Data privacy and information security

At Culture Amp, we are committed to our customers’ data privacy and information security. We’ve aligned our security programs with ISO 27001, followed secure development practices, provided ongoing training for employees, and more. Recently, we’ve also reviewed our policies and procedures to make sure we are compliant with The General Data Protection Regulation (GDPR).

The GDPR is the new EU data protection regulation, that aims to give EU citizens more control over how organizations collect and process their data, and standardize data protection policies across the EU. This regulation is applicable starting May 25, 2018.

Who does the GDPR affect?

Any company holding or processing information of EU citizens is impacted by GDPR regardless of its location, and is required to comply with the new regulation. 

Changes within Culture Amp for GDPR compliance

Our teams have reviewed our data privacy policies and updated our security procedures. We’ve also worked with internationally recognized privacy experts to build a global privacy framework to comply with the GDPR and other regulations. Here are the main updates we’ve made:

Platform and procedures

To ensure Culture Amp is compliant with the latest regulations, we’ve:

• reviewed our internal security procedures and updated our internal policies for Data Protection, Cryptography, Secure Development, and Secure Engineering.
• extended our internal security training to include an even broader scope of privacy and security materials to meet the GDPR Privacy by Design obligations. 
• reviewed our third party data sub processors to ensure end-to-end compliance.
• reviewed and amended our data retention policies to meet the new individual rights under GDPR, including Right to be Forgotten and Right to Access obligations, and updated the relevant processes.
• reviewed and improved our user experience to make it even easier for individuals using the platform to understand how their data is collected and used. 

Legal documentation

The Culture Amp legal team has been working to ensure our documentations are updated to reflect the GDPR requirements and ensure Culture Amp’s compliance: 

• Our Privacy Policy has been updated to meet the requirements of GDPR and make it easier for individuals to understand how their data will be collected and used.  
• Our Data Protection Agreement (DPA) has also been updated to comply with GDPR obligations, and to provide adequate protections for international data transfers outside the EU. Contact us to get the updated version of Culture Amp’s DPA 

International data transfers

To ensure GDPR compliance for international data transfers, Culture Amp will continue to use mechanisms such as the Standard Contractual Clauses in our DPA and the EU-U.S. Privacy Shield. These mechanisms allow companies around the world to comply with EU data protection requirements when transferring personal data from and to the EU.