At PayScale, our mission is to help companies bring modern compensation to life. In support of this mission, it is critical our customers have confidence in the privacy and security of our products. We have designed PayScale products with advanced security technologies to keep the data you provide us safe and we have put in place mechanisms to allow PayScale and our customers to comply with applicable data protection laws.
We leverage industry standard security solutions and practices. PayScale maintains a comprehensive set of IT controls to enable our products to meet compliance obligations and provide our customers secure solutions. Our IT controls include:
- Secure Facilities – The facilities that store your data include multiple layers of physical security, such as 24-hour physical security staff, palm-print readers, and RFID and ID badge identification systems.
- Perimeter Security – Our perimeter network infrastructure is protected by multiple levels of security. We use network segmentation, as well as Security Groups, Network Authentication, and Firewalls to restrict and protect our infrastructure.
- Limited Access to Customer Data – Only trained and authorized employees have access to any customer data loaded into our systems. Also, our corporate networks are restricted from accessing sensitive data. We use modern SSL and HTTPS encryption to protect customer data and communications between our customers and our products.
- Prevention of Unauthorized Access – Customers can only access PayScale products by providing an authenticated username and password combination. Only requests coming from an authenticated user on an HTTPS encrypted connection are allowed access to our servers.
If you have purchased a PayScale product and desire additional information about the IT controls or other security measures we have in place, please contact customer support or email firstname.lastname@example.org and include in your message the name of the organization you are contacting us on behalf of and the PayScale product used by such organization so we can provide you the appropriate information.
System and Organization Controls (SOC) Reports are independent third-party examination reports that detail the security, availability, and the processing integrity of systems used to process user data. These reports help you and your auditors understand the controls we’ve put in place to support operations and compliance.
We are proud to share that PayScale Insight Lab is SOC 2 Type I certified and PayScale MarketPay is SOC 2 Type II certified. Our SOC reports are confidential and are only shared under a non-disclosure agreement or shared with our existing customers who are subject to confidentiality. If you are a PayScale Insight Lab or PayScale MarketPay customer and would like to review our SOC report, please contact our customer support team.
Data Protection Laws
PayScale is committed to complying with applicable data protection laws, such as the European Union (“EU”) data protection laws set out in the General Data Protection Regulation (“GDPR”). GDPR became enforceable on May 25, 2018, and here at PayScale we’ve been hard at work preparing for GDPR by putting in place measures to ensure that we and our customers comply with GDPR and other data protection requirements.
What is GDPR?
The General Data Protection Regulation (“GDPR”) is a new European privacy regulation that replaced the EU Data Protection Directive (“Directive 95/46/EC”). The goal of GDPR is to strengthen the security and protection of personal data in the EU and create consistency across EU member states on how personal data can be processed, used, and exchanged. If a company hosts, collects, stores, or otherwise processes any personal data of an EU citizen (such as an EU citizen’s name or email address), GDPR requires such company to use data processors that implement the technical and organizational requirements of GDPR.
For our customers that use PayScale products that may process personal data of an EU citizen, we have developed a Data Processing Addendum (“DPA”) that is tailored to our products and includes contractual commitments regarding our compliance with applicable data protection laws, including GDPR. We are happy to share that as of July 11, 2018, our DPA is a part of our Master Subscription Agreement, and all of our customers can rely on the terms of the DPA whenever they use a PayScale product that processes data regulated by data protection laws. This means you can focus on your compensation strategy and on attracting and retaining the right talent for your organization, and we can focus on delivering and improving our products for you and our customers, because no additional engagement or painful contract negotiations are required of our customers to be compliant with GDPR and other data protection laws. You can view a copy of our DPA at https://www.payscale.com/content/legal/dpa.pdf. If you are an existing PayScale customer that does not have our DPA incorporated into your service agreement with us, please email email@example.com to receive a copy of our DPA and include in the message the name of the organization you are contacting us on behalf of and the PayScale product used by such organization.
Additionally, for transparency and to comply with GDPR and other applicable data protection laws, PayScale maintains a list of sub-processors. This list of sub-processors includes our third-party suppliers that we engage to allow us to provide you our products and run our business. You can find information about our current sub-processors at https://www.payscale.com/content/legal/PayScale-GDPR-Subprocessor-List.pdf. These sub-processors store, have potential access to, or process personal data of an EU citizen. It’s a pretty long list because “process” is broadly defined under GDPR.
What is the Privacy Shield?
The U.S. Department of Commerce, with the European Commission and the Swiss government, created the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to provide companies with a mechanism to transfer personal data from the EU to the United States in a manner that provides an adequate level of protection under EU data protection laws.
PayScale has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States. To learn about how we comply with the Privacy Shield principles, go to www.payscale.com/content/legal/privacyshield.pdf. You can learn more about the Privacy Shield and view our certification here.