Data Protection
Compliance certifications

Secure Software Development
All Culture Amp employees share the responsibility for the security and privacy of our customers' data. The security practice provides an expert advisory service that shares relevant and actionable intelligence and education. Unlike conventional security silos, our practice partners across teams to facilitate security awareness and to improve the world of work.
Culture Amp ensures secure development of software by enabling our engineers through education and training, while maintaining technical controls via gates through the CI/CD pipeline.
Culture Amp engineers are trained on the OWASP Top Ten, and have access to continued training and IDE-integrated assistance in detecting insecure coding patterns as development occurs.
To further consolidate this approach, Culture Amp enforces peer reviews and automated code scanning to detect vulnerabilities before code is integrated into our codebase.
Culture Amp incorporates threat modelling and risk storming into major changes to identify potential threats and mitigate vulnerabilities at the earliest stages of the development lifecycle.
In addition, we conduct secure code reviews. This involves a thorough examination of the codebase by experienced developers who are well-versed in security practices and industry standards. These reviews are crucial for identifying and addressing vulnerabilities, and ensuring that our code adheres to our security standards. Beyond secure code reviews, we conduct peer reviews for all code changes. These peer reviews have established guidelines for security components and foster a collaborative environment where multiple perspectives are considered, enhancing both the quality and security of the platform.
Data Protection
Our Transfer Impact White Paper describes Culture Amp’s data transfer and applicability to legal frameworks. It is available at our Security Trust Centre, www.security.cultureamp.com.
A list of our subprocessors is provided in the White Paper and is also available at https://www.cultureamp.com/sub-processors
Privacy
Our Privacy Policy explains how Culture Amp collects and handles your personal information, and applies to all of our Services. It is available at https://www.cultureamp.com/privacy-policy
Security Advisories
Our Security Advisories provide official notifications about vulnerabilities, threats or incidents. They are also released via our Security Trust Centre, www.security.cultureamp.com.