Reflektive is a cloud-based Software-as-a-Service provider of Strategic Human Resources solutions. Reflektive’s solutions include performance reviews, real-time feedback, goal management, workforce analytics, and employee engagement. Reflektive can integrate seamlessly with a number of popular productivity applications, including Gmail (via a browser extension), Outlook for Windows and OSX, JIRA and Slack.
Reflektive takes data security seriously. In order for your company to build trust with your employees and get the most out of the Reflektive platform, employee privacy and data must be secure and tamper-proof.
General Security Overview
Reflektive customers interact with Reflektive in the following ways:
- Connecting to Reflektive Web Servers
- Visiting the Reflektive Website
- Using the Reflektive Extension (Chrome, Safari, Firefox)
- Using the Reflektive Outlook (Windows/Mac) Plugin
For detailed information on how Reflektive handles data and security through these channels, please look through the following .pdf documents.
SOC 2 Type-1 Compliance
Creating a culture of engagement and satisfaction requires an unparalleled level of transparency and trust. Every day, employees rely on their employer to keep their personal information safe, and companies in turn rely on software providers to protect employee data. As human resources systems move to the cloud in order to facilitate HR processes, companies like Reflektive carry the burden of storing that information in the most secure way.
Customers have always relied on us to keep the data of their people — their most important asset — safe. With an increase in demand from enterprise clients and their distributed workforces, Reflektive achieved SOC 2 Type 1 compliance, a way to provide third-party approval of the way we manage information stored in the cloud.
Governed by the American Institute of CPAs (AICPA), the stringent SOC 2 security examination and compliance standards allow companies to rely on our scalable solution with confidence to support real-time feedback, agile goal alignment, employee engagement and performance management.
SOC 2 Type-2 Compliance
The SOC 2 Type-2 reports concern policies and procedures over a specified time period; for this more rigorous designation, systems must be evaluated for a minimum of six months.
SOC 2 Type II reports are the most comprehensive certification within the Systems and Organization Controls protocol. Businesses seeking a vendor such as an I.T. services provider will find SOC 2 Type II is the most useful certification when considering a possible service provider’s credentials.
For Reflektive's SOC 2 Type-2 report, please click here.
Reflektive has been SOC2 Type II certified since 6/1/2017. Its most recent certification is for the audit period ending 11/30/2019, and Reflektive is now on an annual SOC2 audit schedule running from 12/1 to 11/30.
What is Privacy Shield?
Privacy Shield is a joint certification from the US Department of Commerce, European Commission, and Swiss Administration that affirms that Reflektive adheres to privacy practices that comply with EU data protection laws and Swiss data protection laws. This gives EU and Swiss companies confidence that they can allow Reflektive to store their data in US-based datacenters, and helps Reflektive avoid the cost and overhead of hosting data in the EU.
To learn more about Privacy Shield, review the links below.
Frequently Asked Questions on Privacy Shield:
- Is Reflektive Privacy Shield Certified?
Yes, Reflektive is certified as of August 18th, 2017. Certification lasts one year, at which point we will certainly act to re-certify.
- How did Reflektive become Privacy Shield Certified?
Privacy Shield compliance is granted via application to the US Department of Commerce. Reflektive provided evidence of data protection practices and committed publicly to follow those practices, and was then certified.
- How can I prove that Reflektive is Privacy Shield Certified?
Reflektive’s official listing as a Privacy Shield compliant company can be found here.
- Where does Privacy Shield apply?
Reflektive is certified for both the EU and Switzerland. The EU certification includes all nations in the EU at present. This should replace any need for Model Clauses going forward.
The General Data Protection Regulation (GDPR) is a new framework of data protection laws for the European Union. Organizations collecting personal data of EU residents must adequately ensure protection of that data under these laws. Essentially, any company that does business in the EU and captures any kind of personal data about any EU resident will have to be in compliance.
To learn more about GDPR, feel free to open the link below.
How are Reflektive Customers Impacted?
Any Reflektive Customer that has EU employees or does business with EU residents and enters any personal data about those persons into Reflektive becomes a “Data Exporter” under GDPR. Reflektive is in turn a “Data Processor” under the GDPR. As a Data Exporter using Reflektive, Customers must:
- Obtain EU resident consent to record and use personal data
- Set data retention periods
- Respond to resident requests for access to or deletion of personal data
- Ensure “Data Processor” vendor compliance with personal data protection
How will Reflektive Provide Support?
Reflektive is fully committed to protecting the personal data of its clients. Currently, Reflektive complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and Reflektive is underway and ahead of schedule on its GDPR Compliance program.
