Security & Certification
Keeping your employees' information safe and secure at all times
Trust & Certificates
We understand that trust and safety are important to you and your employees. Our commitment to our clients, companions and employees is to keep them and their information safe at all times. We seek rigorous external verification of our commitment to the highest standards of information security, and hold the following certifications:
- ISO 27001 certification
- PCI DSS
- Regular Penetration Testing
- Comprehensive Information Security Due Diligence assessments conducted on us by leading financial, legal and insurance organisations
Personal data (PII)
We do not receive any personal data from any employer organisations. Employees provide their personal details directly to companiions (the Data Controller). Our service is delivered under a direct end-user agreement with the employee using the service, where companiions is the Data Controller, not the employee's organisation. Only the data required to deliver the service and to satisfy data protection requirements is collected from employees. Event and data usage analysis is performed on data sets that do not contain personal data.
Security and privacy at the heart of our design
We are a fully remote cloud-based organisation, using Amazon Web Services (AWS) and Google Workspace as the provider of our companiions app and office infrastructure. Both AWS and Google are best-in-class providers, with comprehensive security accreditations including ISO 27001, SOC 1, 2 & 3, FIPS 140-2 Validated and supporting HIPAA compliance. Where we use additional cloud tooling for analytics these are certified to ISO 27001 as a minimum.
In compliance with applicable data privacy and protection regulations, data originating in the UK and EEA is only processed within this geographic area. Our cloud infrastructure is highly resilient, ensuring that we are able to offer our service to you reliably and securely. Security and privacy have been fundamental design considerations right from the outset:
- All data is encrypted both in transit and at rest.
- All of our cloud infrastructure is geographically restricted so personal data is only stored and processed within the designated and appropriate geographic areas.
- Personal data is strictly access-controlled and is segregated from other operational data.
- We make use of SSO where possible, ensuring secure access to the platform and allowing access to be provisioned by your own IT department in a B2B setting.
Personal data is never shared outside of our staff. We only provide aggregated and anonymised data back to employers as part of performance tracking, and we do not outsource any part of delivering the service to any third parties.