Compliance certifications, standards, and regulations
SOC2 Type II
The SOC2 Type II report provides assurance to our customers and partners that Culture Amp uses secure systems and processes to safeguard their data.
ISO/IEC 27001:2022
Culture Amp is certified as compliant with ISO/IEC 27001:2022 which is globally recognized as the premier information security management system (ISMS) standard.
General Data Protection Regulation (GDPR)
Culture Amp is GDPR compliant, handling all personal data in compliance with the latest EU laws.
California Consumer Privacy Act (CCPA)
Culture Amp is compliant with the California Consumer Privacy Act (CCPA).
Brazilian General Data Protection Law (LGPD)
Culture Amp is compliant with the Brazilian General Data Protection Law (LGPD).
Security at Culture Amp
To earn and maintain the trust of the world’s most innovative and culture-focused companies, Culture Amp takes all reasonable precautions to protect the confidentiality, integrity, and availability of all systems and data entrusted to us by our customers and their employees.
Frequently asked questions
Where is data stored?
All production systems are hosted in Amazon’s AWS cloud platform. Data is stored in AWS US (Oregon) and backed up in AWS US (Virginia). For customers located in Europe, data is stored in AWS EU (Ireland) and backed up in AWS EU (Frankfurt) and for customers located in Australia, data is stored in AWS AP (Sydney) and backed up in AWS AP (Melbourne).
What private information do you require to provide to your service?
Culture Amp requests a full name and email address for basic functionality.
Customers often choose to include demographics within the platform such as job title, department, gender, and tenure.
Do you use third parties to deliver your product?
Yes, please see our list of sub-processors here.
We are committed to ensuring the security of our information, systems, and services
If you believe you have found a vulnerability, please share your findings with our security team. For the protection of our customers, we ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.