WorkBoard Security and Privacy Policy

Security Audit

WorkBoard is SOC2 Type II, ISO 27001:2013, and TISAX certified. We employ industry standard technological measures that are reasonably designed to help protect your personal information from loss, unauthorized access, disclosure, alteration or destruction. WorkBoard may use, without limitation, firewalls, password protection, secure socket layer, and other security measures to help prevent unauthorized access to your personal information. While we take reasonable efforts to guard personal information, no security system is impenetrable.

WorkBoard, Inc. Privacy Notice

Date of Last Revision: December 4, 2023 (previous version)

WorkBoard, Inc. (“WorkBoard,” “we,” “us,” or “our”) knows that your and your Users’ (see definition below) (“you” or “your”) Personal Information is important. We appreciate the trust you place in us when you visit the WorkBoard platform and use our services. As a result, we process the Personal Information we receive from you responsibly and in accordance with applicable laws and regulations.

This Privacy Notice describes how we process the Personal Information collected when you access this website (“Website”) or our mobile application (“Mobile App”). Together the Website and Mobile App are the WorkBoard Platform (“WorkBoard Platform” or the “Services”). When you leave the WorkBoard Platform, this privacy notice no longer applies. Any subsequent website, application or service you access will have its own privacy notice and other applicable terms.

This Notice also tells you about your rights and choices with respect to your Personal Information, and how you can contact us if you have any questions or concerns. In this Notice, “Personal Information” means any information relating to an identified or identifiable individual.

Please read this Notice carefully. If you do not agree with this Privacy Notice or any part thereof, you should not access or use any part of the Services. If you change your mind in the future, you must stop using the Services and you may exercise your rights in relation to your Personal Information as set out in this Notice.

PLEASE NOTE: If you are entering Personal Information on behalf of your Users into the WorkBoard Platform, this WorkBoard Platform Privacy Notice must be incorporated into your own privacy notice that you deliver to your Users.

1. Personal Information We Collect

When you visit the WorkBoard Platform, we collect: (1) technical information that is used to deliver the contents and services and for other purposes as described below, and (2) information that you, or your Users, voluntarily submit.

Personal Information You Provide to Us

We collect a variety of information that you provide to us. The specific types of information we collect will depend upon your engagement with the WorkBoard Platform.

  • Account Information. If a customer creates an account for you to use the Services as an account administrator (“Administrator”), or by accepting the invitation to register as a user (“User”) under a customer’s account, we collect Personal Information to allow you to use our Services via this account. When you sign up, you provide us with your name, password, email address, physical address, mobile phone number, job title and other account information necessary to create and maintain your account.
  • Contact Information and Other Information You Choose to Provide to Us. You have the ability to provide a variety of information during your interactions with us, such as through emails or other communications. When you contact us via a contact form, email, or other means, you provide us with Personal Information, such as your name and contact details, and the content of your communications.
  • Support Information. When you request technical support services, we will process your Personal Information such as your name and the contact details you use to contact us, as well as information regarding the reasons for your support request, the support that was provided, and any additional information you may provide in that context.
  • Financial Information. If you purchase our Services, you will need to provide payment information. We will use that information solely for the purpose of fulfilling your purchase request. We ourselves do not store any of your (or your Users’) financial information, but rely on the services of payment providers to carry out any payments you wish to make to us.
  • Other Information. You may choose to directly provide us with information associated with your use of the Services. For example, if you decide to use the Services offered by us we will collect and store the content and information you or your Users create or upload to the account on the WorkBoard Platform (“User Content”).

Information Collected via Automated Means

We automatically collect certain information based upon your behavior on the WorkBoard Platform. We use this information to conduct internal research on system usage, demographics, interests, and behavior to better understand who is visiting the WorkBoard Platform, for marketing purposes and to improve our related services. Whenever possible, the collected data is de-identified, aggregated and/or anonymized.

  • Single Sign-On Through Internet Service Providers. We may collect Personal Information from internet service providers when you decide to use their single sign-in servers to connect to our Services. Your interactions with these tools are governed by the privacy notices of the corresponding platform.
  • Device and Usage Information. When you access and use the WorkBoard Platform, we receive and store information about your (and your Users’) interactions, such as date/time stamps, usage information and statistics, your internet protocol (IP) address, hardware and software information (including operating system version and type), browser type, device identifiers, device event information, crash data, cookie data, and the pages you have viewed or engaged with before or after accessing the WorkBoard Platform, including content accessed, time viewed, links clicked, referring/exit pages, and clickstream data. This information could be used to identify you and/or your device and may provide us with your location.
  • Cookies and Similar Technologies. We collect Personal Information via cookies, pixel tags, or similar technologies on the WorkBoard Platform (collectively referred to as “Cookies”). For more information on our use of Cookies, please read our Cookie Notice.

