Great Place To Work Privacy & Security Notice
At Great Place To Work Institute, Inc. (“GPTW”) we take security and privacy seriously. GPTW is committed to protecting the privacy of the individuals (“visitors,” “users,” and/or “you”) who visit our website and subpages located at https://www.greatplacetowork.com or use our products and services.
This Privacy & Security Notice describes GPTW’s privacy practices in connection with:
- Our websites and subpages located at https://www.greatplacetowork.com (hereafter the “Site”)
- The GPTW products and services accessed by GPTW’s customers, partners or end users (hereafter, the “Product”)
This Privacy & Security Notice does not cover GPTW’s privacy practices for:
- GPTW employees, contractors, or job applicants
- Children and/or Minors. Our Site is neither designed nor intended for any visitors under 18 years of age. If you have any reason to believe that a visitor to our Site is under 18 years old, please contact us at email@example.com we will endeavor to delete the information from our databases.
What is Personal Information?
For purposes of this Privacy & Security Notice, personal information means information collected by GPTW relating to an identified or identifiable natural person.
Links to Third-party Websites
GPTW’s Privacy Practices Affecting Users of Our Site
Sources of Personal Information We Collect From Site Visitors:
GPTW collects personal information from individuals who access our Site:
- Directly from a website visitor
- From service providers or other third parties; and
- Automatically from a web visitor’s visit or activity on our site.
Information Collected Directly From Website Visitors Including Job Applicants
GPTW collects personal information when you visit our Site and when you choose to provide personal information. For example, we collect information when you contact us via our Site, provide your email, phone number or other similar contact information, such as the information that you provide when you sign up for a webinar.
What We Collect
The personal information collected from a visitor to our Site may include:
- Job Title
- Phone Number
- Email Address
The personal information collected from an applicant or employee of GPTW includes, but is not limited to:
- Personal Identifiers (Name, Address, Age, Date of Birth, Social Security Number);
- Professional or Employment-related Information (Employment Record, Salary);
- Education Information; and
- Personal/Professional Contact Information
If you register to attend a GPTW sponsored Event, we may require certain data in some instances, including:
- Emergency contact
- Dietary preferences
- Health and safety information
- Billing information (such as billing name, billing address, and credit card number)
Information Provided by Third Parties or Publicly Available Sources
We may receive information about you from other sources and combine that information with the information we collect directly. Examples of information we may receive from other sources include: purchased business contact information and from publicly accessible websites, such as your company’s website, professional network services, or press releases. Business contact information may include:
- First name
- Last name
- Business email
- Telephone number
- Company name
- Job level
- Functional role
- Business street address
- Online identifier
- Employment history
We use this data for our internal customer analytics, to identify prospective customer marketing opportunities, and to improve the relevance of our Site content and our advertising.
Information Collected by Cookies
You can set your Internet browser or operating system settings to stop accepting new cookies, to receive notice when you receive a new cookie, to disable existing cookies, to omit images (which will disable pixel tags) or adjust your tracking preferences. Note that the opt-out will apply only to the browser that you are using when you elect to opt out of advertising cookies. Without cookies or pixel tags though, you may not be able to take full advantage of our sites’ features.
Information Collected for Analytics
Our Site may record information concerning how often you use the application, the events that occur within the application, aggregated usage, performance data, your IP address. We do not link the information we store within the analytics software to any personal information you submit within the Site.
If you use certain systems provided by GPTW, we will collect data from you to enable multifactor authentication, such as mobile number, email address, or unique verification identifier.
Information Collected Directly From Social Media Features
Our website may host various blogs, forums, wikis, and other social media applications or services that allow you to share content with other users (collectively “Social Media Applications”). Any personal information or other information that you contribute to any Social Media Application can be read, collected, and used by other users of that Social Media Application over whom we have little or no control. Therefore, we are not responsible for any other user’s use, misuse, or misappropriation of any personal information or other information that you contribute to any Social Media Application.
If GPTW collects any other personal information from you, we will explain which personal information is collected and the purpose for its collection.
