United States. Officevibe and Microsoft Inc. are bound by Standard Contractual Clauses.
        2. MongoDB Inc. Officevibe’s database management service provider is MongoDB, located in the United States. Officevibe and MongoDB Inc. are bound by Standard Contractual Clauses.
        3. trycourier.com, Inc. Officevibe’s notification delivery service provider is Courier, located in the United States. Officevibe and Courier are bound by Standard Contractual Clauses.
        4. Inversoft Inc., dba FusionAuth, Officevibe’s security access management provider is FusionAuth. Although FusionAuth hosts Officevibe data in Canada, FusionAuth is located in the United States where data may be transferred in the context of support services. For this reason, Officevibe and FusionAuth are bound by Standard Contractual Clauses.
        5. Intercom R&D Unlimited Company. As of March 14th, 2022, Intercom will be Officevibe’s product discovery and re-engagement tool. Intercom is located in the United States. Officevibe and Intercom are bound by Standard Contractual Clauses.
        6. Merge API, Inc. As of March 14th, 2022, Merge API will be Officevibe’s unified API tool for provisioning multiple HRIS. Although Merge API hosts Officevibe data in Canada, Merge API is located in the United States where data may be transferred in the context of support services. For this reason, Officevibe and Merge API are bound by Standard Contractual Clauses. Merge API acts as a Subprocessor only where the Customer has opted to integrate their HRIS data with the Officevibe Platform.
      5. ensure that any sub-contract entered into by Officevibe (where Customer Personal Information is Processed by a Subprocessor) contains provisions which comply with Privacy Laws and in any event are no less onerous than those imposed under Section 2 of this Data Processing Addendum, and where a Subprocessor fails to fulfil its data protection obligations under the GDPR or UK GDPR, Officevibe shall remain liable to Customer for the performance of that Subprocessor’s obligations;
      6. implement and maintain appropriate technical and organizational security measures to protect against unauthorised or unlawful Processing of the Customer Personal Information and against accidental loss, disclosure or destruction of, or damage to, the Customer Personal Information, taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing, as described in the Privacy Policy, found at https://officevibe.com/privacy, and including:
        1. the anonymization, pseudonymization and/or encryption of Customer Personal Information;
        2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
        3. the ability to restore the availability and access to Customer Personal Information in a timely manner in the event of a physical or technical incident; and
        4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
      7. taking into account the nature of the Processing, assist the Customer (at the Customer’s reasonable cost) by appropriate technical and organizational measures, to enable the Customer to comply with its obligations under Privacy Laws in responding to requests from Data Subjects or the Data Protection Regulator, insofar as this is possible, to the extent the anonymity of the Personal Information shall be kept confidential by Officevibe, and not shared with Customer;
      8. assist the Customer (at the Customer’s reasonable cost), to comply with the following obligations under the GDPR or UK GDPR, taking into account the nature of Processing and information available to Officevibe, including:
        1. notification and assistance to Customer without undue delay, in accordance with the provision set forth in Section 11 of the Privacy Policy, and notification to the Data Protection Regulator and Data Subjects of a Data Incident, as defined in the Privacy Policy, with regards to Customer Personal Information transmitted, stored or otherwise Processed; and
        2. the Customer’s obligations to carry out data protection impact assessments and any subsequent consultation with the Data Protection Regulator;
      9. make available to Customer or an independent third party auditor mandated by the Customer (but not being a competitor of Officevibe), at the Customer’s reasonable cost, to a maximum of once a year or when a breach of Customer Personal Information is reasonably suspected, all reasonable information that Officevibe deems necessary to demonstrate compliance with the obligations imposed on Officevibe under Section 2 of this Data Processing Addendum, and allow for and contribute to audits, including inspections for the sole purpose of demonstrating such compliance; and
      10. unless required by law, at Customer’s request following termination or expiry of the General Terms for whatever reason, at the Customer’s reasonable cost, securely delete all of the Customer Personal Information.
  3. INSTRUCTIONS FOR PROCESSING OF CUSTOMER PERSONAL INFORMATION Officevibe will Process Customer Personal Information in accordance with the following instructions:
Categories of Customer Personal Information collected by OfficevibeCategories of Data Subjects for which Customer Personal Information is ProcessedPurposes for which Officevibe Processes Customer Personal InformationNature of ProcessingDuration of Processing
Users credentials (such as emails, names, etc.)
  • User credentials permit the Users to access the Officevibe Platform and include emails and password hashes.
  • Account administrator that purchases the subscription and manages the account.
  • Company managers and group managers which use the answers and comments provided by the survey respondents to improve their leadership skills.
  • Employees answering the surveys and providing comments.
  • Provide, maintain and improve the Officevibe Platform.
  • Prevent or address service, security, support or technical issues with the Officevibe Platform.
  • Facilitate product discovery and communications throughout the user journey
.
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
Employee profiles
  • The account administrator creates a profile for each of their employees, which contains the first name, last name, job title and email of the employee. Each employee has access to their employee profile and can update theirhis information. They can specify their survey language, time zone and preferences for the survey delivery (including survey day, survey time, survey method). The employee can also upload their own picture in their profile.
  • Company managers and group managers which use the answers and comments provided by the survey respondents to improve their leadership skills.
  • Employees answering the surveys and providing comments.
  • Provide, maintain and improve the Officevibe Platform.
  • Prevent or address service, security, support or technical issues with the Officevibe Platform.
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer
  • Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
Answers to surveys
  • Answers to surveys can reveal a wide range of Personal information.
  • Employees answer surveys such as “Do you have the freedom to try new tools that will help you do your work better?” and “How do you feel about your level of stress at work?”
  • Officevibe’s internal database includes the identity of the Survey Respondents.
  • Employees answering the surveys, which may include company managers and group managers.
  • Prevent or address service, security, support or technical issues with the Officevibe Platform.

