GDPR Privacy & Security FAQ

Privacy and security are a priority for Pave. We know you are trusting us with your data, and we take that responsibility very seriously. Our practices are based on the frameworks set out by the of the European General Data Protection Regulation (EU GDPR) as well as common standards and guidelines such as SOC2.

Why does Pave process customer data?

Pave’s mission is to build the world's best compensation tools and easily accessible market data so companies can plan, communicate, and benchmark in real-time. Pave processes customer data to enable these services to these companies. In order to create reliable results and valid benchmarks for our customers, Pave is required to process personal data.

Where does Pave store and process customer data from EU-customers?

Pave stores and processes customer data in Google Cloud Servers located in California and Iowa. For the transfer of customer data to the USA, Pave concludes and abides by the June 2021 Standard Contractual Clauses (SCCs) to ensure that EU data is processed according to GDPR standards in the Google Cloud Servers. Further, Pave works closely with the appointed representative at Bitkom Servicegesellschaft mbH, to ensure that all GDPR-requests by data subjects and authorities can be addressed in a timely manner.

How does Pave, as an US-based company, ensure compliance with EU privacy-standards?

Pave understands that compensation data is extremely sensitive. Therefore, we aim to not only comply with EU privacy standards, but consider privacy with every product and process we build.

Specifically, we:

  • Design our SaaS products to only collect and process personal data that is necessary for our activities
  • Anonymize personal data as soon as it is no longer needed for our purposes
  • Implement security measures to ensure only those individuals with specific administered permissions have access to compensation data
  • Further minimize access to compensation data to those individuals whose roles in developing our products require access
  • Make sure that our data, personal or not, cannot be used for other purposes, e.g. by encrypting our customer data
  • Frequently evaluate and update our security measures

Who owns customer data processed by Pave?

Pave customers, the companies that choose to partner with Pave, are and remain at all times the owners of the data Pave is processing. Pave is bound to the instructions of its customers, and merely processes customer data for its own purposes in an anonymized manner.

Is customer data shared with other parties?

Pave strictly does not sell any individual customer data to another customer.

Pave does not share your personal information with third parties other than as follows:

  • When you give us your explicit consent to do so, including if we notify you through the service or application that the information you provide will be shared in a particular manner and you provide such information
  • With third party consultants and service providers who perform functions on our behalf, but we limit their use of the information as is reasonably necessary to carry out their work
  • Customers of Pave's real-time benchmarking portal agree to allow Pave to anonymize the customer's data and provide it to other Pave customers in a manner that is fully aggregated and cannot be associated with a given company or individual at a company
When is customer data deleted or anonymized?

Customer data is deleted or anoymized within 30 days, upon request of the data subject or the company that has engaged Pave. Employee data is anonymized before incorporation into the benchmarking data set. All benchmarking data is fully anonymized and is only ever presented in aggregated forms.

Is it possible to conclude a contract for the processing of customer data with Pave?

Yes. For the processing of personal data a data processing agreement, i.e. the Data Processing Addendum, will be concluded. Pave customers conclude this contract upon signing up for Pave's compensation benchmarking services.

Does Pave ensure appropriate safeguards for the transfer of personal data to countries outside the EU, e.g. Standard Contractual Clauses or Binding Corporate Rules?

Yes. Pave concludes the updated Standard Contractual Clauses from June 2021 with its customers, which have been integrated into the Data Processing Addendum.

How do I report a security issue to Pave?

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at We will acknowledge your email within 24 hours.

Who at Pave and its partners can access customer data?

Pave takes confidentiality extremely seriously and has adopted the Principle of Least Privilege. Only the development and operations teams critical to operate Pave's products have access to customers data.

What personal data can customers access in Pave's benchmarking tool?

Pave's benchmarking tool only displays data after it has been aggregated and de-identified, and once a sufficient sample size has been reached. Accordingly, no identifiable personal data can be accessed by customers in Pave's benchmarking tool.

How does Pave keep personal data safe from unauthorized access?

Pave fully encrypts data stored in our cloud infrastructure with strong security controls for all employees that require operational access.

How does Pave deal with data breaches?

