At Unily, we are committed to both complying with our obligations under applicable data protection laws when providing services to our customers as a processor, and to ensuring that our customers can use our services while complying with their own data protection requirements.
As part of this commitment, we have published our answers to frequently asked questions to assist our customers with their due diligence processes and completion of data protection impact assessments for the Unily services.
Unily provides an employee experience intranet platform that offers various features and other related services for connecting, informing, and engaging employees, as described in our Data Protection Addendum (DPA). For a detailed description of the Unily service offering, please see: https://www.unily.com/services
The Unily platform stores personal data to enable users to create their profile pages and display this information in the company directory. Users have complete visibility and control over this data and can make changes to it themselves as needed.
The platform also utilises personal data to monitor usage and improve the user experience through its analytics feature, which generates analytics reports on the customer's behalf as part of the services we provide to our customers. We don’t use this for our own purposes except to check and calculate payments
Unily customers can choose what personal data they submit to, and collect using, the Unily platform. As such, the type of personal data processed may differ depending on each customer's individual requirements. Examples of the data that may be processed include:
Personal details (name, date of birth, age, job title, users, work email, work phone, mobile, job title, department, location, IP address, browser agent, device type, profile image, twitterID, LinkedInID, userID)
Contact details (address, email and telephone number etc.)
Information technology data such as IP address, browser agent, device type or where a website accessed from.
Analytics data, including platform usage and content consumption.
Any other types of personal data which may be provided by the customer from time to time via data synchronisation process to facilitate customised functions and integrations with third party applications.
Data is stored within a Microsoft Azure Data centre in the same legal boundary as the data controller’s Microsoft 365/ Microsoft Entra ID tenant. Additionally, DR copies of the data is Geo-replicated to a Microsoft Azure Datacentre within the same judicial data boundary.
All customer personal data is stored on Microsoft Azure Databases with Transparent Data Encryption 256 bit AES, and Microsoft Azure Storage Accounts with Storage Encryption 256 bit AES. Keys are managed by Microsoft.
In addition, our sub-processors will hold personal data too and locations are available on the sub-processor list.
We transfer personal data outside of the UK and EEA to third countries such as the US to help deliver our services. Where we do this we ensure transfers are in accordance with applicable data protection laws such as using applicable standard contractual clauses.
Our DPA prohibits the disclosure of any personal data of this nature as it is not required for the provision of the services.
It is the responsibility of the customer to inform their data subjects about the processing of personal data using the Unily services. The Unily platform provides the necessary tools for customers to communicate directly with their data subjects should they wish to communicate this information through the platform itself.
In instances where Unily processes personal data for its own purposes (e.g. for our business contacts), information regarding privacy can be found in the Unily Privacy Notice and other related privacy documentation.
Access to personal data by Unily employees is only permitted in accordance with the customer's documented instructions, as set out in the DPA. The Addendum also requires that Unily employees are subject to appropriate confidentiality obligations. The locations of Unily affiliates with staff who may access personal data are listed in our sub-processor list. Typically, only the Operations Engineering and Support teams, as well as authorised project team members, have access to customer data.
Unily utilises a secure encrypted password vault which is fully audited and hides credentials from end users. Access to customer’s credentials are recorded with originating IP, end user, computer and date and time.
You can find details of our standard data safeguards to ensure the security of our customers’ personal data here. These measures are also referenced in our DPA.
Yes. Unily maintains a formally documented, comprehensive and accurate ROPA that is reviewed regularly. This includes an internal record of the processing activities carried out by Unily on behalf of its customers.
Unily is a processor – When customers (and their staff) use our services to process personal data in the content they upload to the services. Unily acts as processor. Customers can use the self service function to manage its personal data within the intranet, including dealing with data subject rights. We use a data protection compliant DPA to set out our commitments as processor.
Unily is a controller – When Unily collects personal data and determines the purposes and means of processing that personal data – for example, when we process business contact information to arrange our service contract with you or deal with payments. See our Privacy Notice for details on how Unily processes personal data as a controller.
Unily customers as the controllers are responsible for making sure that their usage of the Unily services complies with applicable data protection law. Unily also makes a commitment in its Data Protection Addendum to only use the personal data in accordance with the customer's documented instructions.
The Unily services are generally self-serve and allow customers to manage the personal data they maintain in the platform, including in response to data subject requests. To the extent that a customer requires Unily’s assistance to respond to a data subject request, Unily will provide reasonable assistance as described in its DPA.