Why We Use Your Personal Information
Our purposes of processing personal information include:
- To fulfill the purpose(s) for which the information was collected or provided, including to communicate with you and respond to your inquiries and requests;
- To improve our site, products and services, through testing, research, analysis and product development;
- To market, advertise, and promote our products and services, such as to make suggestions and recommendations to you about products or services that may be of interest to you;
- To provide training related to the products and services, such as making available training materials or events (whether in-person or online) for which we may use your personal information to provide notices and information regarding such training and events;
- For security, audit, internal investigation, and fraud prevention purposes, such as to prevent unauthorized access or disclosure, to maintain data accuracy, to protect the confidentiality, integrity, and availability of your personal information; to allow only the appropriate use of your personal information; to identify any fraudulent, harmful, unauthorized, unethical or illegal activity;
- To manage litigation, such as in connection with establishing, exercising, or defending our legal rights where it is necessary for our legitimate interests or the legitimate interests of others;
- To improve the content and format of our Site by using cookies and other similar technologies, such as to measure the preferences of our Site visitors, analyze trends, administer the Site, analyze use of the Site, and to gather demographic information about visitors to the Site;
- For other purposes for you have provided consent;
- To aggregate or deidentify your personal information so that the information can no longer be linked to you or your device and use and share such data for any business purpose in accordance with applicable law; and
- To comply with all applicable legal obligations, such as to comply with subpoenas and other court orders to process data where we have determined there is a legal requirement to do so.
GPTW utilizes physical, technical, and administrative controls and procedures designed to safeguard the information we collect, prevent unauthorized access or disclosure, to maintain data accuracy of your personal information, and to restrict the processing of your personal information as set forth in this Privacy & Security Notice.
We utilize a variety of physical and logical access controls, firewalls, anti-virus, and backup systems. We use encrypted sessions when collecting or transferring sensitive data through our Site.
We limit access to your personal information and data to those persons who have a specific business purpose for maintaining and processing such information. Our employees who have been granted access to your personal information are made aware of their responsibilities to protect the confidentiality, integrity, and availability of that information and have been provided training and instruction on how to do so.
GPTW’s Privacy Practices Affecting Users of Our Product
We generally market and sell our Product to businesses, not consumers. Our commitments regarding the personal information we collect, use, and disclose about the end users of the Product are largely driven by our contracts with business customers. The information provided below is intended to help our business customers understand our privacy practices. If you are an end user of one of our products or services, you are encouraged to contact your employer with questions about how your personal information is being collected, used, and disclosed.
Information we Collect
In most instances, GPTW customers are the controllers of the personal information they collect, create, communicate, and store in our Product. The types of personal information that can be stored in our Procut may include, but is not limited to:
- End User Names
- Company Names
- Job Titles
- Business Addresses
- Email Addresses
- Any personal information provided to us by Users of our Product, and which is required for us to execute our agreements with our Customers.
Use of Information We Collect
When we act as a processor, the personal information we collect is used to deliver our products and services to Customers. Any personal information we use is done in accordance with our contracts with our Customers.
Because our business clients are data controllers, it is primarily them who must undertake efforts regarding how information is collected and processed in accordance with data-protection laws. Therefore, if you have questions or concerns about the processing of your information as an end user, you should contact your employer directly or refer to its separate privacy policies.
GPTW does not give anyone access to the personal information maintained in the Product unless:
- It is permitted to do so in its contract with the Customer.
- The Customer instructs GPTW to do so;
- The Customer consents (e.g., subprocessors used by GPTW);
- If GPTW is legally obligated to do so; or
- If GPTW has a legitimate interest (as defined under GDPR and other applicable laws) to do so.
GPTW will only retain personal information for the length of time necessary to fulfill the purpose(s) for which the information was collected or as required or permitted by applicable laws, (including the resolution of disputes) and in accordance with our customer contracts.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of the personal information, the purposes for which we process your personal information, and whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require your personal information, we will either delete or deidentify it or, if this is not possible, we will securely store it in accordance with this policy and cease use of the personal information until deletion is possible. If we deidentify your personal information (so that it is no longer associated with you), we may retain this information for longer periods. To support our research and enable historical comparisons, we retain deidentified data indefinitely.
