
Technical and Organisational Measures


Version effective date: 10 June, 2026

Schedule C - Technical and Organisational Measures

Culture Amp’s Information Security Program is designed to protect Customer Personal Data and support the secure operation of its SaaS platform. The program includes the following measures:

  1. Security Management & Governance

    1. Security Program

      Culture Amp maintains a comprehensive security program including a continuous improvement framework aligned with industry standards.
    2. Certifications & Audits

      Culture Amp maintains ISO/IEC 27001 certification and a current SOC 2 Type II attestation report covering its platform and services, subject to annual external audits. The latest certificate and report are available via our Trust Centre at security.cultureamp.com.
    3. Risk & Change Management

      Security is embedded into Culture Amp's change management processes. Culture Amp operates structured internal risk management processes to assess, manage, and mitigate security risks.
  2. Technical & Organisational Measures

    1. Hosting & Data Residency

      All production systems are hosted on Amazon Web Services (AWS). To facilitate regional compliance and minimise cross-border transfer risk, data is hosted in the customer's selected region:
      • US Region: Hosted in US West (Oregon), with backups in US East (N. Virginia)
      • EU Region: Hosted in Europe (Ireland), with backups in Europe (Frankfurt)
      • APAC Region: Hosted in Asia Pacific (Sydney), with backups in Asia Pacific (Melbourne)
    2. Data Protection & Encryption

      • In Transit: All Customer Data is encrypted in transit using Transport Layer Security (TLS 1.2 or higher) with secure cipher suites.
      • At Rest: Customer data is encrypted at rest using Advanced Encryption Standard (AES-256) or stronger.
      • Key Management: Encryption keys are managed via a secure Key Management Service (KMS) with annual key rotation.
      • Access Credentials: Preference is given to short-lived, dynamically generated credentials (Just-In-Time access) over static, long-lived credentials for system-to-system communication where reasonably practicable.
      • DLP (Data Loss Prevention): Culture Amp has implemented a DLP strategy and tooling to monitor and protect personal data from unauthorised exfiltration.
    3. Access Management

      Culture Amp enforces the principle of least privilege and mandates Multi-Factor Authentication (MFA) for all internal systems used to deliver the Services.
      • Access reviews occur annually to ensure continued business need.
      • Access to all Culture Amp systems is revoked immediately upon termination of employment or contract.
      • Customer data is logically segregated from other tenant data within our multi-tenant cloud environment.
    4. Network Security

      Culture Amp segregates production environments from corporate and development environments.
      • Network defenses include Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS) to detect and block malicious traffic.
      • Centralised logs, including system and application activity, are stored in our Security Information and Event Management (SIEM) solution and retained for 180 days. Logs are retained for incident response and security monitoring purposes only and are not disclosed to customers.
    5. Secure Development

      Culture Amp aligns its software development lifecycle (SDLC) with OWASP and NIST standards. All code changes require peer review and automated security testing, including Software Composition Analysis (SCA) and Static Application Security Testing (SAST), prior to deployment.
    6. Vulnerability Management

      Culture Amp performs continuous vulnerability monitoring across production environments, codebases, and assets.
      • Third-party libraries and code are scanned prior to being merged to code repositories to prevent critical vulnerabilities from being released to production.
      • Regular external vulnerability scanning is performed on all production systems and cloud services.
      • Vulnerability remediation SLAs are enforced as follows:
        • Critical: Mitigated within 48 hours.
        • High: Mitigated within 5 days.
        • Medium: Mitigated within 30 days.
        Compensating controls may be implemented where direct remediation is not immediately feasible.
    7. Independent Penetration Testing

      Culture Amp undergoes independent, third-party penetration tests of its application and infrastructure at least annually. The executive summary of our latest penetration testing report is available at our Trust Centre at security.cultureamp.com.
    8. Endpoints

      All Culture Amp employee laptops utilise Full Disk Encryption (FDE), Endpoint Detection and Response (EDR) tooling, Secure Web Gateways (SWG), Data Loss Prevention (DLP) and centralised Mobile Device Management (MDM).
    9. Physical Security

      As Culture Amp stores all Customer Data in AWS, physical security of the hosting infrastructure is managed by AWS in accordance with their physical security controls (https://aws.amazon.com/compliance/data-center/controls/). Culture Amp maintains a Physical Security Standard for its corporate offices, mandating use of alarms, access passes, visitor registration, CCTV monitoring, and separated work zones.
    10. Non-Human Identities

      System and service accounts are managed with the same security rigour as human identities, including unique naming conventions and restricted API scopes.
  3. Third-party Management

    1. Third-Party Management

      Culture Amp assesses the security and privacy risks of new third-party vendors and systems prior to adoption. We implement contractual, organisational, and technical controls commensurate with the assessed risk of the vendor.
  4. Resilience & Insurance

    1. Business Continuity/Disaster Recovery

      Culture Amp maintains and annually tests documented BCP/DR (Business Continuity Plan/Disaster Recovery) plans. Backups are performed daily and retained for 90 days in a secondary, geographically separated AWS region.
  5. Personnel & Security Awareness

    1. Background Checks

      Culture Amp conducts background checks on employees (including criminal history and working rights) where legally permissible and in accordance with local regulations.
    2. Security Training

      All Culture Amp employees undergo security awareness training upon onboarding and at least annually. Culture Amp also delivers security alerts and educational content internally.
  6. Culture Amp Platform Security

    1. Authentication

      The Culture Amp platform supports the following methods of authentication:
      • Local password authentication (as specified by the user);
      • Google Apps integration (OAuth); or
      • Customer specified SAML compliant identity provider (IdP) for Single Sign-On (SSO)
    2. Password Policy

      For accounts utilising local passwords, the following non-customisable password policy is enforced:
      • Minimum length: 8 characters;
      • Complexity: At least 3 of 4 categories (uppercase/lowercase/symbol/number);
      • Lockout threshold: Account lockout occurs after 5 failed attempts;
      • Lockout period: 60 minutes.
      Local passwords are hashed using the bcrypt algorithm with a unique salt for each hash.
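The following Python snippet is an added illustration of how the policy above can be enforced server-side; it is not code from Culture Amp or its platform. The numeric parameters are the ones stated in this section. Assumptions made for the example: any non-alphanumeric character counts as a "symbol", a successful login resets the failure counter, and the clock is injectable so that lockout expiry can be exercised without waiting. Credential verification itself (the bcrypt comparison against the stored salted hash) is left to the caller-supplied `verify` callback and is not reproduced here.

```python
"""Local password policy and account lockout enforcement (added illustration)."""
import time
from dataclasses import dataclass

# Parameters as stated in the Schedule's password policy.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3      # at least 3 of the 4 character classes
LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks
LOCKOUT_SECONDS = 60 * 60    # 60-minute lockout period


def password_meets_policy(password: str) -> bool:
    """Return True if the password satisfies the length and complexity rules."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # "symbol" = non-alphanumeric (assumption)
    )
    return sum(classes) >= REQUIRED_CATEGORIES


@dataclass
class _AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LockoutGuard:
    """Tracks failed logins per account and enforces the lockout window.

    The clock is injectable (assumption for testability) so that lockout
    expiry can be checked without sleeping for an hour.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts: dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.locked_until and self._clock() < st.locked_until:
            return True
        if st.locked_until:
            # Lockout period has elapsed: clear it and restart the attempt count.
            st.locked_until = 0.0
            st.failed_attempts = 0
        return False

    def record_failure(self, user: str) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user):
            return True
        st = self._state(user)
        st.failed_attempts += 1
        if st.failed_attempts >= LOCKOUT_THRESHOLD:
            st.locked_until = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure counter (assumption)."""
        self._accounts[user] = _AccountState()

    def attempt_login(self, user: str, supplied: str, verify) -> str:
        """Outcome of one login attempt: 'locked', 'ok' or 'failed'.

        `verify(user, supplied)` is the caller's credential check, e.g. a
        bcrypt comparison against the stored salted hash. It is only invoked
        when the account is not locked, so the lockout also bounds guessing.
        """
        if self.is_locked(user):
            return "locked"
        if verify(user, supplied):
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "failed"
```

Checking `is_locked` before calling `verify` matters: it keeps the expensive bcrypt comparison, and any timing information it leaks, out of reach while the account is in its lockout window.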
    3. Authorisation & Role-Based Access Control (RBAC)

      The Culture Amp platform supports granular, configurable access levels (e.g., Account Administrator, Account Reporter, Manager) to control visibility over reports and administrative functions.
    4. User Management

      Provisioning, deprovisioning, and authorisation of platform users are managed directly by the customer's designated platform Administrators.
    5. Tenant Segregation

      Culture Amp is a multi-tenant platform. Tenant isolation is enforced at the application layer via robust logical segregation and strict authorisation controls, ensuring that data is not exposed to other customer accounts.
    6. Secure Communications

      All communications with the Culture Amp platform are encrypted using HTTPS via TLS 1.2 and above, utilising strong cipher suites. Cipher suites and protocols are regularly reviewed and updated in alignment with industry best practices.
  7. General

    1. Supplementary Information

      Supplementary Information relating to Culture Amp's Security Program, including current security policies, external audit report summaries and certifications may be found in the Customer Trust Center, available at https://security.cultureamp.com/. The information in the Customer Trust Center is provided for informational purposes only. No content, statement, representation, or document made available through the Customer Trust Center forms part of this Agreement, or creates any form of contractual obligation.
    2. Scope Limitations and Beta Releases

      Participation in Beta or Early Access Program (EAP) releases provides a preview of functionality. While reasonable security measures are applied, pre-release versions may not fully implement all controls described in this Schedule. Participation is voluntary.
