
Security
Enterprise-grade security built into everything we do
Protecting your data with certified controls, global compliance, and proven operational safeguards.
Security you can rely on—without compromise
O.C. Tanner takes a rigorous, defence-in-depth approach to security, privacy, and confidentiality. Our technology, processes, and controls are designed to protect customer data at every layer so you can focus on building workplace culture with confidence.

Independent verification. Enterprise assurance.
- ISO/IEC 27001:2022 certification
- SOC 2 Type II Report
- SOC 3 Public-use Assurance Report
- PCI DSS compliance
- Alignment with NIST CSF and NIST SP 800-53A frameworks
Controls are validated through ongoing internal and third-party audits.

Why it matters
Security that earns trust at enterprise scale
Our security posture is validated through:
- Recurring third-party vulnerability testing
- Recurring penetration testing
- On-site audits by global financial services firms
Strong protections for your most sensitive data
Our data security policies, processes, and practices are designed with confidentiality, integrity, and availability at their core.
Key Safeguards Include:
- Secure multi-tenant SaaS architecture delivered via web and mobile
- Industry-leading firewall-protected DMZ infrastructure
- No sensitive data stored on web servers
- Continuous internal and external security audits
All systems and tools are selected, designed, and maintained with security-first principles.
Secure access, authentication, and encryption standards
O.C. Tanner employs modern security protocols to safeguard access and data transmission.
Key Safeguards Include:
- Single sign-on via OIDC, SAML 2.0, or federated login
- OAuth 2.0 authentication for REST APIs
- Client-configurable access rules
Encryption
- TLS 1.2 or higher encryption for data in transit
- 256-bit AES encryption for data at rest
- Hardware-based encryption where practical
Reliable, scalable, and resilient systems
Culture Cloud is designed for enterprise-scale performance and availability
- Horizontally and vertically scalable architecture
- Load-balanced deployments with no downtime during scaling
- Private cloud infrastructure for core recognition services
- Industry-standard cloud providers for front-end SaaS delivery
- Continuous system performance monitoring and maintenance
Robust data protection and security controls
Our Information Security leadership team certifies that O.C. Tanner’s systems and services meet applicable trust service criteria for privacy, security, and confidentiality.
- SOC 2 Type II security, privacy and confidentiality controls
- ISO/IEC 27001:2022 information security management system controls
- Clearly defined data access and handling policies
- Machine-readable data exports for individual data requests
Built for global regulatory compliance
O.C. Tanner follows all applicable regional, national, and international privacy and security regulations.
Compliance framework includes:
- Process for data access, disclosure, and deletion requests
- Support for regional, state, federal, and international privacy laws
- Continuous review and updates to security and privacy practices
- Cross-system identification of personal data
