“Agreement” means the Order Form and any Service Agreement elements contained therein, the accompanying Terms and Conditions, or any such instruction from the Client for Audiem to undertake Data Analysis Services and/or associated Professional Services work.
“Audiem”, “we”, “us”, or “our” means Workplace Advantage Ltd. (trading as Audiem), with its registered office at White House Farm, West Rounton, Northallerton, DL6 2LW, with company number 10976073 and VAT number 412702635.
“Audiem Affiliates” means any person carrying out Data Analysis services for the Audiem organisation.
“Audiem Data” means any data resulting from the processing of Client data to make sense of and/or generate insights from it, or any other proprietary data that is related to any services we offer.
“Author” means a person that provides textual (Viewpoint) and numerical or categorical (metadata) content data from, or relating to, a Client organisation.
“Client” means the managing organisation commissioning Audiem to either gather data on their behalf and/or generate insights from Author content.
“Client Data” means any data generated by the Client and/or their Authors that is provided to us for processing using our tools, or that we collect using our tools on their behalf.
“Client User” means anyone authorised by the Client (or their nominated parties) to access and administer the Audiem software platform, or otherwise use our Services.
“Controller” and “Processor” have the meaning set forth in the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”) within, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Data Analysis Services” refers to the whole process of using the Audiem platform to gather viewpoints and generate insights, from the moment data comes into our remit.
“Data Subject” refers to an individual person who can be identified via an identifier such as name or unique ID etc.
“Platform” refers to the Audiem SaaS platform.
The “Policy” is this document in its entirety, including Appendix A.
“PII” means Personally Identifiable Information as set out in the UK GDPR.
This Policy sets out the rights and obligations that apply to Audiem’s handling of personal data on behalf of the Client as part of their access to the Platform and the company’s provision of data analysis services (“Data Analysis Services”).
Appendix A of this Policy contains details about the security measures implemented to comply with the UK General Data Protection Regulation (UK GDPR).
Audiem is committed to processing data in accordance with its responsibilities under the UK Data Protection Act and the UK GDPR within.
This legislation requires data to be:
This Policy covers all data, including Personally Identifiable Information (PII), processed and/or stored by Audiem, including:
The data processed/stored by Audiem relating to the Client is only for the purposes of doing business and being able to meet the requirements of the Agreement. Examples of such data are as follows:
The data processed/stored pertaining to Client Users, including Personally Identifiable Information (PII), may include some or all of the following:
We automatically collect metrics and information about how Client Users interact with and use our Services. We use this information to develop and improve our services, and to inform our sales and marketing strategies. We may share or publish this service data with third parties in an aggregate anonymous manner, but we will not include any Client data or identify Client Users. We use Client data in an anonymised manner for machine learning that supports certain product features and functionality within the Audiem platform.
When you use the Platform, we automatically collect log files. These log files contain certain information about a Client User’s IT system, a Client User’s IP address, browser type, domain names, internet service provider (ISP), the files viewed on site (e.g. HTML pages, graphics, etc.), operating system, clickstream data, access times, and referring website addresses. We use this information to ensure the optimum operation of the Platform and for security purposes. We may link log files to personal data, such as name, email address, address, and phone number for these purposes.
Where Audiem elicits or sources data on the Client’s behalf, all data processed by Audiem for the purpose of Client insight has been published by the content Authors via a data collection (for example survey or feedback tool), or on a public or private forum that we have legitimate access to. Where this is the case, Audiem will only process data when it is within the terms and conditions of the specific data source to do so.
The data processed/stored pertaining to content Authors, including Personally Identifiable Information (PII), may include some or all of the following. When accessed from a publicly accessible source this data is fairly consistent in type, but can vary when data is sourced by the Client. Examples of data types are as follows:
The data created from the Data Analysis Services will be visualised and accessible by the Client and Audiem via the Platform.
Audiem are solely permitted to process data when instructed to do so by the Client. For the avoidance of doubt, the Policy constitutes such instruction as sending/uploading data to analyse, agreeing to an Order Form for work and/or any other communication that implies a request for Data Analysis Services.
All Client instructions pass through a DPIA phase where:
Audiem shall inform the Client if an instruction, in the opinion of Audiem, infringes any relevant data protection laws and/or the terms of our data source providers.
Specific data processing requirements
Where the Client has specific processing requirements that go beyond or are not specified in this Policy, the Client may provide them in writing to Audiem.
Audiem will comply with all such instructions without additional charge to the extent necessary for Audiem to comply with its obligations as a Processor under the Regulation in the performance of the Data Analysis Services.
The parties will negotiate in good faith with respect to any other change in the Data Analysis Services and/or fees resulting from any additional instructions.
Audiem shall ensure that persons authorised to process personal data on behalf of the Client have committed themselves to confidentiality or are subject to appropriate statutory obligation of confidentiality.
Audiem ensures that only those persons who are currently authorised are able to access the personal data being processed on behalf of the Controller.
The Client will at all times remain the Controller for the purposes of the Data Analysis Services, the Agreement, and this Policy. The Client is responsible for compliance with its obligations as a Controller under data protection laws, in particular for justification of any transmission of Personal Data to Audiem (including providing any required notices and obtaining any required consents and authorisations), and for its decisions and actions concerning the processing and use of the Personal Data.
The Client will also act as a Processor on behalf of the content Authors as defined in this Policy. Audiem is a Processor for the purposes of the Data Analysis Services, the Agreement, and this Policy. Audiem will process data solely for the provision of the Data Analysis Services, and will not otherwise:
Audiem, taking into account the nature of the processing, shall, as far as possible, assist the Client by appropriate technical and organisational measures, in the fulfilment of the Client’s obligations to respond to requests for the exercise of the Data Subjects’ rights pursuant to relevant legislation.
