Lattice Privacy Practices
Frequently Asked Questions

Wave
What personal information does Lattice collect?
Lattice collects varying types of personal information through its services and website, and receives some personal information from third parties. The information we collect or receive is purely commercial. For example, from users of our services we collect company email addresses, job titles, company names, and location. Through our website, we collect contact information, professional or employment-related information, and any other information provided to us by visitors to the site. Our website also automatically collects technical information information like IP addresses and online activity through the use of browser cookies. For more information about how Lattice uses cookies, you can visit Section 6 of our Privacy Policy

How does Lattice use or process personal information?
Lattice uses the information it collects for legitimate business and commercial purposes including providing and improving our services, for sales and marketing activities, and to ensure technical functionality. You can review a full list detailing how we use the personal information we collect in Section 7 of our Privacy Policy

Is the personal information Lattice collects secure?
Lattice maintains a comprehensive (SOC 2 Certified) information security program that includes technical, physical, administrative, and contractual safeguards to secure our data throughout all aspects of transfer, storage, and processing. For example, Lattice requires all of our customers, vendors, and subprocessors to enter into a Data Processing Addendum that establishes a high standard for data security and privacy throughout all aspects of the commercial relationships. A comprehensive list of the technical security measures we employ to protect personal data is available here.

Does Lattice sell personal information to third parties?
No. Lattice will never sell the personal information it collects through its services or website to third parties. With the event participant’s consent, Lattice may share contact information of event participants with event sponsors. For additional information about sharing of event participant contact information, see Section 7 of our Privacy Policy.

Does Lattice disclose personal information to third parties?
In some cases, yes. Lattice primarily discloses personal information to third party service providers who perform certain functions on Lattice’s behalf necessary to providing our services.  Examples of service providers include cloud hosting providers, communications providers, and analytics companies. Our service providers must strictly adhere to Lattice’s policies restricting further sharing of any data they receive or access and are always required to inter into a Data Processing Addendum. For additional information about our information sharing practices, you can visit Section 8 of our Privacy Policy.   

Does Lattice provide a mechanism for individuals to exercise their privacy rights or get more information?
Yes, individuals that live in jurisdictions that provide privacy rights such as California and the European Union, or who have questions about our privacy practices can contact us at privacy@lattice.com or can visit www.lattice.com/privacy/request. Individuals seeking to exercise their privacy rights may be required to verify their identity. Employees of Lattice customers seeking to exercise their privacy rights with respect to personal data collected through the use of our services will be directed to their employer (the controller of their personal data).

Is Lattice compliant with Europe’s General Data Protection Regulation (GDPR)?
Yes, Lattice embraces a continuous commitment to maintain compliance with all applicable data protection laws, including the GDPR.  This includes requiring the Standard Contractual Clauses (SCCs) in all of Lattice’s commercial relationships involving the transfer of personal data outside of the European Economic Area (EEA). Our intention is to ensure adequate protection of data transferred to us from Europe. In light of recent European Court rulings, Lattice has implemented new measures to ensure that our SCCs remain a valid data transfer mechanism. For details about these new measures, you can find additional information here.   

How long does Lattice store personal data?
By default, Lattice stores its customers’ active employees’ personal data for the duration of the services contract term plus six months. Six months after the termination or expiration of a customer contract, all employee personal data is automatically deleted. Additionally, the administrator or authorized representative of any Lattice customer may request deletion of employee data (on an individual or aggregate basis) at any time.

Can I delete personal data or request deletion of personal data?
If Lattice has stored or processed your personal data in relation to your use of the website or sales or marketing activities, please see Question 6 above for information on submitting requests to obtain, edit, or delete personal information.For users of Lattice services, our customer is the controller of your data and may delete data within the customer Lattice instance at any time.  If you are an active employee of a Lattice customer and would like to request, edit, or delete your personal data from Lattice, please contact your employer’s Lattice administrator for assistance.  Additionally, our customer may request permanent deletion of your Lattice user account at any time.  This would, of course, mean that you would no longer be able to benefit from the use of our software platform, so it is not recommended for active employees.  For former employees of a Lattice customer, the customer administrator may request deletion of the user’s personal data at any time. 

How does Lattice use anonymized customer data?
We use anonymized data, meaning aggregate customer data that cannot be associated with an individual or customer, to analyze usage trends across all of our customers, generate statistics, and establish benchmarks. Some examples are:

-5000 reviews were launched last quarter
-75% of our customers are using the Goal Tracking tool
-1000 pieces of feedback were given in May

We do not use, see, or share any piece of data that is specific to any employee. This data is solely for broad, aggregated usage across our platform to help us understand how our product is being used, make improvements, and generate additional value for our customers and platform users.

Do all Lattice customers have to enter a Data Processing Addendum (“DPA”)?
Yes.  As of 2021, Lattice requires all customers (new and legacy) to enter into a DPA.  Our Terms of Service for 2021 incorporates our DPA by reference, so for new customers, no further action is required to enter the DPA.  Lattice customers that would prefer an executed copy of the DPA can obtain one by completing the DocuSign process available here.  

Can we use our DPA, or is the Lattice DPA negotiable?
No. We require use of our DPA because it has been tailored to Lattice’s unique characteristics as an enterprise software-as-a-service vendor in the performance management vertical.  Lattice’s DPA has been carefully authored and painstakingly updated to ensure that the rights and compliance obligations of both parties are equitably and satisfactorily addressed.  Individual negotiation of DPAs introduces potential for error that exposes both parties to unnecessary risks.  If you or your legal team has a question or concern about any particular clause or term in our DPA, please do not hesitate to reach out to us, at privacy@lattice.com.

What measures has Lattice taken to ensure that personal data is not accessed by governmental actors in violation of data protection laws?
Lattice employs data privacy and information security best practices to reduce the likelihood of governmental intrusion.  For additional details on Lattice’s point of view in respect of the Schrems II ruling, please see here.

Will Lattice comply with the new Standard Contractual Clauses, California Privacy Rights Act (CPRA), UK Privacy Law (after Brexit), Canadian Consumer Privacy Protection Act (CPPA), Personal Information Protection Act of British Columbia, Colorado Consumer Data Privacy Act….?
The majority of Lattice’s end users reside in the United States and the EEA.  We understand that maintaining the confidentiality of our users’ personal information and compliance with data protection laws is of paramount importance to our customers.  For these reasons, we continue to invest heavily in information security and data privacy compliance, leveraging internal and external legal, privacy, and engineering resources to dutifully employ best practices and maintain our regulatory compliance obligations, SOC 2 certification, and customer contractual requirements.  While we cannot predict the future, it is safe to assume that we will continue to maintain compliance with all national and most, if not all, regional data privacy laws, to the extent that we can reasonably do so.  We have compliance initiatives in place for all anticipated GDPR (Standard Contractual Clause updates) and CPRA compliance requirements.  If you have a specific question about our compliance with a specific regional regulation, please do not hesitate to contact us at: privacy@lattice.com. 

