Privacy & Security

We keep your information secure and provide the tools and insights to help you meet your privacy commitments with confidence.

Security & Privacy

Our Commitment to You

Maintaining the privacy and security of our customers’ continuous performance management program data is important to us. We are proud to exceed industry standards for Security, Confidentiality, Integrity, Availability, and Privacy principles.

Betterworks applies industry-recognized technical and organizational measures (TOMs) to protect our customers and their information. For more specific information concerning privacy safeguards, refer to our Data Protection Addendum (DPA). Please continue reading for an overview of our Information Security Management System (ISMS) program.

Compliance

Betterworks engages reputable third-party companies to conduct security reviews of our ISMS program on a regular basis. Our program maintains compliance with SOC 2 reporting and applicable Privacy Laws (GDPR, CPRA, other state laws). Additionally, Betterworks has active certifications for ISO 27001, the Data Privacy Framework (DPF), and the Texas Risk and Authorization Management Program (TX-RAMP). These attestations, executive summaries, and certifications can be shared externally under a mutual non-disclosure agreement (MNDA).

Compliance and Certifications

Data Privacy Framework (DPF) Overview

The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law.

EU-US DPF

Organizations participating in the EU-U.S. DPF may receive personal data from the European Union / European Economic Area in reliance on the EU-U.S. DPF effective July 10, 2023. July 10, 2023 is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF and the effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.

UK Extension to the EU-US DPF

Organizations participating in the UK Extension to the EU-U.S. DPF may receive personal data from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF effective October 12, 2023, which is the date of entry into force of the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF. The data bridge for the UK Extension to the EU-U.S. DPF enables the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law.

Swiss-US DPF

Organizations participating in the Swiss-U.S. DPF may receive personal data from Switzerland in reliance on the Swiss-U.S. DPF effective September 15, 2024, which is the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. While July 17, 2023 was the effective date of the Swiss-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles, personal data could not have been received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. The recognition of adequacy enables the transfer of Swiss personal data to participating organizations consistent with Swiss law.

Enforceability

The Data Privacy Framework (DPF) program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables eligible U.S.-based organizations to self-certify their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. To participate in the DPF program, a U.S.-based organization is required to self-certify to the ITA via the Department’s DPF program website and publicly commit to comply with the DPF Principles. While the decision by an eligible U.S.-based organization to self-certify its compliance pursuant to and participate in the relevant part(s) of the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation took effect on May 25, 2018. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros. The GDPR applies in all EU Member States, giving both businesses and citizens a single set of rules to work with. At the core of GDPR are seven key principles – laid out in Article 5 of the legislation – which guide how people’s data can be handled. They don’t act as hard rules, but instead as an overarching framework designed to lay out the broad purposes of GDPR. The principles are largely the same as those that existed under previous data protection laws.

GDPR’s seven principles are:

  • lawfulness, fairness, and transparency
  • purpose limitation
  • data minimization
  • accuracy
  • storage limitation
  • integrity and confidentiality (security)
  • accountability

The full GDPR rights for individuals are:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision making and profiling

International Organization for Standardization (ISO) 27001:2022

ISO 27001:2022 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Service Organization Control (SOC) 2 Type II

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality and privacy. It is an auditing procedure that ensures service providers securely manage data to protect the interests of the organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.

There are two types of SOC reports:

  • Type I describes a vendor’s systems and whether their design is suitable to meet relevant trust principles at a specific time.
  • Type II details the operational effectiveness of those systems over a given time period.

Texas Risk and Authorization Management Program (TX-RAMP)

The Texas Risk and Authorization Management Program (TX-RAMP) provides a standardized approach for security assessment, certification, and continuous monitoring of cloud computing services that process the data of Texas state agencies. TX-RAMP has two assessment and certification levels:

  • Level 1 for public/non-confidential information or low impact systems.
    • Level 1 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 1 Assessment Criteria, or by submitting evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization.
  • Level 2 for confidential/regulated data in moderate or high impact systems.
    • Level 2 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 2 Assessment Criteria, or by submitting evidence of StateRAMP Category 2 authorization or FedRAMP Moderate authorization.

Betterworks holds a Level 2 certification for TX-RAMP.

Information Security Controls

Access Management

Betterworks has established a process for provisioning and de-provisioning access to internal systems and applications. Accounts are provisioned according to the Principle of Least Privilege. Applications are enrolled in an SSO solution and configured with MFA. Users are automatically assigned permissions using pre-defined roles. When a user is off-boarded, they are automatically removed from all applications managed by the SSO solution.

Asset Management

Betterworks is committed to ensuring the security of its information, applications, information systems, and network resources by establishing and maintaining effective asset management measures. Such measures include:

  • Maintaining a comprehensive asset inventory that is updated and reviewed annually.
  • Protecting sensitive information from unauthorized access, ensuring that only individuals who have a legitimate need to access specific data or resources can do so.
  • Preventing unauthorized modification, alteration, or deletion of data, ensuring that data remains accurate, reliable, and trustworthy.
  • Ensuring that authorized users can access data and resources when needed.
  • Ensuring that assets are appropriately identified and tracked throughout the asset management lifecycle.
  • Ensuring that assets are appropriately classified based on their criticality and sensitivity to the Betterworks organization.
  • Ensuring that assets are assigned an owner with the responsibility for managing, protecting, and maintaining those assets.
  • Ensuring that assets are properly maintained and undergo repair and replacement when they malfunction or become obsolete.
  • Ensuring that assets are managed in accordance with contractual obligations, regulatory and legal requirements, and industry standards.
  • Ensuring that assets are returned or disposed of, according to secure disposal measures, when no longer required or when they become obsolete.

