15Five Security and Privacy Changes, Sub-processor modification

Posted: October 7, 2021
Author: Patrick Sanders (Director of Information Security and Compliance)

At 15Five, we are always looking for new ways to improve your experience with our software and services. That includes complying with all applicable laws and regulations, and protecting your sensitive data.

In order to continue developing a high quality product and to better support you , we have updated our privacy policy, made changes to our Master Service Agreement (MSA), added the new EU Standard Contractual Clauses (SCCs), and are adding or replacing several data sub-processors.

A sub-processor, is an organization that processes Personal Information on our behalf. This is a common practice among software providers like us. We’ll try not to get too technical here, we just want you to know what’s shifting for your benefit and will include links for further clarification. Our number one priority is to protect your data and we assure you that all of your sensitive information will remain safe.

15Five Platform sub-processor modifications

15Five uses a variety of sub-processors to provide infrastructure and other support services to ensure our application is available, responsive, secure and that our staff can adequately support your organization in achieving its goals using our suite of tools.

In this shift, 15Five, Inc. will:

add Datadog, Inc, a U.S. corporation headquartered in New York, to improve our logging, application performance monitoring, and security and incident response posturing using a variety of tools from their suite of tools.

15Five’s contracts with Datadog include data protection language and security posturing that meets or exceeds our technical organizational measures and our contract uses the new EU Model Clauses.

We expect Datadog will process the following Personal Information routinely:
- Technical identifiers (including at least user ID, computer name, domain name, IP address, and software usage pattern tracking information i.e. cookies)
- Contact details as related outbound communication (e-mail address, APNS identifier, FCM/GCM identifiers)
add Skilljar Software Inc., a U.S. corporation headquartered in Seattle, as an optional sub-processor to provide learning and educational resources to customers.

15Five’s contracts with Skilljar include language that ensures data protection standards equivalent or greater than those of 15Five and use Standard Contractual Clauses to govern data transfer. Personal information processed by this system will include:
- First and last name
- Job Title
- Work email address
- Work phone number
add Zuora, Inc, a U.S. corporation headquartered in Redwood City, CA, as a replacement billing processor. 15Five’s contracts with Zuora include language that ensures data protection standards equivalent or greater than those of 15Five and use Standard Contractual Clauses to govern data transfer to the United States.

15Five will process the following data categories of end-users who interact with our billing portal:
- First and last name
- Job Title
- Work email address
- Work phone number
add Docusign, Inc, a U.S. corporation headquartered in San Francisco, CA, as a replacement contract management and signature suite. 15Five will process the following data categories in a non-exhaustive fashion (this processing will only apply to individuals interacting with 15Five contracts and addendum):
15Five’s contracts with Docusign include language that ensures data protection standards equivalent or greater than those of 15Five and use Binding Corporate Rules to transfer data to the United States. 15Five will process the following data categories of end-users who interact with contracts:
- First and last name
- Job Title
- Work email address
- Work phone number
remove Recurly, Inc. as a billing processor. Billing will be handled by the addition of Zuora, Inc. This transition away from Recurly will happen through the end of 2021.
remove Dynatrace, Inc as a logging and application performance monitoring processor. Datadog will take its place within our stack for the purpose of logging and application performance management. We expect to discontinue use by the end of 2021, but some data may remain in the solution through February of 2022.

We firmly believe that these additions and modifications meet or exceed industry standard security and data protection practices. We have prepared a document with information we believe most organizations will need in order to complete a Transfer Impact Assessment. Please email [email protected] if you would like to request a copy of this documentation.

A full list of sub-processors for the 15Five suite of software and our new Engage product (formerly Emplify) can be found here: https://www.15five.com/terms/data-processing-addendum/sub-processors/

Privacy Policy Updates

Following the Schrems II decision of the European Court of Justice and Switzerland’s Federal Data Protection and Information Commissioner (FDPIC), Privacy Shield is no longer a valid transfer mechanism of data flowing to the United States from the European Union or Switzerland.

Though 15Five updated its Data Processing Addendum in 2020 to use the EU approved Model Clauses, our membership in the Privacy Shield program didn’t expire until mid-2021. As we are no longer participating in the Privacy Shield, we are updating our Privacy Policy to remove Privacy Shield specific language.

We have also made other changes required to keep this policy compliant with evolving data protection laws.

Our Privacy Policy can be viewed here: https://www.15five.com/privacy

Changes to our Master Service Agreement

For many years, 15Five has had online Terms of Service for some customers and a Master Service Agreement for others. We however have always only maintained one data processing and security standard that aligns with our MSA.

We are now replacing our online terms of service with our Master Service Agreement to provide all customers with the level of service and to provide additional transparency. Our online Master Service Agreement can be found here: https://www.15five.com/terms/master-service-agreement

Note: This does not apply to customers with negotiated MSAs.

New Standard Contractual Clauses

15Five’s standard online DPA now includes the newly approved EU Standard Contractual clauses. They can be viewed here.

Customers with previously negotiated Data Processing Addendum will need to update these by December 27, 2022 to include the newly revised Model Clauses to comply with the GDPR.

Our number one priority is to protect the data of each of our customers, and we assure you all sensitive information will remain safe. If you have any concerns or would like to exercise the rights enumerated in your contract, a data processing addendum, or law, please contact us immediately at [email protected]

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.