How can I get additional information about Lattice’s data privacy or information security practices?
Please do not hesitate to contact us at privacy@latttice.com. 

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Job Candidate Privacy Policy

Wave

1. INTRODUCTION  

1.1.What is the purpose of this document?

Lattice (“Lattice” or “we”) is committed to protecting your personal data and your privacy.  We endeavor to ensure that any personal data we collect about you will be held and processed strictly in accordance with European and Californian data protection legislation, and applicable data protection legislation.

If you are resident in the EU, this will include the European General Data Protection Regulation (“GDPR”) or, if you are resident in a country that has adopted a local law to implement or adopt the GDPR such as the United Kingdom (together “GDPR Subjects”), the applicable local law implementing or adopting the GDPR (“Applicable Local Laws”). Please see the section “Additional Information for GDPR Subjects” below, for further information.

If you are a resident of California, this will include the California Consumer Privacy Act of 2018 (“CCPA”). Please see the section “Additional Information for California Consumers” below, for further information.

The terms Personal Data, Data Controller and processing have the meanings given to them in the GDPR (which can be accessed here), unless otherwise indicated.

When we refer to “personal data” in this Privacy Notice, we mean any information about you from which you can be identified. It does not include data where your identity has been removed (anonymous data).

The term CCPA refers to the Californian Consumer Privacy Act of 2018 which adds Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code of the State of California. “

Lattice has created this Job Candidate Privacy Notice to explain how and why we collect Personal Data about you (“Your Data”), what that data is, under what circumstances we may disclose or transfer it, and how long we store it for. It provides you with certain information that must be provided to you under the GDPR, CCPA and other applicable data protection legislation.

1.2.What does this Notice cover?

This Privacy Notice sets out information relating to the Personal Data we collect from or about you when you apply to work for us, whether as an employee, worker or contractor. It will apply when you submit your CV or an application form directly to us, through our online recruitment portal, https://lattice.com/careers, or where your CV or application form has been sent to us by a recruitment agent on your behalf.

1.3.How do I contact Lattice?

For the purposes of the GDPR and Applicable Local Laws, Lattice is the “data controller” of Your Data. This means that we are responsible for deciding how we hold and use Your Data.

If you have any queries regarding this notice or complaints about our use of Your Data, please contact us at privacy@lattice.com or at the address below and we will do our best to deal with your complaint or query as soon as possible.

Lattice
600 Battery St Floor 2
San Francisco, CA 94111

2. INFORMATION ABOUT OUR USE OF YOUR DATA

2.1.THE KIND OF INFORMATION WE HOLD ABOUT YOU  

In connection with your application for work with us, we will collect, store, and use the following categories of Personal Data about you:

  • The information you have provided to us in your online application, curriculum vitae and covering letter or email.
  • Any information you provide to us during an interview.

This information is likely to include the following types of Personal Data:

  • Name
  • Email address
  • Postal address
  • Date of Birth
  • Qualifications
  • Experience
  • Employment history
  • Educational history
  • Skills

We may also collect, store and use the following types of more sensitive personal information (known as “Special Category Data”), where this information is relevant to the role you are apply for and/or you choose to disclose it to us:

  • Information about your race or ethnicity
  • Information about your health, including any medical condition, health and sickness records.
  • Information about criminal convictions and offences.

2.2.HOW IS YOUR PERSONAL INFORMATION COLLECTED?  

We collect personal information about you in a variety of ways. The majority of the information we collect will come directly from you in the following ways:

  • Information you voluntarily upload to our careers/recruitment website;
  • notes made by our recruitment team during a recruitment interview;
  • information from official documentation you provide to us such as for background checks

Other details may be collected indirectly from the following sources:

  • You, the candidate
  • recruitment agencies
  • your named references
  • background check providers
  • credit reference agencies
  • third party platforms such as Indeed or LinkedIn, if these were used to apply for the role; and
  • publicly available sources such as social media sites (to the extent necessary and relevant to the job role).

If you have submitted your application through our recruitment portal, Greenhouse, we may also link the data you provide to us with other publicly available information about you that you have published on the internet, including sources such as LinkedIn and other social media profiles.


2.3.HOW WE WILL USE INFORMATION ABOUT YOU?

We will use the personal information we collect about you to:

  • Assess your skills, qualifications, and suitability for the role advertised.
  • Carry out background and reference checks, where applicable.
  • Communicate with you about the recruitment process.
  • Keep records related to our hiring processes.
  • Comply with legal or regulatory requirements, such as right to work checks.

Our legal basis for processing Your Data in this way is that it is necessary for our legitimate interests to decide whether to appoint you to the role, since it would be beneficial to our business to appoint someone suitable to that role. Where we are processing Your Data in order to comply with legal or regulatory requirements, our legal basis is that it is necessary for compliance with a legal obligation to which we are subject.

Further, we will process certain of your personal information to decide whether to enter into an employment contract with you.

Once you submit your CV and covering letter to us (or your recruitment agent provides them to us), we will process that information to decide whether you meet the basic requirements to be shortlisted for the role and, if so, invite you for an interview.

  • A recruiter will review your application and either move you through process or reject you
  • If moved through, the recruiter will reach out to schedule a call with a member of the recruiting team
  • If that call goes well, there will be another call with the hiring manager
  • In some cases, there is a take home assignment
  • Following this, there is a round or 2 of onsite interviews
  • After an onsite, the team will debrief
  • If the debrief is positive, the recruiter will reach out to collect references
  • Either after references are checked or while they are being checked the team will extend an offer
  • Once a verbal offer is accepted a written offer will be sent
  • Once the written offer is signed, a background check will be conducted


2.4.WHAT HAPPENS IF YOU FAIL TO PROVIDE PERSONAL DATA?

You are not obliged to provide us with Personal Data. However, if you decline to provide information when requested, and this information is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

2.5.HOW WILL WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION?  

We will use your Special Category Data in the following ways, only with your consent:

  • We will use information about your medical or disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
  • We will use information about your race or national or ethnic origin to ensure meaningful Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements.

