GDPR Compliance

When you use UnivoCorp, your organization is typically the Data Controller—responsible for determining how and why personal data is processed.

UnivoCorp acts as a Data Processor—we process personal data on behalf of your organization according to your instructions and our Data Processing Agreement.

We process personal data based on the lawful bases defined in GDPR Article 6. For our customers, processing is typically based on contractual necessity or legitimate interests.

For employee data that our customers store in UnivoCorp, the lawful basis is determined by the customer as the Data Controller.

GDPR grants individuals specific rights over their personal data. These include the right to access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection.

UnivoCorp provides tools within the platform to help you respond to data subject requests. Employees can also access and update their own data through self-service.

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place as required by GDPR.

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for such transfers. We also assess the data protection laws of the destination country.

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32.

These measures include encryption, access controls, regular security assessments, employee training, and incident response procedures.