GDPR, Privacy & Security FAQ
Privacy
Pave’s mission is to build the world's best compensation tools and easily accessible market data so companies can plan, communicate, and benchmark in real-time. Pave processes customer data to enable these services to these companies. In order to create reliable results and valid benchmarks for our customers, Pave is required to process personal data.
Pave stores and processes customer data in Google Cloud Servers located in California and Iowa. For the transfer of customer data to the USA, Pave concludes and abides by the June 2021 Standard Contractual Clauses (SCCs) to ensure that EU data is processed according to GDPR standards in the Google Cloud Servers. Further, Pave works closely with the appointed representative at Bitkom Servicegesellschaft mbH, to ensure that all GDPR-requests by data subjects and authorities can be addressed in a timely manner.
Pave understands that compensation data is extremely sensitive. Therefore, we aim to not only comply with EU privacy standards, but consider privacy with every product and process we build.
Specifically, we:
- Design our SaaS products to only collect and process personal data that is necessary for our activities
- Anonymize personal data as soon as it is no longer needed for our purposes
- Implement security measures to ensure only those individuals with specific administered permissions have access to compensation data
- Further minimize access to compensation data to those individuals whose roles in developing our products require access
- Make sure that our data, personal or not, cannot be used for other purposes, e.g. by encrypting our customer data
- Frequently evaluate and update our security measures
Pave customers, the companies that choose to partner with Pave, are and remain at all times the owners of the data Pave is processing. Pave is bound to the instructions of its customers, and merely processes customer data for its own purposes in an anonymized manner.
Pave strictly does not sell any individual customer data to another customer.
Pave does not share your personal information with third parties other than as follows:
- When you give us your explicit consent to do so, including if we notify you through the service or application that the information you provide will be shared in a particular manner and you provide such information
- With third party consultants and service providers who perform functions on our behalf, but we limit their use of the information as is reasonably necessary to carry out their work
- Customers of Pave's real-time benchmarking portal agree to allow Pave to anonymize the customer's data and provide it to other Pave customers in a manner that is fully aggregated and cannot be associated with a given company or individual at a company
Customer data is deleted or anoymized within 30 days, upon request of the data subject or the company that has engaged Pave. Employee data is anonymized before incorporation into the benchmarking data set. All benchmarking data is fully anonymized and is only ever presented in aggregated forms.
Yes. For the processing of personal data a data processing agreement, i.e. the Data Processing Addendum, will be concluded. Pave customers conclude this contract upon signing up for Pave's compensation benchmarking services.
Yes. Pave concludes the updated Standard Contractual Clauses from June 2021 with its customers, which have been integrated into the Data Processing Addendum.
Security
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at support@pave.com. We will acknowledge your email within 24 hours.
Pave takes confidentiality extremely seriously and has adopted the Principle of Least Privilege. Only the development and operations teams critical to operate Pave's products have access to customers data.
Pave's benchmarking tool only displays data after it has been aggregated and de-identified, and once a sufficient sample size has been reached. Accordingly, no identifiable personal data can be accessed by customers in Pave's benchmarking tool.
Pave fully encrypts data stored in our cloud infrastructure with strong security controls for all employees that require operational access.
If Pave becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to customer data under its control, Pave will:
- Take reasonable measures to analyze and mitigate the harmful effects of the Breach and prevent further breach of security.
- Upon confirmation of the Breach, notify Customer in writing of the Breach and, if necessary, the competent supervisory authorities in the EU without undue delay.
Notwithstanding the foregoing, Pave is not required to make such notice if prohibited by law, and Pave may delay such notice as requested by law enforcement and/or in light of Pave's legitimate needs to investigate or remediate the matter before providing notice.
All customer data is encrypted when in transit and when stored.
Pave implements End-to-End Transport Layer Security (TLS) across the platform. Learn more about Google Cloud’s end-to-end encryption standards here.
Pave periodically runs vulnerability scans of our cloud infrastructure as well as dependency audits within the software we develop. We then resolve identified vulnerabilities by either upgrading impacted components or replacing the dependencies.
All employees in the development and operations teams at Pave are bound by confidentiality. Additionally, Pave has adopted the least privileged policy to ensure that access to customer data is as limited as possible.
Pave continually strives to improve security measures. Accordingly, security measures are reviewed on an ongoing basis as new features are developed and as processes change. Additionally, Pave commits to:
- Annual detailed security and vulnerability assessments of the Service conducted by independent third-party security experts that include a thorough code analysis and a comprehensive security audit.
- Bi-annual penetration testing of Pave systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.