Please refer to our DPA and our SCC Addendum FAQs for this information. Unily may transfer customer data across borders to our sub-processors. Our sub-processor list contains details of our sub-processors used, their location, the processing purpose and the transfer mechanism used where applicable.
Up-to-date information about the identities and the locations of Unily’s sub-processors can be found here. Customers may subscribe to notifications of new sub-processors by following the instructions available at the above link. Unily will notify all subscribed customers before authorising a new sub-processor to process customer data.
As described in our DPA, Unily takes responsibility for the actions of its sub-processors and enters into a written agreement with each sub-processor which imposes equivalent data protection obligations on the Processing of Customer Personal Data by the relevant Sub-processor as those set out in the DPA . In addition, the data transfer mechanisms that Unily puts in place contain comprehensive obligations in respect of sub-processors and Unily also conducts appropriate due-diligence assessments on its sub-processors.
Unily’s approach to handling requests by government or law enforcement agencies to access customer personal data are set out in our security measures here.
Unily has established comprehensive procedures for managing personal data breaches, which are overseen by Unily’s Information Security Manager and the Data Protection Officer. Unily follows a formal Incident Management Policy to investigate, manage, communicate, and resolve incidents, with reporting and tracking being managed through an internal ticketing system. Unily commits contractually in its DPA to notifying customers without undue delay (within 24 hours) of any incident involving the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to customer personal data. The notification process may involve either phone or email contact to the customer’s designated point of contact, and regular updates will be provided until the issue is resolved. We also ensure staff handing personal data receive regular data protection training which includes data breaches and are committed to confidentiality obligations.
Unily processes customer data, including personal data, throughout the contractual term of the DPA/MSA. This is essential for efficient end-user account management and service delivery. Upon contract termination, Unily promptly deletes or returns customer data based on the customer's choice within 35 days.
Additionally, Unily offers supplementary features to assist platform administrators and content owners in content maintenance and governance. This includes a Content Review Lifecycle to keep platform content up-to-date and the ability to delete front-end user records when employees leave the company, while retaining associated platform content in a depersonalised form.
Yes. Unily has appoint a Data Protection Officer who has direct access to the Board by way of reporting to the Chief Operations Officer. Unily’s Data Protection Officer and wider Data Protection Team can be reached at [email protected].
Unily's approach to privacy by design involves a comprehensive review of privacy and data protection concepts during the development (and throughout the lifecycle) of new services and features. Before the release of any new feature, it undergoes a thorough privacy review to ensure it aligns with Unily's rigorous privacy and security programme, as well as the contractual commitments made to customers. Product managers and engineers who design Unily services receive annual training on data protection to ensure they are well-versed in privacy and security principles. Additionally, Unily's Data Protection and Information Security teams support these services, carefully reviewing and providing advice on functionality.
Once a new service or feature is released, it is described in detail in product documentation that is accessible to customers through Universe (see here), to allow them to carry out their own evaluation of its privacy and data protection aspects. Unily also regularly solicits feedback from its customers to further refine its service functionality.
All staff members are required to complete annual online Data Protection, Information Security, and Records Management training. In addition, Unily offers continuous updates on privacy-related developments and changes to its practices through its company intranet. Furthermore, the Data Protection Team provides customised data protection training sessions for key business areas, and specific training on ISO:27001 has also been provided through third-party consultants. Unily maintains staff records to identify training needs and requirements.
Unily implements a range of compliance and internal accountability measures to protect personal data, including internal data protection and information security policies and standards, employee training, and internal audits. Unily makes contractual commitments in its Data Protection Addendum to its customers regarding data protection and security controls, carries out risk assessments to ensure personal data can be transferred adequately outside of Europe, and conducts due-diligence assessments of its vendors, including its sub-processors.
Unily provides features that are present in the front-end of the platform which give the user control over their personal data. For example, users of the platform can edit and/or delete the content of their own profiles, posts, comments and so on. This allows users to delete or rectify their personal data.
In addition, personal data on the platform is accessible by customer admins. This means admin users have access to the back-end of the platform and can extract certain personal data to provide this in response to data subject rights requests/information requests. However, there may be instances where Unily’s assistance is required in response to a customer data subject rights request. Unily commits to assisting our customers with these in our DPA and we provide a ticketing log service our customers can use to request this support.
Yes, Unily has the capability to facilitate the display of customer privacy notices and other user terms to their end-users.
Our customers ultimately decide what personal data is shared. On a general basis see here as an example.