A secure experience engineered for growth
Your data security and privacy are a top priority for BetterUp and we value the trust that you place in our platform offerings.
Security and Privacy are at the center of how we continue to enhance customer trust, and BetterUp invests heavily to protect the confidentiality, integrity, availability, security, and privacy of customer data. BetterUp continuously assesses and implements additional measures to help improve our security program and address the ever-changing threat landscape.
Best in Class Tone at the Top
BetterUp has an active Information Security Committee (ISC) in place. The Executive leadership and the BetterUp Board are provided with periodic updates on the overall security threats, hygiene, and maturity of the Information Security Program.
Best in Class Security Certification
BetterUp is SOC 2 Type II certified, and we continue our pursuit to improve and achieve robust industry accreditations/certifications.
Robust Shared Security Model
BetterUp uses AWS US regions in a multiple availability zone (Multi-AZ) model. The production environment is managed by Heroku, a Salesforce company. Heroku’s managed PaaS includes a Web Application Firewall (WAF) in a private space (aka micro-segment). AWS and Heroku have several security and privacy certifications, including SOC 2 Type II and ISO 27001.
Certifications, standards & regulations
Protecting your company and employee data is our top priority. We earn your trust every day by complying with international privacy, security, and confidentiality protocols, regulations, and requirements.
SOC 2 Type II
RISK MANAGEMENT: THE FOUNDATION OF BETTERUP’S SECURITY
Risk management serves as the foundation of BetterUp’s Information Security Program. BetterUp conducts industry-standard security risk assessments periodically to identify, analyze, monitor, and respond to risk.
Our multi-faceted approach also includes using multiple sources of input such as vulnerability assessments, penetration testing, and other forms of security review to capture the holistic state of our security posture.
Risk treatments are strategically planned and prioritized with key stakeholders to ensure alignment with security and business objectives. Cross-functional collaboration with the ISC is integral in the review and management of information security risk.
99.9% Uptime guaranteed
BetterUp’s Information Security Committee (ISC) is a governing body consisting of cross-functional management representatives at BetterUp. The ISC meets on a regular basis to advise, prioritize, and enable the Information Security Program.
Processes and policies are in place to ensure the security of our personnel throughout their BetterUp journey.
Keeping your data secure and private is a top priority at BetterUp. We follow global security and privacy principles in the design of our products that safeguard your data.
BetterUp uses secure coding standards and practices that support the principles of agile development.
Monitoring & Response
Monitoring mechanisms and response procedures are managed to enable awareness and resilience in the face of security threats.
Independent penetration testing and automated testing in our secure development practices are conducted to enable the identification and mitigation of vulnerabilities.
Explore our Frequently Asked Questions section for answers and details to some of our customers' common inquiries.
Multi-factor authentication (MFA) is required for BetterUp Coaches and employees to access BetterUp information systems and resources. Access is controlled through a central directory system, with access limited and granted based on the principle of least privilege.
The BetterUp platform delivers a user-friendly experience for members, Coaches, and program leaders through the implementation of role-based access features.
Secure Development Lifecycle (SDL)
This group is responsible for the coordination, communication, refinement, development of and adherence to security controls in our processes. In order to ship secure, high-quality products at pace, BetterUp leverages automated Security Testing to identify any potential vulnerabilities within source code, dependencies, and underlying infrastructure before releasing to our customers.
Security Monitoring & Response
Business continuity and disaster recovery plans and processes are maintained for responding to an emergency or adverse event that could damage Customer Data or production systems that contain Customer Data. Data restore testing exercises are completed semi-annually, employing methodologies based on best practices and various scenarios. Test results enable BetterUp to verify the integrity of backup data and gain assurance in achieving recovery point and time objectives (RPO/RTO).
A customer-facing redacted executive summary is made available to customers under mutual non-disclosure agreement.
- An authorized individual could upload and attach the data required.
- An authorized individual could manually send/forward this file to the assigned Deployment Manager or open a Helpdesk ticket.
- BetterUp can help set up a secure file transfer such as SFTP on a case-by-case basis.
- BetterUp supports custom integrations with HRIS systems such as Workday.
BetterUp is a multi-tenant system and does not support Bring-Your-Own-Key (BYOK) for customers. Advanced encryption is applied to various application infrastructure layers, and can include disk, application, and database encryption.
Cloud-Based (AWS) Media: When AWS determines that media has reached the end of its useful life, or it experiences a hardware fault, AWS follows the techniques detailed in Department of Defense (DoD) 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST SP 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. Please refer to the AWS website for more information: https://aws.amazon.com/compliance/data-center/controls/
BetterUp has automated off-boarding for our internal employees and contractors.
- An identity check
- A criminal record check
- Verification of education qualifications or other skills claimed
- A debarment check, where required
- Verification of entitlement to employment through the use of work permits or similar documents
- Previous employment reference check
- Verification of dates of employment claimed for the previous five (5) years
BetterUp has a mandatory security awareness and training program for all members of BetterUp’s workforce (including management), which includes:
- Training on how to implement and comply with its Information Security Program;
- Promoting a culture of security awareness through periodic communications from senior management with employees.