Business Continuity (BC) & Disaster Recovery (DR)

The Betterworks platform is a SaaS-based service shared by many customers. For this reason, the production environment must support high availability and redundancy. Betterworks hosts its production environment within AWS, which addresses both requirements. Recovery must be immediate; therefore, both the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) are less than one (1) hour. The production environment is configured for automated failover across multiple Availability Zones (AZs). Because the database is configured to be highly available, a full standby database exists in a separate AZ. A read-only replica has also been provisioned that can be promoted to primary in the event automatic failover is not successful. Additionally, full snapshots of the database are taken nightly and archived on a thirty (30) day rolling window. These backups can be used to create a new database should the need arise.

Change Management

Changes to information systems are controlled via defined and documented change management procedures. These procedures help to ensure changes to applications and systems do not negatively impact functionality or security. Changes are tracked in the ticket management system and are peer reviewed prior to deployment. Reviewers check for adherence to product specifications, consistency, and usability. Security review ensures that the changes do not introduce any additional risk or vulnerabilities.

Data Centers & Infrastructure

Betterworks hosts its infrastructure and applications in Amazon Web Services (AWS). In using this approach, we can provide assurance to our customers that the information they provide to us is adequately safeguarded, ensuring the confidentiality, integrity, and availability of the information. Data centers are located in the US (North Virginia) and EU (Ireland). EU data centers are used for customers who specifically require data to be stored in the EU.

Data Retention and Disposal

Betterworks retains data for as long as the contract is active. Data is deleted or anonymized within thirty (30) days of contract termination. We don’t want to retain customer data longer than is necessary to fulfill our obligations, and we adhere to the principles of data minimization and purpose limitation. Betterworks uses media sanitization methods from NIST SP 800-88, including pulverization, degaussing, and secure erase. In the case of AWS, “when a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.”

Data Storage & Processing

The Betterworks platform is hosted within AWS and offers a multi-tenant environment leveraging AWS RDS for database management. Customer data is segregated using referential integrity and unique identifiers for each customer. Data flows from the customer over secure communication channels (HTTPS or SSH) depending on the method selected (Web, SFTP, or API).

Encryption

At Rest: Betterworks implements full-disk encryption on endpoints using native OS capabilities such as BitLocker (Windows) and FileVault (Mac). Customer data is encrypted at rest using AES-256. Encryption keys are managed using AWS KMS. AWS KMS is designed so that no one, including AWS employees, can retrieve the plaintext keys from the service. The service uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to protect the confidentiality and integrity of the keys. The plaintext keys are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform the requested cryptographic operation. For more information, please visit: https://aws.amazon.com/kms/features/#Secure.

In Transit: Betterworks uses industry-recognized and approved methods for encryption. Data is encrypted in transit using TLS 1.2+ with security certificates leveraging asymmetric encryption and digital signatures. Betterworks also provides customers with an SFTP service for bulk data uploads.

General Data Protection Regulation (GDPR)

Betterworks has implemented a privacy program to comply with applicable privacy laws, including GDPR. The approved mechanisms for cross-border data transfer include the use of Standard Contractual Clauses (SCCs) as well as the Data Privacy Framework (DPF), where applicable, in conjunction with our DPA.

Operational Security

Betterworks has an established information security program managed by the Director of Information Security, with oversight provided by the ISMS Council. Betterworks information security policies are founded upon the principles and guidance of ISO 27001. Policies are circulated for “internal use” only and will not be shared externally. Policy reviews are assessed by external auditors to maintain compliance with SOC reporting and ISO certification.

Software Development Life-Cycle (SDLC)

The SDLC includes the consideration, inclusion, and documentation of information security requirements throughout the entire cycle. Information security requirements are derived from risk analysis and aligned with the baseline security controls defined by policy. Environments are segregated for development, testing, and production. Applications are tested and reviewed against these requirements. Additionally, production applications are scanned for vulnerabilities monthly and penetration tested annually.

Vulnerability Management

Betterworks systems and applications are reviewed for vulnerabilities based on industry standards and best practices. Methods of review include automated vulnerability scanning and penetration testing. Vulnerability scanning occurs on a monthly basis, with penetration testing occurring at least annually.

Vulnerability Disclosure

Betterworks does not participate in any bug bounty program, nor do we offer any compensation for disclosed vulnerabilities. As a matter of ethical reporting, you can share any concerns directly with security@betterworks.com and our team will work to verify them immediately.

We request that if you believe you have found a vulnerability, you disclose it to us first and allow us the opportunity to remediate the issue before disclosing it to the public or any other third party. Please let us know if you have any further questions or concerns. Thank you!