Workfront's privacy notice outlines how information about you is collected, used, and protected.
Last Updated: June 5, 2020
Enter your business email
PRIVACY NOTICE DOCUMENTATION
Workfront Inc. (“Workfront”) takes the protection of our customer’s privacy seriously. This Privacy Notice informs you of our policies regarding the collection, use, and disclosure of all personally identifiable information (“Personal Data") and other data that is provided to us through use of each of our websites and mobile applications on which a link to this Privacy Notice is displayed and all products and services made available through those websites, including, without limitation our SaaS offerings (collectively, the “Services”).
Responsible Workfront Entity
Workfront is the Processor of your Personal Data and is responsible for its processing, unless expressly specified otherwise in a contractual agreement between both parties. This Privacy Notice does not apply to the extent we offer to our customers various cloud products and services through which our customers create their own websites and applications running on our platforms, sell or offer their own products and services, send electronic communications to other individuals or collect and analyze Personal Data from individuals. Workfront is fully committed to the security and privacy of customer data. Workfront will continue to invest in our privacy and security programs as the privacy regulatory landscape changes and expands.
Personal Data Collection
The following Personal Data may be collected in the course of using the Service or visiting our web sites:
- Family and Given names
- Email Address
- IP Address
- Company name
- Job role/title
- Phone number
Does Workfront process any Special Categories of Data for its customers?
Workfront does not process any Special Categories of data as a Processor entity to deliver its Service. Customers may submit special categories of data into the Workfront platform only when expressly stated in contract, to the extent of which is determined and controlled by the customer in its sole discretion except as limited in contract: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Purposes for which we may process Personal Data
Workfront uses Personal Data for the following reasons in the course of using the Service or visiting our web sites. The legal bases for processing are set out in the table below:
|Processing Purpose/Activity||Legal Basis|
|Administer the Service||Performance of a Contract|
|Personalize the Services for you||Performance of a Contract|
|Enable your access to and use of the Service||Performance of a Contract|
|Supply you access to the services that you purchase||Performance of a Contract|
|For customer announcements, statements and invoices||Performance of a Contract|
|Direct Marketing communications; these include an unsubscribe option for users who wish to exercise their choice to decline to participate in these communications||Consent/Legitimate Interest|
|Data analytics to improve our products/services, customer relationships and experiences||Performance of a Contract|
We take reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. These measures are appropriate to the risks involved and the nature of the Personal Data. Although Workfront seeks to protect the privacy of others who use our Service, there is inherent risk in internet based activities so there is no 100% guarantee of absolute security.
International transfer of Personal Data
Workfront is located in the United States. Your Personal Data may be collected, transferred to and stored by us in the United States and by our affiliates in other countries where we operate. Our office locations are listed on our website. Whenever we transfer personal information to other jurisdictions, we will ensure that the information is transferred in accordance with this Privacy Notice and as permitted by applicable data protection laws.
Therefore, your Personal Data may be processed outside the European Economic Area (EEA), and in countries which are not subject to an adequacy decision by the European Commission and which may not provide for the same level of data protection as the EEA. In this event, we are self-certified with the EU-US & SWISS-U Privacy Shield, otherwise we ensure the recipient of your Personal Data offers an adequate level of protection, for instance by entering into standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or we will ask you for your prior consent to such international data transfers.
EU-US & SWISS-US Privacy Shield Compliance
Workfront complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework(s) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and/or Switzerland, (as applicable) to the United States in reliance on Privacy Shield. Workfront has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in our privacy notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. For more information on Privacy Shield compliance, please visit https://www.privacyshield.gov/.
Workfront commits to resolve complaints about our collection or use of your Personal Data. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Workfront at: [email protected] Workfront has chosen to cooperate with EU data protection authorities (DPAs) and comply with the information and advice provided to it by an informal panel of DPAs in relation to such unresolved complaints (as further described in the Privacy Shield Principles). Please contact us to be directed to the relevant DPA contacts. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. Workfront is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Rights as Data Subjects
As an individual you have certain rights as a data subject to exercise with the company in relation to Personal Data or Information we hold. Depending on the applicable laws and location these rights may include:
- To access your Personal Data held by us (right to access);
- To rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete (right to rectification);
- To erase/delete your Personal Data, to the extent permitted by applicable data protection laws (right to erasure; right to be forgotten);
- To restrict our processing of your Personal Data, to the extent permitted by law (right to restriction of processing);
- To transfer your Personal Data to another controller, to the extent possible (right to data portability);
- To object to any processing of your Personal Data carried out. Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
- Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"). Automated Decision-Making currently does not take place on our websites; and
- To the extent we base the collection, processing and sharing of your Personal Data on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.
