Staffbase is a German employee communication platform headquartered in Chemnitz. It is used by large enterprises across Europe to publish internal news, run employee surveys, branch communications by audience and reach employees through web, mobile and email. Tenants for European customers are hosted on AWS in Frankfurt.
Staffbase is a leading European employee communication platform, founded in 2014 and headquartered in Chemnitz, Germany. Large enterprises such as DHL, Audi, Adidas and Wuerth use Staffbase to run internal news, employee app channels, surveys and personalised content delivery through web, mobile and email. Staffbase acquired Bananatag in 2021 to add email distribution to the suite.
Staffbase runs a multi-tenant SaaS that combines a content management system for internal news, an employee app available on iOS and Android, a desktop intranet (Staffbase Hub), an email distribution module (Staffbase Email) and an analytics layer. Authentication uses the company's identity provider (Azure AD, Okta, Google Workspace) over SAML or OIDC. Content can be targeted by employee segments using HR attributes.
Staffbase sets strictly necessary cookies (sb_session, sb_token, sb_csrf) for authentication and CSRF protection. Optional functionality cookies remember theme and reading preferences. Read receipts, click events and survey responses are processed on the server. The mobile SDK uses Firebase Cloud Messaging or Apple Push Notification Service for push, which involves Google and Apple as sub processors but not as advertising vendors.
Staffbase processes employee data on behalf of the employer as a data processor under Article 28 GDPR. The standard legal basis is legitimate interest of the employer for non mandatory communications and the employment relationship for mandatory ones. In Germany the works council (Betriebsrat) and the federal data protection law (BDSG) impose additional consultation obligations. Read receipt analytics and engagement tracking should be carefully scoped to avoid being characterised as employee monitoring.
Strictly necessary cookies do not require consent. Optional push notifications, geo location for site specific news, and analytics that link engagement to individual employees should be presented as separately consentable preferences inside Staffbase. Public marketing widgets that load Staffbase content on external sites must be gated by a CMP because Art 5(3) ePrivacy applies in that context.
European customers are hosted in AWS eu-central-1 (Frankfurt) with no transfer to the United States in production. Support and engineering access from outside the EU is governed by the Staffbase DPA and Standard Contractual Clauses. The mobile push notification path uses Google FCM and Apple APNs as sub processors, which are listed in the Staffbase DPA. Customers should verify the region lock chosen at provisioning and reflect the sub processor list in their privacy notice.
Sign the Staffbase DPA and pin the EU region. Consult the works council before activating analytics features that reveal individual engagement. Limit read receipt visibility to aggregate dashboards. Configure SSO with the corporate IdP and disable Staffbase native accounts where possible. Document Staffbase, FCM and APNs in the records of processing. Review survey templates so that questions stay within the works agreement.
Websites using Staffbase must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for typical Staffbase deployments because the platform processes employee personal data at scale, may include profile pictures, organisation chart data, geolocation for mobile push, and survey responses that can include opinions and sentiment. The DPA must specifically describe employee monitoring constraints, the works council role, and any cross border access by support staff. Employee representatives must be consulted in jurisdictions where this is mandatory (Germany Betriebsrat, France CSE).
Sample consent text
This intranet uses Staffbase to deliver internal communications, notifications and surveys. Strictly necessary cookies are set to keep you signed in and to load content. Optional features such as push notifications, analytics on read receipts and personalised content delivery require your separate consent and can be reviewed at any time in your Staffbase preferences.
Third-party domains contacted
staffbase.com
app.staffbase.com
cdn.staffbase.com
api.staffbase.com
fcm.googleapis.com
push.apple.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sb_session | Strictly Necessary | Session | First party session cookie used to maintain the authenticated browser session on the Staffbase tenant. |
| sb_token | Strictly Necessary | 8 to 24 hours | First party authentication token issued by Staffbase or the corporate IdP after SSO login. |
| sb_csrf | Strictly Necessary | Session | First party CSRF protection cookie used to mitigate cross site request forgery on form submissions. |
| sb_locale | Preferences | 1 year | First party preference cookie storing the language selected by the employee. |
Staffbase uses cookies for user preferences — inform visitors with a consent banner.
Staffbase sets strictly necessary cookies sb_session (browser session), sb_token (authentication token, typically 8 to 24 hours) and sb_csrf (session, CSRF protection). Optional cookies remember theme and language preferences. The mobile SDK does not use cookies; it uses Firebase Cloud Messaging and Apple Push Notification Service tokens.
Strictly necessary cookies for authentication do not require consent. Optional features such as push notifications, geo location for site specific news and analytics that link engagement to an individual employee should be presented as separate preferences and consented to inside the Staffbase app or web settings.
Performance of the employment contract (Art 6(1)(b) GDPR) for mandatory communications such as HR notices, health and safety alerts and policy updates. Legitimate interest of the employer (Art 6(1)(f)) for non mandatory engagement, with a documented balancing test and works council consultation where required. Consent (Art 6(1)(a)) for optional features.
European tenants are hosted in AWS Frankfurt with no production transfer to the United States. Support and engineering teams may access the tenant from non EU locations under Standard Contractual Clauses. Firebase Cloud Messaging and Apple Push Notification Service involve Google and Apple as sub processors, with their own transfer mechanisms.
Yes. Staffbase processes employee personal data at scale, can include behavioural analytics (read receipts, click maps), and may be considered a tool for systematic monitoring of employees. A DPIA is recommended and in many cases legally required. The works council must be consulted in Germany and in France (CSE).
Sign the EU DPA, pin the region at provisioning. Configure SSO with the corporate identity provider and disable native Staffbase accounts. Limit engagement analytics to aggregate dashboards. Consult the works council before activating individual click and read tracking. Document Staffbase, FCM and APNs in the records of processing and in the employee privacy notice.
Comparable European employee communication platforms include Beekeeper (Switzerland), Workvivo (Ireland, Zoom owned), LumApps (France), and Speakap (Netherlands). For Microsoft heavy environments, SharePoint Viva Engage or Yammer are alternatives. Each has its own hosting region, DPA terms and feature footprint.
List the three strictly necessary cookies (sb_session, sb_token, sb_csrf) with their duration and purpose. Mention the optional functionality cookies (theme, language). On the mobile side, document FCM and APNs in the privacy notice with their respective transfer mechanisms. The intranet privacy notice should also describe engagement analytics and how to opt out.