Data security

Our data security policies, processes, and practices are airtight—with all systems and solutions crafted and selected with security and privacy in mind. We use internal and external audits to validate the security of our controls, processes, practices, policies, and tools of our multi-tenant SaaS mode (delivered via web and mobile applications). And to protect our customer data, industry-leading software and hardware-based DMZ infrastructure with firewalls are used on both internet-facing and internal systems-facing infrastructure. No sensitive information is stored on web servers, ever.  

Verified enterprise-level protections

We routinely undergo third party quarterly vulnerability and annual penetration testing, as well as numerous on-site audits by some of the world’s largest defense contractors and global financial services organizations and have been deemed to be compliant with their standards as well as other industry regulations. Culture Cloud follows NIST CSF and NIST SP-800-53A guidelines, which we use to do a cross-mapping to the ISO controls though reciprocity. Controls are validated through our SOC 2, Type II reports and are in compliance with PCI DSS v3.2.

System uptime and delivery of data

The system can be scaled horizontally (by adding servers or app instances) with no downtime—typically done behind a load balancer. We can do the same to scale vertically onto more powerful hardware and have already optimized our processing power based on historical peak loads. For the services directly related to our Employee Recognition solutions, we operate from a private cloud with system performance monitoring and ongoing maintenance. The front-end systems that support our SaaS solution leverage industry standard cloud providers.

Secure access and safeguards

O.C. Tanner allows for single sign-on using SAML 2.0 or federated login, configurable based on client needs. If the client uses federated SSO, our rules will adhere to your rules. This allows access to O.C. Tanner’s system from a company’s tech stack without an additional login. Our rest APIs are JSON Format for data parameters and Auth2 is used for authentication. Our SaaS operates as a three-tiered web environment, with firewalls in front of the web servers and between the web servers and application servers. IDS/IPS monitors traffic at all internet borders. All customer facing web applications must use TLSv1.2 or higher encryption for all pages where sensitive information may be displayed or entered. All production data and backup data is encrypted at rest using 256-bit AES. Where practical, encryption is hardware based. These data transmission and encryption standards apply to systems hosted in O.C. Tanner’s data centers, as well as by contracted cloud providers.

Data privacy and controls

Our corporate governance program monitors international regulatory requirements that are relevant to our business functions. O.C. Tanner is cognitive of the evolving landscape of data security and privacy laws, proving to be adaptable to related legislation and best practices. A third-party validates and certifies all of our policies, practices, and tools. We are SOC 2, Type II certified.

Global compliance

We follow all applicable laws and industry regulations. O.C. Tanner has an established framework to track and respond to individual rights of disclosure and deletion provided to individuals under applicable regional, state, federal, and international privacy regulations. We identify data that relates to individuals across diverse systems and platforms and provide such data in a machine-readable format. We have considered the application of these privacy regulation requirements within our information technology systems that handle personal information. Our security procedures and practices are continuously reviewed and updated to be appropriate to the nature of the protected information.