Employee Privacy and Data Protection Policy

Effective Date: June 30, 2025

At Sambatek, we value the privacy and security of employee information and protect it with integrity and purpose. As part of your employment, we collect and use limited personal data to meet legal obligations and manage essential employment functions. This Privacy Policy and Data Policy (“Policy”) explains what information we collect, how we use and protect it, who we share it with, and the rights you have under applicable law.

This Policy applies to all current, former, and prospective employees of Sambatek located in the following states: Minnesota, Texas, North Carolina, Florida, Arizona, South Carolina, Wisconsin, and Nebraska. It applies exclusively to internal employee data and does not cover personal data collected from website visitors or external contacts collected when acting as a consumer.

This Policy does not apply to your use of Sambatek products, services, or websites in a personal or a consumer capacity, or outside the scope of your employment or engagement with Sambatek. To learn more about Sambatek’s data privacy practices that cover your use as a consumer, please refer to our Sambatek Privacy Notice available on our website.

This Policy is not intended to create and shall not be interpreted to create any express or implied contract for employment, for any specific benefit or treatment, or for continued access to any system service, or facility. And nothing in this Policy shall be construed to limit Sambatek’s ability to process employee data as necessary to comply with applicable laws, fulfill contractual or regulatory obligations, or conduct internal investigations related to alleged misconduct, policy violations or legal claims, subject to any applicable legal requirements.

To the extent this Policy conflicts with applicable local, state, or federal law, such law shall control.

Your use of Paylocity as part of your employment is subject to the practices described in this Privacy Policy.

1. Information We Collect

Sambatek collects personal data at various stages of the employment lifecycle and specifies it here in accordance with the principles of transparency, purpose limitation, and data minimization. This helps ensure employees understand what data is collected, when it is collected, and why.

a. Recruitment

  • Contact information: Name, address, phone number, email address
  • Application materials: Resume, cover letter, references
  • Demographic/Equal Employment Opportunity (EEO) information (voluntary): Race, ethnicity, veteran or disability status
  • Background screening data: Criminal and employment background checks (via AssureHire)

b. Onboarding

  • Government-issued identifiers: Social Security Number (SSN), I-9/work authorization, driver’s license or state ID
  • Banking and tax information: Bank account details for direct deposit, tax withholding information
  • Emergency Contacts details: Name, phone number, relationship to employee
  • Benefits enrollment information: Elections for health, dental, vision, retirement, or other benefits (processed through vendors such as Brown & Brown; HIPAA-covered data is not collected by Sambatek)
  • Offer materials: Offer letter, signed acknowledgment forms, employment agreement (if applicable)

c. During Employment

  • Employment and compensation information: Job title, department, manger, salary, performance reviews, disciplinary actions
  • Time and attendance records: Time tracking work schedules, PTO usage, leave of absence (e.g., FMLA)
  • Health or disability-related information data: Information provided for ADA accommodations, workers’ compensation, or medical leave (processed only as needed and subject to applicable law)
  • Benefits administration: Coverage elections, dependent data, benefits-related communications
  • Workplace systems access and usage: Company email, login credentials, internal communications, badge access logs, and other IT systems data (primarily via Paylocity and third-party providers). Sambatek may monitor these systems for legitimate business purposes such as security, compliance, and productivity, in accordance with applicable law

d. Offboarding

  • System and facility access: System access is revoked by our third-party IT provider as soon as administratively possible
  • Recordkeeping: Hard copy records record for 7 years; electronic records retained indefinitely, subject to ongoing business need and data retention policy

If a background check is required for your role, we will provide a separate written notice and obtain your written authorization in accordance with the Fair Credit Reporting Act (“FCRA”). If a background screen includes interviews with personal contacts to gather information about your character or mode of living, it may qualify as an investigative report under FCRA. In such a case, you will be informed of your right request additional details about the nature and scope of the investigation.

Sambatek and any third-party service providers that maintain or possess consumer information for employment purposes are required to take reasonable measures to protect such information from unauthorized access and to ensure its secure disposal in accordance with applicable data protection and consumer privacy laws.

