FinancialForce provides software-as-a-service solutions, including the following applications covered in this document: Financial Management, which enables businesses to automate key finance functions – including accounting, revenue recognition, billing, and payments – in a customer-centric manner; Professional Services Automation, which enables businesses to automate professional services operations, including project, resource, time and expense management; and Human Capital Management, which enables businesses to automate key human resources functions, and which FinancialForce intends to cease providing in 2022 (collectively “FinancialForce Services”).
The FinancialForce Services were developed and operate on the Salesforce platform, an industry-leading and mature platform for cloud applications, and benefit from the security and data protection features that the Salesforce platform offers.
FinancialForce customers choose what data to submit to the FinancialForce Services. Types of personal data typically submitted to the FinancialForce Services include:
The FinancialForce Services do not collect personal data.
FinancialForce provides online software-as-a-service solutions for financial management, professional services automation, and human capital management. FinancialForce’s customers typically use the FinancialForce Services to manage their own businesses, interact with their own customers and employees, and manage the information surrounding those interactions. As the data controller, the FinancialForce customer should determine its specific purpose for processing personal data in the FinancialForce Services.
FinancialForce processes personal data to offer the FinancialForce Services pursuant to the terms agreed in its contract with the customer.
We mainly collect and process personal data about our employees and business contact data relating to our customers, prospects, suppliers and other individuals with whom we have a business relationship. We also gather personal information through our website and other sources. We take care to protect all the personal information that we hold in accordance with law.
With respect to data submitted to the FinancialForce Services, FinancialForce acts as a data processor. With respect to data collected by FinancialForce in its other business activities (such as, for example, sales, marketing and professional services activities and management of its employees), FinancialForce processes data both as a data controller and a data processor.
FinancialForce has determined it is a Service Provider under CCPA with respect to the FinancialForce Services and data submitted by customers to FinancialForce Services. Consequently, we have updated our Data Processing Addendum to comply with CCPA, making clear FinancialForce acts as a Service Provider. We have also made available a CCPA Amendment, for those customers who have already signed a DPA with FinancialForce.
When providing the FinancialForce Services, FinancialForce is a data processor for the customer and the lawful basis for processing is the performance of the contract with the customer.
FinancialForce sets out protections for personal data in our contracts with customers. Contractual documents containing protections for personal data include (1) a master subscription agreement between FinancialForce and the customer; and (2) a Data Processing Addendum, which can be added to the contract (if not already included) by downloading from here.
Yes. FinancialForce commits in clause 5.1 of the Data Processing Addendum to ensure it has contracts in place with its suppliers. See information on sub-processors in FinancialForce Trust and Compliance Documentation.
FinancialForce Services are built, and all data submitted to the FinancialForce Services is stored, on the Salesforce platform. Storage locations for personal data submitted to the FinancialForce Services are described in the FinancialForce Trust and Compliance Documentation.
At the outset, we note that the GDPR, like the prior EU data directive, does not require personal data to be stored in the EU.
FinancialForce Services are built on the Salesforce platform. The Salesforce platform has data centers in the EU; however, Salesforce does not guarantee that personal data of FinancialForce’s customers (including its EU-based customers) will be stored exclusively in EU data centers. In addition, regardless of which data centres a customer’s data is stored in, the Salesforce platform may store in all data centres globally identifying information about customers users for the purposes of operating the FinancialForce Services, such as facilitating the login process and enabling FinancialForce to provide customer support. For more details, please see the FinancialForce Trust and Compliance Documentation.
Additionally, FinancialForce affiliates and subcontractors across all global regions may access customer personal data to provide support to customers. These entities and their locations are set out in the FinancialForce Trust and Compliance Documentation. Any such access for support purposes is subject to the customer’s electronic consent on a case-by-case basis.
In addition, FinancialForce legally transfers personal data outside of the EU making use of the EU Standard Contractual Clauses. For more information about this transfer mechanism please review our Data Processing Addendum which can be found here.
FinancialForce takes security seriously, and has established a formal Information Security function, lead by the Chief Information Security Officer (CISO). One of the the CISO’s primary objective is to enforce the appropriate governance and monitor for security compliance aligned with the company Information Security Policy and Standards.
FinancialForce has policies and procedures in place to protect the security of the FinancialForce Services. See our Trust page for more information. FinancialForce Services were developed on the Salesforce platform, an industry-leading and mature platform for cloud applications, and benefits from the security and data protection features that the Salesforce platform offers.
The security policies, procedures, and controls FinancialForce makes available to customers are described in our Security Whitepaper which can be found on the Trust page. More information can be found in the FinancialForce Trust and Compliance Documentation.
FinancialForce customers share responsibility for managing security. FinancialForce provide a robust set of security controls, made available from the Salesforce platform, that a FinancialForce customer can configure. Each customer is responsible for configuring those security controls and for managing other aspects of processing under its control such as the security of the customer’s end users’ computers, and controlling access to its instances of the FinancialForce Services.
