Privacy FAQs
At Unily, we are committed to both complying with our obligations under applicable data protection laws when providing services to our customers as a processor, and to ensuring that our customers can use our services while complying with their own data protection requirements.
As part of this commitment, we have published our answers to frequently asked questions to assist our customers with their due diligence processes and completion of data protection impact assessments for the Unily services.
Unily provides an employee experience intranet platform that offers various features and other related services for connecting, informing, and engaging employees, as described in our Data Protection Addendum (DPA). For a detailed description of the Unily service offering, please see: https://www.unily.com/services
Unily processes personal data to deliver and support our employee experience platform for customers. This includes enabling core platform functionality such as user profiles, collaboration features, and communication tools, as well as ensuring the platform is secure, reliable, and tailored to each customer’s needs.
Customers have control over what personal data they submit to, and collect using, the Unily platform. As such, the type of personal data processed may differ depending on each customer's individual requirements. Examples of the data that may be processed include:
- Personal details (name, date of birth, age, job title, department, location, profile image, LinkedInID)
- Contact details (work email, work phone, mobile, etc.)
- Any other types of personal data which may be provided by the customer from time to time via the data synchronisation process to facilitate customised functions and integrations with third-party applications.
Data is stored within a Microsoft Azure data centre in the same legal boundary as the data controller’s Microsoft 365/Microsoft Entra ID tenant. Additionally, DR copies of the data are geo-replicated to a Microsoft Azure data centre within the same judicial data boundary.
All customer personal data is stored on Microsoft Azure Databases with Transparent Data Encryption (256-bit AES), and Microsoft Azure Storage Accounts with Storage Encryption (256-bit AES). Keys are managed by Microsoft.
In addition, our sub-processors also hold personal data; their locations are available on the sub-processor list.
We transfer personal data outside of the UK and EEA to third countries such as the US to help deliver our services. Where we do this, we ensure transfers are in accordance with applicable data protection laws, for example by using applicable standard contractual clauses.
Ultimately, the customer is responsible for determining what categories of personal data are submitted to the Unily platform. However, it is important to note that the disclosure of sensitive personal data of this nature is not required for the provision of the services. Given the nature and purpose of our services, we do not generally process this type of data.
It is the responsibility of the customer to inform their data subjects about the processing of personal data using the Unily services. The Unily platform provides the necessary tools for customers to communicate directly with their data subjects should they wish to communicate this information through the platform itself.
In instances where Unily processes personal data for its own purposes (e.g. for our business contacts), information regarding privacy can be found in the Unily Privacy Notice and other related privacy documentation.
Access to personal data by Unily employees is only permitted in accordance with the customer's documented instructions, as set out in the DPA. Unily employees are subject to appropriate confidentiality obligations. The locations of Unily affiliates with staff who may access personal data are listed in our sub-processor list. Typically, only the Operations Engineering and Support teams, as well as authorised project team members, have access to customer data.
Unily applies strict administrative, technical, and monitoring controls to prevent unauthorised internal access to customer data. Access to production environments and customer sites is limited to named, authorised personnel under the principle of least privilege, with all elevated access managed through our Privileged Identity Management System (PIMS). PIMS enforces request, approval, and logging processes, ensuring permissions are time-bound and appropriate, with senior staff providing approvals.
All actions, including authentication, configuration changes, and data access, are logged and monitored in real time through our Security Information and Event Management (SIEM) platform, which alerts our security team to any unusual or unauthorised behaviour.
You can find details of our standard data safeguards to ensure the security of our customers’ personal data here. These measures are also referenced in our DPA.
Yes. Unily maintains a formally documented, comprehensive and accurate ROPA that is reviewed regularly. This includes an internal record of the processing activities carried out by Unily on behalf of its customers.
For all end-user data processed within the Unily platform, Unily acts as a processor. Customers remain in control of that data and can use our self-service tools to manage it, including handling data subject rights requests. Our role and responsibilities as a processor are set out in our DPA, which is designed to ensure compliance with data protection laws.
Unily acts as a controller when we collect and use personal data for our own business purposes. For example, we process contact details to set up service contracts and manage billing. In these cases, Unily determines how and why the data is used. Please see our Privacy Notice for full details of how we process personal data as a controller.
Unily customers, as the controllers, are responsible for making sure that their usage of the Unily services complies with applicable data protection law. Unily also makes a commitment in its Data Protection Addendum to only use the personal data in accordance with the customer's documented instructions.
The Unily platform includes specific ‘self-serve’ features that give customers (and, to some extent, end-users) control over personal data within the platform. For example:
- End-users can amend or delete their own profile content (where populated and captured natively through Unily), posts, comments, and similar items - removing the need for formal erasure or rectification requests in such cases.
