What personal information does Lattice collect?
How does Lattice use or process personal information?
Is the personal information Lattice collects secure?
Lattice maintains a comprehensive (SOC 2 Certified) information security program that includes technical, physical, administrative, and contractual safeguards to secure our data throughout all aspects of transfer, storage, and processing. For example, Lattice requires all of our customers, vendors, and subprocessors to enter into a Data Processing Addendum that establishes a high standard for data security and privacy throughout all aspects of the commercial relationships. A comprehensive list of the technical security measures we employ to protect personal data is available here.
Does Lattice sell personal information to third parties?
Does Lattice disclose personal information to third parties?
Does Lattice provide a mechanism for individuals to exercise their privacy rights or get more information?
Yes. Individuals who live in jurisdictions that provide privacy rights, such as California and the European Union, or who have questions about our privacy practices, can contact us at [email protected] or visit www.lattice.com/privacy/request. Individuals seeking to exercise their privacy rights may be required to verify their identity. Employees of Lattice customers seeking to exercise their privacy rights with respect to personal data collected through the use of our services will be directed to their employer (the controller of their personal data).
Is Lattice compliant with Europe’s General Data Protection Regulation (GDPR)?
Yes, Lattice embraces a continuous commitment to maintain compliance with all applicable data protection laws, including the GDPR. This includes requiring the Standard Contractual Clauses (SCCs) in all of Lattice’s commercial relationships involving the transfer of personal data outside of the European Economic Area (EEA). Our intention is to ensure adequate protection of data transferred to us from Europe. In light of recent European Court rulings, Lattice has implemented new measures to ensure that our SCCs remain a valid data transfer mechanism. For details about these new measures, you can find additional information here.
How long does Lattice store personal data?
By default, Lattice stores its customers’ active employees’ personal data for the duration of the services contract term plus six months. Six months after the termination or expiration of a customer contract, all employee personal data is automatically deleted. Additionally, the administrator or authorized representative of any Lattice customer may request deletion of employee data (on an individual or aggregate basis) at any time.
Can I delete personal data or request deletion of personal data?
If Lattice has stored or processed your personal data in relation to your use of the website or sales or marketing activities, please see Question 6 above for information on submitting requests to obtain, edit, or delete personal information. For users of Lattice services, our customer is the controller of your data and may delete data within the customer Lattice instance at any time. If you are an active employee of a Lattice customer and would like to request, edit, or delete your personal data from Lattice, please contact your employer’s Lattice administrator for assistance. Additionally, our customer may request permanent deletion of your Lattice user account at any time. This would, of course, mean that you would no longer be able to benefit from the use of our software platform, so it is not recommended for active employees. For former employees of a Lattice customer, the customer administrator may request deletion of the user’s personal data at any time.
How does Lattice use anonymized customer data?
We use anonymized data, meaning aggregate customer data that cannot be associated with an individual or customer, to analyze usage trends across all of our customers, generate statistics, and establish benchmarks. Some examples are:
- 5000 reviews were launched last quarter
- 75% of our customers are using the Goal Tracking tool
- 1000 pieces of feedback were given in May
We do not use, see, or share any piece of data that is specific to any employee. This data is solely for broad, aggregated usage across our platform to help us understand how our product is being used, make improvements, and generate additional value for our customers and platform users.
Do all Lattice customers have to enter a Data Processing Addendum (“DPA”)?
Yes. As of 2021, Lattice requires all customers (new and legacy) to enter into a DPA. Our Terms of Service for 2021 incorporates our DPA by reference, so for new customers, no further action is required to enter the DPA. Lattice customers that would prefer an executed copy of the DPA can obtain one by completing the DocuSign process available here.
Can we use our DPA, or is the Lattice DPA negotiable?
No. We require use of our DPA because it has been tailored to Lattice’s unique characteristics as an enterprise software-as-a-service vendor in the performance management vertical. Lattice’s DPA has been carefully authored and painstakingly updated to ensure that the rights and compliance obligations of both parties are equitably and satisfactorily addressed. Individual negotiation of DPAs introduces potential for error that exposes both parties to unnecessary risks. If you or your legal team has a question or concern about any particular clause or term in our DPA, please do not hesitate to reach out to us at [email protected]
What measures has Lattice taken to ensure that personal data is not accessed by governmental actors in violation of data protection laws?
Lattice employs data privacy and information security best practices to reduce the likelihood of governmental intrusion. For additional details on Lattice’s point of view in respect of the Schrems II ruling, please see here.
Will Lattice comply with the new Standard Contractual Clauses, California Privacy Rights Act (CPRA), UK Privacy Law (after Brexit), Canadian Consumer Privacy Protection Act (CPPA), Personal Information Protection Act of British Columbia, Colorado Consumer Data Privacy Act….?
The majority of Lattice’s end users reside in the United States and the EEA. We understand that maintaining the confidentiality of our users’ personal information and compliance with data protection laws is of paramount importance to our customers. For these reasons, we continue to invest heavily in information security and data privacy compliance, leveraging internal and external legal, privacy, and engineering resources to dutifully employ best practices and maintain our regulatory compliance obligations, SOC 2 certification, and customer contractual requirements. While we cannot predict the future, it is safe to assume that we will continue to maintain compliance with all national and most, if not all, regional data privacy laws, to the extent that we can reasonably do so. We have compliance initiatives in place for all anticipated GDPR (Standard Contractual Clause updates) and CPRA compliance requirements. If you have a specific question about our compliance with a specific regional regulation, please do not hesitate to contact us at: [email protected]
How can I get additional information about Lattice’s data privacy or information security practices?
Please do not hesitate to contact us at [email protected]