Security, privacy, & confidentiality

O.C. Tanner is the first and only recognition provider offering a SOC 3 report.


Our best-in-class approach to technology security means you can rest easy and focus on building your workplace culture.

Data security

Our data security policies, processes, and practices are airtight—all systems and solutions are crafted and selected with security and privacy in mind. We use internal and external audits to validate the security of the controls, processes, practices, policies, and tools behind our multi-tenant SaaS model (delivered via web and mobile applications). To protect customer data, industry-leading software- and hardware-based DMZ infrastructure with firewalls is used on both internet-facing and internal system-facing infrastructure. No sensitive information is stored on web servers, ever.

Verified enterprise-level protections

We routinely undergo third-party vulnerability testing quarterly and penetration testing annually, as well as numerous on-site audits by some of the world’s largest defense contractors and global financial services organizations, and have been deemed compliant with their standards as well as other industry regulations. Culture Cloud follows the NIST CSF and NIST SP 800-53A guidelines, which we cross-walk to the ISO controls through reciprocity. Controls are validated through our SOC 2, Type III reports and are in compliance with PCI DSS v3.2.

System uptime and delivery of data

The system can be scaled horizontally (by adding servers or app instances) with no downtime—typically done behind a load balancer. We can do the same to scale vertically onto more powerful hardware and have already optimized our processing power based on historical peak loads. For the services directly related to our Employee Recognition solutions, we operate from a private cloud with system performance monitoring and ongoing maintenance. The front-end systems that support our SaaS solution leverage industry standard cloud providers.

Secure access and safeguards

O.C. Tanner allows single sign-on using SAML 2.0 or federated login, configurable based on client needs. If the client uses federated SSO, our access rules will adhere to the client’s rules. This allows access to O.C. Tanner’s system from a company’s tech stack without an additional login. Our REST APIs use JSON for data parameters, and OAuth2 is used for authentication. Our SaaS operates as a three-tiered web environment, with firewalls in front of the web servers and between the web servers and application servers. IDS/IPS monitors traffic at all internet borders. All customer-facing web applications must use TLSv1.2 or higher encryption for all pages where sensitive information may be displayed or entered. All production data and backup data are encrypted at rest using 256-bit AES. Where practical, encryption is hardware based. These data transmission and encryption standards apply to systems hosted in O.C. Tanner’s data centers as well as to those hosted by contracted cloud providers.

Data privacy and controls

Our Information Security leadership team can attest with assurance that O.C. Tanner’s service commitments and system requirements were achieved, based on the applicable trust services criteria for privacy, security, and confidentiality, in all material respects of our product operations. We offer a SOC 2 Type III report to any interested parties.

Global compliance

We follow all applicable laws and industry regulations. O.C. Tanner has an established framework to track and respond to the rights of disclosure and deletion granted to individuals under applicable regional, state, federal, and international privacy regulations. We identify data that relates to individuals across diverse systems and platforms and provide such data in a machine-readable format. We have considered the application of these privacy regulation requirements within our information technology systems that handle personal information. Our security procedures and practices are continuously reviewed and updated to remain appropriate to the nature of the protected information.
