Data Processing Addendum

Last updated on December 16, 2022

Where applicable, this Data Processing Addendum is hereby incorporated in the Officevibe Terms of Service (the “General Terms”), found at https://officevibe.com/terms, unless Customer has entered into a superseding written agreement with Officevibe, in which case, it forms a part of such written agreement. All capitalized terms not defined herein shall have the meaning set forth in the General Terms. Unless Customer has a superseding written agreement with Officevibe, Officevibe may amend this Data Processing Addendum from time to time on its Website, as its business evolves. Any revisions will become effective on the date Officevibe publishes the changes. Customer can review the most current version of the Data Processing Addendum at any time by visiting this page. If Customer uses the Services after the effective date of any changes, that use will constitute the acceptance of the revised Data Processing Addendum.

Categories of Customer Personal Information collected by OfficevibeCategories of Data Subjects for which Customer Personal Information is ProcessedPurposes for which Officevibe Processes Customer Personal InformationNature of ProcessingDuration of Processing
Users credentials (such as emails, names, etc.)
  • User credentials permit the Users to access the Officevibe Platform and include emails and password hashes.
  • Account administrator that purchases the subscription and manages the account.
  • Company managers and group managers which use the answers and comments provided by the survey respondents to improve their leadership skills.
  • Employees answering the surveys and providing comments.
  • Provide, maintain and improve the Officevibe Platform.

  • Prevent or address service, security, support or technical issues with the Officevibe Platform.

  • Facilitate product discovery and communications throughout the user journey.

  • Create reports within the Officevibe Platform.
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
Employee profiles
  • The account administrator creates a profile for each of their employees, which contains the first name, last name, job title and email of the employee. Each employee has access to their employee profile and can update theirhis information. They can specify their survey language, time zone and preferences for the survey delivery (including survey day, survey time, survey method). The employee can also upload their own picture in their profile.
  • Company managers and group managers which use the answers and comments provided by the survey respondents to improve their leadership skills.
  • Employees answering the surveys and providing comments.
  • Provide, maintain and improve the Officevibe Platform.
  • Prevent or address service, security, support or technical issues with the Officevibe Platform.
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer
  • Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
Answers to surveys
  • Answers to surveys can reveal a wide range of Personal information.
  • Employees answer surveys such as “Do you have the freedom to try new tools that will help you do your work better?” and “How do you feel about your level of stress at work?”
  • Officevibe’s internal database includes the identity of the Survey Respondents.
  • Employees answering the surveys, which may include company managers and group managers.
  • Prevent or address service, security, support or technical issues with the Officevibe Platform.

  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
Comments
  • Comments given by Survey Respondents can reveal a wide range of Personal Information.
  • Officevibe can encourage employees to share comments with questions such as “What would make your relationship with your manager better?”
  • Officevibe’s internal database includes the identity of the comment providers.
  • Employees providing comments, which may include company managers and group managers.
  • Provide, maintain and improve the Officevibe Platform.
  • Prevent or address service, security, support or technical issues with the Officevibe Platform.
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
User properties
  • The account administrator creates their own categories of User properties (e.g. gender, age, salary) and inputs the User properties relating to the categories he created in each of the employee profiles. The Personal Information collected according to those User properties will therefore vary accordingly.

  • Officevibe does not have control over the categories of User properties created by the account administrator, however the account administrator is prohibited under the General Terms to create a category of User properties that would result in the input of Sensitive Personal Information in the Officevibe Platform.

  • Officevibe’s internal database includes the identity of the employee in respect of which User properties are provided, including User properties which may be provided through a HRIS integrations, where applicable.
  • Employee answering the surveys and providing comments, which may include company managers and group managers.
  • Provide, maintain and improve the Officevibe Platform.

  • Prevent or address service, security, support or technical issues with the Officevibe Platform.

  • Ensure the integration and synchronization of the Customer’s HRIS data between the Customer’s HRIS and the Officevibe Plateform.
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
Performance Engagement
  • Users can create various performance engagement tools such as one on one meetings and individual, team or organization goals. These performance engagement tools can include talking points, action items and performance objectives.

  • GSoft Technologies inc.’s internal database includes the identity of the user who created the performance engagement tool, along with the identity of the users who take part to the event.
  • Managers, executive managers, and users can create agendas, talking points, and action items

  • All users can create goals and link them together
  • Provide, maintain and improve the Officevibe platform

  • Prevent or address service, security, support or technical issues with the Officevibe platform
  • Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent
  • As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.

