Gooey <-->

Lattice Privacy Practices — Frequently Asked Questions

Last updated: 

September 16, 2024

General FAQS

What personal information does Lattice collect?

Lattice collects varying types of personal information through its services and website, and receives some personal information from third parties. The information we collect or receive is purely commercial. For example, from users of our services we collect company email addresses, job titles, company names, and location. Through our website, we collect contact information, professional or employment-related information, and any other information provided to us by visitors to the site. Our website also automatically collects technical information information like IP addresses and online activity through the use of browser cookies. For more information about how Lattice uses cookies, you can visit Section 6 of our Privacy Policy.

How does Lattice use or process personal information?

Lattice uses the information it collects for legitimate business and commercial purposes including providing and improving our services, for sales and marketing activities, and to ensure technical functionality. You can review a full list detailing how we use the personal information we collect in Section 7 of our Privacy Policy.

Is the personal information Lattice collects secure?

Lattice maintains a comprehensive (SOC 2 Certified) information security program that includes technical, physical, administrative, and contractual safeguards to secure our data throughout all aspects of transfer, storage, and processing. For example, Lattice requires all of our customers, vendors, and subprocessors to enter into a Data Processing Addendum that establishes a high standard for data security and privacy throughout all aspects of the commercial relationships. A comprehensive list of the technical security measures we employ to protect personal data is available here.

Does Lattice sell personal information to third parties?

No. Lattice will never sell the personal information it collects through its services or website to third parties. With the event participant’s consent, Lattice may share contact information of event participants with event sponsors. For additional information about sharing of event participant contact information, see Section 7 of our Privacy Policy.

Does Lattice disclose personal information to third parties?

In some cases, yes. Lattice primarily discloses personal information to third party service providers who perform certain functions on Lattice’s behalf necessary to providing our services.  Examples of service providers include cloud hosting providers, communications providers, and analytics companies. Our service providers must strictly adhere to Lattice’s policies restricting further sharing of any data they receive or access and are always required to enter into a Data Processing Addendum. For additional information about our information sharing practices, you can visit Section 8 of our Privacy Policy.

Does Lattice provide a mechanism for individuals to exercise their privacy rights or get more information?

Yes, individuals that live in jurisdictions that provide privacy rights such as California and the European Union, or who have questions about our privacy practices can contact us at [email protected] or can visit The Lattice Privacy Request Center. Individuals seeking to exercise their privacy rights may be required to verify their identity. Employees of Lattice customers seeking to exercise their privacy rights with respect to personal data collected through the use of our services will be directed to their employer (the controller of their personal data).

Is Lattice compliant with Europe’s General Data Protection Regulation (GDPR)?

Yes, Lattice embraces a continuous commitment to maintain compliance with all applicable data protection laws, including the GDPR.  This includes requiring the Standard Contractual Clauses (SCCs) in all of Lattice’s commercial relationships involving the transfer of personal data outside of the European Economic Area (EEA). Our intention is to ensure adequate protection of data transferred to us from Europe. In light of European Court rulings in 2020, Lattice has implemented measures to ensure that our SCCs remain a valid data transfer mechanism. For details about these measures, you can find additional information here.

How long does Lattice store personal data?

By default, Lattice stores its customers’ active employees’ personal data for the duration of the services contract term plus six months. Six months after the termination or expiration of a customer contract, all employee personal data is automatically deleted. Additionally, the administrator or authorized representative of any Lattice customer may request deletion of employee data (on an individual or aggregate basis) at any time.

Can I delete personal data or request deletion of personal data?

If Lattice has stored or processed your personal data in relation to your use of the website or sales or marketing activities, please see Question 6 above for information on submitting requests to obtain, edit, or delete personal information.For users of Lattice services, our customer is the controller of your data and may delete data within the customer Lattice instance at any time.  If you are an active employee of a Lattice customer and would like to request, edit, or delete your personal data from Lattice, please contact your employer’s Lattice administrator for assistance.  Additionally, our customer may request permanent deletion of your Lattice user account at any time.  This would, of course, mean that you would no longer be able to benefit from the use of our software platform, so it is not recommended for active employees.  For former employees of a Lattice customer, the customer administrator may request deletion of the user’s personal data at any time.