Our legal basis for using your Special Category Data is consent. Providing U.S. Equal Opportunity Information and Self-Identification of Disability is completely voluntary.

2.6.HOW WILL WE USE INFORMATION ABOUT CRIMINAL CONVICTIONS?

If we decide to offer you the role, we may undertake checks to establish whether you have any criminal convictions. We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us.

2.7.WILL YOU BE SUBJECT TO AUTOMATED DECISION-MAKING?  

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.


2.8.WILL WE SHARE YOUR DATA WITH THIRD PARTIES?  

We will only share Your Data with the following third parties for the purposes of processing your application:

  • Background check providers
  • Candidate profiling service provider (if we ask you to undertake a candidate profile test)
  • Our recruitment portal provider Greenhouse
  • Contractors/consultants providing HR services to Lattice.


All our third-party service providers and other entities in the group are required to take appropriate security measures to protect Your Data in accordance with the law and in line with our policies. We do not allow our third-party service providers to use Your Data for their own purposes. We only permit them to process Your Data for specified purposes and in accordance with our instructions.

2.9.WHAT DATA SECURITY DO WE HAVE IN PLACE?

We have put in place appropriate security measures to prevent Your Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to Your Data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process Your Data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

2.10.HOW LONG WILL WE USE YOUR DATA FOR?

We will normally retain Your Data for as long as necessary to assess your candidacy for a position with Lattice,

Please note that, in certain circumstances, we may retain limited information about you for the period of time during which you are able to bring a discrimination claim under your local law. We retain the information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. We will only retain the minimum amount of Personal Data required in these circumstances and will securely delete all other Personal Data that we hold about you.

3. ADDITONAL INFORMATION FOR GDPR SUBJECTS and CALIFORNIA RESIDENTS

3.1.EU privacy rights

Under the GDPR or Applicable Local Laws , you have certain rights with respect to your Personal Data, including those set forth below.  

  • right to request access – you may obtain confirmation from us as to whether or not Your Data is being processed and, where that is the case, access to Your Data;
  • right to erasure – you have the right to obtain the erasure of Your Data without undue delay in certain circumstances
  • right to data portability – you have the right to receive Your Data in a structured, commonly used and machine-readable format;
  • right to withdraw consent – where you have provided your consent to us processing Your Data, you have the right to withdraw your consent at any time. This can be done by emailing (insert e-mail address) at any time;
  • right to rectification – you have the right to obtain rectification of inaccurate personal data we hold concerning you;
  • right to restriction of processing or to object to processing – you may require us to restrict the processing we carry out on Your Data in certain circumstances or to object to us processing Your Data;
  • right to lodge a complaint – you may lodge a complaint with the supervisory authority in the EU Member State where you are resident or where you work.  For further information on your rights, please see the supervisory authority of your country or EU Member State.

3.1.1 No fee usually required

You will not have to pay a fee to access Your Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

3.1.2 What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

3.1.3 Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

3.2.California privacy rights

California residents have the following rights with respect to their Personal Data:

  • Right to request disclosure – You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  • sales, identifying the personal information categories that each category of recipient purchased; and
  • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
  • Right to request deletion - You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request in certain circumstances as specified in the CCPA., such as because we need the data to comply with our legal obligations or because we or our service providers need it complete the transaction for which we collected the personal information.

We do not sell any Personal Data provided to us by job candidates. We use the information solely for the purposes of the recruitment process.

3.2.1 Background check providers

If you are applying for a role in our United States office, we use background check providers, Goodhire, local to those offices. It may, therefore, be necessary to transfer your data to third parties outside the EEA in these instances.  

Whenever we transfer Your Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

Please contact us if you want further information on the specific mechanism used by us when transferring Your Data out of the EEA.

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Lattice's Privacy Approach

Wave
In recent years, constantly changing privacy laws and regulations have challenged even the most heavily capitalized and legally sophisticated organizations. Meeting modern data privacy requirements around the world is no easy task. Here at Lattice, we are proactive and agile when it comes to privacy compliance, investing prudently to manage compliance risks, maintain (and in some cases establish) industry best practices in information security and data privacy, and earn our customers’ trust. We proactively monitor changes in legal requirements and the compliance needs of our customers so that we can immediately respond to changes in the law, and efficiently offer compliant solutions to our customers and their employees. 

Here are some examples of our work in action:

Proactive Approach. Lattice’s proactive monitoring of likely regulatory developments in the EU led to our prediction that the EU-US Privacy Shield would be invalidated by the EU courts. In Fall, 2020, it was. Thanks to our foresight, our customers were already positioned to comply with the new ruling because we opted to rely on the Standard Contractual Clauses instead of the Privacy Shield. View Lattice’s position statement on the Schrems II ruling here.

Privacy by Design. Our legal and engineering teams collaborate to implement privacy practices during the design and development of our software. As a result, we have completely anonymized our analytics database. That means we can deliver comprehensive benchmarking results to our customers without incremental risk to the preservation of user personal data.

Vendor Management. We understand that with data privacy, you are only as strong as the weakest link. That is why we assess the data privacy posture of all of our vendors, with enhanced scrutiny applied to those that process customer data. We require each vendor that subprocesses data to enter into our standard Data Processing Addendum. You can view and subscribe to a list of subprocessors of Lattice customer data at http://www.lattice.com/subprocessors.

Trust and Accessibility. Lattice is a people company; we prioritize the human element. We understand the need to offer individuals and our customers choice and transparency around the collection and processing of their data. That is why we have a dedicated privacy team ready to respond to any data privacy questions or requests. You can contact our privacy team at: privacy@lattice.com. For additional information about our privacy practices and your rights, please visit our Privacy Policy.

Transparency and Evolution. We collaborate internally and externally, with our legal and data privacy counsel, Data Protection Officer, E.U. Representative, and our customers and end users, as part of an iterative process to develop and implement workable privacy practices and solutions. We are happy to share some of these learnings in an effort to promote continued evolution, including this list of frequently asked questions and answers.

