Data Processing Record

(2023-08-31)

Workleap Platform inc. provides a web‐based, team leader stack software-as-a-service Platform to engage with your team members and cultivate trust which is commercialized as Officevibe. We help you tackle team challenges and build strengths so your team can do its best work.

Name and contact details of Workleap Platform inc.
Workleap Platform inc. is a software company incorporated and domiciled in Québec, Canada. It is a subsidiary company of Workleap Technologies inc., also incorporated and domiciled in Québec, Canada. Workleap Platform inc. does not have any EU established operations.

Legal name: Workleap Platform inc.

Address: 1751, rue Richardson, bureau 1050 Montréal (Québec) Canada H3K 1G6

Contact email for privacy matters: legal@officevibe.com
Contact email for security matters: security@officevibe.com
Transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.

Workleap Platform inc. is located in Canada. In Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC, the European Commission has recognised Canada as providing adequate protection of personal information.

Officevibe’s internal database is hosted in Microsoft Azure data centers. Microsoft Inc. is located in the United States and is bound by Standard Contractual Clauses entered into with Officevibe.

Officevibe’s database management service provider is MongoDB Atlas (MongoDB), located in the United States and is also bound by Standard Contractual Clauses entered int with Officevibe.

Officevibe’s notification delivery service provider is trycourier.com, Inc. (“Courier”), also located in the United States and bound by Standard Contractual Clauses entered into with Officevibe.

Officevibe’s security access management provider is Inversoft Inc., dba FusionAuth (“FusionAuth”). Although FusionAuth hosts Officevibe data in Canada, FusionAuth is located in the United States where data may be transferred in the context of support services. For this reason, Officevibe and FusionAuth are bound by Standard Contractual Clauses.

Officevibe’s product discovery and re-engagement tool provider is Intercom R&D Unlimited Company (“Intercom”). Intercom is located in the United States and is also bound by Standard Contractual Clauses entered into with Officevibe.

Officevibe’s unified API tool for provisioning multiple HRIS is provided by Merge API Inc. (“Merge API”). Although Merge API hosts Officevibe data in Canada, Merge API is located in the United States where data may be transferred in the context of support services. For this reason, Officevibe and Merge API are bound by Standard Contractual Clauses.

Officevibe’s real-time analytics services are provided by Rockset, Inc. (“Rockset”). Rockset is located in the United States and bound by Standard Contractual Clauses entered into with Officevibe.

Personal information collected by Officevibe

Categories of personal information collected by Officevibe	Categories of data subjects for which such personal information is collected	Categories of processing activities in connection with such information
Officevibe user credentials User credentials permit the users to access the Officevibe Platform and include emails and password hashes.	Account administrator that purchases the subscription and manages the account Company managers and group managers which use the answers and comments provided by the survey respondents to improve their leadership skills Employees answering the surveys and providing comments	Provide, maintain and improve the Officevibe Platform Prevent or address service, security, support or technical issues with the Officevibe Platform Facilitate product discovery and communications throughout the user journey
Employee profiles The account administrator creates a profile for each of their employees, which contains the first name, last name, job title and email of the employee. Each employee has access to their employee profile and can update their information. They can specify their survey language, time zone and preferences for the survey delivery (including survey day, survey time, survey method). The employee can also upload their own picture in their profile.	Company managers and group managers which use the answers and comments provided by the survey respondents to improve their leadership skills Employees answering the surveys and providing comments	Provide, maintain and improve the Officevibe Platform Prevent or address service, security, support or technical issues with the Officevibe Platform
Answers to surveys Employees answer surveys such as “Do you have the freedom to try new tools that will help you do your work better?” and “How do you feel about your level of stress at work?” The manager does not know the identity of the survey respondents because the data is only presented on an aggregated basis (i.e. Your score for this metric is x/10). Officevibe’s internal database includes the identity of the survey respondents.	Employees answering the surveys, which may include company managers and group managers	Provide, maintain and improve the Officevibe Platform Prevent or address service, security, support or technical issues with the Officevibe Platform Create statistics based on the aggregated personal data for benchmarking and marketing purposes, for example for Officevibe’s state of engagement available at https://officevibe.com/guides/state-employee-engagement
Comments Officevibe can encourage employees to share comments with questions such as “What would make your relationship with your manager better?” Generally, the manager does not know the identity of the provider of comments. However, an employee can sometime request that its identity be revealed to let his manager know that he is the one that posted such comment. Officevibe’s internal database includes the identity of the comment providers.	Employees providing comments, which may include company managers and group managers	Provide, maintain and improve the Officevibe Platform Prevent or address service, security, support or technical issues with the Officevibe Platform
User properties The manager creates a profile for each of their employees. In the employee profiles, the manager can add user properties (the manager decides which categories of user properties they want to create. It could be gender, age, salary, anything). These user properties can later be used by the manager to segregate data (Eg. The employees in this age range are more stressed). Officevibe’s internal database includes the identity of the employee in respect of which user properties are provided, including User properties which may be provided through a HRIS integration, where applicable.	Employees prompted to answer the surveys and providing comments, which may include company managers and group managers	Provide, maintain and improve the Officevibe platform Prevent or address service, security, support or technical issues with the Officevibe platform Ensure the integration and synchronization of the Customer’s HRIS data between the Customer’s HRIS and the Officevibe Platform.
Performance Engagement Users can create various performance engagement tools such as one on one meetings and individual, team or organization goals. These performance engagement tools can include talking points, action items and performance objectives. Officevibe’s internal database includes the identity of the user who created the performance engagement tool, along with the identity of the users who take part to the event.	Managers, executive managers, and users can create agendas, talking points, and action items All users can create goals and link them together	Provide, maintain and improve the Officevibe Platform Prevent or address service, security, support or technical issues with the Officevibe Platform

