
A secure experience engineered for growth

Your data security and privacy are a top priority for BetterUp and we value the trust that you place in our platform offerings.

Enterprise-Grade security

Security and Privacy are at the center of how we continue to enhance customer trust, and BetterUp invests heavily to protect the confidentiality, integrity, availability, security, and privacy of customer data. BetterUp continuously assesses and implements additional measures to help improve our security program and address the ever-changing threat landscape.

  • Best in Class Tone at the Top

    BetterUp has an active Information Security Committee (ISC) in place. Executive leadership and the BetterUp Board are provided with periodic updates on overall security threats, hygiene, and the maturity of the Information Security Program.

  • Best in Class Security Certification

    BetterUp is SOC 2 Type II certified, and we continue to pursue further industry accreditations/certifications.

  • Robust Shared Security Model

    BetterUp uses AWS US regions in a multiple availability zone (Multi-AZ) model. The production environment is managed by Heroku, a Salesforce company. Heroku's managed PaaS includes a Web Application Firewall (WAF) in a Private Space (aka micro-segment). AWS and Heroku hold several security and privacy certifications, including SOC 2 Type II and ISO 27001.

Certifications, standards & regulations

Protecting your company and employee data is our top priority. We earn your trust every day by complying with international privacy, security, and confidentiality protocols, regulations, and requirements.

  • SOC 2 Type II

  • GDPR

  • CCPA

  • Risk Intelligent Program

    The risk-driven Information Security Program includes administrative, technical, and physical safeguards to align with applicable requirements, standards, and best practices.

  • Suite of Security Safeguards

    BetterUp maintains a comprehensive suite of information security policies that is regularly reviewed, updated, and approved on a predefined schedule.

  • Dedicated Team

    BetterUp has a dedicated Information Security team to ensure BetterUp products and customer data are protected.

RISK MANAGEMENT: THE FOUNDATION OF BETTERUP’S SECURITY

Risk management serves as the foundation of BetterUp’s Information Security Program. BetterUp conducts industry-standard security risk assessments periodically to identify, analyze, monitor, and respond to risk.

Our multi-faceted approach also includes using multiple sources of input such as vulnerability assessments, penetration testing, and other forms of security review to capture the holistic state of our security posture.

Risk treatments are strategically planned and prioritized with key stakeholders to ensure alignment with security and business objectives. Cross-functional collaboration with the ISC is integral in the review and management of information security risk.

Program governance

BetterUp’s Information Security Committee (ISC) is a governing body consisting of cross-functional management representatives at BetterUp. The ISC meets on a regular basis to advise, prioritize, and enable the Information Security Program.

People Security

Personnel Security Management
BetterUp maintains established policies and procedures designed to standardize employee onboarding and offboarding through automated processes built on identity and access management (IAM) solutions. Background checks are performed on new employees, contingent workers, and coaches in accordance with BetterUp’s hiring procedures prior to onboarding. Confidentiality agreements and acceptable use terms are in place for each party according to their classification.
Security Awareness Training
To promote a culture in which members of BetterUp’s workforce safeguard data and information securely, BetterUp maintains a comprehensive Security Awareness Training program covering general and role-based security training.
Policy Communication & Enforcement
People security policies are communicated internally and available for reference in a centralized location. Known violations of policies follow an established disciplinary and enforcement process.

Data Security

Encryption
BetterUp data is encrypted in transit and at rest using industry-standard ciphers and methods, including AES-256 for stored data and TLS for data in transit. Encryption keys are stored securely with limited access. Encryption is applied at multiple layers of the application infrastructure, which can include disk, application, and database encryption. Sharing of encryption keys is prohibited, and key management procedures are reviewed yearly.
Product Access Controls
BetterUp provides a number of mechanisms to help customers keep their data secure and control access, including a series of controls based on the principle of least privilege. Customers can configure two-factor authentication, and we encourage all customers to integrate with their federated identity provider through SAML. BetterUp’s platform is fully responsive across desktop, laptop, and mobile devices. It supports industry-standard SAML 2.0 for Single Sign-On (SSO) and user authentication. Security event and audit logs are collected and continuously monitored to detect and respond to anomalous behavior.

Multi-factor authentication (MFA) is required for BetterUp Coaches and employees to access BetterUp information systems and resources. Access is controlled through a central directory system, with access limited and granted based on the principle of least privilege.

The BetterUp platform delivers a user-friendly experience for members, Coaches, and program leaders through the implementation of role-based access features.
Network Controls
The BetterUp platform is built on isolated, private networks using security groups and firewalls within virtual private clouds (VPCs). All inbound and internal traffic is restricted to specific ports on a limited group of machines. Traffic rates, sources, and types are actively monitored at various points in the network beyond the ingress points and firewalls. BetterUp logically isolates customer data using application container technology and unique identifiers, which ensures that access to customer data is limited to that customer alone.
Data Retention & Disposal
Customer data will be deleted upon written request. Data is retained as needed to satisfy data classification and/or external requirements. Processes are in place for the secure disposal of tangible property containing Customer Data; they take into account available technology so that Customer Data cannot practicably be read or reconstructed.

Secure Development Lifecycle (SDL)

Agile Development
BetterUp has a dedicated cross-functional team to drive the Secure Development Lifecycle (SDL) that supports the principles of agile development.

This group is responsible for the coordination, communication, refinement, development of and adherence to security controls in our processes. In order to ship secure, high-quality products at pace, BetterUp leverages automated Security Testing to identify any potential vulnerabilities within source code, dependencies, and underlying infrastructure before releasing to our customers.
Static Application Security Testing (SAST)
BetterUp analyzes the application source code to determine bugs, technical debt, and security vulnerabilities. A strict scoring criterion is adhered to by the Engineering teams to ensure not only the security of code in our products but quality as well. Any code not meeting these criteria is not shipped until resolved.
Dependency and 3rd Party Library Scanning
BetterUp analyzes project dependencies to determine vulnerabilities. Strict scoring criteria prevent the shipment of vulnerable dependencies in a product until it is resolved by Engineering teams.
Dynamic Application Security Testing (DAST)
BetterUp runs automated web application scans against the platform on a frequent basis. This allows for bugs, common exploits, security vulnerabilities, and issues to be discovered early on in the development process. By automating this approach, BetterUp is able to improve the quality and security of our platform for our customers.
Container Security
BetterUp performs a vulnerability assessment on all container images to detect any vulnerable software running on a given container. Strict scoring criteria prevent the shipment of a vulnerable container until it is resolved by Engineering teams. A passing score is required for deployment.
Code Standards and Role-Based Access Control
In alignment with industry best practices, BetterUp has developed a baseline of source code control standards to provide proper hygiene around code repositories supporting our platform. These standards are developed across the company and automation has been deployed to enforce them. Standards automatically being enforced include but are not limited to: role-based access control, least privilege, code & repository ownership, segregation of duties, branch protections, and secrets management.

Security Monitoring & Response

Logging & Monitoring
BetterUp’s security logs are collected, aggregated, and correlated using a centralized security information and event management (SIEM) solution. Industry-standard log protection mechanisms are in place to ensure the integrity of the logs generated. BetterUp engages a managed security service provider (MSSP) for monitoring and response services.
Incident Response
BetterUp has security incident response procedures in place to be followed in the event of any security breach. These procedures include areas that cover roles and responsibilities, investigation, communication, event logging, and remediative actions to be taken.
Contingency Planning
Availability of data is protected through the data replication and backup services provided by AWS and Heroku. Data backups are captured periodically according to a defined schedule and are stored across multiple availability zones. BetterUp uses automation to centrally deploy backup policies that configure, manage, and govern backup activity across BetterUp’s AWS resources.

Business continuity and disaster recovery plans and processes are maintained for responding to an emergency or adverse event that could damage Customer Data or production systems that contain Customer Data. Data restore testing exercises are completed semi-annually employing methodologies based on best practices and various scenarios. Test results enable BetterUp to verify the integrity of backup data and assurance in achieving recovery point and time objectives (RPO/RTO).

Penetration Testing

Penetration Testing
BetterUp leverages third parties for independent penetration tests of our applications, services and businesses as a whole. These have resulted in continuous updates to our products and processes for improving security and reliability. These assessments are part of ongoing compliance and security requirements to keep BetterUp as a trusted provider of services.

A customer-facing redacted executive summary is made available to customers under mutual non-disclosure agreement.

FAQs

INITIAL ONBOARDING & DATA LOAD
Q: How do you perform the initial onboarding of members?
BetterUp is an invite-only platform: an invitation link is sent to specific individuals who are added manually. Such a member can then access the BetterUp Platform and upload a CSV file to invite the remaining participants.
Q: What data is needed?
BetterUp needs members to provide first name, last name, and email address for accessing the platform. The members who choose to use our Mobile app will be required to provide their mobile numbers. Many of our customers also provide us information such as title, department, and location. This is only a representative sample and not a comprehensive list.
Q: How is data loaded into BetterUp?
BetterUp supports the following options for data upload:
  1. An authorized individual can upload and attach the required data.
  2. An authorized individual can manually send/forward the file to the assigned Deployment Manager or open a Helpdesk ticket.
  3. BetterUp can help set up a secure file transfer such as SFTP on a case-by-case basis.
  4. BetterUp supports custom integrations with HRIS systems such as Workday.
DATA PROTECTION
Q: How is customer data-at-rest and data-in-transit protected?
BetterUp data is encrypted in transit and storage using industry-standard ciphers and methods. This includes the use of AES-256 and TLS encryption ciphers. Encryption keys are stored securely with limited access using Key Management Services (KMS) that is fully managed by AWS.

BetterUp is a multi-tenant system and does not support Bring-Your-Own-Key (BYOK) for customers. Advanced encryption is applied to various application infrastructure layers, and can include disk, application, and database encryption.
Q: Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?
BetterUp has a Data Deletion and Media Sanitization Policy, with supporting Standards and Guidelines, in place. The existence of these policies and the related controls has been validated by an independent auditor as part of the SOC 2 Type II report. Upon a customer’s written request for data erasure, BetterUp shall remove the customer’s data from all BetterUp storage media, including the cloud provider’s storage services, within thirty (30) days of the request. Unless otherwise instructed or required by applicable law, BetterUp will retain the data for seven (7) years. Upon request, BetterUp will provide the customer with a log or copy of the data that was deleted.

Cloud-Based (AWS) Media: When AWS determines that media has reached the end of its useful life, or it experiences a hardware fault, AWS follows the techniques detailed in Department of Defense (DoD) 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST SP 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. Please refer to the AWS website for more information: https://aws.amazon.com/compliance/data-center/controls/
Q: What are your data sharing and retention policies and practices?
The BetterUp platform uses third-party vendors and services such as AWS, Heroku, and TokBox. Please refer to the SOC 2 Type II report section III C and H for more information. Unless otherwise instructed or pursuant to applicable law, BetterUp will retain the data for seven (7) years.
Q: Where is the Customer Data Hosted?
Customer data is hosted in the United States.
Q: How is the Customer Data separated/segmented?
BetterUp is a multi-tenant platform and the customer data is logically segregated using Application Code, Role Based Access Control and various other technologies. BetterUp's Production environment is hosted in Heroku's Private Space (aka micro-segment).
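The "Network Controls" section and the answer above both describe logical tenant segregation enforced in application code and RBAC rather than by separate databases. The following is an added example (not BetterUp's code) showing what that enforcement looks like at the query layer and the bug it guards against: a lookup keyed on the record id alone lets an authenticated user of one tenant read another tenant's row, while the hardened version takes the tenant id from the server-side session and puts it in every WHERE clause. The schema, the rows and the role names are constructed for the demo.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo schema and rows (hypothetical; not BetterUp's data model).
SCHEMA = """
CREATE TABLE orgs    (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE members (id INTEGER PRIMARY KEY,
                      org_id INTEGER NOT NULL REFERENCES orgs(id),
                      email  TEXT NOT NULL);
"""
SEED_ORGS = [(1, "Acme"), (2, "Globex")]
SEED_MEMBERS = [(10, 1, "ann@acme.example"),
                (11, 1, "bob@acme.example"),
                (20, 2, "cat@globex.example")]


def open_demo_db() -> sqlite3.Connection:
    """In-memory multi-tenant table: two orgs share one database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO orgs VALUES (?, ?)", SEED_ORGS)
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", SEED_MEMBERS)
    return db


@dataclass(frozen=True)
class Session:
    """What the server knows after authentication. org_id is the tenant the
    caller signed in to; it is never taken from request parameters."""
    user_id: int
    org_id: int
    role: str  # "member" or "program_leader" (hypothetical role names)


def can(session: Session, *allowed_roles: str) -> bool:
    """Application-level RBAC check: is the caller's role in the allowed set?"""
    return session.role in allowed_roles


class AccessDenied(Exception):
    pass


def require(session: Session, *allowed_roles: str) -> None:
    if not can(session, *allowed_roles):
        raise AccessDenied(f"role {session.role!r} may not perform this action")


# VULNERABLE: the record is selected by id alone, so an authenticated user of
# tenant 1 who guesses or enumerates an id can read tenant 2's row (an IDOR).
def get_member_insecure(db: sqlite3.Connection, member_id: int) -> Optional[Tuple]:
    return db.execute(
        "SELECT id, org_id, email FROM members WHERE id = ?", (member_id,)
    ).fetchone()


# HARDENED: the tenant id from the session is part of every WHERE clause.
# A row belonging to another tenant is simply "not found", which also avoids
# confirming that the id exists.
def get_member(db: sqlite3.Connection, session: Session, member_id: int) -> Optional[Tuple]:
    require(session, "member", "program_leader")
    return db.execute(
        "SELECT id, org_id, email FROM members WHERE id = ? AND org_id = ?",
        (member_id, session.org_id),
    ).fetchone()


def list_member_emails(db: sqlite3.Connection, session: Session) -> list:
    """Program leaders see the roster of their own tenant only."""
    require(session, "program_leader")
    rows = db.execute(
        "SELECT email FROM members WHERE org_id = ? ORDER BY id", (session.org_id,)
    )
    return [email for (email,) in rows]


if __name__ == "__main__":
    db = open_demo_db()
    acme_user = Session(user_id=10, org_id=1, role="member")
    print("insecure lookup of another tenant's row:", get_member_insecure(db, 20))
    print("scoped lookup of the same row:          ", get_member(db, acme_user, 20))
```

The check that matters is that `org_id` comes from `Session`, which the server populated at login, and is bound into the query by the data-access layer rather than passed through from the client; an access review of the code base can then grep for queries on tenant-owned tables that lack the `org_id` predicate.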
ACCESS CONTROLS
Q: Is integration with Identity Providers (IdP) such as Active Directory, Azure, or Okta supported?
Yes. BetterUp has several customers that use ADFS, Azure, or Okta for Single Sign-On (SSO) integration.
Q: How are the passwords encrypted at rest?
BetterUp supports standard SAML 2.0 integration for authentication, in which case BetterUp holds no password. For customers that do not use SAML, passwords are not stored or encrypted; they are hashed with a slow, salted password-hashing algorithm such as bcrypt, which cannot be reversed to recover the password.
Q: Do you provide user administration roles/permissions to customers?
No. BetterUp supports the RBAC model and the fine-grained permissions are built within the application. Customers are required to submit a ticket to request any role changes.
Q: Describe your termination and access removal process.
Customers can submit an account termination request by e-mailing the BetterUp support team at support@betterup.co

BetterUp has automated off-boarding for our internal employees and contractors.
Q: Which of your employees have access to customer data and why?
BetterUp uses the principles of least privilege to limit the access on a need-to-know basis. The access to customer data is limited to a specific group of individuals based on job responsibilities such as the Customer Care Agents, Deployment Managers, and Production Support Engineers. The BetterUp platform leverages Role-Based Access Control (RBAC) model and the fine-grained permissions are built within the application to enable the RBAC model.
Q: Do you periodically perform member access reviews?
BetterUp performs a quarterly review of access to the BetterUp platforms and managed resources to help ensure that employee access is appropriate. Any issues identified as a result of the review are communicated and resolved.
Q: Do you use multi-factor authentication (MFA)?
Yes. BetterUp follows NIST SP 800-63B guidelines to authenticate employees and Coaches who have direct access to BetterUp-owned and -managed resources. Employees and Coaches are required to use Multi-Factor Authentication (MFA) for key application and privileged access.
SECURITY LOGGING & MONITORING
Q: Do you have a Security Information and Event Management (SIEM) solution?
Yes. BetterUp has a next-generation SIEM solution in place.
Q: Do you have a Data Leak Prevention (DLP) solution?
Yes. BetterUp has a next-generation DLP solution.
Q: What auditing process is used to log and review the actions performed by your employees?
BetterUp collects access and audit logs of access to critical information systems. BetterUp reviews this access on a quarterly basis.
Q: Do you provide security logs to customers?
No. BetterUp is a multi-tenant system and logs are not made available to any customer.
PEOPLE SECURITY
Q: Do you perform background checks for all your employees and Coaches?
Yes. BetterUp has contracted an external agency to perform background checks for all its employees. This vendor and its reports are managed by the Human Resources function, and the check includes the following:
  1. An identity check
  2. A criminal record check
  3. Verification of education qualifications or other skills claimed
  4. A debarment check, where required
  5. Verification of entitlement to employment through the use of work permits or similar documents
  6. Previous employment reference check
  7. Verification of dates of employment claimed for the previous five (5) years
Third parties are required to perform background checks for their employees as part of the service contracts.
Q: Do you require employees and Coaches to sign-off/acknowledge any acceptable use policy?
Yes. BetterUp requires all employees, Coaches, and internal contractors to acknowledge an Acceptable Use Policy (AUP).
Q: Have disciplinary actions been defined and communicated for organization policies?
Yes. The violations, enforcement and potential disciplinary actions are defined in all Information Security Policies, including the AUP. These policies are easily accessible to all employees on the internal Confluence page.
Q: How are information security responsibilities communicated to employees who work with customer data? How frequently?
BetterUp Information Security policies, standards, and guidelines are published on a Confluence page that is accessible to all employees. All employees, Coaches, and internal contractors with logical access to BetterUp systems are required to acknowledge an Acceptable Use Policy (AUP) when hired and annually thereafter.

BetterUp has a mandatory security awareness and training program for all members of BetterUp’s workforce (including management), which includes:
  1. Training on how to implement and comply with its Information Security Program;
  2. Promoting a culture of security awareness through periodic communications from senior management with employees.
Additionally, all BetterUp employees are required to annually complete Privacy, Sexual Harassment, and Ethics awareness trainings.
VULNERABILITY MANAGEMENT
Q: Do you perform external assessments, and at what frequency?
Q: How do you know if there are new vulnerabilities in your network, servers, and applications?
BetterUp is hosted in the AWS US East and West regions. The production environment is hosted in a Private Space (micro-segment) managed by Heroku, a Salesforce company. Heroku is responsible for the gateway (firewall, VPC, etc.) and the infrastructure (OS, AMI, DB instances, etc.). BetterUp uses AWS and Heroku services for backup. AWS and Heroku have SOC 2 and ISO 27001 certifications in place. BetterUp has contracted an independent third party to perform annual application penetration tests and static code analysis against the OWASP Top Ten. An executive summary report with the status of vulnerabilities rated Medium and above can be shared with customers on written request under an NDA.
SECURITY INCIDENT RESPONSE
Q: Can you provide notification for all known and/or suspected security incidents?
No. BetterUp is a multi-tenant system and the impacted customers will be notified for confirmed security breaches.
Q: Do you provide 24x7x365 support for security incident response?
No. BetterUp does not provide a separate SLA for security incident response. Please refer to the customer support SLAs for more information.
BUSINESS CONTINUITY MANAGEMENT
Q: How frequently is data backed up?
BetterUp performs daily, weekly, and monthly backup as needed.
Q: Do you provide your Recovery Point/Time Objectives (RPO/RTO)?
Customers can monitor our platform on demand at https://status.betterup.co/ and look up our historical uptime at the same link. BetterUp contracted a reputable independent third party to perform our Business Impact Analysis (BIA) and help establish recovery point and recovery time objectives (RPO/RTO). The existence of this information has also been attested by our independent third-party auditors in the SOC 2 Type II report.
MOBILE APP SECURITY
Q: Are passwords/credentials stored on mobile devices?
No. BetterUp does not store credentials. BetterUp uses a refresh token to keep the session active.
Q: Is the ability to download the BetterUp mobile app restricted?
No. Any member with access to the Apple store and/or Google Play store will be able to download the BetterUp mobile app.
ENDPOINT SECURITY
Q: Are the user laptops encrypted?
Yes. BetterUp owned and managed laptops are encrypted.
Q: Do users have local admin privileges?
Yes. BetterUp employees, Coaches, and internal contractors are required to acknowledge an Acceptable Use Policy (AUP).
Q: What Malware Protection do you use?
BetterUp uses Falcon as its next-generation AV solution.
Q: Are USB ports enabled?
Yes. The ability to perform bulk download of the customer data from the front-end is disabled.
Q: Is secure deletion/disposal of data performed?
Yes. BetterUp-owned and -managed devices such as laptops are securely wiped using a seven (7) pass overwrite or equivalent.
ENCRYPTION KEY MANAGEMENT
Q: Do you support “Bring your own key” (BYOK)?
No. BetterUp is a multi-tenant system and BYOK is currently not supported.
Q: How frequently are the encryption keys rotated?
BetterUp uses AWS’s fully managed Key Management Service (KMS).
THIRD-PARTY RISK MANAGEMENT
Q: Do you monitor your Supplier and Vendor Security posture and breaches?
Yes. The BetterUp Platform uses third-party vendors and services such as AWS, Heroku, and TokBox. Please refer to the SOC 2 Type II report, section III C and H, for more information. BetterUp uses third-party services to continuously monitor the security posture of our key vendors.
SERVICE LEVEL AGREEMENTS (SLAs)
Q: Do you provide support SLAs?
Yes. We provide Service Level Agreements in our contracts/agreements.
Q: Do you provide 24/7/365 support?
BetterUp’s Customer Care team is equipped to empathetically address most concerns and questions, and can triage or escalate issues as needed. This team is available 24x7x365.