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Privacy Policy

Last Updated: February 17, 2021

Wave

We recommend that you read this Privacy Policy in its entirety to ensure you are fully informed; if you only want to access a particular section, click the relevant link below to jump to that section:

1. Overview
2. About Us
3. Lattice as a Service Provider
4. Privacy Principles
5. What Information Do We Collect?
6. Cookies and Similar Tracking Technologies
7. How Do We Use Your Personal Information?
8. What Information Do We Share or Disclose to Others?
9. Links to Third Party Websites
10. How We Protect Your Personal Information
11. Social Media Features
12. Your Privacy Rights
13. CCPA Personal Information Notice
14. How to Contact Us
15. Retention of Personal Information
16. Information About Minors
17. Updates to This Privacy Policy
18. European Representative
19. International Data Transfers

1. Overview

Degree, Inc., doing business as Lattice, (“Lattice,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains who we are, how we collect, use and share Personal information about you and how you can exercise your privacy rights. This Privacy Policy describes (unless a different privacy notice is displayed) our privacy practices regarding the personal information we collect from individuals in the usual course of business, including when you:

· Visit any of our websites (such as https://lattice.com/); visit our social media pages; receive communications from us; or register for, attend and/or otherwise take part in any of our events, tutorials, webinars or contests (collectively “Visitors”); and

- Register to or otherwise use any of the Lattice Services as an applicant, team member or employee of one of our Customers (collectively “Users”), when we act as a controller of your Personal Information.

"You" may, depending on the context, be a Visitor or a User of one or more of the Lattice Services.  

This Privacy Policy does not apply to Personal Information relating to Lattice’s employment or recruitment-related activities. For purposes of this Privacy Policy, “Personal Information” means any information relating to an identified or identifiable individual (e.g., name, address, email address, or phone number)

2. About Us

We are Lattice, a company headquartered in San Francisco, California.  We make people management software to help improve employee performance, engagement, and overall workplace satisfaction. In support of our mission to make work meaningful, we provide a hosted platform and related tools, including the Lattice web and mobile applications (the"Lattice Services"), that help people teams across the globe to more effectively manage and engage with their employees to improve their performance and turn their companies into the best places to work.  You can find out more about us and the Lattice Services here.  

If you are resident in the European Economic Areas ("EEA"), UK orSwitzerland, the controller of your Personal Information that we process for the purposes described in this Privacy Policy is Degree, Inc., (doing business as Lattice).

3. Lattice As A Service Provider

Lattice Customers are organizations who use the Lattice Services to help them manage and engage with their applicants, employees and other personnel.  Lattice processes Personal Information in these services only according to our Customer's and their User's instructions (as defined in our Customer agreements). If you have questions about Personal Information you have entered into the Lattice Services used by one of our Customers, or want to exercise any of your rights regarding your Personal Information, our Customer contract requires that we redirect your inquiry back to that Customer.  This Privacy Policy does not apply to the Personal Information we process as a service provider or processor on behalf of our Customers.  

Lattice is not responsible for the privacy or security practices of our Customers, which may differ from those set out in this Privacy Policy. Please review the relevant Customer's privacy policy to understand more about their data processing activities.

4. Privacy Principles

Lattice follows these principles in order to protect your privacy:

- We do not collect any more Personal Information than is necessary to provide the Services or to fulfill our legitimate business purposes;
   
- We only use your Personal Information for the purposes we specify in this Privacy Policy, unless you are notified otherwise;      

- We do not keep your Personal Information after it is no longer needed; and

- Other than as specified in this Privacy Policy, we do not share your Personal Information with third parties and are not in the business of selling your Personal Information.

5. What Information do we Collect?

The information we collect depends on the ways you interact with Lattice and the choices you make (including your privacy settings), the products and features you use, your location and applicable law.

 A. Information We Collect

(i) Information You Provide to Us

Visitors
When a Visitor to our website contacts us and/or registers for information, content or an event sponsored by Lattice, we will collect certain personal information so that we may fulfill the Visitor’s request or keep in touch with them in connection with our sales and marketing activities (always in accordance with a Visitor's marketing preferences).  The Personal Information we collect and we may have collected in the past twelve (12) months include:

· Identifiers, such as your name and business e-mail address;
· Professional or employment-related information, such as company name, job level, functional role and title;
· Inferences, such as your contact preferences; and
· Any other information you provide to us when completing any "free text" boxes in our forms or when you interact with us in the context of troubleshooting and support.

If you register to attend a Lattice-sponsored event, we may also require certain additional Personal Information including:

·Emergency contact (in some instances); and
·Dietary preferences (in some instances).

Users

If you are a User, you (or your team administrator) may provide certain Personal Information to us through the Lattice Services - for example, when you register for a Lattice account to access and use the Lattice Services, when you consult with customer support or send us an email or communicate with us in any way (for example, to make a support request).

The Personal Information we collect may include:

·Business information (such as your name, job title, the person you report to, phone number, email address and country);
·Personal information that you provide to us or that is collected on behalf of our customer as it relates to your employment (such as gender, t-shirt size, or dietary preferences);
·Marketing information (such as your contact preferences);
·Account log-in credentials (such as your email or username and password when you sign up for an account with us and the unique User/ team ID assigned to you in our systems);
·Troubleshooting and support data (which is data you provide or we otherwise access in connection with support queries we receive from you. This may include, for example, contact or authentication data, the content of your chats and other communications with Lattice, and the product or service you are using related to your help inquiry); and

·Billing information (including your credit card numbers and associated identifiers, billing address and background information, but only where you pay for the Lattice Services).

If you ever communicate directly with us, we will maintain a record of those communications and responses.

(ii) Information We Collect Automatically

Visitors
As is true of most websites, when you visit our sites or interact with our emails, we gather certain technical information from your browser or device automatically and store it in log files.  In some (but not all) countries, including countries in the European Economic Area ("EEA"), UK and Switzerland, this information is considered  Personal Information under data protection laws. To the extent that this automatically-collected data includes, or is linked to, Personal Information, we will treat the data in accordance with this Privacy Policy.  

This information we collect includes:

· Identifiers, such as your internet protocol (IP) addresses and browser type; and
· Internet or other electronic network activity, such as your internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data.

We use this information to analyze trends, to improve and personalize our marketing activities and websites, to administer our websites and guarantee their security and continued proper functioning, to track Visitors’ movements around the website and to gather non-identifiable, demographic information about our user base as a whole. We may link this automatically-collected data to Personal Information provided by Visitors, or to other publicly available information hosted on the internet, so that we can better gauge our Visitors’ needs and provide specific information to best serve them.

In some cases, we may use cookies and related technologies to collect or manage certain information from your browser and computer. Please see the section on Cookies below for more information.

Users
When you use or interact with the Lattice Services, we automatically collect or receive certain information through our Services (for example in log files) and through other technologies (such as cookies) about your device and usage of the Lattice Services. In some (but not all) countries, including countries in the European Economic Area ("EEA"), UK and Switzerland, this information is considered 'personal data' under data protection laws. Please see the section on Cookies below for more information.