- Front-end user records can be deleted when employees leave the company, while associated platform content is retained in a depersonalised form. Alternatively, security administrators can permanently delete user records in response to erasure requests or when users depart.
- Unily’s APIs enable organizations to retrieve certain user data, including personal and profile information, in response to GDPR data access requests, depending on the nature of the request. This data can be exported in a structured, commonly used format such as JSON.
In limited cases where a customer requires direct assistance from Unily to fulfil a data subject request, Unily will provide support as outlined in its DPA. Where necessary, customers can log such support requests via Unily’s service request tool.
You can find an up-to-date list of Unily’s sub-processors and their locations here. Customers may also subscribe to receive notifications of new sub-processors by following the instructions on that page. We will always notify subscribed customers before authorising a new sub-processor to process customer data. In addition, Unily:
- Remains responsible for the actions of its sub-processors.
- Enters into written agreements with each sub-processor that impose data protection obligations equivalent to those in our DPA.
- Uses appropriate data transfer mechanisms that include comprehensive requirements relating to sub-processors.
- Conducts due diligence assessments to ensure sub-processors meet our data protection standards.
Unily’s approach to handling requests by government or law enforcement agencies to access customer personal data is set out in our security measures here.
Unily has established robust procedures for handling personal data breaches, overseen by our Information Security Manager and Data Protection Officer.
We follow a formal Incident Management Policy to:
- Investigate, manage, communicate, and resolve incidents.
- Track and report incidents through an internal ticketing system.
As set out in our DPA, Unily will notify customers without undue delay if an incident involves the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to customer personal data. Notifications are sent to the customer’s designated contact, with regular updates provided until resolution.
In addition, all staff handling personal data receive regular information security and data protection training, including breach management, and are bound by strict confidentiality obligations.
Unily processes customer data, including personal data, throughout the contractual term of the DPA/MSA. This is essential for efficient end-user account management and service delivery. Upon contract termination, Unily promptly deletes or returns customer data based on the customer's choice within 35 days.
Additionally, Unily offers supplementary features to assist platform administrators and content owners in content maintenance and governance. This includes a Content Review Lifecycle to keep platform content up-to-date and the ability to delete front-end user records when employees leave the company, while retaining associated platform content in a depersonalised form.
Yes. Unily has appointed a Data Protection Officer who has access to the Board by way of reporting to the General Counsel. Unily's Data Protection Officer and wider Data Protection Team can be reached at privacy@unily.com.
Unily's approach to privacy by design involves a comprehensive review of privacy and data protection concepts during the development (and throughout the lifecycle) of new services and features. Before the release of any new feature, it undergoes a thorough privacy review to ensure it aligns with Unily's rigorous privacy and security programme, as well as the contractual commitments made to customers. Product managers and engineers who design Unily services receive annual training on data protection to ensure they are well-versed in privacy and security principles. Additionally, Unily's Data Protection and Information Security teams support these services, carefully reviewing and providing advice on functionality.
Once a new service or feature is released, it is described in detail in product documentation that is accessible to customers through Universe, to allow them to carry out their own evaluation of its privacy and data protection aspects. Unily also regularly solicits feedback from its customers to further refine its service functionality.
All staff members are required to complete annual online Data Protection, Information Security, and Records Management training. In addition, Unily offers continuous updates on privacy-related developments and changes to its practices through its company intranet. Furthermore, the Data Protection Team provides customised data protection training sessions for key business areas, and specific training on ISO:27001 has also been provided through third-party consultants. Unily maintains staff records to identify training needs and requirements.
Unily has implemented a global privacy compliance framework across the Unily Group. This framework is built on GDPR standards and applies worldwide, ensuring strong protection even where local laws may be less strict. Our measures include:
- A dedicated data protection team ensuring GDPR compliance.
- Contractual commitments in our DPA, including risk assessments for international transfers.
- Privacy assessments and Data Protection by Design in new products and features.
- Applying GDPR standards to all data, not just EU/UK personal data.
- Comprehensive internal data protection and information security policies.
- Mandatory staff training, with advanced training for specialist roles.
- Regular internal audits to review and improve our privacy program.
Unily provides front-end features that give users control over their own personal data. For example, users can edit or delete the content of their profiles, posts, and comments, allowing them to rectify or remove their personal data directly.
Customer admins also have access to personal data through the back-end of the platform. Admins can extract and delete certain personal data to respond to data subject rights requests or other information requests. In some cases, Unily’s support may be required to complete a request. As set out in our DPA, Unily commits to assisting customers with these requests, and a ticketing log service is available for customers to request our support.
Yes, Unily has the capability to facilitate the display of customer privacy notices and other user terms to their end-users.
In general, you can see an example here. Please note that the specific categories of personal data may vary by customer, depending on the types of personal data synchronized to the Unily platform.