Data Processing Record
Heartcount provides a web-based software-as-a-service Platform that helps businesses identify what motivates employees with real-time data.
1. Name and contact details
Heartcount is a software company incorporated and domiciled in Novi Sad, Serbia.
Legal name: Heartcount d.o.o.
Address: Milutina Milankovića 1i/4, Belgrade (Serbia)
Contact email: contact@heartcount.com
2. Transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) GDPR, the documentation of suitable safeguards.
Heartcount is fully compliant with GDPR, ensuring an adequate level of personal data protection.
Heartcount’s internal database is hosted in Amazon Web Services data centers and managed by Amazon Web Services (AWS RDS). Amazon Web Services, Inc. is located in the United States and is bound by Standard Contractual Clauses entered into with Heartcount.
Heartcount’s email delivery service provider is ActiveCampaign, LLC (“Postmark”). ActiveCampaign, LLC is located in the United States and is bound by Standard Contractual Clauses entered into with Heartcount.
Heartcount’s SMS delivery service provider is Infobip Ltd (“Infobip”). Infobip Ltd is located in the United Kingdom and is bound by Standard Contractual Clauses entered into with Heartcount.
Heartcount’s product discovery and re-engagement tool provider is Intercom R&D Unlimited Company (“Intercom”). Intercom is located in the United States and is also bound by Standard Contractual Clauses entered into with Heartcount.
Personal information collected by Heartcount
| Categories of personal information collected by Heartcount | Categories of data subjects for which such personal information is collected | Categories of processing activities in connection with such information |
|---|---|---|
| Heartcount user credentials: user credentials permit the users to access the Heartcount Platform and include emails, phone numbers and password hashes. | | |
| Employee profiles: the account administrator creates a profile for each of their employees, which contains the first name, last name, language, gender and email or phone number of the employee. Each employee has access to their employee profile and can update their information. Managers can assign employees to one or more teams. | | |
| Answers to surveys: employees answer surveys such as “How did you feel at work this week?” and “What has your relationship with your colleagues been like this week?” Employees can also choose to leave a comment on a survey. Heartcount’s internal database includes the identity of the survey respondents. | | |
| Employee notes: company and group managers can leave notes on employee profiles that can serve as conversations about the specific employee between multiple managers. | | |
General description of the technical and organisational security measures in place
Pseudonymisation and encryption of personal information

Pseudonymisation: Heartcount cannot pseudonymize the “survey answers” data in the database, otherwise it would not be able to reveal the identity of an employee in the confidential (identified) version of Heartcount. Heartcount cannot pseudonymize the “user profile” data in the database, otherwise the managers could not view, add or modify user properties related to their employees.

Encryption: The data is encrypted in transit with HTTP over TLS. Certificates use 2048-bit keys, and private keys are stored in a dedicated secret vault. Data is encrypted at rest using AES-256.

Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

Confidentiality: Heartcount has measures in place to ensure that no person is allowed to access personal information without authorization. Such measures include, without limitation:

Integrity: Heartcount has measures in place to ensure that data integrity is maintained. Such measures include, without limitation:

Availability: Heartcount has measures in place to ensure that personal information is available and is used properly in the intended process. Such measures include, without limitation:

Resilience: Heartcount has measures in place to ensure that the Heartcount Platform is resilient. Such measures include:

Ability to restore the availability and access to personal information in a timely manner in the event of a physical or technical incident

If the causes of an outage are within Heartcount’s control, its recovery time objective (RTO) is about 12 hours or less. See the measures described above with respect to “availability”.