The information we collect includes:

· Log and usage data, which is service-related, diagnostic, usage and performance information our servers automatically collect when you access or use the Lattice Services and which we record in log files. This log data may include the Internet Protocol (IP) address, device information, browser type and settings and information about your activity in the Services (such as the date/ time stamps associated with your usage, pages and files viewed, searches and other actions you take (for example, which features you use)), device event information (such as system activity, error reports and hardware settings).

· Device data, such as information about your computer, phone, tablet or other device you use to access the Lattice Services. This device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system and system configuration information. If you are using our mobile app, we may also collect information about the phone network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s unique device ID and information about the features of our mobile app you accessed.

· Location data, such as information about your device's location, which can be either precise or imprecise. How much of this information we collect depends on the type and settings of the device you use to access the Lattice Services.  For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address).  You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. Note however, if you choose to opt out, you may not be able to use certain aspects of the Lattice Services.

This information is used to:

· maintain the security of the Lattice Services;
· provide necessary functionality;
· improve performance of the Lattice Services;
· assess and improve your experience of the Lattice Services;
· review compliance with applicable usage terms;
· identify future opportunities for development of the Lattice Services;
· assess capacity requirements;
· identify customer opportunities and for the security of Lattice generally (in addition to the security of the Lattice Services); and
· analyze overall trends, to help us provide and improve the Lattice Services, and to improve their security and proper functioning. 

(iii) Information We Collect from Third Parties 
In order to enhance our ability to provide relevant marketing, offers and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programs, data providers, social media platforms, as well as from other third parties. This information may include your:  mailing address, job title, functional role, business email, phone numbers, intent data (or user behavior data), IP addresses, social media profiles, social media URLs and custom profile.  We process this data for the purposes of: updating our records; targeted advertising; event promotion; optimizing our sites and the Lattice Services; for our sales and marketing activities, including to send marketing emails.

6. Cookies and Similar Tracking Technologies

Lattice uses a technology called "cookies" to store session information. A cookie is a small amount of data, which often includes an anonymous unique identifier, which is sent to your browser from a website's computers and stored on your computer's hard drive.  

We use both session ID cookies and persistent cookies. A "session ID cookie" expires when you close your browser. We use session ID cookies to track your login status. This cookie is only ever transmitted over HTTPS. A "persistent cookie" remains on your hard drive for an extended period of time. We use persistent cookies to determine from where you were referred to our website, as well as the last user ID that you used to log in. Lattice may set and access Lattice cookies on your computer; cookies are required to use the Lattice Services. You can remove persistent cookies by following directions provided in your Internet browser's "help"directory. Click here for more information on cookies, including how to disable them. If you disable cookies, you may still use our website, but your ability to use some areas of our website, such as contests or surveys, will be limited.  

Google Analytics: We use cookies served by Google Analytics to collect limited data directly fromService Users browsers to enable us to better understand your use of the Services, including making use of the demographics and interests reports services of Google Analytics. Further information on how Google collects and uses this data can be found at www.google.com/policies/privacy/partners/. You can opt-out of all Google supported analytics within the Services by visiting https://tools.google.com/dpage/gaoptout.  

We also partner with third-party ad networks to manage our advertising on other sites and with third-party analytics companies to assist us with analyzing the use of our own website. These third-party companies use cookies, web beacons, pixel tags, and related technologies to collect information about your activities on this and other websites to provide you targeted advertising based upon your interests and to provide measurement and analytic services.  

Specifically, we use the following third-party services: Microsoft’s Bing Ads, Google Ads andAnalytics, Quora Ads, LinkedIn Ads, Twitter Ads, Facebook Ads, Instagram Ads, and Hotjar Analytics. To learn more about third-party advertising, and to opt out of certain ad-targeting activities, please visit: preferences-mgr.truste.com, aboutads.info/choices, and youronlinechoices.com. To learn more about Microsoft’s privacy practices, see: privacy.microsoft.com/en-us/privacystatement; to opt-out of interest based advertising with Microsoft, see https://about.ads.microsoft.com/en-us/resources/policies/personalized-ads. To learn more about Google’s advertising policies, see: policies.google.com/technologies/ads; your ad settings with Google, see: adssettings.google.com; andGoogle’s ad personalization, see: policies.google.com/technologies/partner-sites. To learn more about Quora’s privacy practices, see quora.com/about/privacy; to opt-out of interest based advertising with Quora, see: http://www.aboutads.info/choices and https://www.youronlinechoices.com/. To learn more about LinkedIn’s privacy practices, see linkedin.com/legal/privacy-policy; to opt-out of interest based advertising from LinkedIn, see www.aboutads.info/choices and www.youronlinechoices.eu and www.youradchoices.ca/choices. To learn more aboutTwitter’s privacy practices, see twitter.com/en/privacy; to opt-out of interest based advertising from Twitter, see https://optout.aboutads.info. To learn more about Facebook’s privacy practices, see facebook.com/policy.php; to opt-out of interest based advertising with Facebook, see http://www.aboutads.info/choices and http://www.youronlinechoices.eu/. To learn more about Hotjar’s analytics services and privacy practices, see the ‘about Hotjar’ section of Hotjar’s support site; to opt-out data collection by Hotjar, see https://www.hotjar.com/legal/compliance/opt-out/.Thissite is being monitored by one or more third-party monitoring software(s), and may capture information about your visit that will help us improve the quality of our service. You may control the data being collected from your visit by visiting https://smart-pixl.com througha universal consumer options page located at https://smart-pixl.com/Unsub/unsub.html. 

“DO NOT TRACK” SETTING Currently, various browsers offer a “do not track” or “DNT” option which sends a signal to websites’ visited by a user about the user's browser DNT preference setting. Lattice does not currently respond to browsers' DNT signals with respect to the website, in part, because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. Lattice takes privacy and meaningful choice seriously and will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.

7. How do we use your Personal Information?

Lattice processes personal information for the following business and commercial purposes, and if you are a resident in the EEA or UK, on the legal basis identified below:

· Providing our websites and Lattice Services: In reliance on our legitimate interest, we process your personal information to operate and administer our websites, and to provide, operate, and maintain the Lattice Services;

· Communicating with you about the Lattice Services: We may send you service, technical and other administrative or technical email, messages and other types of notifications(such as distribution and product updates and product patches and fixes) in reliance on our legitimate interests in administering the Lattice Services and providing certain features. These communications are considered part of the LatticeServices and in most cases you cannot opt-out of them.  If an opt-out is available, you will find that option within the communication itself;

· Providing necessary functionality: We process your personal information in reliance on our legitimate interest to provide you with the necessary functionality required during your use of our websites and Lattice Services.