Disclosure of Personal Information
We do not sell your personal information to third parties. We may, however, share your information with:
- Affiliates, Licensees, and Subsidiaries. We might share personal information with our affiliates, licensees, and subsidiaries in order to deliver a product or service or to complete a task requested by our customer.
- Third Party Suppliers or Service Providers. We might engage with third parties (suppliers and/or service providers) in order to deliver a product or service, perform certain functions such as enhancing the Product, or complete a task requested by our customer. We have contracts with our Third Party Suppliers or Service Providers to perform certain functions on our behalf, and only at our direction. Our third parties are bound by confidentiality agreements, only have access to personal information to the extent necessary to provide these contracted services, and are only permitted to process personal information in accordance with our instructions (and for the purposes we disclose).
In addition, GPTW might disclose personal information if we in good faith believe that it is necessary:
- To comply with the law or with a legal process
- To protect or defend our rights and property
- To protect against misuse or unauthorized use of our website
- To protect the personal safety or property of our users or the public (among other things, this means that, if you provide false information or attempt to pose as someone else, information about you may be disclosed as part of any investigation into your actions).
- In connection with, or during negotiations for, an acquisition, merger, asset sale, or other similar business transfer that involves all or substantially all of our assets or functions where personal information is transferred or shared as part of the business assets (provided that such party agrees to use or disclose of personal information consistent with our Privacy & Security Notice or gains your consent for other uses of disclosures).
We will not cross-reference your personal information with that of any other customer or entity. GPTW does not support “back door” access to any of its products, services, or operations (including our data stores) by any government or third party. UKG does not share its encryption keys or provide the ability to break our encryption keys with any government or third party.
Protecting Your Information
GPTW has many dedicated policies, practices, and protocols to protect our IT infrastructure, networks, devices, and data from unauthorized access, collection, retention, and use of sensitive, confidential, and/or proprietary customer or user data, including personal information. These policies, practices, and protocols include, but are not limited to:
Engineering and development access to the components that comprise the Product is restricted using methods including, but not limited to, Single Sign-On, two factor authentication, network segmentation, and IP restriction. Access to servers and services inside the primary Product boundary is controlled using centralized accounts, two-factor authentication, and bastion hosts. We employ separation of duties between developers and operations staff to limit access to the Product environment to those with a legitimate business need. The Product is protected by a web application gateway and an outbound firewall with IdP. Data is encrypted in transit and at rest using encryption that meets the current NIST standard.
Access Provisioning and Review
We have a policy and process for creating new accounts, adding and removing permissions from existing accounts, and deprovisioning access upon separation. Required approvals are collected from supervisors and application / group owners to ensure that requests are reviewed for appropriateness by multiple leaders before permissions are granted. In addition, we conduct a quarterly two-phase access review that engages both supervisors and group owners. GPTW employee permissions related to the Product that grant access to customer data are included in this access provisioning and review process. The Product provides customers with real-time information about the user accounts they have created and gives them the ability to change or revoke access at any time. Customers are responsible for managing access to the platform by creating and revoking user accounts.
Our employee endpoints (laptops and mobile devices) are connected to endpoint management software. In order to sign on to any GPTW SSO protected resource (including the Product), an employee must be using a device registered in our endpoint management software that meets our compliance policy. The compliance policy is designed to ensure that a device meets our standards for minimum operating system version, hard drive encryption, secure boot/anti-rooting, firewall enablement, anti-virus, etc. Users and administrators are notified when a device is out of compliance. Non-compliant devices are automatically blocked from accessing company resources once the compliance grace period expires.
Our employee endpoints (laptops and mobile devices) as well as servers in the Product environment are connected to vulnerability management software. We actively scan for vulnerabilities and have a vulnerability management policy and procedure designed to limit the number of known vulnerabilities and number of exposed devices, according to the severity of the vulnerability. We have periodic vulnerability management meetings to review current remediation status, plan future remediations, manage exceptions and accepted risk, and review aged vulnerabilities as time passes and the technical landscape evolves. On laptops and mobile devices, we automatically update critical software (operating systems, browsers, productivity software). Inside the Product environment, we periodically update minor versions of operating systems, databases, and other critical software through our change management process following validation in pre-production environments.
