Certinia provides software-as-a-service solutions, including the following applications covered in this document: Financial Management, which enables businesses to automate key finance functions – including accounting, revenue recognition, billing, and payments – in a customer-centric manner; Professional Services Automation, which enables businesses to automate professional services operations, including project, resource, time and expense management; and Human Capital Management, which enables businesses to automate key human resources functions, and which Certinia intends to cease providing in 2022 (collectively “Certinia Services”).
The Certinia Services were developed and operate on the Salesforce platform, an industry-leading and mature platform for cloud applications, and benefit from the security and data protection features that the Salesforce platform offers.
Certinia customers choose what data to submit to the Certinia Services. Types of personal data typically submitted to the Certinia Services include:
The Certinia Services do not collect personal data.
Certinia provides online software-as-a-service solutions for financial management, professional services automation, and human capital management. Certinia’s customers typically use the Certinia Services to manage their own businesses, interact with their own customers and employees, and manage the information surrounding those interactions. As the data controller, the Certinia customer should determine its specific purpose for processing personal data in the Certinia Services.
Certinia processes personal data to offer the Certinia Services pursuant to the terms agreed in its contract with the customer.
We mainly collect and process personal data about our employees and business contact data relating to our customers, prospects, suppliers and other individuals with whom we have a business relationship. We also gather personal information through our website and other sources. We take care to protect all the personal information that we hold in accordance with law.
With respect to data submitted to the Certinia Services, Certinia acts as a data processor. With respect to data collected by Certinia in its other business activities (such as, for example, sales, marketing and professional services activities and management of its employees), Certinia processes data both as a data controller and a data processor.
Certinia has determined it is a Service Provider under CCPA with respect to the Certinia Services and data submitted by customers to Certinia Services. Consequently, we have updated our Data Processing Addendum to comply with CCPA, making clear Certinia acts as a Service Provider. We have also made available a CCPA Amendment, for those customers who have already signed a DPA with Certinia.
When providing the Certinia Services, Certinia is a data processor for the customer and the lawful basis for processing is the performance of the contract with the customer.
Certinia sets out protections for personal data in our contracts with customers. Contractual documents containing protections for personal data include (1) a master subscription agreement between Certinia and the customer; and (2) a Data Processing Addendum, which can be added to the contract (if not already included) by downloading from here.
Yes. Certinia commits in clause 5.1 of the Data Processing Addendum to ensure it has contracts in place with its suppliers. See information on sub-processors in Certinia Trust and Compliance Documentation.
Certinia Services are built, and all data submitted to the Certinia Services is stored, on the Salesforce platform. Storage locations for personal data submitted to the Certinia Services are described in the Certinia Trust and Compliance Documentation.
At the outset, we note that the GDPR, like the prior EU data directive, does not require personal data to be stored in the EU.
Certinia Services are built on the Salesforce platform. The Salesforce platform has data centers in the EU; however, Salesforce does not guarantee that personal data of Certinia’s customers (including its EU-based customers) will be stored exclusively in EU data centers. In addition, regardless of which data centres a customer’s data is stored in, the Salesforce platform may store in all data centres globally identifying information about customers users for the purposes of operating the Certinia Services, such as facilitating the login process and enabling Certinia to provide customer support. For more details, please see the Certinia Trust and Compliance Documentation.
Additionally, Certinia affiliates and subcontractors across all global regions may access customer personal data to provide support to customers. These entities and their locations are set out in the Certinia Trust and Compliance Documentation. Any such access for support purposes is subject to the customer’s electronic consent on a case-by-case basis.
In addition, Certinia legally transfers personal data outside of the EU making use of the EU Standard Contractual Clauses. For more information about this transfer mechanism please review our Data Processing Addendum which can be found here.
Certinia takes security seriously, and has established a formal Information Security function, lead by the Chief Information Security Officer (CISO). One of the the CISO’s primary objective is to enforce the appropriate governance and monitor for security compliance aligned with the company Information Security Policy and Standards.
Certinia has policies and procedures in place to protect the security of the Certinia Services. See our Trust page for more information. Certinia Services were developed on the Salesforce platform, an industry-leading and mature platform for cloud applications, and benefits from the security and data protection features that the Salesforce platform offers.
The security policies, procedures, and controls Certinia makes available to customers are described in our Security Whitepaper which can be found on the Trust page. More information can be found in the Certinia Trust and Compliance Documentation.
Certinia customers share responsibility for managing security. Certinia provide a robust set of security controls, made available from the Salesforce platform, that a Certinia customer can configure. Each customer is responsible for configuring those security controls and for managing other aspects of processing under its control such as the security of the customer’s end users’ computers, and controlling access to its instances of the Certinia Services.
