Great Place To Work® Institute, Inc. External Security Policy
1. General Business Information.
Website External Security Policy
At Great Place To Work we take security and privacy seriously. We have posted this external security policy to help you better understand our commitment to safeguarding the data that you provide to us as you interact with our products and services.
The information in this document specifically relates to the Great Place To Work technology platform accessed by customers to provide us with the information required for Great Place To Work Certification™ including the administration of the Trust Index™ and the collection of the Culture Brief, Culture Audit, and related materials (hereafter, the “Product”).
The Product is hosted in Microsoft Azure. Engineering and development access to the components that comprise the Product is restricted using methods such as SSO, two-factor authentication, network segmentation, IP restriction, etc., as appropriate and technically feasible. Access to servers and services inside the primary Product boundary is controlled using centralized accounts, two-factor authentication, and bastion hosts. We employ separation of duties between developers and operations staff to limit access to the Product environment to those with a legitimate business need. The Product is protected by a web application gateway and an outbound firewall with IdP. Data is encrypted in transit and at rest using encryption that meets the current NIST standard.
Access Provisioning and Review
We have a policy and process for creating new accounts, adding and removing permissions from existing accounts, and deprovisioning access upon separation. Required approvals are collected from supervisors and application / group owners to ensure that requests are reviewed for appropriateness by multiple leaders before permissions are granted. In addition, we conduct a quarterly two-phase access review that engages both supervisors and group owners. Great Place To Work employee permissions related to the Product that grant access to customer data are included in this access provisioning and review process. The Product provides customers with real-time information about the user accounts they have created and gives them the ability to change or revoke access at any time.
Our employee endpoints (laptops and mobile devices) are connected to endpoint management software. In order to sign on to any Great Place To Work SSO protected resource (including the Product), an employee must be using a device registered in our endpoint management software that meets our compliance policy. The compliance policy is designed to ensure that a device meets our standards for minimum operating system version, hard drive encryption, secure boot/anti-rooting, firewall enablement, anti-virus, etc. Users and administrators are notified when a device is out of compliance. Non-compliant devices are prohibited from accessing company resources when the compliance grace period expires.
Our employee endpoints (laptops and mobile devices) as well as servers in the Product environment are connected to vulnerability management software. We actively scan for vulnerabilities and have a vulnerability management policy and procedure designed to limit the number of known vulnerabilities and number of exposed devices, according to the severity of the vulnerability. We have periodic vulnerability management meetings to review current remediation status, plan future remediations, manage exceptions and accepted risk, and review aged vulnerabilities as time passes and the technical landscape evolves. On laptops and mobile devices, we automatically update critical software (operating systems, browsers, productivity software). Inside the Product environment, we periodically update minor versions of operating systems, databases, and other critical software through our change management process following validation in pre-production environments.
Backup and Disaster Recovery
The Product environment is periodically backed up. All persistent data is backed up with at least a 24-hour recovery point objective. Data that changes frequently is backed up more frequently (up to and including continuous backup). Backups are persisted to geo-redundant online storage at least every 24 hours to protect against the catastrophic failure of a given data center. The majority of our infrastructure is implemented using infrastructure as code. We have documentation and code allowing us to create a new Product environment from scratch in the event of a major disaster. We test our disaster recovery procedure annually.
Data Classification, Handling, and Labeling
We have a data classification, handling, and labeling policy. Data is classified according to its risk. Employees receive training on the policy and its practical implementation. We have a detailed list of all data artifacts related to or produced by the Product that explains their classification in detail.
As part of providing the Product to you, we engage the following sub-processors:
| Sub-processor | Website | Purpose |
| --- | --- | --- |
| Microsoft Azure | https://azure.microsoft.com/ | Provides the hosting environment and software development tools for the Product. |
| AWS | https://aws.amazon.com/ | Provides the hosting environment for the public Great Place To Work website: https://www.greatplacetowork.com |
| HTC Group | https://htecgroup.com/ | Provides software engineering and operational support services for the Product. |
| Palladio Strategy | https://www.palladio.ca/ | Used for development and operational support related to the public Great Place To Work website: https://www.greatplacetowork.com/ |
| Atlas Mongo | https://www.mongodb.com/atlas | Provides database storage services for the Product. |
| Twilio Sendgrid | https://sendgrid.com/ | Used to send operational emails related to the Product / process as well as to send Trust Index employee survey emails. Data processing is limited to email address / subject / body. |
| Atlassian | https://www.atlassian.com/ | Used for tracking work related to software development and operational product support. Data is typically limited to basic customer information but can include detailed information when a customer is requesting specific or complex support with a particular survey or engagement. |
| Zendesk | https://www.zendesk.com/ | Used for tracking and resolving customer support requests. Data is typically limited to basic customer information but can include detailed information when a customer is requesting specific or complex support with a particular survey or engagement. |
Please feel free to contact us at email@example.com if you have any questions.
Last Updated: 2022-01-26