Data privacy and information security at Culture Amp

At Culture Amp, we are committed to our customers’ data privacy and information security. We have aligned our security program with ISO 27001, follow secure development practices, provide ongoing training for employees, and more. Recently, we have also reviewed our policies and procedures to make sure we comply with the General Data Protection Regulation (GDPR).

The GDPR is the new EU data protection regulation that aims to give EU citizens more control over how organizations collect and process their data, and to standardize data protection rules across the EU. The regulation applies from May 25, 2018.


Who does the GDPR affect?

Any company that holds or processes the personal data of EU citizens is affected by the GDPR, regardless of where the company is located, and is required to comply with the new regulation.


Changes within Culture Amp for GDPR compliance

Our teams have reviewed our data privacy policies and updated our security procedures. We have also worked with internationally recognized privacy experts to build a global privacy framework that complies with the GDPR and other regulations. Here are the main updates we have made:

Platform and procedures

To ensure Culture Amp complies with the latest regulations, we have:

  • reviewed our internal security procedures and updated our internal policies for Data Protection, Cryptography, Secure Development, and Secure Engineering.
  • extended our internal security training to include an even broader scope of privacy and security materials to meet the GDPR Privacy by Design obligations.
  • reviewed our third-party data sub-processors to ensure end-to-end compliance.
  • reviewed and amended our data retention policies to meet the individual rights under the GDPR, including the Right to be Forgotten and Right to Access obligations, and updated the relevant processes.
  • reviewed and improved our user experience to make it even easier for individuals using the platform to understand how their data is collected and used.

Legal documentation

The Culture Amp legal team has been working to ensure our documentation is updated to reflect the GDPR requirements and to ensure Culture Amp’s compliance:

  • Our Privacy Policy has been updated to meet the requirements of the GDPR and to make it easier for individuals to understand how their data will be collected and used.
  • Our Data Protection Agreement (DPA) has also been updated to comply with GDPR obligations and to provide adequate protections for international transfers of data outside the EU. Contact us to get the updated version of Culture Amp’s DPA.

International data transfers

To ensure GDPR compliance for international data transfers, Culture Amp will continue to use mechanisms such as the Standard Contractual Clauses in our DPA and the EU-U.S. Privacy Shield. These mechanisms allow companies around the world to meet EU data protection requirements when transferring personal data to and from the EU.

Culture Amp’s continuous commitment to information security

For customers to learn faster through feedback, they and their employees must be able to trust us with their data, which is why we take information security and data privacy very seriously.

Here’s a look at what Culture Amp’s security experts have been working on:

ISO 27001

We have aligned our security program with ISO 27001 and expect to be certified in 2018.

Vulnerability Management

Daily vulnerability scanning is performed on all Culture Amp production systems.

GDPR Compliance

We have been working with internationally recognized external privacy consultants in preparation for GDPR compliance.

External Security Audit

Culture Amp regularly undergoes penetration tests and code reviews by expert security consultants.

Organizational Security

Dedicated staff are responsible for risk management and information security. We also conduct background checks on all our employees.

Data Protection

Full-disk encryption is enabled on all systems that hold customer data, and backups are encrypted with the AES-256 symmetric encryption algorithm.

Application Security

Access to the Culture Amp platform is authenticated through the customer’s SAML-compliant federated identity provider, through Google sign-in integration, or with passwords, which are stored hashed with the bcrypt algorithm.

Network Security

Our production environment is fully segregated from the corporate, development, and test environments. We use next-generation web application firewall (WAF) and runtime application self-protection (RASP) technology to protect the Culture Amp platform.

Secure Development Practices

We follow secure development practices, including addressing the OWASP Top 10, and provide ongoing security training for employees.