Data Processing Record

(2021-08-24)

Officevibe Inc. provides a web‐based, team leader stack software-as-a-service platform to engage with your team members and cultivate trust. We help you tackle team challenges and build strengths so your team can do its best work.

  1. Name and contact details of Officevibe Inc.

    Officevibe Inc. is a software company incorporated and domiciled in Quebec, Canada. It is a subsidiary company of Groupe GSOFT Inc., also incorporated and domiciled in Quebec, Canada. Officevibe Inc. does not have any EU established operations.

    Legal name: Officevibe Inc.

    Address: 1751, rue Richardson, bureau 1050 Montréal (Québec) Canada H3K 1G6

    Contact email for privacy matters: legal@officevibe.com
    Contact email for security matters: security@officevibe.com

  2. Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.

    Officevibe Inc. is located in Canada. The European Commission has recognised Canada as providing adequate protection.

    Officevibe Inc.’s internal database is hosted in Microsoft Azure data centers. Microsoft Inc. is located in the United States and is bound by Standard Contractual Clauses entered into with Officevibe.

    Officevibe Inc.’s database management service provider is MongoDB Atlas (MongoDB), which is located in the United States and is also bound by Standard Contractual Clauses entered into with Officevibe.

    Officevibe’s notification delivery service provider is trycourier.com, Inc. (“Courier”), also located in the United States and bound by Standard Contractual Clauses entered into with Officevibe.

    Lastly, Officevibe’s security access management provider is Inversoft Inc., dba FusionAuth (“FusionAuth”). Although FusionAuth hosts Officevibe data in Canada, FusionAuth is located in the United States where data may be transferred in the context of support services. For this reason, Officevibe and FusionAuth are bound by Standard Contractual Clauses.

Personal data collected by Officevibe

Categories of personal data collected by Officevibe | Categories of data subjects for which such personal data is collected | Categories of processing activities in connection with such personal data
Officevibe user credentials

User credentials permit the users to access the Officevibe platform and include emails and password hashes.

Categories of data subjects:

  • Account administrator that purchases the subscription and manages the account
  • Company managers and group managers who use the answers and comments provided by the survey respondents to improve their leadership skills
  • Employees answering the surveys and providing comments

Categories of processing activities:

  • Provide, maintain and improve the Officevibe platform
  • Prevent or address service, security, support or technical issues with the Officevibe platform
Answers to surveys

Employees answer surveys such as “Do you have the freedom to try new tools that will help you do your work better?” and “How do you feel about your level of stress at work?”

The manager does not know the identity of the survey respondents because the data is only presented on an aggregated basis (i.e. Your score for this metric is x/10).

Officevibe Inc.’s internal database includes the identity of the survey respondents.

Categories of data subjects:

  • Employees answering the surveys, which may include company managers and group managers

Categories of processing activities:

  • Provide, maintain and improve the Officevibe platform
  • Prevent or address service, security, support or technical issues with the Officevibe platform
  • Create statistics based on the aggregated personal data for benchmarking and marketing purposes, for example for Officevibe’s state of engagement available at https://officevibe.com/guides/state-employee-engagement
Comments

Officevibe Inc. can encourage employees to share comments with questions such as “What would make your relationship with your manager better?”

Generally, the manager does not know the identity of the provider of comments. However, an employee can sometimes request that their identity be revealed to let their manager know that they are the one who posted such comment.

Officevibe Inc.’s internal database includes the identity of the comment providers.

Categories of data subjects:

  • Employees providing comments, which may include company managers and group managers

Categories of processing activities:

  • Provide, maintain and improve the Officevibe platform
  • Prevent or address service, security, support or technical issues with the Officevibe platform
User properties

The manager creates a profile for each of their employees. In the employee profiles, the manager can add user properties. The manager decides which categories of user properties they want to create; it could be gender, age, salary, anything. These user properties can later be used by the manager to segregate data (e.g. the employees in this age range are more stressed).

Officevibe Inc.’s internal database includes the identity of the employee in respect of which user properties are provided.

Categories of data subjects:

  • Employees prompted to answer the surveys and providing comments, which may include company managers and group managers

Categories of processing activities:

  • Provide, maintain and improve the Officevibe platform
  • Prevent or address service, security, support or technical issues with the Officevibe platform
Performance Engagement

Users can create various performance engagement tools such as one on one meetings and individual, team or organization goals.

These performance engagement tools can include talking points, action items and performance objectives.

Officevibe Inc.’s internal database includes the identity of the user who created the performance engagement tool, along with the identity of the users who take part in the event.