How does Lattice use anonymized customer data?

We use anonymized data, meaning aggregate customer data that cannot be associated with an individual or customer, to analyze usage trends across all of our customers, generate statistics, and establish benchmarks. Some examples are:

-5000 reviews were launched last quarter
-75% of our customers are using the Goal Tracking tool
-1000 pieces of feedback were given in May

We do not use, see, or share any piece of data that is specific to any employee. This data is solely for broad, aggregated usage across our platform to help us understand how our product is being used, make improvements, and generate additional value for our customers and platform users.

Do all Lattice customers have to enter a Data Processing Addendum (“DPA”)?

Yes.  As of 2021, Lattice requires all customers (new and legacy) to enter into a DPA.  Our Terms of Service incorporate our DPA by reference, so for new customers, no further action is required to enter the DPA.  Lattice customers that would prefer an executed copy of the DPA can obtain one by completing the DocuSign process available here.  

Can we use our DPA, or is the Lattice DPA negotiable?

No. We require use of our DPA because it has been tailored to Lattice’s unique characteristics as an enterprise software-as-a-service vendor in the performance management vertical.  Lattice’s DPA has been carefully authored and painstakingly updated to ensure that the rights and compliance obligations of both parties are equitably and satisfactorily addressed.  Individual negotiation of DPAs introduces potential for error that exposes both parties to unnecessary risks.  If you or your legal team has a question or concern about any particular clause or term in our DPA, please do not hesitate to reach out to us, at [email protected].

What measures has Lattice taken to ensure that personal data is not accessed by governmental actors in violation of data protection laws?

Lattice employs data privacy and information security best practices to reduce the likelihood of governmental intrusion.  For additional details on Lattice’s point of view in respect of the Schrems II ruling, please see here.

Will Lattice comply with the new Standard Contractual Clauses, California Privacy Rights Act (CPRA), UK Privacy Law (after Brexit), Canadian Consumer Privacy Protection Act (CPPA), Personal Information Protection Act of British Columbia, Colorado Consumer Data Privacy Act….?

The majority of Lattice’s end users reside in the United States and the EEA.  We understand that maintaining the confidentiality of our users’ personal information and compliance with data protection laws is of paramount importance to our customers.  For these reasons, we continue to invest heavily in information security and data privacy compliance, leveraging internal and external legal, privacy, and engineering resources to dutifully employ best practices and maintain our regulatory compliance obligations, SOC 2 certification, and customer contractual requirements.  While we cannot predict the future, it is safe to assume that we will continue to maintain compliance with all national and most, if not all, regional data privacy laws, to the extent that we can reasonably do so.  We have compliance initiatives in place for all anticipated GDPR (Standard Contractual Clause updates) and CPRA compliance requirements.  If you have a specific question about our compliance with a specific regional regulation, please do not hesitate to contact us at: [email protected].

How can I get additional information about Lattice’s data privacy or information security practices?

Please do not hesitate to contact us at [email protected].

Lattice AI FAQs

What model is Lattice AI built on?

Lattice AI is built on OpenAI's GPT-4 Turbo model.

How is Lattice protecting customer data?

Lattice is SOC 2 Type II Certified and continues to responsibly collect, process, and protect customer data in accordance with our Data Processing Addendum and all applicable data privacy laws. To learn more about how we keep your data secure, please visit the Lattice Trust Center.

Is my organization required to use Lattice's AI-powered features?

No. Customers are not required to use any AI feature or function. You have the option to turn on each AI feature on an individual basis with the feature settings. If you choose not to activate a feature, your data will not be shared with OpenAI. For AI-powered features where users’ personally identifiable information (“PII”) will be shared with OpenAI, we’ll ask you to agree to the Lattice AI Addendum, which will be presented to you within the product.

