Earning and maintaining our customers’ trust is critically important to us. We care deeply about our customers’ long-term success and building meaningful partnerships that evolve with their needs and priorities.
We build products and services designed to inspire people and support business.
Trust starts with transparency.
As a lifelong partner, earning and maintaining our customers’ trust is critically important to us.
We are committed to providing direct, timely, and relevant information about our privacy, security, and compliance practices.
This includes information about:
The personal information customers provide us, and which is required for us to execute our agreements, executed with our customers
The data we collect, both as a controller and as processor
Special categories of data, such as biometric data
Our use and retention of the personal information entrusted to us
Any government requests for access to customers’ data that we receive
Our geographic footprint as a global company with offices in multiple countries, serving customers across the world
Our cross-border transfers of personal information
Our robust security practices and ISO 27001, ISO 27017, and ISO 27018 certifications
Our customers’ ability to make data-subject access requests
We generally market and sell our products and services to businesses, not consumers. Our commitments regarding the personal information we collect, use, and disclose about the end users of those products and services are largely driven by our contracts with our business customers. The information provided below is intended to help our business customers understand our privacy practices. If you are an end user of one of our products or services, you are encouraged to contact your employer with questions about how your personal information is being collected, used, and disclosed.
Information We Collect
Information We Collect as a Controller
UKG acts a data controller in connection with UKG Employee Vault, when you visit our website, and in other instances as set forth in our Privacy Notice. To learn more about the personal information UKG collects as a Controller, view the UKG Privacy Notice.
Information We Collect as a PROCESSOR
Other than in the instances listed above, UKG customers are the controllers of the personal information that they collect, create, communicate, and store in our products. UKG does not give anyone access to the personal information maintained in those products unless:
It is permitted to do so in its contract with the customer.
The customer instructs UKG to do so.
The customer consents (e.g., subprocessors used by UKG).
If UKG is legally obligated to do so.
If UKG has a legitimate interest (as defined under GDPR and other applicable laws) to do so.
For more information about our data-processing practices, including where we store data for our products, how we secure that data, and our data-retention practices, request a copy of our Privacy Product Statements from [email protected]. To learn more about our obligations as a processor, see the UKG Customers Data Processing Agreement.
Use of Information We Collect
Why We Use Personal Information
When we act as a controller, we use personal information for several purposes, including communicating with individuals regarding our products and services, improving our website or those products and services, and for managing job applications for people interested in working at UKG. For more information, visit our Privacy Notice.
When we act as a processor, the personal information we collect is used to deliver our products and services to customers. In many cases, the personal information we process about our customers’ employees and job applicants (i.e., end users) is determined by our customers, who control what information they need in order to use our products and services efficiently and effectively. Any personal information we use is done in accordance with our Customers’ Data Processing Agreement and Privacy Product Statements.
These Product Privacy Statements explain how we collect, use, disclose, or otherwise process the information of our customers’ employees and job applicants (each an end user) on behalf of our business clients in connection with our products and services. If you are an end user using our services on behalf of, or as allowed by, one of our business clients that has engaged us to provide services to them and their employees and/or job applicants, we act as the data processor and UKG business clients are the data controllers with respect to your personal information.
Because our business clients are data controllers, it is primarily them who must undertake efforts regarding how information is collected and processed in accordance with data-protection laws. Therefore, if you have questions or concerns about the processing of your information as an end user, you should contact your employer directly or refer to its separate privacy policies.
Our processing of your information in connection with the services is governed by our Product Privacy Statement and the applicable business client agreement. Our Product Privacy Statements are not a substitute for any privacy notice that UKG customers are required to provide to end users.
UKG has a data-retention policy and a decommissioning procedure that are designed to ensure customer data is being disposed of appropriately and in accordance with our commitments to customers. Our procedures are designed to ensure that the original, archive, backup, and ad hoc copies are properly deleted.
