Security
Our Approach to Security
Culture Amp's core mission is centered around empowering organizations to create a better world of work through the power of data-driven insights. This is why trust is at the center of what we do and why security is our top priority. We're transparent with our security practices so you are informed and feel safe using our platform.
Just as culture is central to any organization's practices and success, culture is key to our approach to security. Culture Amp runs a security program, operates a set of controls to manage our security posture, and focuses on protecting our customers' data. We consider security across several domains, including securing our own workplace technologies and services, and ensuring our products are as secure as possible for our customers and users.
Our security philosophy
Our approach to security is built on three core themes:
- Creating a culture within our company culture where the security of data and services is everyone's responsibility
- Meeting (and aiming to exceed) customer expectations for data security in the cloud
- Being open and transparent about our security programs, controls, and monitoring, without putting your data or our platform at risk
All Campers (Culture Amp employees) are users of the Culture Amp platform. When it comes to innovation and R&D we are "Customer Zero": we are invested in securing our products not only because we are custodians of important customer data, but also because we hold our own people data in those same products.
Our security team & practice
We have an amazing security team, with a wide range of complementary skills and experience, who are customer focused and driven to deliver the best security capability possible. Our Security Team is led by our Melbourne-based Chief Security and Risk Officer, and the team is distributed across our Melbourne, Sydney, Perth, European, and North American offices, with some remote team members in other Asia-Pacific locations. We have multiple security focus areas, including:
- Security architecture – responsible for defining the security strategy with the Chief Security and Risk Officer and for defining the security requirements of our products and platform
- Application security – responsible for the security of our products and platform
- Corporate security – responsible for our internal security, the security of our ecosystem, and workplace technologies
- Cyber Defense – responsible for detecting and responding to security incidents and for operating our Security Intelligence capability
- Trust – responsible for tracking and responding to customer expectations, and providing transparency into our processes and practices
- Development and SRE – responsible for building and running tooling for the security team
- Security Governance – responsible for third-party security reviews, establishing security policies and standards, and conducting awareness and training to ensure our employees and partners know how to work securely
While our global security team is accountable for ensuring our security practices are effective, everyone at Culture Amp is part of our mission to achieve better security, and this is evidenced in our commitment to educating and training our Campers throughout their time with us. Security is a shared responsibility at Culture Amp. Our goal is to lead our peers in security culture, meet all customer requirements for data security, and exceed industry security standards and certifications. We are proud to publish details about how we protect customer data.
Continually improving security
We are intent on ensuring our security program remains aligned to expectations of industry and best practice. We continually evaluate our current approach to security and identify opportunities for improvement.
With support from independent security consulting companies, we regularly undertake assessments of our security capability and our program(s). We take the outputs from these processes, including key recommendations, and use them to address any gaps and opportunities for improvement and to define programs for areas of security such as Application Security and Security Intelligence.
Through a defined set of metrics and a security reporting dashboard we monitor and measure success of these programs and of our core security operations. Monthly metrics are reviewed by the Culture Amp Security Steering Committee and used to identify and target areas for improvement across the practice.
More information
More information regarding our security capability and practices is available on our Culture Amp Trust Center.
Securing our internal environment
The foundation of our approach to security is keeping our own internal environments secure.
Building security into our architecture
At Culture Amp, we have a modern, cloud-native architecture which has enabled us to build security into infrastructure and applications from the ground up rather than as an afterthought; security is an inherent part of the development and deployment process.
We have controls that are largely automated and embedded within our cloud environments. For example, all privileged access into our cloud platforms is granted through a Just in Time (JIT) approval and provisioning workflow that provides legitimate, time-boxed privileged access and deprovisions it automatically when the window ends. Our automated controls are implemented using DevOps tools and processes, allowing us to take advantage of cloud services and capabilities and to build in secure defaults.
Securing our endpoint devices
At Culture Amp we employ a comprehensive endpoint security approach that integrates several advanced technologies to protect our Campers regardless of their location. Our Endpoint Detection and Response (EDR) system continuously monitors and responds to potential threats and, with 24/7 managed proactive threat hunting, ensures swift detection and mitigation of endpoint security incidents. To safeguard internet usage, Culture Amp employs Secure Web Gateway capabilities to protect against malicious or unauthorised web content.
Continuous monitoring is fundamental to our endpoint security approach, providing real-time insights and alerts on endpoint activities with key indicators centralised in our SIEM for further investigation and correlation against other sources.
Ensuring secure access to our ecosystem
At Culture Amp, securing access to our environment is a top priority. We have adopted a zero trust security model which assumes that threats can originate both outside and within our network boundaries.
User accounts are provisioned and terminated automatically via our HR information system and in accordance with the principles of least privilege. Access to elevated privileges is controlled and provisioned via an automated Just in Time approval and provisioning process with oversight from the Security function.
The creation, storage, and use of access keys is tightly controlled and monitored with integrated detection and response processes in place to identify malicious use or compromised credentials.
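The JIT model described above (request, independent approval, a time-boxed grant, automatic deprovisioning) pairs naturally with a detection that asks "was there an active grant when this privileged action happened?". The following is an added illustration, not Culture Amp's code or tooling: a minimal ledger that enforces separation of duty and a cap on grant length, a sweeper that revokes expired grants, and a detection run over constructed audit events. The role names, the 4-hour cap and the event shape are assumptions made for the example.

```python
"""Added example, not Culture Amp's code: a minimal just-in-time (JIT)
privileged-access ledger with separation of duty, a hard cap on grant
length and automatic deprovisioning, plus a detection that flags
privileged actions with no active grant at the time they happened.
Field names, roles and the audit events are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

MAX_GRANT = timedelta(hours=4)   # assumed ceiling on any single elevation


@dataclass
class Grant:
    principal: str
    role: str
    requester: str
    approver: str
    start: datetime
    end: datetime
    revoked_at: Optional[datetime] = None

    def active_at(self, t: datetime) -> bool:
        if self.revoked_at is not None and t >= self.revoked_at:
            return False
        return self.start <= t < self.end


class JitLedger:
    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def approve(self, principal: str, role: str, requester: str, approver: str,
                now: datetime, duration: timedelta) -> Grant:
        # Separation of duty: nobody approves their own elevation.
        if approver == requester:
            raise PermissionError("self-approval is not allowed")
        # Time-boxing: the grant cannot outlive the cap.
        if not timedelta(0) < duration <= MAX_GRANT:
            raise ValueError(f"duration must be within (0, {MAX_GRANT}]")
        grant = Grant(principal, role, requester, approver, now, now + duration)
        self.grants.append(grant)
        return grant

    def sweep(self, now: datetime) -> List[Grant]:
        """Automatic deprovisioning: revoke grants whose window has closed."""
        expired = [g for g in self.grants if g.revoked_at is None and now >= g.end]
        for g in expired:
            g.revoked_at = now
        return expired

    def is_authorised(self, principal: str, role: str, at: datetime) -> bool:
        return any(g.principal == principal and g.role == role and g.active_at(at)
                   for g in self.grants)


def detect_out_of_window_use(ledger: JitLedger, events: List[Dict[str, str]],
                             privileged_roles: Set[str]) -> List[Dict[str, str]]:
    """Flag privileged actions that no active grant covered at event time."""
    findings = []
    for ev in events:
        if ev["role"] not in privileged_roles:
            continue
        when = datetime.fromisoformat(ev["time"])
        if not ledger.is_authorised(ev["principal"], ev["role"], when):
            findings.append(ev)
    return findings


def demo() -> dict:
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = JitLedger()
    ledger.approve("alice", "prod-admin", requester="alice", approver="bob",
                   now=t0, duration=timedelta(hours=2))       # valid 09:00-11:00 UTC
    try:
        ledger.approve("bob", "prod-admin", requester="bob", approver="bob",
                       now=t0, duration=timedelta(hours=1))
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    # Constructed audit events; the shape is illustrative, not a real log format.
    events = [
        {"time": "2025-01-10T10:00:00+00:00", "principal": "alice", "role": "prod-admin", "action": "rds:ModifyDBInstance"},
        {"time": "2025-01-10T12:30:00+00:00", "principal": "alice", "role": "prod-admin", "action": "iam:CreateAccessKey"},
        {"time": "2025-01-10T10:05:00+00:00", "principal": "carol", "role": "prod-admin", "action": "s3:GetObject"},
        {"time": "2025-01-10T10:06:00+00:00", "principal": "dave", "role": "viewer", "action": "s3:GetObject"},
    ]
    revoked = ledger.sweep(datetime(2025, 1, 10, 11, 30, tzinfo=timezone.utc))
    findings = detect_out_of_window_use(ledger, events, {"prod-admin"})
    return {"self_approval_blocked": self_approval_blocked,
            "revoked": [g.principal for g in revoked],
            "findings": [(f["principal"], f["action"]) for f in findings]}
```

Alice's 10:00 action falls inside her grant and passes; her 12:30 action and Carol's (who never had a grant) are flagged, while Dave's non-privileged role is ignored. Note that `active_at` is evaluated against the event time, so a grant that was later swept still covers actions taken while it was live; the sweep removes access going forward, it does not rewrite history.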
Security in our day-to-day operations
Integrating cybersecurity seamlessly into our daily operations is a key priority for the Culture Amp team. In a dynamic environment like Culture Amp's, we embed security measures early in the development lifecycle and automate the deployment and enforcement of key controls. We enforce robust requirements for the identification and classification of assets, services, and data, and automate the hardening of services so that they are consistent and comply with our security policies. This standardised configuration helps prevent misconfigurations that could lead to security breaches.
Culture Amp has established a common architecture for log shipping which allows for the rapid ingestion of relevant logs in our centralised Security Information and Event Management (SIEM) system. These security signals enable intelligence-driven detections, highlight potential indicators of compromise, and allow for continuous real-time monitoring and the rapid identification of anomalies and trends. This centralised logging and monitoring framework enhances our ability to respond to incidents promptly, ensuring the security and integrity of our operations and data.
Security operations
Monitoring security and responding to threats and incidents is a day-to-day activity.
Incident response
A security incident is an event which results in, or could result in, loss or damage to the confidentiality, availability, integrity, or privacy of Culture Amp data, systems or networks. We maintain a structured incident response framework which leverages industry frameworks, such as NIST SP 800-61, MITRE ATT&CK, and RE&CT, to ensure that security incidents are managed in a consistent, effective, and efficient manner. Culture Amp has defined playbooks for investigating and responding to security incidents, consisting of detailed response actions which document the necessary steps at each stage of the incident lifecycle. These playbooks and the incident response plan provide interfaces to key support processes including our Crisis Management Process and the notification processes for communicating with team members and customers.
Our team members operate Testing, Training, and Exercise (TTX) and Post Incident Review (PIR) programs which seek to ensure that responders are familiar with the processes, tooling, and practices involved in responding to a security incident and that opportunities to improve processes and documentation are proactively identified following a real or simulated event.
Security detection program
Culture Amp operates a security detections program that aims to ensure that we are able to effectively detect anomalous activity across the environment. The detections program is driven by an understanding of the external threat landscape and our internal threat models. We leverage commercial and open source threat intelligence sources to gain an understanding of the adversaries targeting our environment and the tactics and techniques they commonly use. We use this knowledge to prioritise the development of new use cases, detections, and response actions, and the lifecycle management of existing detections.
Detections roll up into our broader use case management framework, which allows for the consistent development and coordination of detections, playbooks and response actions, log sources and events, and automations; ensures that these are aligned to available threat intelligence, business context and risk; and allows for continuous improvement across the detection lifecycle.
Threat Hunting
At Culture Amp, our threat hunting practices are designed to proactively identify and mitigate potential security threats before they can impact our operations. We employ the TaHiTI framework as the foundation for our threat hunting methodology, leveraging its structured approach to ensure thorough and effective threat detection using available threat intelligence to form hypothesis-driven hunts.
Our approach combines managed threat hunting services from a security partner with internal threat hunting initiatives. This dual strategy allows us to benefit from the latest industry expertise and a broad range of intelligence sources while utilising our internal team's deep understanding of our unique environment.
To maintain a high level of preparedness, we operate a rigorous testing, training, and exercise program. This includes regular adversary emulation testing and drills, simulating real-world attack scenarios to identify potential attack paths for future threat hunting activities. These preparations are supported by frequent formal training in threat hunting process and methodologies, and involvement in security operations development opportunities such as Splunk’s Boss of the SOC and other capture the flag and simulated incident events.
Security testing
Culture Amp employs a combination of internal and external security testing to ensure that vulnerabilities in our environment and our platform are rapidly detected and remediated. External security testing is driven by multiple factors, including compliance testing, major platform changes and events, testing, training and exercising requirements, or verification of the efficacy of vulnerability remediation practices. Culture Amp leverages a panel of specialised security firms employing appropriately skilled and qualified individuals to assist with this testing, and rotates between panel members to reduce bias and skill gaps in our testing program.
External testing is supported by internal security testing practices embedded throughout the development lifecycle including threat modelling, security reviews, secure code reviews, and application security testing activities.
Culture Amp welcomes verified reports from external security researchers and is currently exploring a public bug bounty program to ensure that we can reward researchers for the time and effort they invest in contributing to our platform security posture.
Vulnerability management
Culture Amp operates a comprehensive vulnerability management program which serves as the framework for the systematic identification, assessment, prioritization, and mitigation of vulnerabilities within the environment. Our program encompasses a broad range of technologies, addressing vulnerabilities across end-user compute devices, containers, codebases, and open-source dependencies which can be identified from a variety of sources including tools, penetration tests, security and peer reviews, and vendor notifications.
For end-user compute devices and static workloads we employ continuous endpoint scanning tools to detect and notify remediation teams of potential vulnerabilities. Our container security strategy includes rigorous scanning and integration with our CI/CD pipelines to ensure that our containerized applications remain secure. In our software development lifecycle, we integrate static code analysis tools to identify and fix code vulnerabilities early in the development process before they are deployed to production.
We also closely monitor open-source and third-party dependencies, using specialized tools to continuously identify and manage vulnerabilities in these libraries. This proactive approach ensures that any vulnerabilities are promptly addressed, reducing the risk to our systems and our customers.
Security Advisories
Please see the latest updates here
Keeping data secure
Data centers
At Culture Amp, we leverage the robust infrastructure of AWS, complemented by key services on Google Cloud Platform (GCP). This multi-cloud strategy enables us to deliver high availability, scalability, and resilience for our applications and services, while also allowing us to select from a range of specialized services from each provider.
In both AWS and GCP environments, we prioritize the security of our data through comprehensive encryption practices. Data is encrypted both at rest and in transit using industry-standard encryption algorithms. This ensures that our sensitive information remains protected from unauthorized access at all times.
Our key management practices are designed to maintain stringent control over encryption keys. We use AWS Key Management Service (KMS) and Google Cloud Key Management Service (Cloud KMS) to generate, store, and manage encryption keys securely. These services provide automated key rotation, detailed auditing, and granular access controls, ensuring that only authorised personnel can manage and use these keys.
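Two of the properties named above, granular access control on a key and automatic rotation, are things a practitioner can check mechanically rather than trust. The block below is an added example, not Culture Amp's code or configuration: a small linter over an AWS KMS key policy document and the key's rotation status. The two policies, the account id and the role names are constructed for illustration; the `kms:*` action names and the `KeyRotationEnabled` field (as returned by the KMS `GetKeyRotationStatus` API) are real AWS identifiers.

```python
"""Added example, not Culture Amp's code: lint an AWS KMS key policy for
wildcard principals and for administrative actions held outside an approved
admin set, and check that automatic rotation is on. Policies and metadata
below are constructed; the KMS action names are real."""
import json
from typing import Any, Dict, List, Set

# Actions that let a principal change who can use the key, or destroy it.
ADMIN_ACTIONS: Set[str] = {"kms:*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
                           "kms:DisableKey", "kms:DisableKeyRotation"}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _principals(stmt: Dict[str, Any]) -> List[str]:
    """Flatten the Principal element; "*" and {"AWS": "*"} are both anonymous."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out: List[str] = []
    for vals in p.values():          # e.g. {"AWS": [...], "Service": "..."}
        out.extend(_as_list(vals))
    return out


def lint_key_policy(policy: Dict[str, Any], key_admins: Set[str]) -> List[str]:
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        princs = _principals(stmt)
        # 1. Anonymous principal with no Condition narrowing who "*" means.
        if "*" in princs and not stmt.get("Condition"):
            findings.append(f"{sid}: wildcard principal without Condition grants {sorted(actions)}")
        # 2. Administrative actions held by a principal outside the admin set.
        admin_held = actions & ADMIN_ACTIONS
        for p in princs:
            if p != "*" and p not in key_admins and admin_held:
                findings.append(f"{sid}: {p} holds admin actions {sorted(admin_held)}")
    return findings


def lint_key(metadata: Dict[str, Any], policy: Dict[str, Any], key_admins: Set[str]) -> List[str]:
    findings = lint_key_policy(policy, key_admins)
    # KeyRotationEnabled is the field returned by GetKeyRotationStatus.
    if not metadata.get("KeyRotationEnabled", False):
        findings.append("automatic key rotation is disabled")
    return findings


ACCOUNT = "111122223333"                      # constructed account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
KEY_ADMINS = {ROOT, f"arn:aws:iam::{ACCOUNT}:role/kms-admin"}

WEAK_POLICY = json.loads(f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Sid": "RootAdmin", "Effect": "Allow", "Principal": {{"AWS": "{ROOT}"}},
     "Action": "kms:*", "Resource": "*"}},
    {{"Sid": "AppUse", "Effect": "Allow", "Principal": {{"AWS": "arn:aws:iam::{ACCOUNT}:role/app"}},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {{"StringEquals": {{"kms:ViaService": "s3.ap-southeast-2.amazonaws.com"}}}}}},
    {{"Sid": "AnyoneDecrypt", "Effect": "Allow", "Principal": "*",
     "Action": "kms:Decrypt", "Resource": "*"}},
    {{"Sid": "DeployCanDelete", "Effect": "Allow", "Principal": {{"AWS": "arn:aws:iam::{ACCOUNT}:role/deploy"}},
     "Action": ["kms:Encrypt", "kms:ScheduleKeyDeletion"], "Resource": "*"}}
  ]
}}""")

HARDENED_POLICY = json.loads(f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Sid": "RootAdmin", "Effect": "Allow", "Principal": {{"AWS": "{ROOT}"}},
     "Action": "kms:*", "Resource": "*"}},
    {{"Sid": "KeyAdmins", "Effect": "Allow", "Principal": {{"AWS": "arn:aws:iam::{ACCOUNT}:role/kms-admin"}},
     "Action": ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey"], "Resource": "*"}},
    {{"Sid": "AppUse", "Effect": "Allow", "Principal": {{"AWS": "arn:aws:iam::{ACCOUNT}:role/app"}},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {{"StringEquals": {{"kms:ViaService": "s3.ap-southeast-2.amazonaws.com"}}}}}},
    {{"Sid": "DeployEncryptOnly", "Effect": "Allow", "Principal": {{"AWS": "arn:aws:iam::{ACCOUNT}:role/deploy"}},
     "Action": "kms:Encrypt", "Resource": "*"}}
  ]
}}""")


def lint_weak() -> List[str]:
    return lint_key({"KeyRotationEnabled": False}, WEAK_POLICY, KEY_ADMINS)


def lint_hardened() -> List[str]:
    return lint_key({"KeyRotationEnabled": True}, HARDENED_POLICY, KEY_ADMINS)
```

The weak policy produces three findings (anonymous decrypt, a deploy role that can schedule key deletion, rotation off); the hardened one produces none. The account-root statement is deliberately not flagged because root is in the admin set; removing it is a separate decision, since a KMS key whose policy grants nothing to the account can become unmanageable.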
Sharing the responsibility for managing customer data
The Culture Amp platform is designed to empower administrators to self-manage access to data and features through the delegation of roles to users in their tenancy. Customer administrators have the ability to assign common roles which control access to view or export specific data sets directly through the Culture Amp administration interface.
In most instances, customers are able to control the data ingested into the Culture Amp platform via the integration with their HRIS provider. Customers are responsible for only sending the data needed for the integration and to drive the functionality and insights they require.
Our platform seamlessly integrates with a wide variety of customer identity providers, enabling Single Sign-On (SSO) for enhanced security, and user convenience. This integration ensures a streamlined authentication process, reduces the need for multiple logins, allows customer identity and access management teams to centrally control authentication, and enhances the overall user experience.
Controlling access to customer data
Safeguarding customer data is a critical part of our commitment. We utilise a multi-faceted approach, including privacy enhancing techniques like tokenisation, masking and encryption, as well as the principle of “least privilege” to ensure users and services can only access the data necessary to perform their functions.
Our platform enforces fine grained permissions that restrict access to data based on the authenticated user’s context. This is further enhanced by auditing and logging, recording what data was accessed by whom and when.
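To make the two preceding paragraphs concrete (administrator-assigned roles that control view or export of specific data sets, permissions evaluated against the authenticated user's context, and an audit trail of who accessed what and when), here is an added example that is not Culture Amp's code or data model: a deny-by-default authoriser that checks the tenancy boundary first, then the user's roles, then a department scope derived from the user's own position. Role names, data set names, departments and users are all constructed.

```python
"""Added example, not Culture Amp's code: a deny-by-default authoriser for
tenancy-scoped, role-based access to data sets, with a department scope tied
to the requesting user's own context and an audit record per decision.
Roles, data sets and users are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class Role:
    actions: Set[str]                 # permitted actions, e.g. {"view", "export"}
    datasets: Set[str]                # data sets the role covers
    own_department_only: bool = False  # limit to the user's own department subtree


@dataclass(frozen=True)
class User:
    id: str
    tenant: str
    department: str                   # hierarchical path such as "eng/platform"
    roles: Set[str]


@dataclass(frozen=True)
class Resource:
    tenant: str
    dataset: str
    department: str


def _within(child: str, parent: str) -> bool:
    """True if child is parent or lies beneath it ("eng/platform/sre" under "eng/platform")."""
    return child == parent or child.startswith(parent + "/")


class Authoriser:
    def __init__(self, roles_by_tenant: Dict[str, Dict[str, Role]]):
        self.roles_by_tenant = roles_by_tenant
        self.audit: List[dict] = []

    def decide(self, user: User, action: str, res: Resource, now: datetime) -> bool:
        allowed, reason = False, "no role grants this action on this data set"
        if user.tenant != res.tenant:
            reason = "cross-tenant request"          # tenancy boundary is checked first
        else:
            for name in sorted(user.roles):
                role = self.roles_by_tenant.get(user.tenant, {}).get(name)
                if role is None:
                    continue                         # unknown or deleted role
                if action not in role.actions or res.dataset not in role.datasets:
                    continue
                if role.own_department_only and not _within(res.department, user.department):
                    reason = f"{name}: {res.department} is outside {user.department}"
                    continue
                allowed, reason = True, f"granted by role {name}"
                break
        # Every decision, allowed or not, is recorded: who, what, which data, when.
        self.audit.append({"time": now.isoformat(), "user": user.id, "tenant": user.tenant,
                           "action": action, "dataset": res.dataset,
                           "department": res.department, "allowed": allowed, "reason": reason})
        return allowed


def demo() -> dict:
    roles = {
        "acme": {"admin": Role({"view", "export"}, {"engagement", "performance"}),
                 "manager": Role({"view"}, {"engagement"}, own_department_only=True)},
        "globex": {"admin": Role({"view", "export"}, {"engagement"})},
    }
    alice = User("alice", "acme", "people", {"admin"})
    mira = User("mira", "acme", "eng/platform", {"manager"})
    oscar = User("oscar", "globex", "exec", {"admin"})
    now = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
    authz = Authoriser(roles)
    cases = [
        (mira, "view", Resource("acme", "engagement", "eng/platform")),       # own team
        (mira, "view", Resource("acme", "engagement", "eng/platform/sre")),   # sub-team
        (mira, "export", Resource("acme", "engagement", "eng/platform")),     # manager cannot export
        (mira, "view", Resource("acme", "engagement", "sales")),              # outside her subtree
        (oscar, "view", Resource("acme", "engagement", "exec")),              # admin, wrong tenancy
        (alice, "export", Resource("acme", "performance", "sales")),          # tenancy-wide admin
    ]
    decisions = [authz.decide(u, a, r, now) for u, a, r in cases]
    return {"decisions": decisions, "audit": authz.audit}
```

Oscar is denied even though he holds a role literally named `admin`: his role lives in the `globex` tenancy and is never consulted for an `acme` resource. The prefix check appends `"/"` so that `eng/platform-old` is not mistaken for a child of `eng/platform`.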
All data is encrypted by default with robust key life cycle management in place. Data sharing is facilitated via secure interfaces.
Retention and deletion of data
Our privacy policy provides information on retention and deletion of data. If you want to review, correct (if necessary) or delete the information that we have collected and hold about you, please contact our Privacy Officer at privacy@cultureamp.com.
Culture Amp prioritises the protection of customer data by implementing a robust backup strategy. We ensure that all critical data is regularly backed up to secure locations. These backups are designed to safeguard against data loss, providing a reliable means of data recovery in the event of an incident. Customer data is retained in our backups for 90 days, offering an appropriate window for restoration if needed. After this period, data automatically rolls over, ensuring that our backup storage remains efficient and up to date and removing the need for manual data deletion from our backup sets.
Securing our people
Security awareness training
Security awareness is not a one-time event but an ongoing process, and the Culture Amp security training programs are designed to foster a proactive security mindset and ensure that security principles are integrated into the daily activities and decision-making of all of our Campers. From 2025, we offer a hybrid delivery approach to ensure that cybersecurity awareness training is proportional and relevant to all Campers. This approach also suits different learning styles and schedules.
Training is provided via multiple delivery methods including online and in-person refresher sessions, Slack posts, videos, competitions, events, and Security team appearances at existing regular forums. Content is developed in-house and tailored for some cohorts of Campers to suit their different roles. Content is also continuously improved through feedback and to reflect changes in the Culture Amp context and the threat environment. Annual refreshers are targeted to Campers in the quarter of their Camperversary. Where applicable, formal certification-based security training is also offered to Campers.
Background checks
Culture Amp takes the security of our customers' data seriously and uses background checks and vetting to minimise the risks associated with data breaches, fraud, and other internal security threats. Culture Amp uses a specialist, accredited external provider to facilitate these checks across all international regions. All employees undergo a criminal history and sanctions check, and further role-dependent checks including validation of education and certification history, credit checks, or professional license/credential validation. Vetting is performed prior to an employee's start date, at fixed intervals in their employment, and when promoted to senior leadership roles.