Sensitive Personal Data. Some of the personal data we collect may be classified as sensitive personal data under applicable law. This may include, for example, social security numbers, race/ethnicity, disability status, or geolocation. Such data is collected and used only as necessary for employment-related purposes, such as payroll, benefits administration, equal opportunity report, and accommodation request. This data is subject to heightened protection, including role-based access and secure storage protocols.

Automated Decision-Making. Sambatek does not currently use any automated tools or algorithms in employment-related decision-making, such as hiring, timekeeping, or performance evaluation. If such tools are introduced in the future, employees will be provided notice of their use, the logic involved, and any rights available under applicable law

2. Purpose of Use of Personal Data

Data TypePurpose of Use
Contact information (name, phone, email)Workplace communication; HR documentation; emergency contacts; onboarding
Social Security Number (SSN) and tax informationPayroll processing; tax withholding and reporting (e.g., W-2, IRS, state filings)
Banking information (direct deposit)Payroll disbursement via direct deposit
Health/disability and leave informationProcessing leave requests and providing reasonable accommodations under ADA/FMLA and applicable state laws; OSHA compliance; Health plans and benefits
Demographic / Equal Employment Opportunity (EEO) informationGovernment reporting: diversity and inclusion analytics (voluntary when collected)
System and building access logs (e.g., badge swipes, login activity)Physical security; IT and facility security; access control; audit and compliance monitoring
Time and attendance recordsTimekeeping; attendance tracking; PTO and leave management
Employment and performance data Hiring; orientation; and integration into HR systems

3. Third-Party Vendors and Service Providers

Sambatek uses trusted third-party vendors, to support HR, payroll, benefits, recruiting, and compliance operations. We work with reputable third-party vendors that are obligated by applicable law to handle personal information appropriately.

Key Vendors and Their Roles

  • Paylocity
  • Our cloud-based HR and payroll platform. Paylocity processes employee data for payroll, onboarding, time tracking, benefits administration, and performance documentation.
  • Deltek and Ajera
  • Used for timekeeping, project assignments, and financial tracking. These platforms may process employee time entries, job classifications, and billing-related data for internal business operations.
  • AssureHire:
  • Used for pre-employment background checks. If a background screening is required for your role, you will receive a separate notice and be asked to provide written consent as required by the Fair Credit Reporting ACT (FCRA). AssureHire processes verification data, including criminal history, on a strictly confidential basis.
  • Brown & Brown:
  • Our insurance broker, Brown & Brown, has access to employee benefit elections and enrollment data needed to assist with group benefits administration. They do not access or store protected health information (PHI) subject to HIPAA.
  • ClearCompany
  • We use ClearCompany as part of our recruitment and onboarding platform. ClearCompany handles candidate and new hire data during the hiring and onboarding process, including resume submissions, interview scheduling, and job offers.

Sambatek may share employee personal information with authorized service providers who support our human resources, payroll, benefits, IT, or compliance operations. In the event of a merger, acquisition, corporate reorganization, or sale of assets, employee data may be transferred as part of the transaction. We may also share information with affiliated entities under common ownership or control, where permitted by law and consistent with the purposes outlined in this policy.

Sambatek does not sell employee personal data. The type and amount of data shared with third parties is limited to the minimum necessary to fulfill specific, legitimate business purposes.

4. Access Controls

Sambatek limits access to employee personal data based on each individual’s role and responsibilities, applying the principle of least privilege. Only those with a legitimate business need may access specific categories of employee information, and all access is governed by internal security protocols and contractual obligations where applicable.

  • HR personnel have full access to personnel records, including Social Security numbers (SSNs), dates of birth (DOB), benefit election information, and background check data, as required to manage core HR functions.
  • Managers and supervisors have administrative-level access to HR data, including access to personnel records, time tracking, scheduling, and performance evaluations, as necessary to support their management responsibilities.
  • Finance personnel have access to sensitive data such as SSNs, DOBs, and banking information solely for the purposes of processing payroll and fulfilling tax reporting obligations.
  • IT personnel have limited access to employee identifiers, including names, usernames, and employee ID numbers, in order to provision and maintain secure access to Sambatek’s systems.
  • Brown & Brown, Sambatek’s benefits broker, has access only to employee benefit election data needed to assist with group benefits administration. Brown & Brown does not access or process any protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA).