General description of the technical and organisational security measures in place

Pseudonymisation and encryption of personal information
Pseudonymisation	Officevibe cannot pseudonymize the “comments” data in the database, otherwise it would not be able to reveal the identity of an employee when such employee requests Officevibe to do so in relation to a specific comment. Officevibe cannot pseudonymize the “user properties” data in the database, otherwise the managers could not view, add or modify user properties related to their employees. The answers to surveys, the comments and the user properties are all included in the same internal database. Therefore, it would not be possible to pseudonymize such data.
Encryption	The data is encrypted in transit with HTTP over TLS. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled. Data is encrypted at rest using AES-256.
Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Confidentiality	Officevibe has measures in place to ensure that no person is allowed to access personal information without authorization. Such measures include, without limitation: Officevibe manages accesses to personal information based on the role‐based access control (RBAC) permissions model on a need to access basis and least privileged basis. Officevibe has a secure authentication process in place with mandatory MFA. All Officevibe’s employees are subject to a criminal background check to ensure that they are not guilty of a job‐related offense. Officevibe’s internal database is located at a Microsoft Azure data center. Microsoft Inc. conforms to global security standards such as ISO 27001, FedRAMP, SOC 1 and SOC 2. Officevibe has measures in place to control physical security at its office (inc. security guard at building entrance, alarm system, visitor registration). All Officevibe’s suppliers that have access to personal data (being Azure, MongoDB Atlas, and TryCourier.com Inc) and all Officevibe’s employees have signed a non‐disclosure agreement. The data is encrypted in transit with HTTP over TLS. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled. The data is encrypted at rest using AES-256. Encryption keys are managed with limited number of employees and secured in a vault with regular rotations. Regular updates concerning current security attacks are sent to Officevibe’s employees to raise awareness. All employees receive regular security specific training which is reviewed for completion and testing. Officevibe maintains a documented and tested Security Incident Response Plan which includes prompt notification of affected customers and authorities.
Integrity	Officevibe has measures in place to ensure that the data integrity is maintained. Such measures include, without limitation: The right to modify or delete any customer data (which includes personal information) is restricted to a limited group of people on a need basis. Employees in the customer success team and in the technical support team are granted the right to modify and delete customer data in Officevibe’s database. Any modification or deletion by such employees is catalogued in an audit log. Officevibe reviews accesses every two months and every time a team changes. A group of four key employees have unlimited access to Officevibe’s database. A policy restricting possible modifications and deletions within Officevibe’s database is in place. Officevibe maintains backups of its database in accordance with its retention policy. The backups are verified daily, and tests are done every three months to meet its RPO and RTO.
Availability	Officevibe has measures in place to ensure that personal information is available and is used properly in the intended process. Such measures include, without limitation: Officevibe maintains backups of its database in accordance with its retention policy. The backups are verified daily, and tests are done every three months to meet its RPO and RTO. Officevibe’s infrastructure and database schema are built from scripts that are kept in its source control system. Therefore, Officevibe can deploy the whole infrastructure dynamically within hours. Officevibe has implemented azure security center to prevent malware in the hosting environment and a centralized antimalware solution to prevent malware in the office with periodic full scans and firewall integration. Officevibe maintains a documented and approved Business Continuity Plan and Disaster Recovery Plan.
Resilience	Officevibe has measures in place to ensure that the Officevibe Platform is resilient. Such measures include: Officevibe’s infrastructure can scale automatically depending on the load. Officevibe’s infrastructure is redundant in the same data center. Officevibe’s database server is redundant in two data centers.
Ability to restore the availability and access to personal information in a timely manner in the event of a physical or technical incident
If causes of outage are within Officevibe’s control, its recovery time objective (RTO) is about 12 hours or less. See measures described above with respect to “availability”.
Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Access control: Officevibe reviews accesses every two months and every time a team changes. Vulnerability assessments: Officevibe maintains a private BugBounty Program with HackerOne Inc. for continuous security testing. Security assessment: Officevibe has several dashboards to assess its security including Azure security center and insight VM. Logs centralization: Officevibe uses various SIEMs to aggregate its logs.