Audiem will pass on to the Client any requests of an individual Data Subject to access, delete, correct or block Personal Data processed under this Policy. Audiem will not be responsible for responding directly to the request, unless otherwise required by Law.
Audiem shall assist the Client in ensuring compliance with the Client’s obligations pursuant to UK GDPR, taking into account Audiem’s role and the nature of the processing and the information made available to Audiem. The Client agrees to pay Audiem reasonable fees that may be associated with Audiem’s performance of any such assistance to the Client.
Audiem may transfer Personal Data to the EEA, outside of EEA, or international organisations on documented instructions from the Client, or where a UK GDPR compliant Sub-Processor does so as part of its service.
The Client accepts that some or all of Audiem’s obligations under this Policy are performed by third party Sub-Processors. Audiem maintains a list of Audiem Sub-Processors that may process data.
Audiem uses the following Sub-Processors:
Audiem will provide reasonable notice to the Client of any planned changes with regard to additions to or replacement of other data processors.
Audiem shall ensure that Sub-Processors are subject to the same data protection obligations as those specified in this Policy on the basis of a contract or other legal document under relevant legislation, in particular providing the sufficient guarantees that the Sub-Processors will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the governing laws.
Audiem take all the measures required pursuant to the UK GDPR which stipulates that – with consideration for the state of the art, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons – the Client and Audiem shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Audiem shall ensure that Personal Data is stored securely using modern software that is kept up-to-date. This provision includes:
Additional measures, and information concerning such measures, including the specific security measures and practices for the Platform and particular Data Analysis Services ordered by the Client, may be specified in the Agreement.
Appendix A of this Policy specifies the level of security and the measures implemented by Audiem to ensure the above.
Audiem shall make available to the Client all information necessary to demonstrate compliance with the outlined duties of a Data Processor and this Policy, and allow for and contribute to audits, including inspections performed by the Controller or another auditor mandated by the Controller.
Any audits are at the Client’s expense. Any request for Audiem to provide assistance with an audit is considered a separate service, if such audit assistance requires the use of resources different from or in addition to those required for access to the Platform or the provision of Data Analysis Services. Audiem will seek the Client’s written approval and agreement to pay any related fees before performing such audit assistance.
Audiem can commission penetration tests at the Client’s request. Unless otherwise agreed, the Client will pay for an external penetration test.
Audiem will notify the Client without undue delay after becoming aware of a personal data breach, which may lead to accidental or unlawful destruction, alteration, unauthorised disclosure of or access to the Client’s data.
Audiem will, taking into account the nature of the processing and information available, assist the Client in notifying the personal data breach to the supervisory authority and the data subjects.
Upon termination of the Data Analysis Services, Audiem shall be under obligation, at the Client’s discretion, to delete or return all of the Personal Data to the Client and to delete existing copies unless governing legislation requires storage of the Personal Data.
All requests for data removal must be made in writing to firstname.lastname@example.org and will similarly be confirmed as actioned in writing.
As part of our employee induction process, all staff are familiarised with our policies on data protection, email and internet usage, remote working and employee information security.
Audiem’s password policy requires all passwords for applications to be managed by the LastPass service. Upon an employee leaving the company or changing role, their LastPass authorisation will be changed or removed accordingly. For staff requiring access to the servers via SSH, SSH keys are required for access and will be removed when necessary.
Except as otherwise required by law, Audiem will promptly notify the Client of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority (“Demand”) that it receives and which relates to the processing of Personal Data.
At the Client’s request, Audiem will provide the Client with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for the Client to respond to the Demand in a timely manner. The Client acknowledges that Audiem has no responsibility to interact directly with the entity making the Demand, unless required by law.
Where a material or potential data breach occurs, Audiem will provide the Client with reasonable information in its possession as soon as possible upon discovery of the (potential) breach.
Audiem will work with the Client to take all reasonable actions to mitigate the (potential) risks from such a breach in a fully transparent manner.
if no Personal Data is used for the purposes mentioned in (1) or (2).
Processing of the personal data under this Policy cannot be performed at other locations than the following without the Client’s prior written consent:
Audiem employs physical security measures for work locations and hardware, designed to prevent unauthorised persons from gaining access to data processing systems in which Personal Data is processed.
All access to the Data Analysis Services is managed with authentication via password, and access logs are maintained. Audiem systems used to access Client data have up-to-date malware/virus protection and are secured using unique secure passwords. All hard drives are encrypted.
Personal Data is accessible and manageable only by properly authorised staff, direct database access is restricted, and application access rights are established and enforced.
During onboarding, and from time to time as new staff/departments use the platform, it is necessary to grant individual access to the platform for Client Users. The process for this is as follows:
Except as otherwise specified for the Data Analysis Services, transmissions of confidential data or special categories of data outside the Data Analysis Service environment are encrypted.
Where the Personal Data source is under the control of the Client, Personal Data integration into the system is managed by secured transfer from the Client.
Client data is stored and backed up as part of the Data Analysis Services on secure Microsoft servers in the UK (via OneDrive and on Microsoft Power BI). Backups are taken on a regular basis and are secured using a combination of technical and physical controls.
For specific elements of the Data Analysis Services, Client data is also uploaded and temporarily stored and backed up on other Sub-Processor systems which are subject to the same Data Protection obligations as Audiem.
Client data being processed under the Agreement is segregated from Audiem’s other clients into their own database. These different databases may be on the same physical hardware or different hardware. This is to provide an extra layer of protection against data leakage between Clients’ databases. User credentials for different Clients (which include PII) are kept centrally in order to resolve which platform a Client User is allowed to access.