UKG will only retain personal information for the length of time necessary to fulfill the purpose(s) for which the information was collected or as required or permitted by applicable laws, including the resolution of disputes and in accordance with our customer contracts.
Disclosure of Personal Information
We do not sell your personal information to third parties. Please review the sections below to learn more about how we might disclose personal information.
Affiliates and Subsidiaries
We might share your personal information with our affiliates and subsidiaries in order to deliver a product or service or to complete a task that you request.
Third Parties (Suppliers/Service Providers)
We might engage with third parties (suppliers and/or service providers) in order to deliver a product or service, perform certain functions such as enhancing and/or delivering our product and service offerings, or complete a task that you requested.
We have contracts with third-party providers (suppliers and/or service providers) to perform certain functions on our behalf, and only at our direction. Our third parties are bound by confidentiality agreements, only have access to your personal information to the extent necessary to provide these contracted services, and are only permitted to process your personal information in accordance with our instructions (and for the purposes we disclose).
UKG might disclose your personal information if we in good faith believe that it is necessary:
To comply with the law or with a legal process.
To protect and defend our rights and property.
To protect against misuse or unauthorized use of our website.
To protect the personal safety or property of our users or the public (among other things, this means that, if you provide false information or attempt to pose as someone else, information about you may be disclosed as part of any investigation into your actions).
In connection with, or during negotiations for, an acquisition, merger, asset sale, or other similar business transfer that involves all or substantially all of our assets or functions where personal information is transferred or shared as part of the business assets (provided that such party agrees to use or disclose of personal information consistent with our Privacy Notice or gains your consent for other uses or disclosures).
We will not cross-reference your personal information with that of any other customer or entity. UKG does not support “back door” access to any of its products, services, or operations (including our data stores) by any government or third party. UKG does not share its encryption keys or provide the ability to break our encryption keys with any government or third party.
UKG is committed to publishing data regarding requests or demands for customer data received from law enforcement and national security agencies. We publish this data twice per year (covering a reporting period of either January to June or July to December). These reports are published six months after the end of a given reporting period in compliance with restrictions on the timing of publishing those reports. View the current UKG Transparency Report.
Global Laws and Regulations
We commit to comply with all applicable laws and regulations including, but not limited to, the following outlined below.
General Data Protection Regulation (GDPR)
The GDPR is a comprehensive data-protection law that regulates the processing of personal data of European Union (EU) residents and provides individuals rights to empower individuals by giving them more control over their personal data. The GDPR enshrines major principles such as privacy by design, privacy by default, and implementation of strong technical and organizational measures designed to protect personal data.
The GDPR is not limited to the EU. It applies to all organizations that target, collect, or use the personal data of any EU resident and mandates organizations to:
Know what data they hold and have appropriate rights to use the data.
Be accountable and able to answer questions about what type of data they hold, and, in some cases, delete data they no longer need.
Notify supervisory authorities of data breaches.
Use vendors that comply with the principles of the GDPR.
Offer European Essential Guarantees by challenging governments’ requests to access personal data.
UKG Commitments to GDPR
UKG is committed to compliance with the GDPR and all applicable laws. We have enhanced processes to prepare to address the rights of people in the EU, we have generated written guidance to help our customers understand how our products collect and use personal data, and we are prepared to answer questions from our customers as well as our employees.
California Residents — California Privacy Notice
The California Consumer Privacy Act (“CCPA”) provides certain privacy-related rights to California residents. Learn more about UKG privacy practices and compliance with the CCPA.
UKG Suppliers' Compliance with Privacy Laws and Regulations
All UKG suppliers processing personal data must agree to the terms in UKG Data Processing Addendum and the Supplier Standard Contractual Clauses to the extent applicable.
Transfers of Personal Information
International Transfers of Personal Information
Our hyper-connected world is reliant on data transfers. But this cannot come at the expense of privacy. Individuals, companies, regulators, and policymakers must be able to trust that data stored or accessed across borders does not result in a diminishing level of protection. Secure and seamless personal data transfers are essential for the sake of building trust, delivering growth, and firing up innovation. UKG is committed to high standards of data protection, not just in the EU but also to when that data is transferred worldwide.