Certinia has a detailed Cyber Security Incident Response Plan and Security Incident Management Procedure, and has formed a Cyber Incident Response Team (CIRT) to support notification to customers in the event of a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such customers’ data. These procedures also guide the CIRT in investigation, management, resolution and remediation activities, as well as cooperation with law enforcement, in the event of a breach. Certinia commits contractually to provide such notification in its Data Processing Addendum (available here), as required by the GDPR. Notification may include phone contact by Certinia’s Customer Support or Customer Success team, email to the customer’s designated contact, and/or a public announcement. Regular updates are provided to engaged parties until issue resolution. Incident tracking and resolution is documented and managed within a centralized incident logging system.
Yes. Information about Certinia attestations and/or certifications, as well as those of Salesforce that apply to the Salesforce platform, are described in our Certinia Trust and Compliance Documentation.
The Certinia Human Capital Management service may be used to process health and other categories of data (see Human Capital Management) for information on categories of data. Subject to that, submission of special categories of personal data is neither expected nor required. More information is available in the Certinia Trust and Compliance Documentation.
Customers are responsible for ensuring that submission of special categories of personal data to the Certinia Services complies with applicable laws.
How Certinia processing of personal data in the Certinia Services affects key aspects of an individual’s life will depend upon how the customer uses the Certinia Services, and as such must be determined by the customer. Customers of the Certinia Human Capital Management Services should consider how its use of the solution may impact on key aspects of an individual’s life based on how the customer has configured the solution.
Certinia does not process outside the Certinia Services personal data related to its customers in a manner that is likely to have an impact on key aspects of an individual’s life.
Certinia provides the Certinia Services to its customers, which may in turn use the Certinia Services to store, manage and process data about and communicate with data subjects. As a data processor, Certinia does not know the identities of, or directly communicate with, its customers’ data subjects. It is the customer’s responsibility, as the data controller, to communicate the details of the processing to its data subjects.
The Certinia Services allow customers to manage the personal data they maintain in the Certinia Services, including in response to data subject requests. To the extent a customer needs Certinia’s assistance to respond to a Data Subject, Certinia will provide assistance as described in section 3 of our Data Processing Addendum.
Customers are responsible for using the Certinia Services appropriately, including their processing of personal data using the Certinia Services. Certinia is responsible for providing the Certinia Services as described in its contract with its customers. Under that contract, Certinia commits to using the data only to provide the Certinia Services, to prevent or address service or technical problems, as compelled by law, or as the customer expressly permits in writing.
All access to Certinia Services is controlled via login with a user identification and password. Customers can also configure additional access controls, such as, for example, multi-factor authentication and IP range restrictions. Please see the Salesforce Security Guide for additional information.
Customers can assign different levels of access to their users. The Certinia Services are built on the Salesforce platform, which allows customers to assign access permissions based on the user’s role. Certinia customer contracts restrict access by Certinia personnel and its sub-processors’ personnel, who may access personal data only to provide the services, to prevent or address technical or service problems, if compelled by law, or with the customer’s written permission.
Certinia agrees by contract that its and its sub-processors’ personnel may access personal data only to provide the Certinia Services, to prevent or address technical or service problems, if compelled by law, or with the Certinia customer’s written permission.
Certinia affiliates and subcontractors may access customer personal data to provide support to customers. These entities and their locations are set out in the Certinia Trust and Compliance Documentation.
Certinia Services are built and operate on the Salesforce platform, an industry-leading and mature platform for cloud applications. Customers can allow their users to access the Certinia Services from virtually anywhere with an Internet connection. For these reasons, data may flow between the Certinia Services and any location globally, depending on where the customer and its users are located.
Within the Certinia Services, data flows as follows:
Customers choose how long to retain Customer Data, including personal data, when using the Certinia Services. Unless otherwise specified in the contract with the customer or our documentation, Certinia does not delete Customer Data, including personal data, during a subscription term, unless the customer instructs Certinia to do so. After a customer’s contract with Certinia terminates, Certinia deletes Customer Data, including personal data, in the manner described in the Certinia Trust and Compliance Documentation.
Certinia will notify a customer if it receives a request to exercise rights related to the processing of personal data on the Certinia Services (for which that customer is the Data Controller) as set out in Certinia’s Data Processing Addendum. Whilst customers should have all the access needed to manage such requests, Certinia commits to provide reasonable assistance if needed.
Like any responsible organization, Certinia aims to comply with the data protection laws that apply to it. Certinia does have an EU establishment, and therefore would be directly subject to the GDPR.
Like any responsible organization Certinia aims to comply with the privacy and data protection laws that apply to it. Certinia has determined that it is classed as a Service Provider under CCPA with respect to data submitted by customers to Certinia Services.
Certinia has a Privacy Officer who is responsible for privacy management at Certinia. Please contact [email protected] to contact our Privacy Officer.
Yes, Certinia commits in its Data Processing Addendum to ensure that personnel have been appropriately trained, are reliable and enter into confidentiality agreements.
Yes, you can review our privacy statement here.
Certinia has prepared a Data Protection Impact Assessment Information Sheet containing information to assist you when completing a DPIA or a PIA.
Employees are trained on privacy and information security annually.