2. How We Use Personal Information We Receive or Collect

We use the Personal Information we receive or collect for the following purposes:

  • To Create Your Account for our Services and to secure and maintain it.
  • To Provide Our Services, including to operate, maintain and support our Services by making available our online database with business contact details to Administrators and Users.
  • To Communicate With You, including to contact you for administrative purposes such as security or support and maintenance advisories, to provide services and information that you request, to respond to comments and questions, to contact you regarding issues concerning your use of our Services, including changes to this Notice, and to otherwise provide customer support.
  • Subject to any consent requirements, to Send Marketing Materials, alerts about the latest developments and features or other promotional materials, and to develop new promotional materials that can be useful or relevant to our customers. You will always be provided with an opportunity to opt out of receiving such communications. For example, you can opt out by following the instructions located at the bottom of any commercial emails you may receive or by contacting us as outlined in the Contact Us section in this Privacy Notice.
  • For Personalization to customize our Services.
  • For Analytics and Product Development, including to measure and analyze usage trends and preferences in order to improve our Services, and to develop new products, services, and features.
  • For Customer and Vendor Relationship Management, including to track emails, phone calls, and other actions you have taken as a prospective customer or our customer or vendor.
  • For Aggregation. We sometimes aggregate or anonymize Personal Information in a form that does not allow our Administrators or Users to be personally identified and use the resulting information for statistical analysis regarding the use of the Services, such as to better understand our customer base, or for other purposes.
  • For Administrative and Legal Purposes, such as for compliance purposes, including enforcing our contractual rights or enforcing or defending other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency, and to comply with our legal obligations and internal policies as permitted by law.

3. Legal Bases for the Processing of Personal Information

If you are located in the EEA, UK or Switzerland, we only use your Personal Information as described in this section if we have a valid legal ground for the processing, including:

  • Consent. This is the case where you have consented to the use of your Personal Information.
  • Contract. We need your Personal Information to provide you with our Services in order to perform our end of our contracts with you, such as to create and secure your account, or to respond to your inquiries.
  • Legitimate Interest. We have a legitimate business interest in processing your Personal Information to provide the Services to our Customers. We only rely on legitimate interest as a legal basis when such legitimate interests are not overridden by your interests or your fundamental rights and freedoms and we ensure we comply with any request you make to exercise your rights.
  • Legal Obligation. We may have a legal obligation to process your Personal Information, for example to comply with tax and accounting obligations, and we may process your Personal Information when necessary to establish, exercise, or defend legal claims. We may also process your Personal Information when necessary to protect your or another individual’s vital interests.

4. Who We Share Personal Information With

We may disclose Personal Information about you under the following circumstances:

  • Group Entities. We may disclose Personal Information about you to our affiliates and subsidiaries, if any.
  • Service Providers. We work with third parties to provide services such as hosting, maintenance, and support. These third parties may have access to or process your Personal Information as part of providing those services to us. For example:
    • Cloud service providers who we rely on for data storage, disaster recovery and to perform our obligations to you.
    • We use providers of business communication tools for providing product information and marketing materials to you.
  • Legal. Information about our Administrators and Users, including Personal Information, will be disclosed to law enforcement agencies, regulatory bodies, public authorities or pursuant to the exercise of legal proceedings if we are legally required to do so, or if we believe, in good faith, that such disclosure is necessary to comply with a legal obligation or request, to enforce our terms and conditions, to prevent or resolve security or technical issues, or to protect the rights, property or safety of WorkBoard, our Administrators or Users, a third party, or the public.
  • Change of Corporate Ownership. Information about our Administrators or Users, including Personal Information, may be disclosed and otherwise transferred to an acquirer, successor, or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.
  • Aggregated Information. We may use and disclose aggregated or otherwise anonymized information for any purpose, unless we are prohibited from doing so under applicable law.
  • Business Partners. We may share Personal Information such as name, email, phone, work history, location, skillset, social profiles and related data with our business partners, including for the purposes of sales, marketing, recruiting and other related purposes. We may share Personal Information with our business partners in order to contact potential customers, market products and services, recruit new employees and for other related purposes. You will always be provided with an opportunity to opt out of this type of sharing.

A list of current sub-processors is located here. We will provide notice if this list of sub-processors changes. If you do not agree with the changes you may terminate your use of the WorkBoard Platform in accordance with the terms of your contractual agreement with WorkBoard.