Is OpenAI a Lattice subprocessor?

OpenAI is an optional subprocessor for certain features where users’ PII is shared with OpenAI. If you opt to use AI-powered features that share users’ PII with OpenAI, we’ll ask you to agree to the Lattice AI Addendum.

Is OpenAI using my organization’s data for model training? 

No. Lattice interfaces with OpenAI via its API. By default, OpenAI does not use data submitted via its API to train or improve its models, and Lattice has not and will not opt to allow OpenAI to use customer data for these purposes.

For how long does OpenAI retain my organization’s data? 

Lattice has implemented Zero Data Retention, meaning that customer data is not stored by OpenAI.

Can you share any additional resources about Lattice’s approach to AI?

Lattice's AI Use Policy can be found at our Trust Center. You can also view the blog post, Lattice AI: Make Your Employee Experience More Human.

EU Data Hosting

Where does Lattice host customer data?

Lattice customers can host their data in the US or in the EU.

Where in the EU is Lattice customer data stored?

The primary hosting location is Frankfurt, Germany, with backup data hosted in Dublin, Ireland.

Which cloud infrastructure provider does Lattice use for EU hosting?

Lattice offers EU data hosting via its established cloud infrastructure provider, AWS.

To which Lattice customers is the EU data hosting option available?

EU data hosting is available to new Lattice customers only.  No migration from the US to the EU data centers is available for existing customers.

Can my company maintain data hosting in both the US and EU locations?

No, data hosting is available in one location only.

What data security standards apply to Lattice’s EU data hosting environment?

Lattice’s EU data hosting environment is subject to the same data security standards that are in place with our US data hosting environment, which are described in our Security Measures resource. Lattice’s US data hosting environment is SOC 2 Type 2 certified; we intend to pursue SOC 2 Type 2 certification for the EU data hosting environment in late 2024.


For More Information

How can I get additional information about Lattice’s data privacy or information security practices?

‍Please do not hesitate to contact us at [email protected].

Subscribe to our subprocessor list updates on SafeBase:

Safebase Security Portal

Vendor

Services provided to Lattice

Security and privacy information

Location

10Pines

Software Development Services
10Pines Privacy and Security Policy
Argentina

Atlassian

Customer Support (Loom)
Atlassian Trust Center
United States

Amazon Web Services

Hosting & data storage
AWS Security and Compliance
United States

Courier

Messaging
Courier Trust Center
United States

Cloudflare, Inc.

Content delivery network, web application firewall, and DDoS protection
Cloudflare Trust Hub
United States

DataDog

Application monitoring and infrastructure status monitoring
DataDog Security and Compliance
United States

DocRaptor

Data conversion
DocRaptor Security and Privacy
United States

Fivetran

Data integration
Fivetran Trust Center
United States

Gong

Customer support
Gong Trust Center
United States

Google Cloud Products

Email, Docs (Google Workspace);
Analytics (Looker)
Google Cloud Trust Center
United States

MailGun

Email
MailGun Trust Center
United States

Marketo (Adobe)

CRM
Adobe Trust Center
United States

Orca

Cloud security vulnerability management
Orca Trust Center
United States

Qualtrics

Customer experience management
Qualtrics Data Protection and Privacy
United States

Salesforce Inc. - SFDC Group

CRM platform (Salesforce);
Messaging integration (Slack)
Salesforce Trust
United States

Sentry

Logging
Sentry Trust Center
United States

Splunk

Security logging and monitoring
Splunk Compliance Center
United States

Twilio Segment

Analytics
Segment Trust Center
United States

Zendesk

Customer support
Zendesk Trust Center
United States

Zoom

Customer support
Zoom Trust Center
United States

Optional Subprocessors

Applicable only to specific features within Lattice that customers have opted-in to use.

Vendor

Services provided to Lattice

Security and privacy information

Location

OpenAI

AI models in support of Lattice’s AI-powered features
OpenAI Security and Privacy
United States

OneSchema

Data import service for HRIS
OneSchema Security and Compliance
United States