Enter your business email
Responsible Workfront Entity
Workfront Inc. (“Workfront”) is the controller of your Personal Data and is responsible for its processing, unless expressly specified otherwise in a contractual agreement between parties. This Privacy Statement does not apply to the extent we offer to our customers various cloud products and services through which our customers create their own websites and applications running on our platforms, sell or offer their own products and services, send electronic communications to other individuals or collect and analyze Personal Data from individuals.
EU-US & SWISS-US Privacy Shield Compliance
Workfront commits to resolve complaints about our collection or use of your Personal Data. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Workfront at: [email protected] Workfront has chosen to cooperate with EU data protection authorities (DPAs) and comply with the information and advice provided to it by an informal panel of DPAs in relation to such unresolved complaints (as further described in the Privacy Shield Principles). Please contact us to be directed to the relevant DPA contacts. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. Workfront is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Personal Data Collection
The following Personal Data may be collected in the course of using the Service or visiting our web sites:
- Family and Given names
- Email Address
- IP Address
- Company name
- Job role/title
- Phone number
Does Workfront process any Special Categories of Data for its customers?
Workfront does not process any Special Categories of data as a Controller entity. Workfront as a processor for its customers will not transfer special categories unless expressly stated. Customers may submit special categories of data into the Workfront platform, to the extent of which is determined and controlled by the customer in its sole discretion except as limited in contract: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Purposes for which we may process Personal Data
Personal Data could be used for the following purposes:
- Administer the Service
- Personalize the Services for you
- Enable your access to and use of the Service
- Supply you access to the services that you purchase
- Send you statements and invoices
- Marketing communications, with an opt-out option for users who wish to exercise their choice to decline to participate in these communications
We take reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. These measures are appropriate to the risks involved and the nature of the Personal Data. Although Workfront seeks to protect the privacy of others who use our Service, there is inherent risk in internet based activities so there is no 100% guarantee of absolute security.
Passively Collected Information
When you interact with us through the Service, we and third parties that provide functionality on the Service, may engage, receive, collect and store certain types of information through automatic data collection tools including cookies, encrypted authentication tokens and similar technology. Such information, which is collected passively using various technologies, may include but is not limited to information about your device, referring/exit pages and URLs and number of clicks. Workfront may store such information itself or such information may be included in databases owned and maintained by Workfront affiliates, agents or third party service providers. The Service may use such information and pool it with other information to track, for example, the total number of visitors to our Service, the number of visitors to each page of our Service, and the domain names of our visitors’ Internet service providers. Such information that we collect will allow Workfront to make decisions on how to provide better products and better services for our users.
Do Not Track
Third Party Sites
Personal Data Sharing
There are certain circumstances in which we may share your Personal Data with certain third parties without further notice to you, as set forth below: Business Transfers: As we develop our business, we might decide to sell or buy businesses or assets. In connection with any potential or actual corporate sale, merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, dissolution or similar event or transaction, Personal Data may be disclosed to third parties as it may be part of the assets potentially transferred or otherwise relevant to the transaction. Agents, Consultants and Third Parties: Like many businesses, Workfront sometimes hires other companies to perform certain business-related functions, including to help us understand and improve the use of our Service. We may share any information we receive with vendors and service providers retained in connection with the operation of our business. With respect to Personal Data that is subject to our Privacy Shield registration, before disclosing Personal Data to a subcontractor or third-party agent, Workfront will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist Workfront in providing the Service; (b) provide at least the same level of protection for Personal Data as required by the Privacy Shield Principles; and (c) notify Workfront if the recipient is no longer able to provide the required protections. Upon notice, Workfront will act promptly to stop and remediate unauthorized processing of Personal Date by a recipient. Workfront will remain liable for onward transfers to its subcontractors and third-party agents. Legal Requirements: Workfront may disclose your Personal Data if requested, subpoenaed and/or if we are required to do so by law, regulation, legal process, or by any court of competent jurisdiction or any inquiry or investigation by any governmental, official or regulatory body which is lawfully entitled to require any such disclosure, or otherwise in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Workfront or a third party, (iii) act in urgent circumstances to protect the personal safety of users of the Service or the public, or (iv) protect Workfront against potential legal liability.
Workfront may use the Personal Data collected to occasionally provide newsletters, marketing or promotional materials, and other information that is relevant to the users and administrators of our Service. You have the choice to select not to participate in these communications. An “Opt Out” option is available via link in email communications or you by sending us an email request at [email protected].
Effective Date: January 28, 2019
EU Data Privacy
General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. Workfront fully complies with all relevant data privacy requirements under EU General Data Protection Regulation (GDPR) regulations:
- Employee training on compliant security and privacy procedures.
- Published Privacy Policies and Notices to inform customers of Workfront’s compliance capacities and posture.