Backup and Disaster Recovery
The Product environment is periodically backed up. All persistent data is backed up with at least a 24 hour recovery point objective. Data that changes frequently is backed up more frequently (up to and including continuous backup). Backups are persisted to geo-redundant online storage at least every 24 hours to protect against the catastrophic failure of a given data center. The majority of our infrastructure is implemented using infrastructure as code. We have documentation and code allowing us to build a new Product environment in the event of a major disaster. We test our disaster recovery procedure annually.
Data Classification, Handling, and Labeling
We have a data classification, handling, and labeling policy. Data is classified according to its risk. Employees receive training on the policy and its practical implementation. We have a detailed list of all data artifacts related to or produced by the Product that explains their classification in detail.
Global Laws and Regulations
We commit to comply with all applicable laws and regulations including, but not limited to, the following outlined below.
General Data Protection Regulation (GDPR)
The GDPR is a comprehensive data-protection law that regulates the processing of personal data of European Union (EU) residents and provides individuals rights to empower individuals by giving them more control over their personal data. The GDPR enshrines major principles such as privacy by design, privacy by default, and implementation of strong technical and organizational measures designed to protect personal data.
The GDPR is not limited to the EU. It applies to all organizations that target, collect, or use the personal data of any EU resident and mandates organizations to:
- Know what data they hold and have appropriate rights to use the data.
- Be accountable and able to answer questions about what type of data they hold, and in some cases, delete data they no longer need.
- Notify supervisory authorities of data breaches.
- Use vendors that comply with the principles of the GDPR
- Offer European Essential Guarantees by challenging governments’ requests to access personal data.
GPTW is committed to compliance with the GDPR and all applicable laws. We have enhanced process to prepare to address the rights of people in the EU and we are prepared to answer questions from our customers as well as our employees.
California Residents – California Privacy Notice
The California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”) provide certain privacy-related rights to California residents. Learn more about GPTW privacy practices and compliance with the CCPA and CPRA.
International Transfers of Personal Information
GPTW operates globally and, as such, may process personal data worldwide to provide customer support; in connection with GPTW sub-processors, a list of which is available below and their own sub-processors, where applicable; and in connection with GPTW professional services.
Strict data protection laws govern he transfer of personal data from the European Economic Area (EEA), United Kingdom, and Switzerland, to countries deemed by the European Commission as not offering an equivalent standard of protection, including the United States.
To address this requirement for our customers with operations in the EEA, the United Kingdom, and Switzerland, GPTW has incorporated the European Commissions approved standard contractual clauses, also referred to as the “SCCs,” into our customer contracts.
GPTW has started using the new SCCs, which were adopted on June 4, 2021, for all new agreements, order forms, and other customer and supplier transaction documents. If you require an amendment to include the new SCCs, please reach out to firstname.lastname@example.org.
As part of providing the Product to you, we currently engage the following sub-processors:
Data Subject Rights
If you have a question or request concerning personal information held by GPTW, including your personal information collected through the use of the Product please email email@example.com. To protect your privacy and security, we may take reasonable steps to verify your identity before responding to your request. We will respond to your request within a reasonable timeframe and as otherwise required by applicable law in your location.
Updates To Our Global Privacy & Security Notice
GPTW reserves the right to update or change portions of this statement at any time and without prior notice. If we change or update this statement in a material way, we will process new personal information received under this Global Privacy & Security Notice according to the terms of this Notice, unless you consent otherwise.
How To Contact GPTW
If you have any questions or comments about this Global Privacy & Security Notice, GPTW’s privacy practices or if you would like us to update information or preferences you provided to us, please e-mail us at: firstname.lastname@example.org
Written responses may also be submitted to:
Great Place To Work® Institute, Inc.
1999 Harrison Street, Suite 2070
Oakland, CA 94612
Last Updated: 2023-04-05