· Transactional considerations: We process your personal information to complete transactions, and send you related information, including purchase confirmations and invoices, to perform our contract with you and to the extent necessary in reliance on our legitimate interest;

· Handling contact and support requests: If you fill out a “Contact Us” web form or request support as a User, or if you contact us by other means including via a phone call, we process your PersonalInformation to perform our contract with you and/or (if we have not entered into a contract with you) to the extent it is necessary for our legitimate interest in fulfilling your requests and communicating with you;

· Administering Events: We process your personal information to plan and host events or webinars for which you have registered or that you attend, including sending related communications to you, billing, registration and to connect you with other event attendees, to perform of our contract with you, or to the extent necessary for our legitimate interests in fulfilling your requests to attend any such events;

· Developing and improving our websites and services:  We process your Personal Information to analyze trends and to track your usage of and interactions with our websites. marketing activities and Lattice Services to the extent it is necessary for our legitimate interest in developing, improving and troubleshooting our websites, marketing activities and the Lattice Services and providing you with more relevant content and service offerings, or where necessary, in reliance on your consent;

· Sending marketing communications: We will process your Personal Information for marketing purposes in accordance with your preferences, such as to communicate with you via email, SMS or telephone about services, features, surveys, newsletters, promotions or events we think may be of interest to you and/or to provide other news or information about Lattice and/or our select partners, in each case in reliance on our legitimate interest in conducting direct marketing or where necessary with your consent. Please see the "Your Privacy Rights" section below, to learn how you can control the processing of your Personal Information by Lattice for marketing purposes;

· Displaying personalized advertisements and content: We process your Personal Information to conduct marketing research, advertise to you, provide personalized information about us on and off our websites and to provide other personalized content based upon your activities and interests to the extent it is necessary for our legitimate interest in supporting our marketing activities or advertising the Lattice Services or, where necessary, to the extent you have provided your prior consent (please see the "Your Privacy Rights" section, below, to learn how you can control how the processing of your Personal Information for personalized advertising purposes);

·Promoting the security of our websites and services: To the extent necessary for our legitimate interests in promoting the safety and security of our websites and services, we use your PersonalInformation to investigate and prevent fraudulent transactions, unauthorized access to the websites, Lattice Services, and other illegal activities;

· For our business purposes, such as data analysis, audits, fraud monitoring and prevention, developing new products and features, enhancing, improving or modifying our products and services, identifying usage trends and expanding our business activities in reliance on our legitimate interests; and

· Complying with legal obligations: We process your Personal Information when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of Personal Information to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our websites, theLattice Services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes or to respond to lawful requests.

· Reviewing compliance with applicable usage terms: We process your Personal Information to review compliance with our contract with you or your organization (where applicable) to the extent that it is in our legitimate interest to ensure adherence to the relevant terms; and

·  Other purposes: We will process your Personal Information for other purposes about which we notify you in advance, or for which we receive your consent.

8. What Information We Share or Disclose to Others?

Lattice will not share Personal Information, or otherwise make your PersonalInformation available to any other parties except as provided in this Privacy Policy. Parties with whom we may share your Personal Information, pursuant to any applicable agreements, include:

Event Co-Sponsors: If you sign up for an event or content that is co-hosted by Lattice and one of its partners or co-sponsors, your  Personal Information may be shared with that partner or co-sponsor. Please see our partner or co-sponsors’ privacy policies for further information about how they use Personal Information.

Legal or regulatory bodies and agencies: Lattice will share your information, including Personal Information, in order to respond to investigations, court orders, legal processes, or to investigate prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person, violations of Lattice’s Terms of Service, or as otherwise required by law. If Lattice is required by law or an order of a court of competent jurisdiction to disclose your information, Lattice will promptly notify you of this requirement, if permitted by the court or applicable law, so that you may seek a protective order or other appropriate relief.

Service providers: In order to provide our websites, the Lattice Services to you and undertake our marketing and business activities, it may be necessary for us to disclose your information to contracted third parties and service provider partners who perform certain functions on our behalf.  Examples include payment providers (to authorize, record, settle and clear payment card transactions); cloud hosting providers (to provide data storage and processing services); communications providers (to process new queries and to manage our emails); and analytics companies to perform analysis. These third-party service providers or vendors may use data we provide to them only as instructed by Lattice.

Business transfers: If Lattice is involved in a merger, acquisition, or sale of all or apportion of its assets, Personal Information may be transferred to the acquiring person or entity, in which case you will be notified via email and/or a prominent notice on our website of any such change in ownership or uses of Personal Information, as well as any choices you may have regarding Personal Information.

Advertising partners: We may partner with third party advertising networks, exchanges and social media platforms to display advertising on our websites or to manage and service advertising on other sites and we may share Personal Information with them for this purpose. Please see the section above  "Cookies and Other Similar Technology"  for further information.


Our website includes links to other websites whose privacy practices may differ from those of Lattice. If you submit information to any of those sites, your information is governed by the privacy policies that apply to those sites. We encourage you to carefully read the privacy policy of any website you visit.

10. How We Protect Your Information

All of your Personal Information remains private and confidential. The security ofyour Personal Information is important to us. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL).

Lattice maintains a comprehensive written information security program that complies with applicable law and generally accepted industry standards. Our program includes appropriate administrative, technical and physical safeguards, procedures and practices to protect Personal Information submitted to us, both during transmission and once we receive it. No method of transmission over theInternet, or method of electronic storage, however, is 100% secure. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our website, the Lattice® web application owned and operated by Lattice, or the Lattice Services, please contact us using the contact information below.

Lattice and its representatives will never request your account credentials. You should never share your Lattice account information, including your username and password, with anyone else. We recommend that you use a unique password for your Lattice account that is not associated with other websites. You should check your Lattice account regularly to ensure that your Personal Information has not been tampered with or altered. Any suspicious activity regarding your account, including automated messages or calls from parties you cannot identify, should be reported to your site administrator and Lattice using the contact information below.

11. Social Media Features

Our websites may use social media features, such as the Facebook “like” button, the “Tweet”button and other sharing widgets (“Social Media Features”). You may be given the option by such Social Media Features to post information about your activities on a website to a profile page of yours that is provided by a third-party social media network in order to share with others within your network. SocialMedia Features are either hosted by the respective social media network or hosted directly on our website. To the extent the Social Media Features are hosted by the respective social media networks and you click through to these from our website, the latter may receive information showing that you have visited our website. If you are logged in to your social media account, it is possible that the respective social media network can link your visit to our websites with your social media profile. Your interactions with Social MediaFeatures are governed by the privacy policies of the companies providing the relevant Social Media Features

12. Your Privacy Rights

When acting as a controller, and depending on your location, your jurisdiction, and subject to applicable law, you may have the rights below with regard to the PersonalInformation we control about you. We will respond to your requests within the appropriate timeline under applicable law.