FinancialForce has a detailed Cyber Security Incident Response Plan and Security Incident Management Procedure, and has formed a Cyber Incident Response Team (CIRT) to support notification to customers in the event of a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such customers’ data. These procedures also guide the CIRT in investigation, management, resolution and remediation activities, as well as cooperation with law enforcement, in the event of a breach. FinancialForce commits contractually to provide such notification in its Data Processing Addendum (available here), as required by the GDPR. Notification may include phone contact by FinancialForce’s Customer Support or Customer Success team, email to the customer’s designated contact, and/or a public announcement. Regular updates are provided to engaged parties until issue resolution. Incident tracking and resolution is documented and managed within a centralized incident logging system.
Yes. Information about FinancialForce attestations and/or certifications, as well as those of Salesforce that apply to the Salesforce platform, are described in our FinancialForce Trust and Compliance Documentation.
The FinancialForce Human Capital Management service may be used to process health and other categories of data (see Human Capital Management) for information on categories of data. Subject to that, submission of special categories of personal data is neither expected nor required. More information is available in the FinancialForce Trust and Compliance Documentation.
Customers are responsible for ensuring that submission of special categories of personal data to the FinancialForce Services complies with applicable laws.
How FinancialForce processing of personal data in the FinancialForce Services affects key aspects of an individual’s life will depend upon how the customer uses the FinancialForce Services, and as such must be determined by the customer. Customers of the FinancialForce Human Capital Management Services should consider how its use of the solution may impact on key aspects of an individual’s life based on how the customer has configured the solution.
FinancialForce does not process outside the FinancialForce Services personal data related to its customers in a manner that is likely to have an impact on key aspects of an individual’s life.
FinancialForce provides the FinancialForce Services to its customers, which may in turn use the FinancialForce Services to store, manage and process data about and communicate with data subjects. As a data processor, FinancialForce does not know the identities of, or directly communicate with, its customers’ data subjects. It is the customer’s responsibility, as the data controller, to communicate the details of the processing to its data subjects.
The FinancialForce Services allow customers to manage the personal data they maintain in the FinancialForce Services, including in response to data subject requests. To the extent a customer needs FinancialForce’s assistance to respond to a Data Subject, FinancialForce will provide assistance as described in section 3 of our Data Processing Addendum.
Customers are responsible for using the FinancialForce Services appropriately, including their processing of personal data using the FinancialForce Services. FinancialForce is responsible for providing the FinancialForce Services as described in its contract with its customers. Under that contract, FinancialForce commits to using the data only to provide the FinancialForce Services, to prevent or address service or technical problems, as compelled by law, or as the customer expressly permits in writing.
All access to FinancialForce Services is controlled via login with a user identification and password. Customers can also configure additional access controls, such as, for example, multi-factor authentication and IP range restrictions. Please see the Salesforce Security Guide for additional information.
Customers can assign different levels of access to their users. The FinancialForce Services are built on the Salesforce platform, which allows customers to assign access permissions based on the user’s role. FinancialForce customer contracts restrict access by FinancialForce personnel and its sub-processors’ personnel, who may access personal data only to provide the services, to prevent or address technical or service problems, if compelled by law, or with the customer’s written permission.
FinancialForce agrees by contract that its and its sub-processors’ personnel may access personal data only to provide the FinancialForce Services, to prevent or address technical or service problems, if compelled by law, or with the FinancialForce customer’s written permission.
FinancialForce affiliates and subcontractors may access customer personal data to provide support to customers. These entities and their locations are set out in the FinancialForce Trust and Compliance Documentation.
FinancialForce Services are built and operate on the Salesforce platform, an industry-leading and mature platform for cloud applications. Customers can allow their users to access the FinancialForce Services from virtually anywhere with an Internet connection. For these reasons, data may flow between the FinancialForce Services and any location globally, depending on where the customer and its users are located.
Within the FinancialForce Services, data flows as follows:
Customers choose how long to retain Customer Data, including personal data, when using the FinancialForce Services. Unless otherwise specified in the contract with the customer or our documentation, FinancialForce does not delete Customer Data, including personal data, during a subscription term, unless the customer instructs FinancialForce to do so. After a customer’s contract with FinancialForce terminates, FinancialForce deletes Customer Data, including personal data, in the manner described in the FinancialForce Trust and Compliance Documentation.
FinancialForce will notify a customer if it receives a request to exercise rights related to the processing of personal data on the FinancialForce Services (for which that customer is the Data Controller) as set out in FinancialForce’s Data Processing Addendum. Whilst customers should have all the access needed to manage such requests, FinancialForce commits to provide reasonable assistance if needed.
Like any responsible organization, FinancialForce aims to comply with the data protection laws that apply to it. FinancialForce does have an EU establishment, and therefore would be directly subject to the GDPR.
Like any responsible organization FinancialForce aims to comply with the privacy and data protection laws that apply to it. FinancialForce has determined that it is classed as a Service Provider under CCPA with respect to data submitted by customers to FinancialForce Services.
FinancialForce has a Privacy Officer who is responsible for privacy management at FinancialForce. Please contact firstname.lastname@example.org to contact our Privacy Officer.
Yes, FinancialForce commits in its Data Processing Addendum to ensure that personnel have been appropriately trained, are reliable and enter into confidentiality agreements.
Yes, you can review our privacy statement here.
FinancialForce has prepared a Data Protection Impact Assessment Information Sheet containing information to assist you when completing a DPIA or a PIA.
Employees are trained on privacy and information security annually.