  • Protection of Us and Others. By accessing the WorkBoard Platform you acknowledge and agree that we may also release your information when required by law or in good faith when we believe that disclosure is reasonably necessary to comply with the law or legal process (e.g., a subpoena or court order); to enforce our privacy notice or other contracts with you, including investigations of potential related violations; to protect our or others’ rights, property, or safety; to respond to claims that any content violates the rights of third parties; or to respond to your requests for customer service. This includes exchanging information with other companies and organizations for fraud protection, spam/malware prevention, and similar purposes.
  • Business Transfers. As we continue to develop our business, we may buy, merge, or partner with other companies. In such transactions (including in contemplation of such transactions), user information may be among the transferred assets. If a portion or all of our assets are sold or transferred to a third-party, customer information (including your email address) would likely be one of the transferred business assets. If such transfer is subject to additional mandatory restrictions under applicable laws, we will comply with applicable restrictions.
  • Native Integrations. You can use native integrations to share data with other work applications. WorkBoard does not share data from integrated apps with any other services or clients. For example, if you integrate your Slack account, we access your Slack account to gather information that is required for the integration endpoint. PLEASE NOTE: We do not “sell” your Personal Information to any third-parties, as defined by your Data Processing Agreement with us, which is located on the Website or as agreed with the Administrator.

5. Privacy Notice for Residents of Certain U.S. States

Some U.S. state laws provide state residents with additional privacy rights. We are not currently subject to any U.S. state law which grants its residents additional privacy rights, including the California Consumer Protection Act/California Privacy Rights Act.

Do Not Track Disclosure

Regulatory agencies such as the U.S. Federal Trade Commission have promoted the concept of Do Not Track as a mechanism to permit Internet users to control online tracking activity across websites through their browser settings.

We currently do not process or comply with any web browser’s “do-not-track” signal or other similar mechanism that indicates a request to disable online tracking of individual users who visit our Sites or use our Services.

Children’s Online Privacy Protection Act Compliance

Our Services are all directed to people who are at least 16 years old.

We do not knowingly collect any “Personal Information” (as defined by the U.S. Children’s Online Privacy Protection Act) from anyone under 16 years of age without valid parental consent. If we become aware that we have collected such Personal Information without parental consent, we will take reasonable steps to delete it as soon as possible. We also comply with other age restrictions and requirements in accordance with applicable local laws.

Retention of Information

We keep your information for no longer than necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and/or as required to comply with applicable laws.

Security

We implement a variety of security measures designed to protect the safety of your Personal Information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction when you enter or submit your Personal Information on the WorkBoard Platform. However, no Internet or email transmission is ever fully secure or error free. Please keep this in mind when disclosing any information to us via the Internet.

6. Yours (and Your User’s) Data Subject Rights

You have the following rights associated with the processing of your personal information:

  • Right to Access. You have the right to obtain access to the Personal Information we hold about you and to request certain information about our processing. More specifically, you have the right to receive an explanation of (i) why we process your Personal Information, (ii) the categories of Personal Information we have about you, (iii) who we share your Personal Information with, (iv) how long we store your Personal Information and (v) who we received your Personal Information from, if it was not collected from you directly. We will also inform you about your privacy rights.
  • Right to Rectification. You have the right to correct, update or complete any Personal Information we hold about you that is inaccurate or incomplete. Please note that we may rectify or remove incomplete or inaccurate information, at any time and at our own discretion.
  • Right to Erasure. You may request to have your Personal Information anonymized, erased or deleted, as appropriate. In this case, if there is no overriding legitimate interest to continue processing your Personal Information we will erase your data.
  • Right to Object to Processing. You have the right to object to our processing of your Personal Information where we are relying on a legitimate interest or if we are processing your Personal Information for direct marketing purposes.
  • Right to Restrict Processing. You have a right in certain circumstances to stop us processing your Personal Information other than for storage purposes.
  • Right to Portability. You have the right to receive, in a structured, commonly used and machine-readable format, Personal Information that we hold about you, if we process it on the basis of our contract with you, or with your consent, or to request that we transfer such Personal Information to a third party.
  • Right to Withdraw Consent. You may withdraw any consent you previously provided to us regarding the processing of your Personal Information at any time and free of charge. We will apply your preferences going forward. This will not affect the lawfulness of the processing before you withdrew your consent.
  • Right to Lodge a Complaint. You may lodge a complaint with a supervisory authority, including in your country of residence, place of work, or where you believe an incident took place.
  • Right to non-discrimination related to the exercising of your rights provided by law.