- To not be subjected to discrimination (Right to non-discrimination)
- To Opt Out of Selling of Personal Information (Right to Opt Out of Sales)
To exercise your rights, please contact us using the Data Subject Access Request Portal below. As the data processor, Workfront has the obligation to “assist the controller” in responding to requests of Data Subjects to exercise their rights under applicable Data Protections Laws and shall not respond to any such requests or complaints unless expressly authorized to do so by the Data Controller.
If you are a resident of California, under the age of 18 and have registered for an account with us, you may ask us to remove content or information that you have posted to our websites. Please note that your request does not ensure complete or comprehensive removal of the content or information, because, for example, some of your content may have been reposted by another visitor to our websites.
Data Subject Access Request Portal
To keep your Personal Data accurate, current, and complete, please contact us using the DSAR Portal below. Upon receipt of a verifiable request, we will update or correct Personal Data in our possession, as the Processor entity, that you have previously submitted via the Service.
Right of Choice for Individuals
Individuals have the right to choose (opt-out) whether your personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you.
- Workfront processes personal data when requesting a ‘demo’ of our product to register you as a new customer and provide administration of our website and Products. “Opt-in” boxes are provided when required by law, for explicit consent upon direct marketing and email subscriptions.
- Workfront may use the Personal Data collected to occasionally provide newsletters, product announcements, or promotional materials, and other information that is relevant to the users and administrators of our Service. You have the choice to select to not participate in these communications. An “Unsubscribe” option is available via link in email communications.
- Workfront’s Cookies tracking requires explicit consent given by the ‘Accept’ button on our Cookie Banner. These can be managed by accessing the Cookie preference centre, where Cookie categories are explained for purpose and can be ‘unselected’ to opt-out.
- Workfront maintains a fully compliant data processing agreement and ensures requirements are met by third parties and sub-processors. The choice to an objection to a sub-processor can be made by contacting Workfront. The Data Controller authorizes the Data Processor to engage the sub-processors in the country locations for the Service-related activities specified as described, Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes.
Workfront will only retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it as specified in this Privacy Notice, including for the purposes of satisfying any legal, regulatory, accounting, and reporting requirements and for the establishment, exercise or defense of legal claims in the countries where we do business.
Personal Data is deleted (“delete" meaning to irrevocably erase, remove, anonymise or otherwise obliterate Personal Data such that it cannot be recovered or reconstructed) or returned within 60 days following termination of Services, or within 30 days upon a verified request using our DSAR Portal on this page.
Passively Collected Information
When you interact with us through the Service, we and third parties that provide functionality on the Service, may engage, receive, collect and store certain types of information through automatic data collection tools including cookies, encrypted authentication tokens and similar technology. Such information, which is collected passively using various technologies, may include but is not limited to information about your device, referring/exit pages and URLs and number of clicks. Workfront may store such information itself or such information may be included in databases owned and maintained by Workfront affiliates, agents or third party service providers. The Service may use such information and pool it with other information to track, for example, the total number of visitors to our Service, the number of visitors to each page of our Service, and the domain names of our visitors’ Internet service providers. Such information that we collect will allow Workfront to make decisions on how to provide better products and better services for our users.
Do Not Track
Workfront does not market or willingly collect Personal Data from children under the age of 16. If you are under the age of 16, please do not submit any Personal Data through the Service. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Notice by instructing their children never to provide Personal Data on the Service without their permission. If you have reason to believe that a child under the age of 16 has provided Personal Data to Workfront, please contact us below, and we will delete that information
Third Party Sites
This Privacy Notice applies only to the Service. The Service may contain links to other web sites and/or services not operated or controlled by Workfront (the “Third Party Sites”).Workfront carefully assesses which third party links are to displayed on its website and ensures these third-parties are equipped with an equal level of security, protection and endorsement for individual rights. The policies and procedures we described here do not apply to the Third Party Sites. The links from the Site do not imply that we endorse or have reviewed the Third Party Sites. We suggest contacting those sites directly for information on their privacy policies.
Personal Data Sharing
There are certain circumstances in which we may share your Personal Data with certain third parties without further notice to you, as set forth below: Business Transfers: As we develop our business, we might decide to sell or buy businesses or assets. In connection with any potential or actual corporate sale, merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, dissolution or similar event or transaction, Personal Data may be disclosed to third parties as it may be part of the assets potentially transferred or otherwise relevant to the transaction.
