Privacy and security are a priority for Pave. We know you are trusting us with your data, and we take that responsibility very seriously. Our practices are based on the frameworks set out by the European General Data Protection Regulation (EU GDPR) as well as common standards and guidelines such as SOC2.
Pave’s mission is to build the world's best compensation tools and easily accessible market data so companies can plan, communicate, and benchmark in real-time. Pave processes customer data to enable these services to these companies. In order to create reliable results and valid benchmarks for our customers, Pave is required to process personal data.
Pave stores and processes customer data in Google Cloud Servers located in California and Iowa. For the transfer of customer data to the USA, Pave concludes and abides by the June 2021 Standard Contractual Clauses (SCCs) to ensure that EU data is processed according to GDPR standards in the Google Cloud Servers. Further, Pave works closely with the appointed representative at Bitkom Servicegesellschaft mbH to ensure that all GDPR requests by data subjects and authorities can be addressed in a timely manner.
Pave understands that compensation data is extremely sensitive. Therefore, we aim to not only comply with EU privacy standards, but consider privacy with every product and process we build.
Specifically, we:
Pave customers, the companies that choose to partner with Pave, are and remain at all times the owners of the data Pave is processing. Pave is bound by the instructions of its customers, and processes customer data for its own purposes only in an anonymized manner.
Pave strictly does not sell any individual customer data to another customer.
Pave does not share your personal information with third parties other than as follows:
Customer data is deleted or anonymized within 30 days, upon request of the data subject or the company that has engaged Pave. Employee data is anonymized before incorporation into the benchmarking data set. All benchmarking data is fully anonymized and is only ever presented in aggregated forms.
Yes. For the processing of personal data a data processing agreement, i.e. the Data Processing Addendum, will be concluded. Pave customers conclude this contract upon signing up for Pave's compensation benchmarking services.
Yes. Pave concludes the updated Standard Contractual Clauses from June 2021 with its customers, which have been integrated into the Data Processing Addendum.
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at support@pave.com. We will acknowledge your email within 24 hours.
Pave takes confidentiality extremely seriously and has adopted the Principle of Least Privilege. Only the development and operations teams critical to operating Pave's products have access to customer data.
Pave's benchmarking tool only displays data after it has been aggregated and de-identified, and once a sufficient sample size has been reached. Accordingly, no identifiable personal data can be accessed by customers in Pave's benchmarking tool.
Pave fully encrypts data stored in our cloud infrastructure with strong security controls for all employees that require operational access.
If Pave becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to customer data under its control, Pave will:
Notwithstanding the foregoing, Pave is not required to make such notice if prohibited by law, and Pave may delay such notice as requested by law enforcement and/or in light of Pave's legitimate needs to investigate or remediate the matter before providing notice.
All customer data is encrypted when in transit and when stored.
Pave implements End-to-End Transport Layer Security (TLS) across the platform. Learn more about Google Cloud’s end-to-end encryption standards here.
Pave periodically runs vulnerability scans of our cloud infrastructure as well as dependency audits within the software we develop. We then resolve identified vulnerabilities by either upgrading impacted components or replacing the dependencies.
All employees in the development and operations teams at Pave are bound by confidentiality. Additionally, Pave has adopted a least-privilege policy to ensure that access to customer data is as limited as possible.
Pave continually strives to improve security measures. Accordingly, security measures are reviewed on an ongoing basis as new features are developed and as processes change. Additionally, Pave commits to: