In doubt about something?

Frequently Asked Questions

The Response Team

  • Will the manager be told that an employee has been in contact with the response team?

    No – the conversation with the response team remains anonymous to the company.

  • Why should I talk to the response team, how will it help me?

    The response team consists of industrial psychologists who are trained to talk about issues that concern your work life and/or your personal life. The conversation can help you find solutions to the issues that affect your well-being.

  • Who is the psychological response team?

    The psychological response team is managed by Worklife Barometer, which has a contract with Falck Healthcare and the Danish Mental Health Foundation concerning the manning of the response team. All are industrial psychologists with at least 3 years of work experience.

  • When will the response team contact me? How soon?

    Generally speaking you will be contacted in 3 cases: 1) if your well-being is in the red zone, 2) if a significant decrease in well-being is registered (compared to the previous measurement) and your score is in the yellow zone or 3) if your score is in the yellow zone (without having decreased significantly since the previous measurement). In case of 1) and 2) proactive action is taken, and you will receive a call within 2 weekdays. In case of 3) you have to press the “contact me” button yourself. When you do so, someone from the response team will get back to you within 2 weekdays.

  • What is the task/role of the response team? How can the response team help? What can I expect to gain from the contact?

    The response team has a preventive function and does not provide actual psychological treatment. We know from several scientific studies that early attention to a given problem (while the person affected is still able to act) is effective when it comes to going through with a change. The response team can help create an understanding of the situation and can sometimes help to describe an emotion. What you can get from contact with the response team is “good advice” on how to act on the situation that caused the lack or decrease of well-being. If it is considered necessary, you will be offered a follow-up call, where someone from the response team will call you and “make sure” that any agreed action has been taken.

  • What happens if I have used all my conversations with the response team and my level of well-being turns "red"?

    You will receive a message in the app saying that your well-being is at a critical level and you should seek assistance from a healthcare professional.

  • What does the response team ask about?

    The response team will begin by asking questions about the situation, based on whether you are aware yourself of why your level of well-being has caused a call. They will try to clarify the following: the cause of the problem, the ability to handle the situation, whether the stressful situation has been short or long term, as well as the extent of the problem. During the conversation an agreement is made about what the employee should do, and in some cases a follow-up call will be made to ensure that action is taken.

  • What do I do, when I can no longer use the response team?

    The app will automatically notify you if the available number of conversations is exhausted, and you will be advised to contact your immediate manager or HR if you believe you are in need of help.

  • What do I do if I can't pick up the phone when the response team calls?

    The first time the response team calls you, they will always cautiously ask whether you are in a position to talk. If you don’t pick up the phone, they will leave a message and a number on which you can call them back. The second time they call, they will also send you an SMS. After their fourth try, you will receive a message that they haven’t been able to get in touch with you, and that they won’t try to call you again. You are always welcome to ”activate” the response team by requesting that they contact you.

  • Is it possible to indicate a preferred calling time? So I won't be contacted by the response team just anytime?

    You can return an SMS to the industrial psychologist after the first (missed) call – or you can agree on another time for the conversation, when the industrial psychologist first calls you. In order to protect your anonymity we won’t send any communication concerning the response team via e-mail. If you don’t have access to a mobile phone, the best option is to tell the response team when you are free to talk to them.

  • How will they get in touch with me? Is it inside or outside working hours?

    The response team is open daily from 8 until 20 (until 16 on Fridays) and attempts will be made to reach you both inside and outside working hours. You can also suggest that the psychologist try to call you again at a specific time which suits you better.

  • How often can I use the response team?

    You can use the response team 2 times a year. Each use consists of a preliminary conversation, with the possibility of a follow-up conversation.

  • Do I have to talk to the response team if my well-being is in the "red zone" or is decreasing?

    You can always send a message to stating that you don’t want to go through with the conversation, or you can just tell the psychologist that you don’t want the conversation.

  • Can the response team grant you consultations with other psychologists with a view to an actual course of treatment?

    The response team is not able to grant you consultations with other psychologists. However, they can guide you towards a course of treatment via your health insurance, private practitioner, municipality etc.

  • Can I reject talking to the response team?

    Yes – talking to the response team is voluntary. However, we always recommend that you spend a few minutes on a short talk.

  • At which number will I get contacted?

    When you accept the declaration of consent you will be asked to register a phone number. You decide whether to register your personal phone number or your work phone number. You are encouraged to register a mobile phone number – if possible – as it is easier to have a discreet conversation over a mobile phone.

The Questions In The App

  • Why do I need to keep participating if my well-being is good and doesn't change?

    Each month all the answers are collected into reports on well-being, so it is important that we receive the answers every month. Poor well-being is typically a condition that develops over time, and it can be difficult for oneself to see it coming. The Howdy measurements help make the development visible and they make it possible to deal with potential issues before they escalate.

  • Why do I need to answer the same questions over and over again?

    The 5 questions have been scientifically tested around the world, and have proven to be very precise. The scientific foundation is based on exactly these 5 questions.

  • Why am I asked about things that are so private, such as mood, sleep and energy? Why don't you just ask about issues that concern the workplace?

    The solution focuses on the complete person. Personal life and work life are connected. You are not just unwell in your work life but also in your personal life.

  • When does well-being come out as being good or bad in the measurements?

    The questions in Howdy are converted into a score on a scale from 0 to 100. If you have a low score and/or a significant decrease in your score, this will trigger certain feedback in the app and/or contact with the response team. A well-being score below 35 is marked as “red”. A well-being score from 35 to below 50 is marked as “yellow”. A well-being score above 50 is marked as “green”.

  • I am never entirely rested when I wake up, but that doesn't mean that I don't feel good. Which impact does that have on whether my well-being is marked as "red"?

    On its own, a lack of sleep does not trigger “red well-being” or contact with the response team. It is your answers to the 5 questions which, taken together, are used to assess your level of well-being. The scientific model ensures that the proper reservations are taken in relation to the balance in the answers.

  • How does one ensure a correct evaluation of one's well-being? Having one bad day doesn't mean that I'm about to become stressed. Everybody has good and bad days?

    An important element of the science behind the questions is to try to reflect over the past 14 days, so that you don’t base your answers on just a single day.

  • Can the manager see what the individual employee is answering?

    All answers are anonymous to the company and they are collected in an anonymised form for use in the reports.

Technical Details and Getting Started

  • Will I receive reminders during vacations and holidays as well?

    Yes, you will. Howdy measures your overall well-being – in your work life as well as in your personal life. Therefore, the Howdy solution is also relevant during a vacation.

  • Why do I need to disclose my postal code?

    Various municipalities provide different services to their citizens. Therefore, the response team needs to know in which municipality you reside.

  • Who do I contact if I don't want to use Howdy anymore?

    If you don’t want to use Howdy anymore, you may contact:

  • Where do I find the statistics of my own development in well-being between measurements?

    When you log in to Howdy (via the app or via the web version) you can find your own figures in the menu at the bottom of the screen (the choice in the middle). The web version is here:

  • When will I receive a reminder to participate in the survey?

    If you have signed up as a user, the reminders will arrive at 14-day intervals. If you haven’t signed up as a user yet, you will receive a friendly reminder about once a month. If you no longer wish to receive these reminders, you can contact Worklife Barometer, and the reminders will stop.

  • When will I be reminded to answer the Howdy questions?

    You will receive a reminder that it is time to answer two weeks after your last response. It is recommended that you participate about every two weeks, as experience shows that 2 weeks is the optimal time period for reflection and that it will give the best overview of the development in your well-being.

  • What happens if I forget to answer?

    It doesn’t matter if you forget to answer the questions once in a while, but try to answer at least once a month so that your responses can be included in the monthly reports on well-being.

  • What do I do if I forget my password?

    Go to and enter your e-mail. You will then receive a new mail with a link to your profile.

  • To what do I give my consent?

    The Danish Data Protection Agency requires a declaration of consent in order for Worklife Barometer to be allowed to process data about you. Worklife Barometer conforms to strict requirements concerning security, handling and processing of data.

  • Is participation voluntary?

    Yes, it is voluntary, but everybody is encouraged to participate – even if you already feel satisfied. The precondition for creating a better work environment for everybody is a high level of participation, so that the proper initiatives can be put into place.

  • How far back can I see my well-being?

    The app will show you the last 10 measurements.

  • How do I get started?

    You’ll receive an invitation with a personal link.

  • How do I get started with Howdy?

    You will receive an invitation via e-mail from Worklife Barometer. The mail contains a short intro to Howdy as well as a link to the page on which you can register as a user.

  • How do I change my preferred language?

    To change your default language, open the app on your smartphone and log in with your credentials.

    Once the app is open, click the profile icon in the bottom right corner – that will open the profile settings.

    Inside the profile settings, there is an option called Language; its name might vary according to your current language. If you click that option, a list of available languages will show – now simply click your desired language and press change.

    The app will now reload itself and all text will be in your preferred language.

  • For how long will I keep receiving invitations to register as a user?

    In the beginning you will receive an invitation once a week. Afterwards you will receive an invitation every two weeks until you register as a user.

  • For how long can I answer after receiving a reminder?

    You can submit your answer within 14 days. After this time, the period will “close” and “no answer” is registered in the system. Shortly thereafter you will receive a new reminder for a new “open” period of 14 days.

  • Do I need a smartphone in order to participate?

    You can send in your answers from a PC, tablet or a mobile phone. In your profile, you select whether to receive an e-mail and/or SMS. That way you can submit your answers on the device that suits you best.

Security

  • Will you be able to guarantee that data stays within EU jurisdiction / territory?

    Yes, that’s a part of ISO27018. However, please bear in mind that some data might transit out of the EU, e.g. when sending e-mails, text messages or push notifications. For that very reason we will never send Personal Information or Health Information through these channels.

  • When a customer terminates its business arrangements with you – how long after the termination do you hold or keep customer data on disk, backup media etc. before it is purged.

    As per consent, we do not purge all data. We use and store some data in a statistical form. In the event of a business termination, we purge PII within a week after the notice of termination has taken effect. Backups are retained for 35 days. Customer information such as e-mails, invoices, meeting notes, contracts etc. may be stored longer.

  • Please provide us with your latest audit report - SSAE16 SOC 2 and/or ISAE 3402 based on infrastructure controls – this documentation is often readily available by your hosting or cloud provider.

    This is available from Microsoft Azure; for further details, please see document

  • Please provide us with any security process or control certification such as ISO27001/2 and describe what is covered by your certification (ISO27001 SoA).

    This is available from Microsoft Azure; for further details, please see document “WLB Security document.pdf”.

  • Please provide us with any privacy audit process or control certification such as ISO27018 or ISAE 3000 and describe what is covered by your certification or audit control report.
  • Please provide us with a copy of your Information Security Policy.
  • Please provide information on where or at which datacenters data will reside.

    Microsoft Azure using their European data centers.

  • Please elaborate on what levels of security is built into your login system - i.e. do you provide 2 factor authentication?

    Internally, yes 2FA is enabled for relevant staff/applications. Externally, it depends on your own configuration at your STS.

  • Please elaborate on what level of hardening that is performed on your Server and Database environment.

    All accounts accessing our Azure tenant require 2FA through Azure AD. Database: We use Azure SQL Server instances which have all been set up with SQL Server Audit, Azure SQL Threat Detection and IP restrictions. Web Servers: Only accept HTTPS, checked weekly by Detectify and in real time by Azure Security Center.

  • Please elaborate on how you manage tenant access and authorization to your solution and do you provide any form of federation framework or Single Sign On (SSO)?

    Internally, all access is controlled by Azure AD. External users (like the HR department of Grundfos or our response teams) may sign in with either 1) their own company credentials through Azure AD or their own operated STS, or 2) a local Username/Password account (backed by Azure AD B2C).

  • Please elaborate on how you ensure that SoD is managed by your IT operations team (NOC, etc.) or your subcontractor’s IT operational team and the tenant’s services and their data.

    We are a small development team, so segregation of duties can be difficult.
    However, we ensure that code entering production is peer-reviewed by at least one other member of the development team. Also, only our CTO has the privilege to release to our production environment.

  • Please elaborate on how data is deleted – from your systems and backups and what is data retention on customer data?

    See #43 and the following statement from our Hosting Provider: Data deletion on physical storage devices. If a disk drive used for storage suffers a hardware failure, it is securely erased or destroyed before Microsoft returns it to the manufacturer for replacement or repair. The data on the drive is completely overwritten to ensure that the data cannot be recovered by any means. When such devices are decommissioned, they are purged or destroyed according to NIST 800-88 Guidelines for Media Sanitization.

  • If your system or service is Hosting based - Please provide us with a description of what type of hosting model you have based your solution on – is it co-location, fully managed services and who is your hosting provider?

    Microsoft Azure

  • If your system or service is Cloud based - Please provide us with a description of what type of Cloud service model you have based your solution on – is it private, public or hybrid and who is your Cloud provider?

    Microsoft Azure

  • If your system or service is Cloud based - Please provide us with a description of what type of Cloud Computing model you have based your solution on – is it IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) or SaaS (Software-as-a-Service).

    Microsoft Azure – SaaS

  • If your system or application is Web based which security measures have been built into your code to avoid OWASP Top 10 web risks.

    Use [Link] or [Link] and [Link] for guidance.

    We used Detectify to stay up to date with the current OWASP Top 10.

  • If your system or application is Web based and connects to a data base what measures have been taken to mitigate SQL Injection

    All interactions between our web servers and database servers are carried out by Entity Framework, which ensures that no SQL statements are written “by hand” and all values are parameterized. Also, we have applied SQL Database Threat Detection to capture any anomaly.

  • If your system or application is mobile app based which security measures have been built into your code to avoid OWASP Top 10 mobile issues.

    For reference see [Link].

    Our app is built on top of the Cordova Framework, which we upgrade regularly whenever new versions are released. As such, our apps are just a website run locally on the device while interacting with our APIs. This also means that the only code we maintain is JavaScript/HTML/CSS.

    • M1 – Improper Platform Usage
      We only ask for the permissions we need. Currently that is internet connectivity, data storage, push notification, device id (used by push).
    • M2 – Insecure Data Storage
      We only store a user token for the logged in user. No PII or health data is stored locally on the device.
    • M3 – Insecure Communication
      We only connect over SSL/TLS (Grade A) to our API.
    • M4 – Insecure Authentication
      The user token is validated at each request to our servers.
    • M5 – Insufficient Cryptography
      See M3
    • M6 – Insecure Authorization
      See M3
    • M7 – Client Code Quality
    • M8 – Code Tampering
      The code in the app can be tampered with by hooking the phone up to a standard Web Inspector or Chrome Browser, as it is just a website. That doesn’t mean that it is insecure – the security lies at the server-level API – just like a normal website.
    • M9 – Reverse Engineering
      Yes, it can be reverse engineered just like a webpage. Therefore, no cryptographic constants and ciphers or intellectual property are stored in the app.
    • M10 – Extraneous Functionality
      We have a separate process for building and testing the app in debug mode, so that no extraneous functions are needed.

  • If your system is designed to process, store or transmit privacy data is it compliant with the EU General Data Protection Regulation – if so please provide evidence of data flow diagrams for the system and list of personal data master data and data categories as prescribed by the EU GDPR.

    We are designing our system around GDPR and we will comply and disclose data categories before May 2017, but we are not ready to disclose that information yet.

  • How and which security measures have been built into your API’s – Please elaborate.

    Our APIs use JWT and similar technologies to facilitate authentication and authorization. Furthermore, we use Azure AD (and Azure AD B2C) to detect malicious login attacks.

  • Have you ever been subjected to data leakage issues that have not been reported to the authorities?


  • Has the system or application been tested for security vulnerabilities and has your code been screened for security issues – please elaborate

    We use Detectify to test our services for vulnerabilities on a weekly basis. The system scans for 500+ known attacks, and more are constantly being added. If any new vulnerabilities show up, our Security Team is notified automatically.

  • Has the system or application been tested for privacy breach vulnerabilities – please elaborate.

    We use Detectify to test our services for vulnerabilities on a weekly basis. The system scans for 500+ known attacks, and more are constantly being added. If any new vulnerabilities show up, our Security Team is notified automatically.

  • Do you utilize any form of SDL – Security Development Lifecycle in your code development framework.

    We strive to follow the SDL for Agile Development where applicable in our software lifecycle. Code modifications to security related modules (database access and filtering, authentication, authorization etc.) are marked for Security Review by another Team Member with the necessary training and seniority.
    We use filtering and escaping libraries to validate and mitigate XSS and Injection attacks. Furthermore, large parts of our authentication and cryptography rely on proven technologies like Azure AD, Azure AD B2C and Azure KeyVault.

  • Can you indicate how often your IT Disaster Recovery Plans are tested?


Reports and Follow-Up

  • Why are there more "reds" than the number of persons who have been in contact with the response team?

    There can be several reasons for that. The most frequent explanations are that: 1) The employee has an open case and continues to submit answers every two weeks. The well-being of that person is not immediately affected, and so the answers still place that person in the “red zone”. As that person already has an open case that awaits a follow-up conversation (which is typically 3-4 weeks into the future), a new case is not created. 2) The employee has had 2 cases (the max number per year) within the last 12 months. Therefore, no new cases are created, and the employee is instead advised to contact HR.

  • Where should the level of well-being be on the scale from 0 to 100?

    WHO-5, which is the scientifically developed questionnaire that is being used, has repeatedly shown a national average in Denmark of 70 points. Therefore the average level of well-being in a specific department should also be around 70 points or higher.

  • What are the reports used for?

    We recommend that the monthly well-being reports are used by management and HR to get an impression of the level of well-being in the individual departments. This way it becomes possible to make a targeted and early effort when signs of decreased well-being begin to show in certain groups.

  • What are cause codes/heat-map?

    The cause codes are used for the classification of conversations with the response team, and they are provided in a statistical form as feedback to the company in the regular reports. As per the recommendations of the working environment authorities, there has to be a minimum of 20 persons in a group for a cause code to appear in the report. The cause code(s) is chosen in cooperation with the psychologist. Some further words are added to work-related causes such as “workload, problems with a co-worker, etc.” whereas personal causes are only categorized as “personal causes”. If, for example, the lack of well-being (and, as a consequence, the conversation with the response team) is due to a divorce, the cause will be categorized as “personal cause” without being further specified.

  • What are cause codes?

    After each conversation, a ”cause code” is registered. This helps to give an overview of the problems that cause poor well-being in the individual company.

  • How is the level of well-being assessed? When is the level of well-being critical/satisfactory?

    The average score is calculated on the basis of all answers that have been registered in the specific month. The scale goes from 0–100 and our experience, as well as scientific studies, show that the average is around 70 points. If the score in a specific group nears 60 points or below on average, this indicates that there is reason to be particularly attentive to the level of well-being in that specific department.

  • How is the average score calculated?

    Each question is assigned a points score, depending on how you answer the question. Higher well-being results in a higher point score being assigned to the question. All questions are added up and together they constitute the average score.

Anonymity and Data Management

  • Who can access which data?

    Worklife Barometer is the data controller for all data, and data is stored only on servers administered by Worklife Barometer. Only a few persons in Worklife Barometer are able to access the technical systems in which the data is stored. The industrial psychologist to whom the individual case has been assigned has access to the basic information about the person (first name, last name, company, phone number) as well as the response history. Access to this data is only available as long as the case is open. When the case handling ceases, the case “disappears” from the system used by the industrial psychologist.

  • Who can access my data?

    Only Worklife Barometer and the response team can view your answers in order to follow up on your well-being. Worklife Barometer is also allowed to use the information collected for statistical purposes such as benchmarking across personas or other relevant characteristics.

  • What happens to my data if I no longer want to participate or if I leave the company?

    Once you leave the company, they will inform Worklife Barometer that you no longer want Worklife Barometer to store your data, and all personally identifiable data will be removed from the database. Your data may still be included in statistical material – but without Worklife Barometer knowing who answered what.

  • Is it safe and secure to use Howdy?

    Howdy conforms to the strict requirements imposed by the Danish Data Protection Agency concerning data protection and processing, and also conforms to current Danish legislation.

  • How is the anonymity in relation to "red, yellow, green" well-being?

    The number of employees with “red, yellow or green well-being” appears in the reports. It is not shown in any way which persons have scored in which categories of well-being.

  • How is my anonymity ensured in relation to my employer?

    We apply the recommendations of the working environment authorities. Reports are only created for departments/groups in which at least 5 employees have participated in the measurement.

  • How is my anonymity ensured in relation to cause codes?

    A group has to consist of at least 20 persons for the cause codes to appear in a report.

  • How is my anonymity assured if I have been in contact with the response team?

    Only the response team and Worklife Barometer know who has been in contact with the response team. This information is covered by our obligation of professional secrecy.
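
The group-size rules in the answers above (reports only for groups with at least 5 participants, cause codes only for groups of at least 20 persons, personal causes never specified), as an added Python example that is not Worklife Barometer's code. All function names and sample data are constructed, and treating a score of exactly 50 as green is an assumption; `residual_exposure` goes beyond the page by checking whether a withheld sub-group's figures could be derived by subtracting published sub-groups from their parent group.

```python
from collections import Counter
from statistics import mean

MIN_PARTICIPANTS = 5       # page: reports need at least 5 participating employees
MIN_GROUP_FOR_CAUSES = 20  # page: cause codes need a group of at least 20 persons


def zone(score):
    """Colour zone for a 0-100 score, using the cut-offs stated on the page."""
    if score < 35:
        return "red"
    if score < 50:
        return "yellow"
    return "green"  # assumption: a score of exactly 50 is treated as green


def publishable_cause(category, detail):
    """Work-related causes keep their detail; personal ones are never specified."""
    return detail if category == "work" else "personal causes"


def build_report(name, headcount, scores, causes):
    """Aggregate one group; return None when too few employees participated."""
    if len(scores) < MIN_PARTICIPANTS:
        return None
    report = {
        "group": name,
        "participants": len(scores),
        "average": round(mean(scores), 1),
        "zones": dict(Counter(zone(s) for s in scores)),
    }
    # Cause codes depend on the size of the group, not on the number of answers.
    if headcount >= MIN_GROUP_FOR_CAUSES:
        report["cause_codes"] = dict(
            Counter(publishable_cause(c, d) for c, d in causes))
    return report


def residual_exposure(parent, children):
    """Number of participants whose aggregate leaks through subtraction.

    If the parent report is published, subtracting every published child from it
    yields the combined figures of the withheld children. A residual between 1
    and MIN_PARTICIPANTS - 1 means a too-small group is still derivable.
    Returns 0 when nothing below the threshold can be derived.
    """
    if build_report(**parent) is None:
        return 0
    published = sum(len(c["scores"]) for c in children
                    if build_report(**c) is not None)
    residual = len(parent["scores"]) - published
    return residual if 0 < residual < MIN_PARTICIPANTS else 0


# Constructed sample data (not real measurements).
SALES = {"name": "Sales", "headcount": 22,
         "scores": [72, 64, 48, 30, 81, 55, 68, 44, 90, 76],
         "causes": [("work", "workload"), ("personal", "divorce"),
                    ("work", "workload")]}
SUPPORT = {"name": "Support", "headcount": 6, "scores": [28, 41, 66],
           "causes": [("personal", "illness")]}
OPS = {"name": "Operations", "headcount": 12,
       "scores": [50, 34, 35, 49, 70, 61],
       "causes": [("work", "problems with a co-worker")]}
COMMERCIAL = {"name": "Commercial", "headcount": 28,
              "scores": SALES["scores"] + SUPPORT["scores"],
              "causes": SALES["causes"] + SUPPORT["causes"]}

if __name__ == "__main__":
    for group in (SALES, SUPPORT, OPS, COMMERCIAL):
        print(group["name"], build_report(**group))
    print("residual exposure:", residual_exposure(COMMERCIAL, [SALES, SUPPORT]))
```

A non-zero result from `residual_exposure` means that either the parent report or one more sub-group report has to be withheld before the set is released.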

Still have questions?