Categories of data subjects:

  • Managers, executive managers, and users can create agendas, talking points, and action items
  • All users can create goals and link them together

Categories of processing activities:

  • Provide, maintain and improve the Officevibe platform
  • Prevent or address service, security, support or technical issues with the Officevibe platform

General description of the technical and organisational security measures in place

Pseudonymisation and encryption of personal data
Pseudonymisation

Officevibe Inc. cannot pseudonymize the “comments” data in the database, otherwise it would not be able to reveal the identity of an employee when such employee requests Officevibe Inc. to do so in relation to a specific comment.

Officevibe Inc. cannot pseudonymize the “user attributes” data in the database, otherwise the managers could not view, add or modify user attributes related to their employees.

The answers to surveys, the comments and the user attributes are all included in the same internal database. Therefore, it would not be possible to pseudonymize such data.

Encryption

The data is encrypted in transit with HTTP over TLS. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled.

Data is encrypted at rest using AES-256.

Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Confidentiality

Officevibe Inc. has measures in place to ensure that no person is allowed to access personal data without authorization. Such measures include, without limitation:
  • Officevibe Inc. manages access to personal data using the role-based access control (RBAC) permissions model, on a need-to-access and least-privilege basis.
  • Officevibe Inc. has a secure authentication process in place with mandatory MFA.
  • All Officevibe Inc.’s employees are subject to a criminal background check to ensure that they are not guilty of a job‐related offense.
  • Officevibe Inc.’s internal database is located at a Microsoft Azure data center. Microsoft Inc. conforms to global security standards such as ISO 27001, FedRAMP, SOC 1 and SOC 2.
  • Officevibe Inc. has measures in place to control physical security at its office (incl. security guard at building entrance, alarm system, visitor registration).
  • All Officevibe Inc.’s suppliers that have access to personal data (being Azure, MongoDB Atlas, and TryCourier.com Inc) and all Officevibe Inc.’s employees have signed a non‐disclosure agreement.
  • The data is encrypted in transit with HTTP over TLS. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled. The data is encrypted at rest using AES-256. Encryption keys are managed by a limited number of employees and secured in a vault with regular rotations.
  • Regular updates concerning current security attacks are sent to Officevibe Inc.’s employees to raise awareness.
  • All employees receive regular security-specific training which is reviewed for completion and testing.
  • Officevibe Inc. maintains a documented and tested Security Incident Response Plan which includes prompt notification of affected customers and authorities.

Integrity

Officevibe Inc. has measures in place to ensure that the data integrity is maintained. Such measures include, without limitation:
  • The right to modify or delete any customer data (which includes personal data) is restricted to a limited group of people on a need basis.
    • Employees in the customer success team and in the technical support team are granted the right to modify and delete customer data in Officevibe Inc.’s database. Any modification or deletion by such employees is catalogued in an audit log. Officevibe Inc. reviews accesses every two months and every time a team changes.
    • A group of four key employees have unlimited access to Officevibe Inc.’s database.
    • A policy restricting possible modifications and deletions within Officevibe’s database is in place.
  • Officevibe Inc. maintains backups of its database in accordance with its retention policy. The backups are verified daily, and tests are done every three months to meet its RPO and RTO.

Availability

Officevibe Inc. has measures in place to ensure that personal data is available and is used properly in the intended process. Such measures include, without limitation:
  • Officevibe Inc. maintains backups of its database in accordance with its retention policy. The backups are verified daily, and tests are done every three months to meet its RPO and RTO.
  • Officevibe Inc.’s infrastructure and database schema are built from scripts that are kept in its source control system. Therefore, Officevibe Inc. can deploy the whole infrastructure dynamically within hours.
  • Officevibe has implemented Azure Security Center to prevent malware in the hosting environment and a centralized antimalware solution to prevent malware in the office with periodic full scans and firewall integration.
  • Officevibe Inc. maintains a documented and approved Business Continuity Plan and Disaster Recovery Plan.

Resilience

Officevibe Inc. has measures in place to ensure that the Officevibe platform is resilient. Such measures include:
  • Officevibe Inc.’s infrastructure can scale automatically depending on the load.
  • Officevibe Inc.’s infrastructure is redundant in the same data center.
  • Officevibe Inc.’s database server is redundant in two data centers.
Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
If causes of outage are within Officevibe Inc.’s control, its recovery time objective (RTO) is about 12 hours or less.

See measures described above with respect to “availability”.

Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
  • Access control: Officevibe Inc. reviews accesses every two months and every time a team changes.
  • Vulnerability assessments: Officevibe Inc. maintains a private bug bounty program with HackerOne Inc. for continuous security testing.
  • Security assessment: Officevibe Inc. has several dashboards to assess its security, including Azure Security Center and InsightVM.
  • Logs centralization: Officevibe Inc. uses various SIEMs to aggregate its logs.
