ShareGate Data Processing Record
Published on October 3, 2023
Workleap Platform Inc. provides ShareGate, a migration and Microsoft 365 Management solution.
All capitalized terms not defined herein shall have the meaning set forth in the ShareGate End User License, Maintenance and Support Agreement (the “EULA”), found on the Terms page of its website or in the Regulation (EU) 2016/679 (the General Data Protection Regulation).
1. Name and Contact Details of Workleap Platform Inc.
Workleap Platform Inc. is a software company incorporated and domiciled in Quebec, Canada. It is a subsidiary company of Workleap Technologies inc., also incorporated and domiciled in Quebec, Canada. Workleap Platform Inc. does not have any EU established operations.
Legal name: Workleap Platform Inc.
Address:
1751 Rue Richardson, suite 1.050
Montreal, Quebec, Canada, H3K 1G6
Contact email (security or technical matters): support@sharegate.com
Contact email (privacy matters): legal@sharegate.com
2. Transfers of Personal Data to a Third Country or an International Organization
Workleap Platform Inc. is located in Canada. In Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC, the European Commission has recognised Canada as providing adequate protection of personal information.
Microsoft, Inc.
ShareGate’s internal database is hosted in Microsoft Azure data centers located in the United States and in Canada. Microsoft and Workleap Platform are bound by Standard Contractual Clauses.
MongoDB, Inc.
ShareGate’s database management service is MongoDB Atlas, provided by MongoDB. This service is hosted in the United States and in Canada on Microsoft Azure infrastructure. MongoDB and Workleap Platform are bound by Standard Contractual Clauses.
Zendesk, Inc.
ShareGate’s customer service tool is Zendesk. This service is hosted in the United States. Zendesk and Workleap Platform are bound by Standard Contractual Clauses.
Atlassian, Inc.
ShareGate’s team collaboration tool is Jira. This service is hosted in the United States. Atlassian and Workleap Platform are bound by Standard Contractual Clauses.
Slack Technologies, LLC.
ShareGate’s internal communications tool is Slack. This service is hosted in the United States. Slack Technologies and Workleap Platform are bound by Standard Contractual Clauses.
Box, Inc.
ShareGate’s cloud content management and file sharing tool is Box. This service is hosted in the United States. Box and Workleap Platform are bound by Standard Contractual Clauses.
Inversoft, Inc.
ShareGate’s security access management is FusionAuth. This service is hosted in Canada, with support services provided from the United States. Inversoft and Workleap Platform are bound by Standard Contractual Clauses.
trycourier.com, Inc.
Trycourier.com is ShareGate’s notification delivery service. This service is provided from the United States of America. Trycourier.com and Workleap Platform are bound by Standard Contractual Clauses.
3. Instructions for Processing of Customer Personal Information
ShareGate will Process Customer Personal Information in accordance with the following instructions:
Categories of Customer Personal Information collected by Workleap | Categories of Data Subjects for which Customer Personal Information is Processed | Purposes for which Workleap Processes Customer Personal Information | Nature of Processing | Duration of Processing |
---|---|---|---|---|
User credentials (such as emails, names, etc.) User credentials permit the users to access ShareGate and include emails and authentication tokens. For further clarity, users’ passwords are NOT part of such user credentials. | All Users of ShareGate | - provide, maintain and improve ShareGate - prevent or address service, security, support or technical issues with ShareGate | Handling, storing, sharing with the Sub-processor, accessing and reviewing Customer Personal Information for the processing purposes set out adjacent. | As long as necessary for the purposes described in the EULA and/or Privacy Policy, unless a longer retention is required by law. |
User profiles ShareGate uses the permission granted to Microsoft Azure to create a profile for each User, which contains the first name, last name, company name and email of the User. | Users of ShareGate which have activated the Services, as described in the EULA. This category of Customer Personal Information is not collected where Customer only uses the Migration Tool. | - provide, maintain and improve the Services provided via ShareGate - prevent or address service, security, support or technical issues with ShareGate | Handling, storing, sharing with the Sub-processor, accessing and reviewing Customer Personal Information for the processing purposes set out adjacent. | As long as necessary for the purposes described in the EULA and/or Privacy Policy, unless a longer retention is required by law. |
Diagnostic data (Migration Tool) - In the context of providing support services, Workleap’s support team does not have access to Customer Data (as defined in the EULA) nor to the machine hosting the Migration Tool, but may require Users to provide Diagnostic Data (as defined below) to investigate what prevents the normal functioning of the Migration Tool. When Users activate the diagnostic mode in the Migration Tool, the migration report, the Migration Tool error log, the copy manifest and the capture of the Migration Tool’s HTTP/HTTPS traffic stream (collectively, the “Diagnostic Data”) may be transmitted to Workleap. - Given that the Diagnostic Data may sometimes contain Customer Data, it is possible that Workleap has access to Customer Personal Information that was included in the documents and data stored in Customers’ own Microsoft SharePoint and Microsoft 365. Workleap doesn’t have any control over who would be the Data Subject related to such Customer Personal Information, since the Customer Personal Information would be in the Users’ documents. - The Diagnostic Data may also include Users’ credentials that permit Users to access ShareGate or the Migration Tool. | Any User of the Migration Tool | - provide, maintain and improve the Migration Tool - prevent or address service, security, support or technical issues with the Migration Tool | handling, storing, sharing with Sub-processors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. |