  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
Comments
  • Comments given by Survey Respondents can reveal a wide range of Personal Information.
  • Officevibe can encourage employees to share comments with questions such as “What would make your relationship with your manager better?”
  • Officevibe’s internal database includes the identity of the comment providers.
  • Employees providing comments, which may include company managers and group managers.
  • Provide, maintain and improve the Officevibe Platform.
  • Prevent or address service, security, support or technical issues with the Officevibe Platform.
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
User properties
  • The account administrator creates their own categories of User properties (e.g. gender, age, salary) and inputs the User properties relating to the categories he created in each of the employee profiles. The Personal Information collected according to those User properties will therefore vary accordingly.

  • Officevibe does not have control over the categories of User properties created by the account administrator, however the account administrator is prohibited under the General Terms to create a category of User properties that would result in the input of Sensitive Personal Information in the Officevibe Platform.

  • Officevibe’s internal database includes the identity of the employee in respect of which User properties are provided, including User properties which may be provided through a HRIS integrations, where applicable.
  • Employee answering the surveys and providing comments, which may include company managers and group managers.
  • Provide, maintain and improve the Officevibe Platform.

  • Prevent or address service, security, support or technical issues with the Officevibe Platform.

  • Ensure the integration and synchronization of the Customer’s HRIS data between the Customer’s HRIS and the Officevibe Plateform.
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
Performance Engagement
  • Users can create various performance engagement tools such as one on one meetings and individual, team or organization goals. These performance engagement tools can include talking points, action items and performance objectives.

  • Officevibe inc.’s internal database includes the identity of the user who created the performance engagement tool, along with the identity of the users who take part to the event
.
  • Managers, executive managers, and users can create agendas, talking points, and action items

  • All users can create goals and link them together
  • Provide, maintain and improve the Officevibe platform

  • Prevent or address service, security, support or technical issues with the Officevibe platform
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.

This Policy was last updated on February 08, 2022

Officevibe is inexpensive, simple to start and easy to use. Your team will thank you for it.

Get started free

âś“ No credit card required