Schedule 1: Officevibe sub-processors

Sub-processorMicrosoft, Inc.
Type of processingCloud Provider
CountryUnited States of America and Canada
Transfer MechanismStandard Contractual Clauses
Sub-processorMongoDB, Inc.
Type of processingDatabase management service
CountryUnited States of America and Canada
Transfer MechanismStandard Contractual Clauses
Sub-processortrycourier.com, Inc.
Type of processingNotification delivery service
CountryUnited States of America
Transfer MechanismStandard Contractual Clauses
Sub-processorInversoft, Inc. (d.b.a. FusionAuth)
Type of processingSecurity access management tool.
CountryUnited States of America
Transfer MechanismStandard Contractual Clauses
Sub-processorIntercom R & D Unlimited Company
Type of processingProduct discovery and re-engagement tool. 
CountryUnited States of America
Transfer MechanismStandard Contractual Clauses
Sub-processorMerge API, Inc.
Type of processingUnified API tool for provisioning multiple Human Resources Information Software.
CountryCanada (data storage and processing)
United States of America (access for support services) 
Transfer MechanismStandard Contractual Clauses
Sub-processorRockset, Inc. (as of January 16th, 2023)
Type of processingReal-time analytics database service
CountryUnited States of America
Transfer MechanismStandard Contractual Clauses

Schedule 2: General description of the technical and organizational security measures in place 

All capitalized terms not defined herein shall have the meaning set forth in the General Terms. 

Officevibe has implemented and maintains the following technical and organizational security measures:

Pseudonymisation and encryption of Customer Personal Information 

PseudonymisationIt is Officevibe’s policy to pseudonymize Customer Personal Information whenever possible.  
Officevibe cannot however pseudonymize the “comments” data in the database, otherwise it would not be able to reveal the identity of an employee when such employee requests Officevibe to do so in relation to a specific comment. 
Officevibe cannot pseudonymize the “User attributes” data in the database, otherwise the managers could not view, add or modify User attributes related to their employees.   
The answers to surveys, the comments and the User attributes are all included in the same internal database. Therefore, it would not be possible to pseudonymize such data. 
EncryptionThe data is encrypted in transit with HTTP over TLS. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled.  
The data is also encrypted at rest by Officevibe and the Subprocessors.  
Encryption keys are managed with limited number of employees and secured in a vault with regular rotations.

Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

ConfidentialityOfficevibe has measures in place to ensure that no person is allowed to access Customer Personal Information without authorization. Such measures include, without limitation:
  • Officevibe manages accesses to Customer Personal Information based on the role-based access control (RBAC) permissions model on a need to access basis and least privileged basis.
  • Officevibe has a secure authentication process in place.
  • All Officevibe’s employees are subject to a criminal background check to ensure that they are not guilty of a job-related offense.
  • Officevibe’s internal database is located at a Microsoft Azure data center. Microsoft Inc. conforms to global security standards such as ISO 27001, FedRAMP, SOC 1 and SOC 2.
  • Officevibe has measures in place to control physical security at its office (including security guard at building entrance, alarm system, visitor registration).  
  • Officevibe, all Officevibe’s employees and Subprocessors have signed a non-disclosure agreement.
  • The data is encrypted in transit with HTTP over SSL. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled. The data is also encrypted at rest. Encryption keys are managed with limited number of employees and secured in a vault with regular rotations.
  • Regular updates concerning current security attacks are sent to Officevibe’s employees to raise awareness.
  • Officevibe has BCP and DRP documentation. Tabletop testing is done at least once a year.
IntegrityOfficevibe has measures in place to ensure that the data integrity is maintained. Such measures include, without limitation:
  • The right to modify or delete any customer data (which includes Customer Personal Information) is restricted to a limited group of people on a need basis.
    • Employees in the customer success team and in the technical support team are granted the right to modify and delete customer data in Officevibe’s database.  Any modification or deletion by such employees is catalogued in an audit log. Officevibe reviews accesses every two months and every time a team changes.
    • A group of four key employees have unlimited access to Officevibe’s database.
    • A policy restricting possible modifications and deletions within Officevibe’s database is in place.
  • Officevibe maintains backups of its database in accordance with its retention policy. The backups are verified daily, and tests are done every three months to meet its RPO and RTO.
AvailabilityOfficevibe has measures in place to ensure that Customer Personal Information is available and is used properly in the intended Process. Such measures include, without limitation:
  • Officevibe maintains backups of its database in accordance with its retention policy. The backups are verified daily, and tests are done every three months to meet its RPO and RTO.
  • Officevibe’s infrastructure and database schema are built from scripts that are kept in its source control system. Therefore, Officevibe can deploy the whole infrastructure dynamically within hours.
  • Officevibe has implemented Azure security center to prevent malware in the hosting environment and a centralized antimalware solution to prevent malware in the office with periodic full scans and firewall integration.
  • Officevibe is in the process of adopting and operationalizing a disaster recovery plan. It is Officevibe’s objective that this disaster recovery plan be fully operational as quickly as possible.
ResilienceOfficevibe has measures in place to ensure that the Officevibe Platform is resilient. Such measures include:
  • Officevibe’s infrastructure can scale automatically depending on the load.
  • Officevibe’s infrastructure is redundant in the same data center.
  • Officevibe’s database server is redundant in the same data center.