If Pave becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to customer data under its control, Pave will:

  • Take reasonable measures to analyze and mitigate the harmful effects of the Breach and prevent further breach of security.
  • Upon confirmation of the Breach, notify Customer in writing of the Breach and, if necessary, the competent supervisory authorities in the EU without undue delay.

Notwithstanding the foregoing, Pave is not required to make such notice if prohibited by law, and Pave may delay such notice as requested by law enforcement and/or in light of Pave's legitimate needs to investigate or remediate the matter before providing notice.

Does Pave apply psuedonymization or encryption when transferring & storing customer data?

All customer data is encrypted when in transit and when stored.

Pave implements End-to-End Transport Layer Security (TLS) across the platform. Learn more about Google Cloud’s end-to-end encryption standards here.

Does Pave perform measures to identify vulnerabilities in the security of personal data?

Pave periodically runs vulnerability scans of our cloud infrastructure as well as dependency audits within the software we develop. We then resolve identified vulnerabilities by either upgrading impacted components or replacing the dependencies.

How does Pave ensure that customer data is processed confidentially by Pave and its partners?

All employees in the development and operations teams at Pave are bound by confidentiality. Additionally, Pave has adopted the least privileged policy to ensure that access to customer data is as limited as possible.

How often are security measures reviewed and by whom?

Pave continually strives to improve security measures. Accordingly, security measures are reviewed on an ongoing basis as new features are developed and as processes change. Additionally, Pave commits to:

  • Annual detailed security and vulnerability assessments of the Service conducted by independent third-party security experts that include a thorough code analysis and a comprehensive security audit.
  • Bi-annual penetration testing of Pave systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.
/* (function (d, u, h, s) { h = d.getElementsByTagName('head')[0]; s = d.createElement('script'); s.async = 1; s.src = u + new Date().getTime(); h.appendChild(s); })(document, ''); */ (function (h, o, t, j, a, r) { h.hj = h.hj || function () { (h.hj.q = h.hj.q || []).push(arguments) }; h._hjSettings = { hjid: 2412860, hjsv: 6 }; a = o.getElementsByTagName('head')[0]; r = o.createElement('script'); r.async = 1; r.src = t + h._hjSettings.hjid + j + h._hjSettings.hjsv; a.appendChild(r); })(window, document, '', '.js?sv='); !function () { var analytics = = || []; if (!analytics.initialize) if (analytics.invoked) window.console && console.error && console.error("Segment snippet included twice."); else { analytics.invoked = !0; analytics.methods = ["trackSubmit", "trackClick", "trackLink", "trackForm", "pageview", "identify", "reset", "group", "track", "ready", "alias", "debug", "page", "once", "off", "on", "addSourceMiddleware", "addIntegrationMiddleware", "setAnonymousId", "addDestinationMiddleware"]; analytics.factory = function (e) { return function () { var t =; t.unshift(e); analytics.push(t); return analytics } }; for (var e = 0; e < analytics.methods.length; e++) { var key = analytics.methods[e]; analytics[key] = analytics.factory(key) } analytics.load = function (key, e) { var t = document.createElement("script"); t.type = "text/javascript"; t.async = !0; t.src = "" + key + "/analytics.min.js"; var n = document.getElementsByTagName("script")[0]; n.parentNode.insertBefore(t, n); analytics._loadOptions = e }; analytics.SNIPPET_VERSION = "4.13.1"; analytics.load("0KGQyN5tZ344emH53H3kxq9XcOO1bKKw");; } }(); $(document).ready(function () { $('[data-analytics]').on('click', function (e) { var properties var event = $(this).attr('data-analytics') $.each(this.attributes, function (_, attribute) { if ('data-property-')) { if (!properties) properties = {} var property ='data-property-')[1] properties[property] = attribute.value } }) analytics.track(event, properties) }) }); window.addEventListener('load', (event) => { if ($('#pixel-iframe').length <= 0) { return; } $('#pixel-iframe').attr('src',''); }); var isMobile = /iPhone|iPad|iPod|Android/i.test(navigator.userAgent); if (isMobile) { var dropdown = document.querySelectorAll('.navbar__dropdown'); for (var i = 0; i < dropdown.length; i++) { dropdown[i].addEventListener('click', function(e) { e.stopPropagation(); this.classList.toggle('w--open'); }); } }