Access to employee personal data is restricted and monitored. It is granted only to authorized personnel for defined business purposes in accordance with Sambatek’s privacy and data security standards.

You may access and manage certain parts of your information by logging into Paylocity at https://access.paylocity.com/If you need assistance updating your records or correcting inaccurate data, please contact HR. If we process any personal information based on your consent (such as optional demographic disclosures), you have the right to withdraw that consent at any time by contacting HR.

All medical and genetic information is maintained in confidential medical files that are stored separately from general personnel records. Access to this information is strictly limited to authorize HR personnel or others with a legitimate business need and handled in compliance with the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA).

5. Your Rights

Depending on your state of employment, you may have certain rights under state or local laws that govern the collection, use, and maintenance of your personal information. This policy is intended to comply with all such applicable laws. Employees who have questions about their rights or wish to exercise them may contact Human Resources for more information.

These rights may allow you to, including but not limited to, the right to:

  • Access your personal data
  • Correct or update inaccurate or outdated information
  • Be free from retaliation for exercising your privacy rights
  • Withdraw your consent for voluntary disclosures, such as demographic information
  • Request deletion of certain personal data, subject to legal and business recordkeeping requirements

You may submit a written request to Human Resources to review your personnel file. If you believe your personal information has been mishandled, you may also raise a privacy-related concern or file a complaint with Human Resources. Response timelines vary depending on your state of employment.

6. Data Security, Storage, and Retention

Sambatek stores employee data using secure cloud-based platforms, including Microsoft 365 and Paylocity. Third-party vendors that are obligated by applicable law to handle personal information appropriately. We implement reasonable administrative, technical, and physical safeguards to protect employee personal data from unauthorized access, use, or disclosure. These measures include:

  • Role-based access controls and multi-factor authentication for authorized users
  • Secure storage in cloud-based platforms such as Paylocity, which maintains its own physical and technical safeguards
  • Regular security testing, monitoring, and vulnerability assessments
  • Breach response protocols, including notification to affected individuals when required by applicable law

Personal data is retained only as long as necessary for employment, legal compliance, or business purposes. Paper records containing personal data are retained for up to seven (7) years after the end of the employment relationship, unless a longer retention period is required by law. Electronic records may be retained for a longer period, including indefinitely, when needed for ongoing business operations, legal compliance, or historical recordkeeping.

7. Changes to This Policy
We may update this Employee Privacy Policy from time to time to reflect changes in our business practices, technologies, or legal obligations. If material changes are made, we will notify employees through appropriate internal channels and update the effective date in the handbook or HR system.

8. Contact Us

If you have any questions about this Privacy Policy, how your personal information is handled, or if you wish to exercise your rights under applicable law, please contact:

 Paige McDaniel, SPHR 

Human Resources Generalist

pmcdaniel@sambatek.com

763.297.3718

Appendix A – Key Definitions

Some of the terms in this policy are governed by state and federal law. Where definitions vary, we adopt those most protective of employee privacy consistent with applicable requirements.

Employee: Includes current, former, and prospective employees, interns, and contractors whose personal data is processed in the context of employment or potential employment with the Company.

Personal Data (or Personal Information): Information that identifies, relates to, describes, or is reasonably capable of being associated with an individual. This may include your name, contact details, government ID numbers, and employment records.

Sensitive Personal Information: A subset of personal data that includes information which, if mishandled, could create a heightened risk of harm to an individual. This may include data related to identity, finances, health, biometrics, or protected characteristics such as race or sexual orientation.

Processing: Any operation performed on personal data, including collection, use, storage, sharing, disclosure, or deletion, whether automated or manual.

Service Provider: A third party that processes personal data on behalf of the company under an obligation to safeguard the data and use it only for specified business purposes.

Protected Characteristics: Characteristics protected under federal and state employment law, including race, color, sex, religion, national origin, disability, age, and genetic information.

Medical Information: Information related to an individual’s physical or mental health, medical condition, or disability status.

Consumer Report / Investigative Consumer Report: Background or credit check information obtained from a third-party agency for employment purposes.