Data Processing Record
GSoft Technologies Inc. provides a web‐based, team leader stack software-as-a-service Platform to engage with your team members and cultivate trust which is commercialized as Officevibe. We help you tackle team challenges and build strengths so your team can do its best work.
- Name and contact details of GSoft Technologies Inc.
GSoft Technologies Inc. is a software company incorporated and domiciled in Québec, Canada. It is a subsidiary company of Groupe GSOFT Inc., also incorporated and domiciled in Québec, Canada. GSoft Technologies Inc. does not have any EU established operations.
Legal name: GSoft Technologies Inc.
Address: 1751, rue Richardson, bureau 1050 Montréal (Québec) Canada H3K 1G6
- Transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
GSoft Technologies Inc. is located in Canada. In Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC, the European Commission has recognised Canada as providing adequate protection of personal information.
Officevibe’s internal database is hosted in Microsoft Azure data centers. Microsoft Inc. is located in the United States and is bound by Standard Contractual Clauses entered into with Officevibe.
Officevibe’s database management service provider is MongoDB Atlas (MongoDB), located in the United States and is also bound by Standard Contractual Clauses entered int with Officevibe.
Officevibe’s notification delivery service provider is trycourier.com, Inc. (“Courier”), also located in the United States and bound by Standard Contractual Clauses entered into with Officevibe.
Officevibe’s security access management provider is Inversoft Inc., dba FusionAuth (“FusionAuth”). Although FusionAuth hosts Officevibe data in Canada, FusionAuth is located in the United States where data may be transferred in the context of support services. For this reason, Officevibe and FusionAuth are bound by Standard Contractual Clauses.
As of March 14th, 2022, Officevibe’s product discovery and re-engagement tool provider will be Intercom R&D Unlimited Company (“Intercom”). Intercom is located in the United States and is also bound by Standard Contractual Clauses entered into with Officevibe.
Lastly, as of March 14th, 2022, Officevibe’s unified API tool for provisioning multiple HRIS will be provided by Merge API Inc. (“Merge API”). Although Merge API hosts Officevibe data in Canada, Merge API is located in the United States where data may be transferred in the context of support services. For this reason, Officevibe and Merge API are bound by Standard Contractual Clauses.
Personal information collected by Officevibe
|Categories of personal information collected by Officevibe||Categories of data subjects for which such personal information is collected||Categories of processing activities in connection with such information|
|Officevibe user credentials|
User credentials permit the users to access the Officevibe Platform and include emails and password hashes.
| Employee profiles|
The account administrator creates a profile for each of their employees, which contains the first name, last name, job title and email of the employee. Each employee has access to their employee profile and can update their information. They can specify their survey language, time zone and preferences for the survey delivery (including survey day, survey time, survey method). The employee can also upload their own picture in their profile.
| || |
|Answers to surveys |
Employees answer surveys such as “Do you have the freedom to try new tools that will help you do your work better?” and “How do you feel about your level of stress at work?”
The manager does not know the identity of the survey respondents because the data is only presented on an aggregated basis (i.e. Your score for this metric is x/10).
Officevibe’s internal database includes the identity of the survey respondents.
Officevibe can encourage employees to share comments with questions such as “What would make your relationship with your manager better?”
Generally, the manager does not know the identity of the provider of comments. However, an employee can sometime request that its identity be revealed to let his manager know that he is the one that posted such comment.
Officevibe’s internal database includes the identity of the comment providers.
|User properties |
The manager creates a profile for each of their employees. In the employee profiles, the manager can add user properties (the manager decides which categories of user properties they want to create. It could be gender, age, salary, anything). These user properties can later be used by the manager to segregate data (Eg. The employees in this age range are more stressed).
Officevibe’s internal database includes the identity of the employee in respect of which user properties are provided, including User properties which may be provided through a HRIS integration, where applicable.
|Performance Engagement |
Users can create various performance engagement tools such as one on one meetings and individual, team or organization goals.
These performance engagement tools can include talking points, action items and performance objectives.
Officevibe’s internal database includes the identity of the user who created the performance engagement tool, along with the identity of the users who take part to the event.
General description of the technical and organisational security measures in place
|Pseudonymisation and encryption of personal information|
|Pseudonymisation||Officevibe cannot pseudonymize the “comments” data in the database, otherwise it would not be able to reveal the identity of an employee when such employee requests Officevibe to do so in relation to a specific comment.
Officevibe cannot pseudonymize the “user properties” data in the database, otherwise the managers could not view, add or modify user properties related to their employees.
The answers to surveys, the comments and the user properties are all included in the same internal database. Therefore, it would not be possible to pseudonymize such data.
|Encryption||The data is encrypted in transit with HTTP over TLS. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled.
Data is encrypted at rest using AES-256.
|Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services|
|Confidentiality||Officevibe has measures in place to ensure that no person is allowed to access personal information without authorization. Such measures include, without limitation:
|Integrity||Officevibe has measures in place to ensure that the data integrity is maintained. Such measures include, without limitation:
|Availability||Officevibe has measures in place to ensure that personal information is available and is used properly in the intended process. Such measures include, without limitation:
|Resilience||Officevibe has measures in place to ensure that the Officevibe Platform is resilient. Such measures include:
|Ability to restore the availability and access to personal information in a timely manner in the event of a physical or technical incident|
|If causes of outage are within Officevibe’s control, its recovery time objective (RTO) is about 12 hours or less.
See measures described above with respect to “availability”.
|Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing|