GDPR and FinancialForce Services, Your Questions Answered
Please provide a general description of the services FinancialForce provides to its customers.
FinancialForce provides software-as-a-service solutions, including the following applications covered in this document: Financial Management, which enables businesses to automate key finance functions - including accounting, revenue recognition, billing, and payments - in a customer-centric manner; Professional Services Automation, which enables businesses to automate professional services operations, including project, resource, time and expense management; and Human Capital Management, which enables businesses to automate key human resources functions, and which FinancialForce intends to cease providing in 2022 (collectively “FinancialForce Services”).
The FinancialForce Services were developed and operate on the Salesforce platform, an industry-leading and mature platform for cloud applications, and benefit from the security and data protection features that the Salesforce platform offers.
Please describe the personal data that will be used, stored, collected, disclosed or otherwise Processed by the FinancialForce Services.
FinancialForce customers choose what data to submit to the FinancialForce Services. Types of personal data typically submitted to the FinancialForce Services include:
- Financial Management: name, title, address, phone number and email address. The contacts object on the Account for customer/vendor/partner/investor/any party includes “sentiment” information (adversary, advocate, neutral).
- Professional Services Automation: name, email address, telephone number, business travel and expense information, professional certifications/qualifications, utilization and skills ratings.
- Human Capital Management: The system requires only first name and last name. All other data is optional and enabled through configuration of the FinancialForce Human Capital Management Service, including the following categories:
- Address and address history
- Phone numbers and phone history, ethnicity, date of birth, blood type and disability status are found on the Worker Record
- Emergency contacts full name, address, phone
- Certifications and related IDs
- Email information work, personal, etc.
- National IDs (SSN, SIN, etc.)
- Dependent / Beneficiaries first name, last name, national ID, date of birth
- Benefits enrollment information
- Pension contribution information
- Bank account information
- Twitter, Facebook, LinkedIn ID
- Proof-of-citizenship scanned documents related to Form I-9, stored in notes and attachments
- Tax withholding information related to the W-4 process
- Absence history could have information stored in the notes field
- Extended leave functionality permits attachments such as scanned doctors' notes in notes and attachments, along with the other information which can be stored on the record itself
- For the recruiting module, only personal email is a required field if this functionality is turned on
- Candidate information and uploaded CVs can be stored, including candidate full name, address, education history and work history, email, disability status
- Salary history
- Job/Position history
- Bonus history
- Equity history
- Allowance history
- Performance reviews (including competencies and ratings as part of performance review)
- Ad hoc feedback provided by managers or fellow employees
- Professional / personal goals either part of performance review or standalone
The FinancialForce Services do not themselves collect personal data; customers choose what personal data to submit.
What is the general purpose for processing the personal data?
FinancialForce provides online software-as-a-service solutions for financial management, professional services automation, and human capital management. FinancialForce’s customers typically use the FinancialForce Services to manage their own businesses, interact with their own customers and employees, and manage the information surrounding those interactions. As the data controller, the FinancialForce customer should determine its specific purpose for processing personal data in the FinancialForce Services.
FinancialForce processes personal data to offer the FinancialForce Services pursuant to the terms agreed in its contract with the customer.
What other types of personal data does FinancialForce collect?
We mainly collect and process personal data about our employees and business contact data relating to our customers, prospects, suppliers and other individuals with whom we have a business relationship. We also gather personal information through our website and other sources. We take care to protect all the personal information that we hold in accordance with law.
Is FinancialForce a controller or processor?
With respect to data submitted to the FinancialForce Services, FinancialForce acts as a data processor. With respect to data collected by FinancialForce in its other business activities (such as, for example, sales, marketing and professional services activities and management of its employees), FinancialForce processes data both as a data controller and a data processor.
What is FinancialForce’s lawful basis for processing personal data when providing FinancialForce Services?
When providing the FinancialForce Services, FinancialForce is a data processor for the customer and the lawful basis for processing is the performance of the contract with the customer.
What contracts are in place to protect personal data submitted to the FinancialForce Services?
FinancialForce sets out protections for personal data in our contracts with customers. Contractual documents containing protections for personal data include (1) a master subscription agreement between FinancialForce and the customer; and (2) a Data Processing Addendum, which can be added to the contract (if not already included) by downloading from here.
Do you have contracts with FinancialForce suppliers (sub-processors) that support your provision of FinancialForce Services?
Yes. FinancialForce commits in clause 5.1 of the Data Processing Addendum to ensure it has contracts in place with its suppliers. See information on sub-processors in FinancialForce Trust and Compliance Documentation.
Where will customer personal data be stored?
FinancialForce Services are built, and all data submitted to the FinancialForce Services is stored, on the Salesforce platform. Storage locations for personal data submitted to the FinancialForce Services are described in the FinancialForce Trust and Compliance Documentation.
Will customer personal data be transferred outside of the European Union (EU)?
At the outset, we note that the GDPR, like the prior EU data directive, does not require personal data to be stored in the EU.
FinancialForce Services are built on the Salesforce platform. The Salesforce platform has data centers in the EU; however, Salesforce does not guarantee that personal data of FinancialForce's customers (including its EU-based customers) will be stored exclusively in EU data centers. In addition, regardless of which data centers a customer's data is stored in, the Salesforce platform may store identifying information about customers' users in all data centers globally for the purposes of operating the FinancialForce Services, such as facilitating the login process and enabling FinancialForce to provide customer support. For more details, please see the FinancialForce Trust and Compliance Documentation.
Additionally, FinancialForce affiliates and subcontractors across all global regions may access customer personal data to provide support to customers. These entities and their locations are set out in the FinancialForce Trust and Compliance Documentation. Any such access for support purposes is subject to the customer’s electronic consent on a case-by-case basis.
In addition, FinancialForce offers two mechanisms to legally transfer personal data outside of the EU: the EU Standard Contractual Clauses, and the EU-US and Swiss-US Privacy Shield. For more information about these transfer mechanisms and which FinancialForce Services will rely on which mechanism, please review our Data Processing Addendum.
What security measures does FinancialForce apply to protect data stored when utilising the FinancialForce Services?
FinancialForce takes security seriously, and has established a formal Information Security function, led by the Chief Information Security Officer (CISO). One of the CISO's primary objectives is to enforce appropriate governance and monitor security compliance in line with the company Information Security Policy and Standards.
FinancialForce has policies and procedures in place to protect the security of the FinancialForce Services. See our Trust page for more information. FinancialForce Services were developed on the Salesforce platform, an industry-leading and mature platform for cloud applications, and benefit from the security and data protection features that the Salesforce platform offers.
The security policies, procedures, and controls FinancialForce makes available to customers are described in our Security Whitepaper. More information can be found in the FinancialForce Trust and Compliance Documentation.
FinancialForce customers share responsibility for managing security. FinancialForce provides a robust set of security controls, made available from the Salesforce platform, that a FinancialForce customer can configure. Each customer is responsible for configuring those security controls and for managing other aspects of processing under its control, such as the security of the customer's end users' computers and controlling access to its instances of the FinancialForce Services.
How are breach notifications addressed?
FinancialForce has a detailed Cyber Security Incident Response Plan and Security Incident Management Procedure, and has formed a Cyber Incident Response Team (CIRT) to support notification to customers in the event of a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such customers' data. These procedures also guide the CIRT in investigation, management, resolution and remediation activities, as well as cooperation with law enforcement, in the event of a breach. FinancialForce commits contractually in its Data Processing Addendum to provide such notification, as required by the GDPR. Notification may include phone contact by FinancialForce's Customer Support or Customer Success team, email to the customer's designated contact, and/or a public announcement. Regular updates are provided to engaged parties until the issue is resolved. Incident tracking and resolution are documented and managed within a centralized incident logging system.
Are there any security attestations and/or certifications in place with respect to the FinancialForce Services?
Yes. Information about FinancialForce attestations and/or certifications, as well as those of Salesforce that apply to the Salesforce platform, is provided in our FinancialForce Trust and Compliance Documentation.
Do the FinancialForce Services process “special categories of personal data” (as defined under GDPR) or personal data related to criminal convictions or offences?
The FinancialForce Human Capital Management service may be used to process health and other special categories of data (see the Human Capital Management list above for the categories of data). Subject to that, submission of special categories of personal data is neither expected nor required. More information is available in the FinancialForce Trust and Compliance Documentation.
Customers are responsible for ensuring that submission of special categories of personal data to the FinancialForce Services complies with applicable laws.
Could the processing of the personal data by FinancialForce in relation to its customers have an impact on key aspects of an individual’s life?
How FinancialForce's processing of personal data in the FinancialForce Services affects key aspects of an individual's life will depend upon how the customer uses the FinancialForce Services, and as such must be determined by the customer. Customers of the FinancialForce Human Capital Management Services should consider how their use of the solution may impact key aspects of an individual's life, based on how they have configured the solution.
Outside the FinancialForce Services, FinancialForce does not process personal data related to its customers in a manner that is likely to have an impact on key aspects of an individual's life.
Are the data subjects made aware of the details of the processing of their personal data in the FinancialForce Services?
FinancialForce provides the FinancialForce Services to its customers, which may in turn use the FinancialForce Services to store, manage and process data about and communicate with data subjects. As a data processor, FinancialForce does not know the identities of, or directly communicate with, its customers' data subjects. It is the customer’s responsibility, as the data controller, to communicate the details of the processing to its data subjects.
How can requests from individual data subjects to access or correct their personal data be handled when using FinancialForce Services?
The FinancialForce Services allow customers to manage the personal data they maintain in the FinancialForce Services, including in response to data subject requests. To the extent a customer needs FinancialForce's assistance to respond to a Data Subject, FinancialForce will provide assistance as described in section 3 of our Data Processing Addendum.
Who is responsible for assuring proper use of personal data in the FinancialForce Services?
Customers are responsible for using the FinancialForce Services appropriately, including their processing of personal data using the FinancialForce Services. FinancialForce is responsible for providing the FinancialForce Services as described in its contract with its customers. Under that contract, FinancialForce commits to using the data only to provide the FinancialForce Services, to prevent or address service or technical problems, as compelled by law, or as the customer expressly permits in writing.
How is access to the FinancialForce Services managed?
All access to FinancialForce Services is controlled via login with a user identification and password. Customers can also configure additional access controls, such as, for example, multi-factor authentication and IP range restrictions. Please see the Salesforce Security Guide for additional information.
Customers can assign different levels of access to their users. The FinancialForce Services are built on the Salesforce platform, which allows customers to assign access permissions based on the user's role. FinancialForce customer contracts restrict access by FinancialForce personnel and its sub-processors’ personnel, who may access personal data only to provide the services, to prevent or address technical or service problems, if compelled by law, or with the customer's written permission.
Can FinancialForce personnel access personal data in the FinancialForce Services, and if so, for what purpose and where are they located?
FinancialForce agrees by contract that its and its sub-processors’ personnel may access personal data only to provide the FinancialForce Services, to prevent or address technical or service problems, if compelled by law, or with the FinancialForce customer's written permission.
FinancialForce affiliates and subcontractors may access customer personal data to provide support to customers. These entities and their locations are set out in the FinancialForce Trust and Compliance Documentation.
How does information flow in the FinancialForce Services?
FinancialForce Services are built and operate on the Salesforce platform, an industry-leading and mature platform for cloud applications. Customers can allow their users to access the FinancialForce Services from virtually anywhere with an Internet connection. For these reasons, data may flow between the FinancialForce Services and any location globally, depending on where the customer and its users are located.
Within the FinancialForce Services, data flows as follows:
- Personal data about a FinancialForce customer's users: Customers enter personal data about their users when they provision the users' accounts. Personal data may also be collected when users perform activities in the FinancialForce services, for example, when their actions generate records of their activities. In either case, the information flows from the location of the person entering the data to the Salesforce platform storage facilities utilised by the FinancialForce Services.
- Personal data accessed by FinancialForce personnel: If FinancialForce personnel access personal data—for example, if a customer requests that FinancialForce access its data during a customer support inquiry—the data will be visible to the FinancialForce individual accessing the data. The locations of FinancialForce entities and its sub-processors that may access personal data in this manner are set out in the FinancialForce Trust and Compliance Documentation.
How long is personal data retained in the FinancialForce Services and when is it deleted?
Customers choose how long to retain Customer Data, including personal data, when using the FinancialForce Services. Unless otherwise specified in the contract with the customer or our documentation, FinancialForce does not delete Customer Data, including personal data, during a subscription term, unless the customer instructs FinancialForce to do so. After a customer's contract with FinancialForce terminates, FinancialForce deletes Customer Data, including personal data, in the manner described in the FinancialForce Trust and Compliance Documentation.
How are requests from Data Subjects to have their personal data deleted managed?
FinancialForce will notify a customer if it receives a request to exercise rights related to the processing of personal data on the FinancialForce Services (for which that customer is the Data Controller) as set out in FinancialForce’s Data Processing Addendum. Whilst customers should have all the access needed to manage such requests, FinancialForce commits to provide reasonable assistance if needed.
General Questions about FinancialForce Privacy Program
Does FinancialForce comply with the GDPR?
Like any responsible organization, FinancialForce aims to comply with the data protection laws that apply to it. FinancialForce has an EU establishment and is therefore directly subject to the GDPR. See our Guide to the GDPR and GDPR FAQs for more information.
Has FinancialForce appointed a Data Protection Officer?
FinancialForce has a Privacy Officer who is responsible for privacy management at FinancialForce. To reach our Privacy Officer, please email firstname.lastname@example.org.
Are FinancialForce employees bound by confidentiality obligations?
Yes, FinancialForce commits in its Data Processing Addendum to ensure that personnel have been appropriately trained, are reliable and enter into confidentiality agreements.
Does FinancialForce publish a privacy statement?
Yes, you can review our privacy statement here.
We are completing a Data Protection Impact Assessment (DPIA) and/or Privacy Impact Assessment (PIA) in respect of our use or intended use of FinancialForce applications, what information can FinancialForce provide us to assist us with this exercise?
FinancialForce has prepared a Data Protection Impact Assessment Information Sheet containing information to assist you when completing a DPIA or a PIA.
Are Employees trained on privacy and data protection?
Employees are trained on privacy and information security annually.