UKG operates globally and, as such, may process personal data worldwide to provide customer support; in connection with UKG cloud operations activities (however, UKG database administrators generally do not have reason to access customer data); in connection with UKG subprocessors, a list of which is available below and their own subprocessors where applicable; and in connection with UKG professional services and/or implementation operations.
Asian-Pacific Economic Cooperation (APEC)
UKG privacy practices comply with the APEC Cross-Border Privacy Rules System (CBPR). The APEC CBPR system provides a framework for organizations to ensure the protection of personal information transferred among participating APEC economies. Learn more information about the APEC framework.
European Economic Area (EEA), United Kingdom, and Switzerland Cross-Border Data Transfers
Strict data protection laws govern the transfer of personal data from the EEA, United Kingdom, and Switzerland to countries deemed by the European Commission as not offering an equivalent standard of protection, including the United States.
To address this requirement for our customers with operations in the EEA, the U.K., and Switzerland, UKG has incorporated the European Commission’s approved standard contractual clauses, also referred to as the “SCCs,” into our Customer Data Protection Addendum and in our Supplier Data Protection Addendum, and has incorporated the SCCs adopted on June 4, 2021, into our current templates. View full copies of our SCCs for Suppliers and for Customers.
Beginning September 27, 2021, UKG started using the new SCCs, which were adopted on June 4, 2021, for all new agreements, order forms and other customer and supplier transaction documents.
- If your company entered into an agreement with UKG on or after September 27, 2021, or have already updated your existing agreements with the new SCCs, no action is required. The new SCCs have been incorporated into our Customer and Supplier DPAs and will apply to all UKG products & services agreements and to the provision of any products or services to UKG requiring the processing of EU data subjects.
- If your company entered into an agreement with UKG prior to September 27, 2021, the new SCCs are incorporated by default into our Supplier and Customer DPAs and will apply to the provision of any products or services to UKG requiring the processing of EU data subjects and to all UKG products & services agreement. This is a regulatory requirement for all businesses who transfer personal data outside the European Economic Area.
- If you require an amendment to include the new SCCs, please reach out to [email protected].
Note that these changes to our Customer and Supplier Data Processing Addendums (“DPA”) are only necessary if your company shares the personal data of EU data subjects with UKG, if UKG processes it on your company’s behalf, or if your company processes such data on UKG’s behalf.
The SCCs creates a contractual mechanism to meet the adequacy requirement to allow for the transfer of personal data from the EEA to a third country. Learn more about the SCCs.
UKG has further assessed all transfers to countries deemed by the European Commission as not offering Essential European Guarantees in accordance with the European Court of Justice Decision ECLI:EU:C:2020:559 of 16 July 2020 (known as Schrems II). To learn more about how UKG complies with Schrems II, see the UKG Transfer Risk and Impact Statement and UKG Schrems II Statement. For more information about Schrems II, please see our FAQs.
Data Subject Rights
If you have a question or requesting concerning your personal information held by UKG, including your personal information collected through your use of our products, please email [email protected]. More information on how we respond to data-subject requests is available in the UKG Privacy Notice.
The current list of subprocessors is available here.
UKG expects all UKG suppliers to comply with our Supplier Code of Conduct and ethical expectations, regardless of local business practices or social customs. For more information, please see our Governance and Business Ethics page.
UKG has many dedicated policies, practices, and protocols to protect our IT infrastructure, networks, devices, and data from unauthorized access, collection, retention, and use of sensitive, confidential, and/or proprietary customer or user data, including Personally Identifiable Information (PII). We are committed to continually improving our incident response, staff training, and additional mechanisms to ensure the security of customer and user data.
Get a more detailed look at our comprehensive ESG program, policies, and practices, as well as our progress from the past year.