Lattice Privacy Practices
Frequently Asked Questions

Wave
What personal information does Lattice collect?
Lattice collects varying types of personal information through its services and website, and receives some personal information from third parties. The information we collect or receive is purely commercial. For example, from users of our services we collect company email addresses, job titles, company names, and location. Through our website, we collect contact information, professional or employment-related information, and any other information provided to us by visitors to the site. Our website also automatically collects technical information information like IP addresses and online activity through the use of browser cookies. For more information about how Lattice uses cookies, you can visit Section 6 of our Privacy Policy

How does Lattice use or process personal information?
Lattice uses the information it collects for legitimate business and commercial purposes including providing and improving our services, for sales and marketing activities, and to ensure technical functionality. You can review a full list detailing how we use the personal information we collect in Section 7 of our Privacy Policy

Is the personal information Lattice collects secure?
Lattice maintains a comprehensive (SOC 2 Certified) information security program that includes technical, physical, administrative, and contractual safeguards to secure our data throughout all aspects of transfer, storage, and processing. For example, Lattice requires all of our customers, vendors, and subprocessors to enter into a Data Processing Addendum that establishes a high standard for data security and privacy throughout all aspects of the commercial relationships. A comprehensive list of the technical security measures we employ to protect personal data is available here.

Does Lattice sell personal information to third parties?
No. Lattice will never sell the personal information it collects through its services or website to third parties. With the event participant’s consent, Lattice may share contact information of event participants with event sponsors. For additional information about sharing of event participant contact information, see Section 7 of our Privacy Policy.

Does Lattice disclose personal information to third parties?
In some cases, yes. Lattice primarily discloses personal information to third party service providers who perform certain functions on Lattice’s behalf necessary to providing our services.  Examples of service providers include cloud hosting providers, communications providers, and analytics companies. Our service providers must strictly adhere to Lattice’s policies restricting further sharing of any data they receive or access and are always required to inter into a Data Processing Addendum. For additional information about our information sharing practices, you can visit Section 8 of our Privacy Policy.   

Does Lattice provide a mechanism for individuals to exercise their privacy rights or get more information?
Yes, individuals that live in jurisdictions that provide privacy rights such as California and the European Union, or who have questions about our privacy practices can contact us at privacy@lattice.com or can visit www.lattice.com/privacy/request. Individuals seeking to exercise their privacy rights may be required to verify their identity. Employees of Lattice customers seeking to exercise their privacy rights with respect to personal data collected through the use of our services will be directed to their employer (the controller of their personal data).

Is Lattice compliant with Europe’s General Data Protection Regulation (GDPR)?
Yes, Lattice embraces a continuous commitment to maintain compliance with all applicable data protection laws, including the GDPR.  This includes requiring the Standard Contractual Clauses (SCCs) in all of Lattice’s commercial relationships involving the transfer of personal data outside of the European Economic Area (EEA). Our intention is to ensure adequate protection of data transferred to us from Europe. In light of recent European Court rulings, Lattice has implemented new measures to ensure that our SCCs remain a valid data transfer mechanism. For details about these new measures, you can find additional information here.   

How long does Lattice store personal data?
By default, Lattice stores its customers’ active employees’ personal data for the duration of the services contract term plus six months. Six months after the termination or expiration of a customer contract, all employee personal data is automatically deleted. Additionally, the administrator or authorized representative of any Lattice customer may request deletion of employee data (on an individual or aggregate basis) at any time.

Can I delete personal data or request deletion of personal data?
If Lattice has stored or processed your personal data in relation to your use of the website or sales or marketing activities, please see Question 6 above for information on submitting requests to obtain, edit, or delete personal information.For users of Lattice services, our customer is the controller of your data and may delete data within the customer Lattice instance at any time.  If you are an active employee of a Lattice customer and would like to request, edit, or delete your personal data from Lattice, please contact your employer’s Lattice administrator for assistance.  Additionally, our customer may request permanent deletion of your Lattice user account at any time.  This would, of course, mean that you would no longer be able to benefit from the use of our software platform, so it is not recommended for active employees.  For former employees of a Lattice customer, the customer administrator may request deletion of the user’s personal data at any time. 

How does Lattice use anonymized customer data?
We use anonymized data, meaning aggregate customer data that cannot be associated with an individual or customer, to analyze usage trends across all of our customers, generate statistics, and establish benchmarks. Some examples are:

-5000 reviews were launched last quarter
-75% of our customers are using the Goal Tracking tool
-1000 pieces of feedback were given in May

We do not use, see, or share any piece of data that is specific to any employee. This data is solely for broad, aggregated usage across our platform to help us understand how our product is being used, make improvements, and generate additional value for our customers and platform users.

Do all Lattice customers have to enter a Data Processing Addendum (“DPA”)?
Yes.  As of 2021, Lattice requires all customers (new and legacy) to enter into a DPA.  Our Terms of Service for 2021 incorporates our DPA by reference, so for new customers, no further action is required to enter the DPA.  Lattice customers that would prefer an executed copy of the DPA can obtain one by completing the DocuSign process available here.  

Can we use our DPA, or is the Lattice DPA negotiable?
No. We require use of our DPA because it has been tailored to Lattice’s unique characteristics as an enterprise software-as-a-service vendor in the performance management vertical.  Lattice’s DPA has been carefully authored and painstakingly updated to ensure that the rights and compliance obligations of both parties are equitably and satisfactorily addressed.  Individual negotiation of DPAs introduces potential for error that exposes both parties to unnecessary risks.  If you or your legal team has a question or concern about any particular clause or term in our DPA, please do not hesitate to reach out to us, at privacy@lattice.com.

What measures has Lattice taken to ensure that personal data is not accessed by governmental actors in violation of data protection laws?
Lattice employs data privacy and information security best practices to reduce the likelihood of governmental intrusion.  For additional details on Lattice’s point of view in respect of the Schrems II ruling, please see here.

Will Lattice comply with the new Standard Contractual Clauses, California Privacy Rights Act (CPRA), UK Privacy Law (after Brexit), Canadian Consumer Privacy Protection Act (CPPA), Personal Information Protection Act of British Columbia, Colorado Consumer Data Privacy Act….?
The majority of Lattice’s end users reside in the United States and the EEA.  We understand that maintaining the confidentiality of our users’ personal information and compliance with data protection laws is of paramount importance to our customers.  For these reasons, we continue to invest heavily in information security and data privacy compliance, leveraging internal and external legal, privacy, and engineering resources to dutifully employ best practices and maintain our regulatory compliance obligations, SOC 2 certification, and customer contractual requirements.  While we cannot predict the future, it is safe to assume that we will continue to maintain compliance with all national and most, if not all, regional data privacy laws, to the extent that we can reasonably do so.  We have compliance initiatives in place for all anticipated GDPR (Standard Contractual Clause updates) and CPRA compliance requirements.  If you have a specific question about our compliance with a specific regional regulation, please do not hesitate to contact us at: privacy@lattice.com. 

How can I get additional information about Lattice’s data privacy or information security practices?
Please do not hesitate to contact us at privacy@latttice.com. 

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Security Measures
Subprocessors
Privacy Request