Exercise your data subject rights under GDPR

We provide you with an easy way to submit privacy-related requests, such as a request to access or erase your personal data. If you want to make use of your data subject rights, please visit our public privacy landing page.

Please note that, prior to any response to the exercise of such rights, we will require you to verify your identity. In addition, we may have valid legal reasons to refuse your request and will inform you if that is the case. Note that applicable laws contain certain exceptions and limitations to each of these rights.

Only the registered account Administrator may close an account. The Administrator may decide to terminate the ability of one or more of the invited Users to use their account. Only the Administrator or User’s manager may request the deletion of the User Content in the account.

International Data Transfers

If you provide us with your Personal Information when using the Services from the EEA, Switzerland or the UK or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your Personal Information outside of those regions to the United States for storage and processing.

If we transfer your Personal Information internationally, we will ensure that relevant safeguards are in place to afford adequate protection for your Personal Information and we will comply with applicable data protection laws, in particular by relying on an EU Commission adequacy decision, or the current standard contractual protections for the transfer of your Personal Information or if a derogation is available.

The specific legal basis for the international or cross-border transfer of your Personal Information is located in your Data Processing Agreement with WorkBoard (“DPA”), which is located on our website, or as has been agreed to with your organization.

Third Party Links and Websites

This Privacy Notice does not address, and we are not responsible for, the privacy practices of any third parties, including those that operate websites to which the WorkBoard Platform links. The inclusion of a link on the WorkBoard Platform does not imply that we or our affiliates endorse the practices of the linked website.

Co-Branded Websites

In the event that our Website links to other websites that include our branding, this Privacy Notice does not apply to those other websites. Visitors to those websites are advised to carefully read the notices on those individual websites.

Security

We employ industry standard technological measures that are reasonably designed to help protect your personal information from loss, unauthorized access, disclosure, alteration or destruction. WorkBoard may use, without limitation, firewalls, password protection, secure socket layer, and other security measures to help prevent unauthorized access to your personal information. While we take reasonable efforts to guard personal information, no security system is impenetrable.

Change of Ownership

In the event of a change in ownership, or a merger with, acquisition by, or transfer or sale of all or a portion of our assets to, another entity, we reserve the right to transfer all of your Personal Information, including email addresses, to that entity. We will use reasonable efforts to notify you of any such transfer to an unaffiliated third party (by a posting on our homepage, or by email to your email address that you provided to us, as chosen by us in our discretion).

7. Microsoft OpenAI Privacy Policy

Utilization of OpenAI's GPT-3.5 as our foundational Language Model (LLM) is subject to the privacy policy articulated by Microsoft Cognitive Services, which encompasses OpenAI services. We acknowledge the significance of privacy and data protection and are committed to ensuring that user data is handled with the utmost care and compliance.

For your reference and transparency, the Microsoft OpenAI Privacy Policy, which governs the data privacy practices associated with our use of the GPT-3.5 model, can be accessed via the following link: Microsoft OpenAI Privacy Policy.

This policy outlines the procedures, safeguards, and principles that Microsoft employs to uphold user privacy, ensuring that data processing aligns with regulatory requirements and industry standards.

8. Changes to Our Privacy Notice

We reserve the right to amend this privacy notice at any time to reflect changes in the law, our data collection, use or sharing practices or advances in technology. We will make the revised Privacy Notice accessible throughout the WorkBoard Platform. You should review this privacy notice periodically. The “Date of Last Revision” included at the beginning of this privacy notice will indicate when it was last updated.

By continuing to access or use our WorkBoard Platform, you are confirming you have read and understand the latest version of this Privacy Notice.

Complaints

If you wish to lodge a complaint about how we process your Personal Information, please contact us as described in the Contact Us section below. We will endeavor to respond to your complaint as soon as possible. You may also lodge a claim with the applicable supervisory authority.

Contact Us

WorkBoard, Inc. is the entity responsible for the processing of your Personal Information and, for the purpose of the European Union’s General Data Protection Regulation, is the Data Processor (you are the Data Controller) regarding the processing of your Personal Information. If you have any questions or comments about this Privacy Notice, our privacy practices, or if you would like to exercise your rights with respect to your Personal Information, please contact us by one of the following methods:

  • Send us an e-mail at: privacy@workboard.com, or
  • Write to us at: 487 Seaport Ct., Suite 100, Redwood City, CA 94063

Representative for data subjects in the EU and UK

WorkBoard, Inc. does not have an EU Data Protection Officer. We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://prighter.com/q/11225937575