Ability to restore the availability and access to Customer Personal Information in a timely manner in the event of a physical or technical incident

If causes of outage are within Officevibe’s control, its recovery time objective (RTO) is about 8 hours or less.  
See measures described above with respect to “availability”. 

Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing

  • Access control: Officevibe reviews accesses regularly and every time a team changes.
  • Vulnerability assessments: External tests are conducted continuously using a Private Bug Bounty Program.
  • Security assessment: Officevibe has several dashboards to assess its security.
  • Logs centralization: Officevibe uses a SIEM to aggregate its logs.

Process for ensuring that access by government or law enforcement agencies is legally valid and appropriate

Officevibe has procedures in place to ensure that Customer Personal Information cannot be accessed by governmental organizations or law enforcement without due process. Officevibe and its subprocessors will not disclose data to government or law enforcement agencies except as directed by Customer or where required by law. Officevibe and its subprocessors scrutinize all requests to validate that they are legally valid and appropriate. Upon receipt of such a request, Officevibe will notify you, unless prohibited by law to do so. We will direct the governmental organization or law enforcement agency to seek the data directly from Customer by default. Where Officevibe or its subprocessors are legally bound to disclose information, only information specifically requested may be disclosed.
Our subprocessors have committed to publish transparency reports regarding government and law enforcement requests for personal information. We do note however that only one of our subprocessors (Microsoft Inc.) has been the object of such requests in recent years.
We note that the processed data is not the target of data gathering under Section 702 FISA or EO 12.333. There is no indication that such data has ever been the target of searches under Section 702 FISA or EO 12.333. Also, Section 702 FISA is only about communications services provided to the targets of the searches, and not to others or applications such as the present one. Therefore, we believe that the probability that Officevibe or its subprocessors will receive a surveillance order with respect to Customer Personal Information is very low.

Schedule 3: UK international data transfer addendum

Purpose. This Schedule supplements the Data Processing Addendum as incorporated by reference to the General Terms to govern the international transfer of Personal Information out of the United Kingdom. By signing the General Terms, the Parties agree to the terms of this Schedule.

PART 1: TABLES

Table 1 will be completed with the Parties’ details as set out in the General Terms.

TABLE 2 – Selected SCCs

Addendum EU SCCsThe 2021 Standard Contractual Clauses, including the appendix information as set out in Section 2.4.11 of the Data Processing Addendum. 

TABLE 3 – Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the 2021 Standard Contractual Clauses (other than the Parties), and which for this Addendum is set out in:

Annex 1AList of Parties: As described in Section 2.2 of the Data Processing Addendum.
Annex 1BDescription of Transfer: As described in Section 3 of the Data Processing Addendum.
Annex IITechnical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Schedule 2 to the Data Processing Addendum.
Annex IIIList of Sub Processors: As described in Schedule 1 to the Data Processing Addendum.

TABLE 4 – Ending this Addendum

Ending this Addendum when
the Approved Addendum changes
Which Parties may end this Addendum: 
Exporter and Importer 

PART 2: MANDATORY CLAUSES

Mandatory Clauses incorporated by this express referenceIncorporation by reference of Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and submitted to Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 and approved on 21 March 2022, as amended from time under Section ‎‎18 of those Mandatory Clauses.

Officevibe is inexpensive, simple to start and easy to use. Your team will thank you for it.

Get started free

✓ No credit card required