· The right of access means that you have the right to request that we disclose what Personal Information we have collected, used and disclosed about you. You can do so at any time by contacting us using the contact details provided under the "How to Contact Us" heading below.

· The right of deletion means that you have the right to request that we delete Personal Information collected or maintained by us, subject to certain exceptions. As mentioned above, you can doso at any time by contacting us using the contact details provided under the"How to Contact Us " heading below.

·The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.

· You can also ask us to correct or update your Personal Information; object to the processing of your personal information; ask us to restrict processing of your Personal Information or request the portability of your PersonalInformation. Again, you can exercise these rights by contacting us using the contact details provided under the "How to Contact Us " heading below

.· While you cannot opt out of service-related emails if you are an account holder, as this is an essential part of the Lattice Services, you have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you, or you can contact us using the contact information below.

· Similarly, if we have collected and process your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent

.·  You have the right to complain to a data protection authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority.

·  Lattice does not engage in any automated decision making with User PersonalInformation.

If your Personal Information has been submitted to us by or on behalf of our Customer (your employer) and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the applicable Customer directly. For more information on how your employer uses your Personal Information, please see your employer’s privacy policy.

13. California Consumer Privacy Act (CCPA) Sale of Personal Information Notice

As mentioned above, Lattice may provide third parties with certain personal information to provide or improve our products and services, for example to deliver products or services at your request. In such cases, we require those third parties to handle the information in accordance with applicable laws and regulations. Lattice does not sell personal information to third parties (pursuant to California Civil Code §§ 1798.100–1798.199, also known as the California Consumer Privacy Act of 2018), nor does Lattice share personal information with third parties for their direct marketing purposes (pursuant to California Civil Code Sec.1798.83).

14. How to Contact Us

You can exercise your rights yourself or depending on your country or state, you may be able to designate an authorized agent to exercise these rights on your behalf. Please note that to protect your personal information, we will verify your identity by a method appropriate to the type of request you are making.For example, this could include sending an e-mail to an account on record, or asking you to identify a recent transaction or communication. We may also request that your authorized agent sign a declaration under the penalty of perjury attesting to their designation as your authorized agent, and that they have written permission from you to make requests on your behalf. We may also need to verify your authorized agent's identity to protect your personal information.

Please use the contact details below, if you would like to:

· Access this policy in an alternative format;
· Exercise your rights;
· Contact Lattice’s Data Protection Officer;
· Learn more about your rights or our privacy practices;
· Designate an authorized agent to make a request on your behalf; or
· For questions related to this Privacy Policy, or about any of your rights. 

E-Mail: privacy@lattice.com 
Request Portal: https://lattice.com/privacy-request 

Alternatively, you can write to us at:Degree,Inc. DBA Lattice
600 Battery Street, Floor 2
San Francisco, California 94111
USA


If you are a California resident and you want to exercise your rights, or you wish for an authorized agent to make a request on your behalf, please contact us on our toll-free telephone number at 1-866-I-OPT-OUT (1-866-467-8688) and enter Service Code 771# or click on the 'Contact Us' button above.

15. Data Retention

We will retain your Personal Information for as long as is necessary to fulfill the services that you have requested, comply with any laws or regulations, resolve disputes, and enforce our agreements. Lattice may retain your data longer for a legitimate business interest where business benefit is not outweighed by your personal rights and freedoms. Data entered into the Lattice Services and processed on behalf of our Customers as a service provider or processor is retained in accordance with any applicable agreement between Lattice and its Customer.

16. Information About Minors

Our website and services are not targeted at children under sixteen (16) years of age. As such, Lattice does not process or disclose Personal Information of minors under sixteen years of age. If you believe we have collected personal information about a child under sixteen, please contact us using the How to Contact Us Section above.

17. Updates to this Privacy Policy

Lattice may update this Privacy Policy from time to time and will notify accountholders of significant changes in the way we treat any Personal Information, by sending a notice to the primary email address specified in your Lattice account. We may also place a prominent notice on our website. We encourage you to periodically review this page for the latest information on our privacy practices.

18. European Representative

For the convenient administration of regulatory compliance concerns related to citizens of the European Union, Lattice has appointed an EU Representative. For questions related to GDRP compliance, or to contact Lattice’s EU Representative, please contact info@rivacy.eu or at:  

RIVACY GmbH / Hammerbrookstr. 90/ 20097Hamburg  

Amtsgericht Hamburg/HRB151916/Steuernummer46/754/02510 

Geschäftsführer: Tim Haufe // Tel.: +49 175 820 36 42

19. International Data Transfers

Your personal information may be transferred to, and processed in the United States and in any other country where Lattice or its affiliates, subsidiaries or third party service providers maintain facilities or personnel.  These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). We follow applicable data protection laws when transferring personal data.If you are resident in or a visitor from the EEA, United Kingdom or Switzerland, we will protect your Personal Information when it is transferred outside of such locations by processing it in a territory which the European Commission has determined provides an adequate level of protection for Personal Information; or otherwise implementing appropriate safeguards to protect your Personal Information, including through the use of Standard Contractual Clauses or another lawful transfer mechanism approved by the European Commission.  

Have more questions? We’re here to help, so please contact us.

© 2020 Degree, Inc. All Rights Reserved. Lattice® is a registered trademark of Degree, Inc.California residents: To submit a right to know, delete, or to exercise any of your rights regarding your personal information, click here. To understand your rights and how we handle your personal information, please see our Privacy Policy. 

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Security Measures

Wave

A. Annual Evidence of Compliance

1. Third Party Security Audit

Lattice is and shall continue to be annually audited against the SOC 2 Type II standard. The audit shall be completed by an independent third-party. Upon Customer’s written request, Lattice will provide a summary copy (on a confidential basis) of the most recent resulting annual audit report, so that Customer can verify Lattice’s compliance with the audit standards against which it has been assessed and this DPA. Although that report provides an independently audited confirmation of Lattice’s security posture annually, the most common points of interest are further detailed below. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request and annually upon written request.

2. Summary of Web Application Penetration Test

Lattice shall continue to annually engage an independent, third-party to perform a web application penetration test. Upon Customer’s written request, Lattice shall provide a summary of the findings to Customer. Lattice shall address all medium, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.