Diagnostic data (Services) - In the context of providing support services, Workleap’s support team may request access to Customer Data (as defined in the EULA) or Diagnostic Data (as defined below) to investigate what prevents the normal functioning of the Services. “Diagnostic Data” means the migration report, the error log, the copy manifest which may be transmitted to Workleap. - Given that the Diagnostic Data may sometimes contain Customer Data, it is possible that Workleap has access to Customer Personal Information that was included in the documents and data stored in Customers’ own Microsoft SharePoint and Microsoft 365. Workleap doesn’t have any control over who would be the Data Subject related to such Customer Personal Information, since the Customer Personal Information would be in the users’ documents. | Users of Services accessed through ShareGate | - provide, maintain and improve the Services - prevent or address service, security, support or technical issues with the Services | Handling, storing, sharing with the Sub-processors, accessing and reviewing customer personal information for the processing purposes set out adjacent. | As long as necessary for the purposes described in the Terms, unless a longer retention is required by law. |
Data Contained in Migrated Files (Services) - By using certain functionalities of the Services, Customer may transfer files containing Customer Personal Information. Such files are hosted temporarily by Workleap as a migration is performed. Hosting is done on Microsoft Azure cloud infrastructure located in Canada, in conjunction with database management services provided by MongoDB in Canada. - Workleap does not access or otherwise use Customer Personal Data processed in this context, and has no control over, or knowledge of, the nature of Customer Personal Data processed in this context. | Categories will vary depending on the Customer, but may include Users, Customer employees, Customer’s customers, etc. | Provide the Services via ShareGate | Temporary storing of data in the course of a migration | As long as necessary to perform the migration operation |
4. General Description of the Technical and Organizational Security Measures in Place
All capitalized terms not defined herein shall have the meaning set forth in the End User License, Maintenance and Support Agreement and in the Data Processing Addendum, as applicable.
Workleap has implemented and maintains the following technical and organizational security measures:
Pseudonymisation and encryption of Customer Personal Information | |
Pseudonymisation | - It is Workleap’s policy to pseudonymize Customer Personal Information whenever possible. - Workleap cannot however pseudonymize the “diagnostic” data because it cannot control what will be included in the diagnostic logs. |
Encryption | - The data is encrypted in transit with HTTP over SSL. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak ciphers are disabled. - The data is also encrypted at rest by Workleap and the Sub-processors. - Encryption keys are managed by a limited number of employees and secured in a vault with regular rotations. |
Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services | |
Confidentiality | Workleap has measures in place to ensure that no person is allowed to access Customer Personal Information without authorization. Such measures include, without limitation: - Workleap manages access to Customer Personal Information based on the role-based access control (RBAC) permissions model on a need-to-access and least-privilege basis. In order to perform technical investigations, Workleap’s customer success agents and developers may request Customer’s consent to access Customer Personal Information for investigative purposes only. - Workleap has a secure authentication process in place. - All Workleap employees are subject to a criminal background check to ensure that they are not guilty of a job-related offense. - Workleap’s internal database is located at a Microsoft Azure datacenter. Microsoft Inc. conforms to global security standards such as ISO 27001, FedRAMP, SOC 1 and SOC 2. - Workleap has measures in place to control physical security at its office (including security guard at building entrance, alarm system, visitor registration). - Workleap, all Workleap employees and the Sub-processors have signed a non-disclosure agreement. - The data is encrypted in transit with HTTP over SSL. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak ciphers are disabled. The data is also encrypted at rest. Encryption keys are managed by a limited number of employees and secured in a vault with regular rotations. - Regular updates concerning current security attacks are sent to Workleap’s employees to raise awareness. - Workleap adopted a comprehensive data breach response plan as part of its Security Program. |
Integrity | Data integrity is enforced through our Sub-processors’ own systems in accordance with industry standards. |
Availability | ShareGate has measures in place to ensure that Customer Personal Information is available and is used properly in the intended Process. Such measures include, without limitation: - Workleap has implemented Azure Security Center to prevent malware in the hosting environment and a centralized antimalware solution to prevent malware in the office with periodic full scans and firewall integration. - Workleap is in the process of adopting and operationalizing a disaster recovery plan. It is Workleap’s objective that this disaster recovery plan be fully operationalized as quickly as possible. |
Resilience | Workleap has measures in place to ensure resilience. Such measures include: - Workleap’s infrastructure can scale depending on the load. - Workleap’s infrastructure is redundant in the same data center. - Workleap’s database server is redundant. |
Ability to restore the availability and access to Customer Personal Information in a timely manner in the event of a physical or technical incident | |
If causes of outage are within Workleap’s control, its recovery time objective (RTO) is about 8 hours or less. See measures described above with respect to “availability”. | |
Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing | |
- Access control: Accesses are reviewed regularly and every time a team changes. - Vulnerability assessment: External tests are performed at least once a year. - Logs centralization: Workleap uses SIEMs to aggregate its logs. |