- Configurable privacy and compliance features to our customers.
- Privacy Impact Assessments
- Records of data processing activities.
International transfer of Personal Data
Your Personal Data may be collected, transferred to and stored by us in the United States and by our affiliates in other countries where we operate. Our office locations are listed on our website.
Therefore, your Personal Data may be processed outside the European Economic Area (EEA), and in countries which are not subject to an adequacy decision by the European Commission and which may not provide for the same level of data protection as the EEA. In this event, we ensure that the recipient of your Personal Data offers an adequate level of protection, for instance by entering into standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or we will ask you for your prior consent to such international data transfers.
Rights as Data Subjects
Under GDPR you have certain rights as a data subject to exercise with the company in relation to the Personal Data we hold. Depending on the applicable laws and, in particular, if you are located in the EEA, these rights may include:
- To access your Personal Data held by us (right to access);
- To rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete (right to rectification);
- To erase/delete your Personal Data, to the extent permitted by applicable data protection laws (right to erasure; right to be forgotten);
- To restrict our processing of your Personal Data, to the extent permitted by law (right to restriction of processing);
- To transfer your Personal Data to another controller, to the extent possible (right to data portability);
- To object to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
- Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"). Automated Decision-Making currently does not take place on our websites; and
- To the extent we base the collection, processing and sharing of your Personal Data on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.
To exercise your rights, please contact us using the Privacy Request Portal below. We aim to respond to all legitimate requests within 30 days and will contact you if we need additional information from you in order to honor your request.
If you are a resident of California, under the age of 18 and have registered for an account with us, you may ask us to remove content or information that you have posted to our websites. Please note that your request does not ensure complete or comprehensive removal of the content or information, because, for example, some of your content may have been reposted by another visitor to our websites.
Access to Personal Data; Privacy Request Portal
To keep your Personal Data accurate, current, and complete, please contact us using the DSAR Portal below. Upon receipt of a verifiable request, we will update or correct Personal Data in our possession, as the Controller entity, that you have previously submitted via the Service.
Workfront’s data retention is the duration of the contract or 60 days after the data deletion has been requested by Customer via input in the application or a written request. After expiry of the applicable retention periods, your Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.
Workfront’s maintains a current list of sub-processors authorized to process personal data for Workfront’s services. For purposes of transparency and clarity, Workfront performs due diligence on the information security practices and data protection compliance of all third-party sub-processors and requires each to commit to written obligations regarding their security controls and applicable regulations for the protection of personal data, including safeguards to govern international transfers of data.
What is a Subprocessor
A subprocessor is a third party data processor engaged by Workfront who has or potentially will have access to or process Service Data (which may contain Personal Data) as listed on the Workfront Data Processing Agreement (DPA). Workfront engages different types of sub-processors to perform various functions as explained in the tables below.
|Name||Related Workfront Service||Source (Data Repository)||Corporate Location||Website|
|Amazon Web Services, Inc. (AWS)||Cloud hosting provider and Data Storage||Data Centers in North America (California & Virginia) & EU (Ireland & Germany)||United States||AWS|
|Google Analytics||Customer usage tracking and website traffic monitoring||Workfront Hub, and Workfront website||United States||Google Analytics|
|Google Cloud Platform (GCP)||Cloud hosting provider and Data Storage||Data Centers||United States||GCP|
|Marketo||Marketing and Campaign Management||Workfront Website||United States||Marketo|
|Salesforce||Customer Relationship Management tool and ticketing System||Workfront Hub||United States||Salesforce|
|Totango||Customer Support||Workfront Website||United States||Totango|
Workfront undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or process Service Data.
As our business grows and evolves, the Subprocessors we engage may also change. We will endeavor to provide notice of any new Subprocessors to the extent required under Agreements, along with posting such updates here. Please check back frequently for updates.
Requesting More Information about a Sub-processor
Submit a request via the privacy portal below to receive more information on a sub-processor regarding its role for Workfront and its security controls, including third party security reports or certifications.
After reviewing information related to a particular sub-processor obtained through the above link, an objection to a sub-processor can be made by also following the link above and specifying ‘Sub-processor objection’. The Data Controller authorizes the Data Processor to engage the sub-processors in the country locations for the Service-related activities specified as described Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes.
For further information please contact us below.
Data Processing Agreement (DPA)
Workfront maintains a fully compliant data processing agreement and ensures requirements are met by third parties and sub processors. For a copy of our Customer DPA, please download document below:
Data Protection Officer
Workfront has appointed a chief privacy officer responsible for overseeing the implementation of the privacy program within the organization. Please find information below.
Last Updated January 28, 2019
Attn: Data Protection Officer/Privacy Office
3301 Thanksgiving Way, Suite 100,
Lehi, Utah 84043
Email: [email protected]