3. Security Awareness Training

Lattice shall provide annual Security Training to all personnel. “Security Training” shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials should address industry standard topics which include, but are not limited to:
• The importance of information security and proper handling of personal information.  
• Physical controls such as visitor protocols, safeguarding portable devices and proper data destruction.
• Logical controls related to strong password selection/best practices.
• How to recognize social engineering attacks such as phishing.

4. Vulnerability Scan

Lattice shall ensure that vulnerability scans are performed on servers continuously and network security scans are completed at a minimum annually, in each case using an industry standard vulnerability scanning tool.

B. Security

1. Process-Level Requirements

a. Lattice shall implement user termination controls that include access removal / disablement promptly upon termination of staff.
b. Documented change control process will be used to record and approve all major releases in Lattice’s environment.
c. Lattice shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe.

2. Network Requirements

Lattice shall use firewall(s), Security Groups/VPCs, or similar technology to protect servers storing Customer Personal Data.

3. Hosting Requirements

a. Where Lattice handles Customer Personal Data, servers shall be protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Salesforce and Google. All cloud-hosted systems shall be scanned, where applicable and where approved by the cloud service provider.
b. Cloud Environment Data Segregation: Lattice will virtually segregate all Customer Personal Data in accordance with its established procedures. The Customer instance of Service may be on servers used by other non-Customer instances.

4. Application-Level Requirements

a. Lattice shall maintain documentation on overall application architecture, process flows, and security features for applications handling Customer Personal Data.
b. Lattice shall employ secure programming techniques and protocols in the development of applications handling Customer Personal Data.
c. Lattice shall employ industry standard scanning tools and/or code review practices, as applicable, to identify application vulnerabilities prior to release.

5. Data-Level Requirements

a. Encryption and hashing protocols used for Customer Personal Data in transit and at rest shall support NIST approved encryption standards (e.g. SSH, TLS).
b. Lattice shall ensure laptop disk encryption.
c. Lattice shall ensure that access to information and application system functions is restricted to authorized personnel only.
d. Customer Personal Data stored on archive or backup systems shall be stored at the same level of security or better than the data stored on operating systems.

6. End User Computing Level Requirements

a. Lattice shall employ an anti-virus solution with daily signature updates for end-user computing devices which connect to the Customer network or handle Customer Personal Data.
b. Lattice will have a policy to prohibit the use of removable media for storing or carrying Customer Personal Data. Removable media include flash drives, CDs, and DVDs.

7. Compliance Requirements

a. Lattice will, when and to the extent legally permissible, perform criminal background verification checks on all of its employees that provide Services to Customer prior to obtaining access to Customer Personal Data. Such background checks shall be carried out in accordance with relevant laws, regulations, and ethics.
b. Lattice will maintain an Information Security Policy (ISP) that is reviewed and approved annually at the executive level.

8. Shared Responsibility

Lattice’s Service requires a shared responsibility model. For example, Customer must maintain controls over Customer user accounts (such as disabling/removing access when a Customer employee is terminated, establishing password requirements for Customer users, etc.).

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Lattice Privacy Request

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Lattice's Data Processing Agreement

Sign Data Processing Addendum
Wave

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Fair Processing Notice - Cognism

Wave

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Lattice's Approach to Schrem's II

Wave

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy

Lattice's Subprocessor List

10Pines

Software Development Services

251 Little Falls Drive,
Wilmington, Delaware.

Website

Atlassian

Customer support

Level 6, 341 George Street,
Sydney NSW 2000 Australia

WebsiteTermsPrivacy

Amazon Web Services

Hosting & Data storage

410 Terry Avenue North.
Seattle, WA 98109-5210

WebsiteTermsPrivacy

Delighted

NPS

1027 Alma St b,
Palo Alto, CA 94301

WebsiteTermsPrivacy

Fivetran

Data integration

405 14th St, Floor 11
Oakland, CA 94612

WebsiteTermsPrivacy

Gainsight

Customer support

655 Montgomery St, 7th Floor
San Francisco, CA 94111

WebsiteTermsPrivacy

GainsightPX

Customer support

655 Montgomery St, 7th Floor
San Francisco, CA 94111

WebsiteTermsPrivacy

Gong

Customer support

814 Missions Street, Floor 4
San Francisco, CA 94103

WebsiteTermsPrivacy

Google

Email, Docs, Analytics

1600 Amphitheatre Parkway
Mountain View, CA 94043

WebsiteTermsPrivacy

Intercom

Customer support

55 2nd St,
San Francisco, CA 94105

WebsiteTermsPrivacy

Looker

Analytics Tool

2300 Harrison St

San Francisco, CA 94110

WebsiteTermsPrivacy

Loom

Customer support

720 Market St Suite 600,
San Francisco, CA 94102, USA

WebsiteTermsPrivacy

MailGun

Email

620 Folsom St # 100,
San Francisco, CA 94107

WebsiteTermsPrivacy

Mode

Analytics

208 Utah St #400,
San Francisco, CA 94103

WebsiteTermsPrivacy

Retool

Software development tool

545 Sutter Street
San Francisco, CA 94102

WebsiteTermsPrivacy

Salesforce

CRM

The Landmark @ One Market
Suite 300
San Francisco, CA 94105

WebsiteTermsPrivacy

Segment

Analytics

100 California St Suite 700,
San Francisco, CA 94111

WebsiteTermsPrivacy

SendWithUs

Email

3252a 19th St,
San Francisco, CA 94110

WebsiteTermsPrivacy

Sentry

Logging

132 Hawthorne St,
San Francisco, CA 94107

WebsiteTermsPrivacy

Slack

Messaging Integration

500 Howard St,
San Francisco, CA 94105

WebsiteTermsPrivacy

Stripe

Billing

185 Berry St #550,
San Francisco, CA 94107

WebsiteTermsPrivacy

Stitchdata

ETL (Data Movement)

1339 Chestnut Street, Suite 1500
Philadelphia, PA 19107

WebsiteTermsPrivacy

Zendesk

Customer support

989 Market St
San Francisco, CA 94103

WebsiteTermsPrivacy

Zoom

Customer support

55 Almaden Boulevard, 6th Floor
San Jose, CA 95113

WebsiteTermsPrivacy

Additional Privacy Resources

Privacy Overview
Privacy Policy
Privacy FAQs
Data Processing Addendum
Schrems II
Security Measures
Subprocessors
Privacy Request
Job Applicant Privacy Policy