- Process Personal Data only in compliance with the GDPR
- Process Personal Data only as a Processor acting on behalf of such Client
- NOT process any Personal Data for Reflektive’s own purposes or of any third party
- Provide customers with a SOC 2 Type II data security environment
- Provide customers’ EU resident employees or customers with a “right to be forgotten” process
- Assist customers in responding to data access requests from individuals
- Use “Privacy by Design” principles for its data protection programs, processes and projects
- Prepare and offer Clients a Data Processing Agreement setting forth Reflektive’s GDPR compliance
In sum, Reflektive Customers can rest assured that Reflektive will comply with the GDPR as a Processor processing Personal Data of EU residents.
How is data collected, processed, and stored?
Basic identifying information about employees and their reporting relationships is imported into Reflektive from the customer organization’s employee system of record. This information is subsequently refreshed through periodic imports as necessary to reflect changes. Review, Goal, and Survey data are generated by employee users in the course of using Reflektive’s application. All data processed by Reflektive is appropriately access controlled, and always securely transmitted and stored.
Are there business requirements for processing and storing Personally Identifiable Information (PII)?
Yes, Reflektive’s core functionality involves facilitating and enhancing performance-focused communication between employees and their managers and colleagues. This requires very basic identifying information (name, email address). Customers may choose to include additional identifying information to enhance the user experience, but this is completely optional and controlled on an administrative level.
What PII is processed and stored by Reflektive?
The following data elements are required for the employee users of Reflektive’s applications:
- User Login ID
- Email Address
- User IP Address
And the following employee data elements are optional based on application usage and customer preference:
- Preferred Name
- Employee ID
- Date of Birth
- Hire Date
- Photo URL
- Employee Status (Active/Terminated)
- Employment Type (e.g., Full-Time, Part-Time, Contract)
- Job Title
- Job Location
- Termination Date
- Division Name
- Department Name
- Manager Employee ID
- Manager Name
- Manager Email Address
- Reviews Data (unstructured)
- Goals Data (unstructured)
- Survey Data (unstructured)
- Operational User Data (e.g., user activity within the application)
- Recruiting Data (e.g., Applicant and Application Process Information)
- Compensation Data (e.g., Currency, Amount, etc.)
How is PII data used?
Names and photos are used so employees can find and reference each other within Reflektive applications, much like a social network. Employees provide real-time feedback to each other, participate in performance reviews with their managers, define and track goals, complete surveys, and perform analytics.
With the exception of a very limited set of required data elements used for the basic identification of employees and their managers (Company, Name, User ID, and Email Address), the use of PII within Reflektive’s solutions is optional: Each customer organization decides which additional PII data elements--if any--are desirable to process and store within Reflektive’s applications.
How are user authorization credentials stored?
User accounts can be managed either by the Reflektive application or by a customer’s preferred third party Single Sign-On (SSO) provider. Reflektive-managed user account passwords are encrypted with secure one-way hashing. Supported third party authenticators (Google Sign-in, SAML providers, etc) do not require Reflektive to store any passwords.
How is PII data used? Is the data traffic between a Reflektive user’s browser and the Reflektive application in the cloud encrypted?
Yes, Reflektive supports TLS 1.2 (256 bit encryption of data in flight)
Is data stored in a single-tenant or multi-tenant environment?
Reflektive application data is processed and stored in a multi-tenant environment: the data is logically segregated by company (as opposed to physically segregated in discrete instances of the application and database).
How often is data backed up?
Reflektive creates full backups of all system data on a daily basis. These backups are encrypted at rest, and are retained for 30 days. Reflektive also maintains a hot standby of the main application database to ensure high availability. Does Reflektive keep audit trails? All administrative actions performed within Reflektive are logged. All internal system access is logged. Reflektive Security & Privacy FAQ
Confidential - Subject to NDA V1.8 March 3, 2020
Who within Reflektive has access to customer data?
Primarily just Reflektive’s customer support staff. A small number of high-level system administrators also has access in order to maintain the system.. All data access is logged and audited.
Does Reflektive perform security testing?
Reflektive performs security testing throughout its development lifecycle, and also runs automated vulnerability scans against its production web application on a weekly basis. At least annually, Reflektive engages a specialized third party security firm to perform a rigorous manual penetration test.
What does Reflektive do to detect suspicious activity on its platform?
Reflektive logs privileged operations, authorized & unauthorized access attempts, and a broad range of system and application-level events, which are filtered and monitored to detect anomalies/suspicious activity. Reflektive also leverages a real-time application self-protection solution to identify and block malicious traffic.
Print this Guide
Use this guide for reference or share it with your team by saving or printing this page. Right-click anywhere on this page to save or print.