Risk & resilience
Our Approach to Governance & Risk Management
Effective decision-making structures and risk management help us manage the events that impact our mission, because they require us to consider how our actions affect the customer experience, our reputation, security, finances, regulators and the expectations of our investors.
Culture Amp has a mature approach to governance and risk management, with multiple layers of review for policy and risk management. This consists of the following:

Culture Amp supports the following groups through the Risk Management Framework, which sets out our process and delegation levels for risk decision making, including mitigation, acceptance or transfer. Culture Amp records and monitors both strategic and operational risks, which are consistently revisited on a periodic basis or when new information comes to light. Risks are managed and reduced in line with Culture Amp’s accepted risk appetite and tolerance, which is set by the governance groups. All campers are expected to manage and report risks throughout the organisation.
Supplier risk management
Culture Amp evaluates the security posture of our suppliers prior to moving forward. Should a supplier's security posture not be at an acceptable level, Culture Amp will not move forward with the supplier and will seek alternatives.
Should a supplier pass our assessment, an architecture review of the solution may take place (depending on the supplier and how they will be used). We revisit this review to understand whether any additional risks have arisen.
Culture Amp requires its suppliers to comply with minimum security requirements as part of their engagement with us. These are enforced via inclusion in our supplier contracts. These requirements may include the following security fundamentals:
- SSO
- Encryption for data in transit and at rest using non-deprecated algorithms
- Having sufficient logging mechanisms in place to provide Culture Amp with relevant information regarding potential security incidents
Policy & Compliance
Culture Amp maintains policies that set out the instructions and expected behaviours of campers in their respective roles. These policies are kept up to date, align with key standards (such as ISO) and help us meet our compliance obligations.
A key document in our policy framework is the Privacy Policy. The Privacy Policy explains how Culture Amp collects and handles your personal information, and applies to all of our Services.
Culture Amp takes a practical approach to compliance, focusing on complying with standards which make a real difference to security. Here are a few of the key standards that we comply with:
ISO 27001
The basis of ISO 27001 is the development and implementation of an Information Security Management System (ISMS), and then implementing and managing a suite of controls covered under ‘ISO 27001: Annex A’ through that ISMS.
View our ISO 27001 certificate on the Customer Trust Centre
SOC2
SOC 2 helps our customers and their auditors understand the controls established to support operations and compliance at Culture Amp. Culture Amp has achieved SOC 2 certification.
View our SOC 2 certification report on the Customer Trust Centre
CSA
The CSA Security, Trust, Assurance, and Risk (STAR) program is the largest cloud assurance program in the world that constitutes an ecosystem of the best practices, standards, technology, and auditing partners.
We are a CSA STAR Level 1 member.
At Level 1, organizations evaluate and document the security controls that apply to their organization using the Consensus Assessment Initiative Questionnaire (CAIQ), a framework that helps organizations assess the security capabilities of cloud service providers with a standardized set of questions. Completed CAIQs are submitted to the STAR Registry. This information then becomes publicly available, providing customer visibility into specific provider security practices.
See our listing and our Consensus Assessments Initiative Questionnaire v4.0.3 at this link.
GDPR
We appreciate that our customers have requirements under the General Data Protection Regulation (GDPR) that are directly impacted by the use of Culture Amp’s platform. Culture Amp has a dedicated Data Privacy Officer (DPO) and has invested significant resources toward ensuring our customers meet their requirements under the GDPR.
To ensure ongoing compliance with the GDPR, Culture Amp undergoes a rigorous annual review process. This review specifically focuses on the organisation's adherence to Article 5 of the GDPR, which sets out the fundamental principles for lawful processing of personal data. Through this annual review, Culture Amp identifies any areas requiring improvement and demonstrates its commitment to responsible data processing practices. This focus on the Article 5 principles helps Culture Amp maintain a strong data protection posture and safeguard the privacy of the customer data it handles.
Business continuity, disaster recovery management and crisis management
We test and update our BCP/DR processes annually and backups are tested daily. Our standards and processes are compliant with all applicable laws and regulations. Our redacted policies can be viewed at our Security Trust Centre.
Internal and external audit
The Internal Audit (IA) function at Culture Amp plays a critical role in helping to ensure organisational efficiency and integrity. Our IA function manages and facilitates the annual compliance audits that verify adherence to standards and requirements.
Additionally, IA undertakes audits across a range of business areas in line with the annual internal audit plan. This plan is developed from business function risk assessments, which help identify which audits should be undertaken. These audits evaluate how business process controls are designed and how they are operating. Throughout these audits, we provide insights into operational weaknesses and make recommendations to help remediate issues. Overall, the internal audit function not only helps to safeguard against compliance issues but also drives continuous improvement in business operations.