Agents, Consultants and Third Parties: Like many businesses, Workfront sometimes hires other companies to perform certain business-related functions, including to help us understand and improve the use of our Service. We may share any information we receive with vendors and service providers retained in connection with the operation of our business. With respect to Personal Data that is subject to our Privacy Shield registration, before disclosing Personal Data to a subcontractor or third-party agent, Workfront will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist Workfront in providing the Service; (b) provide at least the same level of protection for Personal Data as required by the Privacy Shield Principles; and (c) notify Workfront if the recipient is no longer able to provide the required protections. Upon notice, Workfront will act promptly to stop and remediate unauthorized processing of Personal Data by a recipient. Workfront will remain liable for onward transfers to its subcontractors and third-party agents.
Legal Requirements: Workfront may disclose your Personal Data if requested, subpoenaed and/or if we are required to do so by law, regulation, legal process, or by any court of competent jurisdiction or any inquiry or investigation by any governmental, official or regulatory body which is lawfully entitled to require any such disclosure, or otherwise in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Workfront or a third party, (iii) act in urgent circumstances to protect the personal safety of users of the Service or the public, or (iv) protect Workfront against potential legal liability.
Do Not Sell My Personal Information
We do not sell, rent, or share personal data we collect directly from you or about you from third parties with third party Advertisers for their own marketing purposes, unless you choose in advance to have such information shared for this purpose.
Workfront shall not discriminate against a Consumer by:
- Denying goods or services to the consumer,
- Charging different prices or rates for goods or services (including through the use of discounts, other benefits or penalties),
- Providing a different level or quality of goods or services to the consumer, and
- Merely suggesting that the consumer will receive a different price or rate or a different level or quality.
The Service and our business may change from time to time. As a result, at times it may be necessary for Workfront to make changes to this Privacy Notice. We reserve the right to update or modify this Privacy Notice at any time and from time to time without prior notice. Please review this Notice periodically, and especially before you provide any Personal Data. This Privacy Notice was last updated on the date indicated below. Your use of the Service after any changes or revisions to this Privacy Notice shall indicate your agreement with the terms of such revised Privacy Notice.
Data Protection Officer
Workfront has appointed a Data Protection Officer (DPO) responsible for overseeing the implementation of the privacy program within the organization.
Please feel free to contact us if you have any questions about our Privacy Notice or the information practices of the Service.
Attn: Data Protection Officer/Privacy Office
3301 Thanksgiving Way, Suite 100,
Lehi, Utah 84043
Email: [email protected]
Workfront maintains a current list of sub-processors authorized to process personal data for Workfront’s Services. For purposes of transparency and clarity, Workfront performs due diligence on the information security practices and data protection compliance of all third-party sub-processors and requires each to commit to written obligations regarding their security controls and applicable regulations for the protection of personal data, including safeguards to govern international transfers of data.
What is a Subprocessor
A subprocessor is a third party data processor engaged by Workfront who has or potentially will have access to customer data, and they are integral to the nature of our product or business to perform our Services. Workfront engages different types of sub-processors to perform various functions as explained in the tables below.
|Name||Related Workfront Service||Source (Data Repository)||Corporate Location||Website|
|Amazon Web Services, Inc. (AWS)||Cloud hosting provider and Data Storage||Cloud Storage||United States & EU (Ireland & Germany)||AWS|
|Google Analytics||Customer usage tracking and website traffic monitoring||Workfront Platform
|United States||Google Analytics|
|Google Cloud Platform (GCP)||Cloud hosting provider and Data Storage||Cloud Storage||United States||GCP|
|Marketo||Marketing and Campaign Management||Workfront Website||United States||Marketo|
|Pendo||Application Usage Analytics||Workfront Applications||United States||Pendo|
|Salesforce||Customer Relationship Management tool and ticketing System||Workfront Hub||United States||Salesforce|
|Totango||Customer Support||Workfront Website||United States||Totango|
Workfront undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or process Service Data.
As our business grows and evolves, the Subprocessors we engage may also change. We will endeavor to provide notice of any new Subprocessors to the extent required under Agreements, along with posting such updates here. Please check back frequently for updates.
Requesting More Information about a Sub-processor
Submit a request via the Data Subject Access Request portal below to receive more information on a sub-processor regarding its role for Workfront and its security controls, including third-party security reports or certifications.
After reviewing information related to a particular sub-processor obtained through the above link, an objection to a sub-processor can be made by also following the link above and specifying ‘Sub-processor objection’. The Data Controller authorises the Data Processor to engage the sub-processors in the country locations for the Service-related activities specified as described Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes.
For further information please contact[email protected]