Skip to main content

Eptura Security and Privacy Information

Eptura Knowledge Center

Eptura Security and Privacy Information

We take privacy and security very seriously

Protecting personal privacy is a concern for most organizations in the modern world. Most companies want to know how Serraview assists to manage and address privacy concerns.

Top 9 Tips for Protecting Personal Privacy


1 Understand what PII data Serraview collects

Serraview collects specific data, classified as Personally Identifiable Information (PII) about utilization of our Client's Personnel use of their workplace. This information can include the individual’s name, email address, unique identifier(s), phone number(s), company position, business unit, cost center number, and individual’s location throughout the workplace at different times of the day. No other sensitive data is captured or processed.

2 Understand why Serraview collects this data

Serraview utilizes the data to:

a. To provide workplace management and optimization services, enabling our customers to drive millions of dollars in real-estate savings and cost avoidance through a better understanding of space utilization and productivity improvements.

b. Provide real-time wayfinding services to all personnel, helping them to find their colleagues and facilities that are currently available.

c. Support business continuity teams in managing disasters.

d. Ensure occupational health and safety requirements are met in agile environments e.g. enough first aid officers and fire wardens are on the floor. There's a strong business case for collecting this data for both the business and people utilizing the workplace. 

3 Understand the Current Environment

The information that Serraview collects is normally already available throughout an organization. Employee directories and much of it already public. Physical security systems (e.g. badge swipes) and computer networks already collect information on location of employees.
We have also seen an increase in individuals opting in to share this type of information via social networks in their personal lives. Email signatures and LinkedIn already contain much of the PII collected by Serraview.

4 Understand what the Concerns/Fears may be

The  most common concerns/fears we hear are:

a. Attendance/Performance Monitoring

Employee's fears that data will be used for monitoring their attendance and performance within the workplace. Serraview's Privacy Policy does not support the use of data for this purpose. Many organizations have implemented a monitoring policy to provide this information to employees. We encourage customers to notify their employees that utilization is being tracked for the purpose of, understanding real estate utilization, real-time wayfinding, and risk management. We also allow people to opt-out of tracking if this is a legitimate concern.

b. Personal Security Concerns

Certain employees (typically executives, some lawyers, and people under witness protection) have legitimate security concerns about other people being able to find them. The PII information Serraview processes is not publicly available and is only viewable by employees within the organization. Serraview supports an opt-out for these individuals if required.

Understand what PROTECTIONS Serraview has in Place

a. EU-US Privacy Shield Certified

Serraview is independently certified to the EU-US Privacy Shield framework, which enables the secure collection and transfer of personal data from Europe to the United States. The new mechanism complies with the more stringent European data protection laws, replacing the Safe Harbor privacy framework that was ruled inadequate in 2015. Serraview's privacy management practices have been certified by TrustArc, an independent auditor for privacy compliance (TrustArc are used by several leading SaaS providers to certify privacy compliance, including and Workday). 

b. Compliant with Australian Privacy Principles

Serraview remains compliant with the Australian Privacy Act 1988, and associated Privacy Principles.

c. Privacy Policy

Serraview's Privacy Policy covers information about the information Serraview collects, how long we hold information, alignment with international standards, how we collect personal information, how an individual may request access to their information, our Client's obligations around personal information, why Serraview holds personal information, what we do with the information, how a person may remain anonymous, where personal information is held, how we protect personal information, disclosure of personal information under limited circumstances and how to report complaints with our handling of personal information.

d. Opt-Out

Serraview allows certain individuals to remain anonymous.

e. Data Security & Integrity

Serraview takes data security seriously, Serraview's Information Security Policy ISP.

f. Serraview is independently audited and certified to ISO27001

The most internationally recognized and used information security framework. The ISO27001 security framework is used to develop and host secure applications and protect our client’s data.

g. Data Sovereignty

Australian Customers: Serraview stores data on secure servers located in Australia

American Customers: Serraview stores on secure servers located in the United States.

h. Recourse for Non-Compliance

Serraview has a documented process for managing privacy complaints. Any unresolved privacy or data use concern relevant to the EU-US Privacy Shield can be reported to Arc, a third party dispute resolution provider (free of charge). Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Understand what Protections your Organization has in Place

Under international privacy standards, your organization will be classified as an information provider, known as the Data Controller, and as such be responsible for taking steps required by applicable data protection and/or privacy laws. These laws usually require that your organization notify each individual of the information that's being collected, the intended recipients of that information, the purpose for the data collection and an individual’s right to obtain access to that information. Serraview is the Data Processor and take its instruction from the Data Controller.

7 Understand the Regulatory Environment

Work with your Human Resources team to understand if there are any regulatory requirements in your country.

Serraview adheres to International Best Practices and Privacy Principles

As part of Serraview’s compliance, we follow the OECD Privacy Principles. Internationally the OECD Privacy Principles provide the most commonly used privacy framework, and tie closely to the European Union member nations' data protection legislation. The 8 principles include:

a. Collection limitation principle
b. Data quality principle
c. Purpose specification principle
d. Use limitation principle
e. Security safeguards principle
f. Openness principle
g. Individual participation principle
h. Accountability principle

Seek Legal Advice

International privacy legislation is diverse and continually evolves. In an abundance of caution, we recommend that our Customers take steps to ensure compliance with the various privacy and surveillance laws in each of the jurisdictions in which they operate.

Security Policy, Certificates, and Information List

Information Security Policy (ISP)

Issued: January 2023

On Request

Serraview IRAP (ISM) Compliance Statement - Client Report

August 2020

On Request

Information Security Management System - ISO/IEC 27001:2013

We are now officially ISO27001 certified. The certification scope includes: US & Australia and Archibus, Inc - Serraview America, Inc - Serraview Australia, Pty Ltd. - SpaceIQ, LLC - iOffice, LP - Manager Plus Solutions, LP - Hippo Facility Management Technologies, Inc - Teem Technologies, LLC

ISO27001 - IS 671394 - Jan 2022.pdf

EU-US Privacy Shield

We are certified to the to U.S. Department of Commerce and the European Commission’s EU-US Privacy Shield and for more details refer to the Covered Entities.

GDPR Data Processor and Controller Obligations

Issued: April 2020

GDPR Data Processor and Controller Obligations.pdf

Data Protection Policy

Issued: November 2020

Data Protection Policy v 1.2.pdf

Personally Identifiable Information (PII) Data Flow

Issued: April 2020

On Request

  • Was this article helpful?