
Great Place to Work® Institute, Inc. (GPTW)

External Security Policy

This Policy is intended to communicate externally to Companies the Security Policy used by GPTW, as well as by the Network Affiliates and Partners of GPTW, and is incorporated by reference into their respective Agreements.

1. General Business Information

GPTW provides products and services assessing workplace culture, performance, certification, and accreditation to assist companies and organizations in evaluating and improving their workplaces. GPTW was incorporated in the State of California on June 30, 1998 and is a privately-held company. It is headquartered in Oakland CA at 1999 Harrison Street, Suite 2070.

The FEIN for GPTW is 91-1917672 and its DUNS number is 05 1812683. There have been no material claims or judgments against GPTW in the last 5 years, and GPTW has never suffered a data loss or security breach. To the best of our knowledge, our Cloud provider Microsoft Azure has never suffered a data loss or security breach within the last 3 years.

2. Policy to Safeguard Company Data

Data security is of paramount importance to GPTW. GPTW has robust policies in place to manage and secure Company data.

Risk Management

GPTW has a documented Risk Management Policy. Risk assessments are performed quarterly. The company has formally documented information security, data privacy, and confidentiality policies, standards and procedures that are approved by senior management, communicated to staff, reviewed at least annually, and published appropriately so as to be available for reference and application.

Human Resource Security

GPTW’s Human Resources department takes several steps to help protect Company data. GPTW performs background verification checks on all candidates for employment, and our employees must sign the terms and conditions of employment. Furthermore, GPTW conducts mandatory semi-annual privacy and security awareness training for all staff. GPTW will notify Company if a GPTW employee who had access to Company data has been terminated or has changed roles within GPTW in a way that warrants an “Appropriateness of access review.”

Data Collection

GPTW only collects data needed for its intended purposes like Great Workplace Certification, Best Workplaces Lists, Advisory and High Trust Culture Consulting engagements, Accelerated Leadership Performance, etc.

Data Access

Access to Company data is only granted to those with a legitimate need. Company data is only accessed by GPTW employees who are authorized based on job role. Survey access is controlled so that survey respondents cannot see another’s responses. Data is partitioned and separated so that Company users cannot see another company’s data.

Access Control

GPTW has a documented Access Control Policy which includes a formal user registration and de-registration process to enable assignment of access rights, unique IDs for all users, a periodic review of access rights with owners of the information systems or services, restrictions and control of privileged access rights by management, an authorization process to allocate and control privileged access rights, monthly review of privileged access, a formal Password Policy, a policy that forces users to change their password at first log-on, password requirements (such as minimum length, complexity, periodicity to change, and password history), and passwords encrypted both in storage and in transit. GPTW will notify Company within 72 hours of GPTW becoming aware of any confirmed or suspected leak of Company data. Enforcement mechanisms are applied to GPTW employees who violate privacy policies or confidentiality requirements.

Computer and Network Hardware

On premises servers are in a locked, climate-controlled server room with access limited to authorized personnel. Company data is encrypted in transit and in storage using commercially available dual-key AES 256-bit encryption software.

Laptops, workstations, and servers are configured so that they will not auto-run content from USB tokens (i.e., thumb drives), USB hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media. These devices are disabled if they are not required for business use. Systems with active removable media devices are configured so that they conduct an automated anti-malware scan of removable media when it is inserted.

All email attachments entering GPTW's email gateway are scanned, and email is blocked if it contains malicious code or file types commonly known to be associated with malicious software. This scanning is done before the email is placed in the user's inbox and includes filtering of the email content as well as embedded links within the email content. Access to external email systems, instant messaging services, and other social media tools is blocked.

GPTW has never experienced a security incident (such as a data breach, loss of customer data, or network intrusion). A holistic disaster recovery plan has been documented and implemented. Disaster recovery plans address the recovery of all relevant aspects of the business function/service, including applications, databases, utilities, and network infrastructure. The plans give appropriate consideration to dependencies on physical security and roles and responsibilities of personnel. Business continuity plans are tested at least annually and results are documented.

A security awareness program is in place that focuses on the methods commonly used in intrusions that can be blocked through individual action. The training is updated at least annually and is mandated for completion by all employees at least annually. Security awareness of personnel is improved through periodic training and tests. Training results are documented and maintained.

Hard disks or storage memory of all laptops are encrypted. GPTW supports e-mail encryption (SMTP/TLS, or a similar mechanism). GPTW has established a multi-tier data classification scheme (e.g., a four-tier scheme with data classified into categories based on the impact of exposure of the data). A process is established and followed to revoke user access upon termination of employment or contractual relationship. Data validation vulnerabilities (e.g., cross site scripting, cross site flashing, SQL/LDAP/XML/SMTP/code injection, OS commanding, buffer overflow, HTTP splitting, etc.) are mitigated through user data input validation controls. In addition to an inventory of hardware, there is an inventory of information assets that identifies the related hardware assets (e.g., servers) where the asset is located.

Network access control (e.g., via 802.1x or a similar mechanism) is deployed to restrict devices that can be connected to the network. Network access control monitors authorized systems so that if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access. Separate virtual local area networks (VLANs) are created for BYOD systems or other untrusted devices. Client certificates are utilized to validate and authenticate systems prior to connecting to the network.

Application whitelisting technology is deployed that allows systems to run software only if it is included on the whitelist, and prevents execution of all other software on the system. A list of authorized software has been developed for each type of system, including servers, workstations, and laptops. Authorized software is monitored by file integrity monitoring tools to validate that the software has not been modified. Regular scanning is performed for unauthorized software and alerts are generated when it is discovered on a system. Critical vulnerabilities are patched in an expeditious manner consistent with an established patch management process. Administrative privileges are limited to users who have both the knowledge necessary and a business need to perform administrative activities.

An automated configuration monitoring system is implemented to measure and monitor secure configuration elements through remote testing. The system uses features compliant with Security Content Automation Protocol (SCAP) to gather configuration vulnerability information. System-specific configuration management tools are deployed (such as Active Directory Group Policy for Microsoft Windows environments) that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

Automated tools are deployed to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection. This protection includes appropriate use of anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events are sent to enterprise anti-malware administration tools and event log servers. Endpoint security solutions also include zero-day protection (such as network behavioral heuristics) where appropriate. Antivirus scanning is applied at GPTW's web proxy gateway. Network-based anti-malware tools are utilized to analyze all inbound traffic and filter out malicious content before it arrives at endpoint devices. Proxy technology is applied to all communication between internal networks and the Internet.

Web applications are protected by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. These attacks include cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls are deployed if such tools are available for the given application type. If the network traffic is encrypted, the device either sits behind the encryption or is capable of decrypting the traffic prior to analysis. A host-based web application firewall is deployed if neither of these options is appropriate. In-house-developed and third-party-procured web applications are tested for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. Testing includes behavior under denial of service or resource exhaustion attacks.

Each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Network vulnerability scanning tools are used to detect and deactivate unauthorized wireless access points connected to the wired network. Wireless intrusion detection systems (WIDS) are used to identify rogue wireless devices and detect attack attempts and successful compromises. All wireless traffic is also monitored by the WIDS as it passes into the wired network. For devices that do not have an essential wireless business purpose, wireless access is disabled in the hardware configuration (basic input/output system or extensible firmware interface) and includes password protections to reduce the possibility that an unauthorized user will override such configurations. All wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection. Wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS). Peer-to-peer wireless network capabilities on wireless clients are disabled, unless such functionality is required to fulfill a documented business need. Wireless peripheral access of devices (e.g., Bluetooth) is disabled, unless such access is required to fulfill a documented business need. Wireless access points are placed behind a firewall so that all traffic can be examined and appropriately filtered. All mobile devices, including personally-owned devices, are registered prior to connecting to a wireless network that is logically separate from the enterprise network. All registered devices must be scanned and follow corporate policies for host hardening and configuration management. All wireless clients used to access private networks or handle GPTW data are configured in such a way that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by GPTW.

Data on backup media is tested on a regular basis by performing a data restoration process to ensure that the backup procedure is working properly. Key personnel are trained on both backup and restoration processes. Alternate personnel are also trained in case primary personnel are not available. Backups are properly protected via physical security or encryption when they are stored, as well as when they are transmitted across the network. This includes network-based backups and use of cloud-based services. End-of-life backup media is securely erased/destroyed.

Network devices (e.g., firewalls, routers, switches, etc.) are built using standard secure configurations defined for each type of network device in use in GPTW. The standard secure configurations are documented, approved, and regularly reviewed. Any deviations from the standard configuration or updates to the standard configuration are documented and approved by authorized personnel. At network interconnection points (e.g., Internet gateways, third party network connections, internal network segments with different security controls, etc.), ingress and egress filtering are implemented to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols are blocked. Any exceptions are documented, approved, time-bound, and regularly reviewed. Network devices are managed using two-factor authentication and encrypted sessions. Host-based firewalls are applied on endpoint systems and include a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. Automated port scans are performed on a regular basis and compared to a known effective baseline. If a change that is not listed on the approved baseline is discovered, an alert is generated and reviewed. Unless required to be visible to the Internet or an untrusted network for business purposes, all systems are placed on an internal VLAN and given a private address. Network services required for business use on the internal network are reviewed on a regular basis to reconfirm the business need. Services that are enabled for projects or limited engagements are disabled when they are no longer required and properly documented. Critical services (e.g., DNS, DHCP) operate on separate physical or logical host machines. Application firewalls are placed in front of critical servers to monitor and validate the traffic to and from the server. Unauthorized traffic is blocked and an alert is generated.

Administrative accounts on devices are routinely inventoried, and such access is reviewed to ensure that it has been approved by authorized personnel. Default passwords (including those for applications, databases, operating systems, routers, firewalls, wireless access points, and other infrastructure) are changed prior to deployment. Administrative accounts are used only for system administration activities, and not for general business activities such as reading email, composing documents, or Internet access. Passwords cannot be reused for a defined period of time, consistent with GPTW's password policy. Systems log any changes related to access control (e.g., adding or removing user accounts or privileges associated with a user). All system accounts are periodically reviewed. Any account that cannot be associated with a business process and owner is disabled. All user accounts have an expiration date associated with the account. All users are automatically logged off after a standard period of inactivity. User accounts are locked out for a defined period of time following a defined number of unsuccessful logon attempts. On a periodic basis (such as quarterly or at least annually), managers perform an access review of the access privileges assigned to their employees. Managers attest that access remains required for business purposes, and privileges no longer required are promptly removed. Attempts to access deactivated accounts are monitored through audit logging. Multi-factor authentication is used for all administrative access. Direct administrative interactive access to systems (either remotely or locally) is blocked. Instead, administrators access systems initially using a non-administrative account.

Communications are blocked to known malicious IP addresses (i.e., blacklists). Monitoring systems are configured on DMZ networks (e.g., via IDS sensors or as a separate technology) to record packet header information at a minimum (and full packet headers and payloads of the traffic destined for or passing through the network border). This traffic is sent to a configured Security Information and Event Management (SIEM) system so that events can be correlated across devices on the network. Sender Policy Framework (SPF) is implemented by deploying SPF records in DNS and enabling receiver-side verification in mail servers to prevent email spam by detecting email spoofing. Network-based IDS sensors are deployed on Internet and extranet DMZ systems and networks that monitor for unusual activity and detect compromise of these systems. Network-based IPS devices are deployed to complement intrusion detection systems by blocking known bad signatures. Network perimeters are designed and implemented so that all outgoing traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy supports logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses (i.e., blacklist); and applying whitelists of allowed sites.

All remote access (including VPN, dial-up, and other forms of access that allow login to internal systems) is required to use multi-factor authentication. All devices remotely logging into the internal network are managed by the enterprise, which includes remote control of the device configuration, installed software, and patch levels. Periodically, scans are conducted for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms. An internal network segmentation scheme has been implemented to limit traffic to only those services needed for business use across GPTW's internal network.

Synchronized time sources are used (e.g., Network Time Protocol (NTP)) from which all servers and network equipment retrieve authoritative time information on a regular basis to ensure that timestamps in logs are consistent. Security personnel or system administrators review identified anomalies in logs and escalate matters requiring additional analysis or review. Network boundary devices (including firewalls, network-based IPS, and inbound and outbound proxies) are configured to verbosely log all traffic (both allowed and blocked) arriving at the device. For all servers, logs are written to write-only devices or to dedicated logging servers running on separate machines from the hosts generating the event logs, reducing the chance that an attacker can manipulate logs stored locally on compromised machines. Host-based data loss prevention (DLP) is used to enforce access control lists (ACLs) even when data is copied off a device. Access to unauthorized file transfer, online storage, and email websites is blocked. GPTW has established and follows procedures for secure data destruction.

GPTW has established a written incident response plan that includes definition of roles and responsibilities for incident management. The plan also defines procedures for incident management. Senior management is appropriately represented (with input and decision-making authority) in the incident management process. The incident response plan includes procedures for the analysis of events and the criteria for determining if the event should be escalated to an incident. Procedures include roles and responsibilities for personnel and requirements for internal (e.g., Compliance, Communications, Legal, Executive Team) and external (e.g., Law Enforcement, Customer) notifications. GPTW publicly maintains contact information on its website that enables third party members of the public to report an information security incident. Procedures have been developed and disseminated to GPTW personnel related to the mechanisms for identifying and reporting an information security incident. This information is included as part of routine security awareness training. Periodic tabletop incident scenario sessions are conducted with personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.

The network is designed using appropriate network segmentation. Any system accessible from the Internet is within a DMZ, and DMZ systems never contain sensitive data. Any system with sensitive data resides on the private network and is never directly accessible from the Internet. DMZ systems communicate with private network systems through firewalls and proxy servers, as deemed appropriate. The enterprise network is segmented into multiple, separate trust zones to provide more granular control of system access and additional network boundary defenses.

Vulnerability assessments are periodically performed for applications and infrastructure with connectivity to the Internet. Vulnerabilities identified as high severity or high risk are remediated in an expedited manner following their identification. Periodic external and internal penetration tests are conducted to identify vulnerabilities and attack vectors that can be used to exploit GPTW's systems. Penetration testing occurs from outside the network perimeter (i.e., the Internet or wireless frequencies around GPTW) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks. Findings identified in vulnerability assessments, penetration tests and red team exercises are documented, prioritized and remediated. Automated processes are used to measure how well GPTW has reduced the significant enablers for attackers, and may include items such as: clear text e-mails and documents with passwords in the filename or body; network diagrams stored online; configuration files stored online; vulnerability assessment, penetration test reports, and red team finding documents stored online; and other sensitive information identified by management personnel as critical to the operation of GPTW during the scoping of a penetration test or red team exercise. Social engineering is included within penetration tests. Penetration testing includes realistic advanced persistent threat (APT) style attacks to offer a realistic assessment of security posture commensurate with the risk to critical assets.

At least two different telecommunication providers are used to supply network communications to the data center. Redundant data center locations are at least 30 miles apart. Natural hazards that may negatively impact the data center (e.g., proximity to bodies of water, proximity to fault lines) have been identified. Entry and exit points to office facilities and data centers are covered by video surveillance. A change management process and procedure is implemented to manage and control changes to production applications and infrastructure. Management approves all changes prior to implementation. Application changes are tested by staff other than developers prior to implementation. Standard secure operating system configurations are established and used. Patch management processes are implemented that ensure security patches are installed in a timely manner following their release. Patching processes encompass the entirety of the IT operating environment including applications, databases, operating systems, utilities and network infrastructure.

All remote administration activities are performed over secure channels that incorporate use of appropriate levels of encryption and multi-factor authentication. An established process and associated configuration management infrastructure is deployed for configuration control of mobile devices. The process includes secure remote wiping of lost or stolen devices, approval of corporate applications, and denial of unapproved applications. Anti-malware software and signature auto-update features allow administrators to manually deploy updates to all machines when required. Separate environments are maintained for production and non-production systems. Developers do not have unmonitored access to production environments.

Audit log settings are validated for each device that maintains log information. Validation ensures that logs include relevant information for the device including a timestamp, source addresses, destination addresses, and various other useful elements of the packet and/or transaction. Devices record logs in a standardized format (such as syslog entries or those outlined by the Common Event Expression initiative). If devices cannot generate logs in a standardized format, log normalization tools are deployed to convert logs into such a format. All systems that store logs have adequate storage space for the logs generated on a regular basis (so that log files will not fill up between log rotation intervals). The logs are archived and digitally signed on a periodic basis. A log retention policy has been developed to ensure that the logs are retained for a sufficient period of time consistent with GPTW's record retention policies. All remote access to the network (e.g., VPN, dial-up, or other mechanism) is verbosely logged. Devices are configured to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions. Failed logon attempts are also logged.

GPTW uses a secure wipe (multi-pass overwrite) solution to securely delete SLM NPI, PII or proprietary data on hard drives or other media when data retention is no longer required.

Policy Reviews

Data privacy & security policies are reviewed monthly.

3. Policy to Safeguard Company Employee Data

Data Collection

The GPTW Emprising™ survey and analytics software platform operates by uploading to Emprising an Employee Data File (EDF) containing an email address list for the Company’s Employees taking the survey and, optionally, other information such as pre-coded demographics of the Company’s Employees. The EDF can be uploaded to Emprising either by GPTW or directly by the Company. The EDF is stored encrypted in a separately partitioned area from the Company Employee Data, which contains the Survey Responses from the Company’s Employees. When the Company Survey starts running, the email list from the EDF is used to generate a Personalized Invite to each Company Employee, which serves as a log-in identifier unique to each Company Employee. When the Company Survey closes, the link between the EDF and the Company Employee Data containing the Survey Responses of the Company Employees is broken, which disassociates and physically separates the EDF from the Company Employee Data. After the survey closes, the Company Employee Data does not contain the Company name, nor the name or email address of the Company Employee, nor any Personal Information that can be used to identify the Company Employee. As a result, the Company Employee Data is immediately de-identified and made anonymous when the survey closes. Within five business days after closing the Company Survey, the functionality of the survey is confirmed by GPTW and the EDF is deleted.

The types and categories of Company Personal Data to be processed are found in the demographic section and Trust Index questions of the survey. If the Company chooses to include demographic data in the survey responses, that demographic data is made part of the EDF, which then populates the Survey Responses when the Company Employee uses their unique log-in identifier to take their survey. After the Company Survey closes, any demographic data remains a part of both the EDF and the Company Employee Data. To protect the confidentiality of the Company Employee Data, GPTW uses a suppression algorithm: GPTW will not report on Assessment results in which fewer than five (5) people in a Company demographic group have responded. The Personalized Invite explains that the results of the survey will be used to determine whether the Company can be Great Place to Work-Certified, whether it qualifies for one of the GPTW Best Workplaces lists, and potentially to publish an unbiased review of the workplace on the Great Place to Work Reviews website. The Company Employee is assured that their participation is completely confidential and voluntary. The Survey Responses come directly to GPTW. Besides responding to statements, there are two open-ended questions soliciting an essay-style response. The Company has the option to add additional open-ended questions. The Company Employee is advised that should they choose to use their name or the names of others in the essay-style responses to the open-ended questions, these will appear verbatim and the Company may read them. Comments supplied by the Company Employee may also be quoted in GPTW articles or reviews, but they will never be associated with the employee’s name or other personally identifying information.
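The survey data flow described in the two paragraphs above (EDF partition, unique Personalized Invite identifier, link broken at close, and the five-respondent suppression rule), modelled as an added example; this is illustrative code written for this page, not GPTW's Emprising implementation, and the way the link is broken (dropping the invite identifiers and clearing the EDF) is an assumed modelling of the policy's wording. The EDF rows, departments and scores are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field
from statistics import mean

MIN_GROUP_SIZE = 5  # policy: no reporting on groups with fewer than five respondents


@dataclass
class Survey:
    # EDF partition: invite id -> {"email": ..., "demographics": {...}}
    edf: dict
    # Company Employee Data partition: keyed by invite id while the survey runs,
    # replaced by a plain list (invite ids dropped) once the survey closes
    responses: "dict | list" = field(default_factory=dict)
    closed: bool = False


def open_survey(edf_rows):
    """Upload an EDF and generate a Personalized Invite identifier per employee.

    The identifier is random, so nothing about the email address can be derived
    from it; the EDF partition is the only place the email is kept.
    """
    edf = {}
    for row in edf_rows:
        invite_id = secrets.token_urlsafe(16)
        edf[invite_id] = {
            "email": row["email"],
            "demographics": dict(row.get("demographics", {})),
        }
    return Survey(edf=edf)


def record_response(survey, invite_id, answers):
    """Store a response keyed by invite id, copying demographics from the EDF.

    The email address is deliberately not copied into the response record.
    """
    if survey.closed:
        raise RuntimeError("survey is closed")
    entry = survey.edf.get(invite_id)
    if entry is None:
        raise KeyError("unknown invite identifier")
    if invite_id in survey.responses:
        raise ValueError("this invite has already been used")
    survey.responses[invite_id] = {
        "demographics": dict(entry["demographics"]),
        "answers": dict(answers),
    }


def close_survey(survey):
    """Break the link between the EDF and the responses (assumed modelling).

    Invite ids are dropped from the response store and the EDF is cleared, so the
    retained data holds no email, name or identifier for any respondent.
    """
    survey.closed = True
    survey.responses = list(survey.responses.values())
    survey.edf.clear()


def report(survey, demographic_key, question):
    """Mean score per demographic group with small-group suppression.

    Groups with fewer than MIN_GROUP_SIZE respondents are reported as None rather
    than as a value, matching the policy's five-respondent rule.
    """
    if not survey.closed:
        raise RuntimeError("results are only reported after the survey closes")
    groups = {}
    for r in survey.responses:
        group = r["demographics"].get(demographic_key, "unspecified")
        groups.setdefault(group, []).append(r["answers"][question])
    return {
        group: (None if len(scores) < MIN_GROUP_SIZE else mean(scores))
        for group, scores in groups.items()
    }


def demo():
    """Constructed EDF: 5 Engineering and 3 Finance employees; all respond."""
    rows = [{"email": f"eng{i}@example.com", "demographics": {"dept": "Engineering"}}
            for i in range(5)]
    rows += [{"email": f"fin{i}@example.com", "demographics": {"dept": "Finance"}}
             for i in range(3)]
    survey = open_survey(rows)
    scores = [3, 4, 5, 4, 4, 1, 1, 5]  # Engineering mean 4.0; Finance too small
    for invite_id, score in zip(list(survey.edf), scores):
        record_response(survey, invite_id, {"q1": score})
    close_survey(survey)
    return survey, report(survey, "dept", "q1")
```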

The nature and purpose as well as the subject matter and duration of the Processing of the Company Personal Data is to collect Company employee survey data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces. This exact language is found in Article 89 of the GDPR.

The GPTW analytical survey platform named Emprising is hosted by the cloud provider Microsoft Azure. GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times. This legal protection is passed along to all GPTW clients through the warranties in the Products and Services Agreement for the entire term of our engagement, as detailed below. The Azure audit reports and other resource documentation, as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws, are found at the following URLs: https://servicetrust.microsoft.com/ and other compliance offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. A general article about Azure compliance is here: https://www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/ and a blog here: https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/. There are some country-specific compliance resources as well. For example, compliance in Germany is addressed at the following URL: https://servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3. GPTW provides the highest standard of legal protection by warranting to our clients that during the entire term of the engagement, GPTW will comply with the following industry standards: Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard, as well as the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS).
This warranty is stated in Section 7 (Data Security) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement.

GPTW uses commercially reasonable efforts consistent with industry standards to collect, transmit, store, protect and maintain the Data and Company Data obtained through the Services. GPTW represents and warrants that, during processing and for the term of the client’s engagement, it complies with the European Union (EU) 2016 General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 AB 375 (CCPA), and the Data Protection Laws of all other countries, states, or regulatory bodies. This warranty is stated in Section 8 (Data Privacy) of the GPTW Products and Services Agreement, which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement. In an abundance of caution, GPTW also provides the same warranties and representations for the GPTW Network even though it does not support Emprising. Any communication between Emprising hosted on Azure and the GPTW Network is strictly limited to an end-to-end secure VPN connection using the IPSec protocol. Accordingly, GPTW considers the third-party security/financial audits of the GPTW Network to be confidential and does not release them to any company. There are several reasons for this policy. First, the audits are static in time and may not cover the entire term of the company’s engagement. Second, the audits provide no legal protection to a company. Third, a company having possession of these audits places itself at serious risk for no benefit, e.g., should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that the company’s possession of the audits did not cause the GPTW breach.
Instead, GPTW provides the highest standard of legal protection by warranting to all GPTW clients that during the entire term of the engagement GPTW will comply with the following industry standards: Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard, as well as the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This warranty is found on the GPTW website in Section 7 (Data Security) of the GPTW Products and Services Agreement (PSA).

As advised in the GDPR, GPTW maintains a full-time Chief Data Protection Officer (CDPO) and staff to ensure compliance with all Data Protection Laws. The CDPO reports directly to the CEO of GPTW. GPTW also employs a full-time Certified Information Privacy Practitioner (CIPP) and staff who are certified under the NIST standard as administered by the International Association of Privacy Professionals at www.iapp.org.

Data Access

Access to Company data is only granted to those with a legitimate need. Company data is only accessed by GPTW employees who are authorized based on job role. Survey access is controlled so that survey respondents cannot see another respondent’s responses. Data is separated and partitioned so that Company users cannot see another company’s data.

Access Control

GPTW has a documented Access Control Policy which includes:

  • A formal user registration and de-registration process to enable assignment of access rights.
  • Unique IDs for all users.
  • A periodic review of access rights with the owners of the information systems or services.
  • Restriction and control of privileged access rights by management.
  • An authorization process to allocate and control privileged access rights.
  • A monthly review of privileged access.
  • A formal Password Policy.
  • A policy that forces users to change their password at first log-on.
  • Password requirements (such as minimum length, complexity, change periodicity and password history).
  • Encryption of passwords in storage and in transit.

GPTW will notify Company within 72 hours of GPTW becoming aware of any confirmed or suspected leak of Company data. Enforcement mechanisms are applied to GPTW employees who violate privacy policies or confidentiality requirements.

Servers

The Emprising platform is hosted by the Cloud providers Microsoft Azure and Amazon Web Services. Their security documentation is available on their respective websites. The Cloud providers GPTW uses have physical locations in at least California and Virginia. All data is backed up daily between the Cloud providers’ servers at these fully redundant hot sites. Contractual language is included to ensure that Azure properly controls access in a manner consistent with GPTW’s own internal policies. Data is encrypted in transit and in storage using commercially available dual-key AES 256-bit encryption software.

Policy Reviews

Data privacy & security policies are reviewed monthly.

4. Data Flow Diagrams

Data Flow Diagram for the GPTW Emprising analytical survey platform:

[Figure: DataFlowDiagram]

Data Flow Diagram for the GPTW Certification Process:

[Figure: DataFlow2]

5. Data Protection.

GPTW will use commercially reasonable efforts consistent with industry standards to collect, transmit, store, protect and maintain the Data and Company Data obtained through the Services. GPTW complies with Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard, as well as the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). GPTW considers the above-identified third-party reports confidential and does not release them to any company. GPTW has thousands of clients and a few have asked for the same information as your Company. There are several reasons for this policy. First, the reports are static in time and may not cover the entire term of the company’s engagement. Second, the reports provide no legal protection. Third, a company having possession of these reports places itself at serious risk for no benefit, e.g., should there be a GPTW security breach, any company in possession of these reports would be an immediate litigation target and would have to prove that its possession of the reports did not cause the GPTW breach. Instead, GPTW provides the highest standard of legal protection by warranting to the company that during the entire term of the engagement GPTW will comply with the above industry standards.

6. Data Privacy.

GPTW maintains a full-time Chief Data Protection Officer (CDPO) and staff to ensure compliance with these policies. The CDPO reports directly to the CEO of GPTW. GPTW also employs a full-time Certified Information Privacy Practitioner (CIPP) who is certified by the International Association of Privacy Professionals at www.iapp.org, whose credentials are accredited by the American National Standards Institute (ANSI) under the International Organization for Standardization (ISO) standard 17024:2012. ANSI is an internationally respected accrediting body that assesses and accredits certification programs that meet rigorous standards. ANSI’s personnel certification accreditation program was the first such program in the United States to fulfill the requirements of ISO/IEC 17011, which represents the global benchmark for accreditation body practice.

GPTW complies with the European Union (EU) 2016 General Data Protection Regulation (GDPR) and all data protection or privacy laws of any other country (Data Protection Laws). GPTW is also certified under the US/EU and US/CH Privacy Shield. GPTW collects Data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces. This exact language is found in Article 89 of the GDPR.

In connection with the Services, GPTW may receive, process and store Personal Data in the United States or other jurisdictions. Personal Data received by GPTW will be protected by GPTW as described in the Section above. In the event that consent of any individual is required to be obtained before transfer of Personal Information to GPTW, Company is responsible for obtaining the consent of any affected individual. Said consent needs to be freely given, specific, informed, unambiguous and given by a statement or clear affirmative action.

Scoped Data

GPTW has a data classification and retention program for Scoped Data that identifies the data types that require additional management and governance. GPTW has a documented response program to address privacy incidents, unauthorized disclosure or breach of Scoped Data. Scoped Data is not disclosed to third parties, within or outside the United States. GPTW has a documented privacy program with administrative, technical, and physical safeguards for the protection of Scoped Data including the use of encryption tools. Mobile devices are not used by GPTW employees to access Scoped Systems and Data. GPTW does not provide cloud applications.

Compliance and Incident Response

GPTW employees are reminded or informed on a monthly basis of our privacy and security policies. Their physical compliance is monitored daily where appropriate or applicable. GPTW maintains an internal compliance and ethics reporting mechanism and GPTW employees are given training in how to report compliance issues. GPTW also maintains an Incident Management program that is reviewed, approved by management and tested annually. All privacy complaints and privacy incidents are directed and responded to by the Director of Legal Affairs. Enforcement mechanisms are applied to GPTW employees who violate privacy or confidentiality policies.

7. Policy Regarding Ownership and Use of Data

Personal Data

Company Data

Company Data means Company’s proprietary data and information that Company provides to GPTW so that GPTW may, as part of the Services, conduct an Assessment (e.g., demographic and corporate information necessary to distribute the Survey to participants (such as email address, employee ID, and other personally identifying information) and the data provided by Company to GPTW for the Culture Audit). For the avoidance of doubt, Company Data does not include either Aggregate Data or Raw Data as defined below. The Company Data and all Intellectual Property Rights remain the exclusive property of the Company. GPTW will use Company Data solely to perform the Services and in a manner that is compatible with the purposes for which such Company Data is furnished to GPTW or subsequently authorized to be used, and GPTW will ensure that any Personal Data included in Company Data is properly maintained and protected.

Aggregate Data and Raw Data

Aggregate Data means (a) the Company-specific information, data, and content contained in any report(s) delivered by GPTW to Company pursuant to this Agreement; and (b) any other aggregated data that is derived from the Raw Data and that is delivered by GPTW to Company pursuant to this Agreement. For the avoidance of doubt, Aggregate Data does not include any Raw Data or Company Data. Raw Data means the confidential and anonymous responses received by GPTW from Company and Company’s employees in connection with, among other things, the Trust Index Survey(s) and/or Culture Audit(s), Culture Brief(s), focus groups, and one-to-one interviews administered by GPTW pursuant to this Agreement. For the avoidance of doubt, Raw Data does not include any Aggregate Data or Company Data. The Raw Data and the Aggregate Data obtained through the Services provided, and all Intellectual Property Rights are and will remain the exclusive property of GPTW. The Raw Data will not be provided to the Company by GPTW in order to protect the confidentiality of Company respondents. GPTW intends to use the Aggregate Data solely for the internal purposes of GPTW, including without limitation for benchmarking, creation of best practices and other R&D purposes. GPTW will not share non-anonymous, Company-specific information about the Company’s results with any third parties without first receiving prior written permission from Company (i.e., the Data is not intended to be associated with the Company or any individual Company employee). This will not apply in connection with any of the Best Workplaces Lists. Reports provided by GPTW to Company may be distributed internally by Company, but any external distribution requires prior written approval from GPTW which will not be unreasonably withheld. Aggregate Data and Raw Data are collectively referred to as Data herein.

Intellectual Property

The GPTW Intellectual Property, and all Intellectual Property Rights therein will remain the exclusive property of GPTW or its Affiliate Licensees. The Company is not acquiring any rights to any GPTW Intellectual Property because of the Agreement between both parties. Without GPTW’s prior written approval, which may be withheld in GPTW’s sole discretion, the Company will not use or re-use any GPTW Intellectual Property in any manner other than pursuant to its receipt of the Services during the Term (including in any surveying conducted either in-house or with another vendor outside of the scope of the Agreement).

Confidentiality

All information provided by the Company to GPTW or otherwise obtained by GPTW as a receiving Party relating to the business or operations of the Company or its clients or any person, firm, company or organization associated with the Company, will be treated by GPTW as confidential, and GPTW will not disclose the same to third parties without the prior written consent of the Company. The Parties acknowledge and agree that the confidential information of the Company does not include the Raw Data and the Aggregate Data, which are confidential information of GPTW.

8. Business Continuity and Disaster Recovery Plan

GPTW has a confidential, documented policy for business continuity and disaster recovery, including an annual schedule of required tests, annual BC/DR tests, a Pandemic Plan, annual Business Impact Analysis, and insurance coverage for business interruptions or general services interruptions.

Additional paper records off-site location:

Iron Mountain – Union City
29555 Kohoutek Way
Union City, CA 94587
Phone: 800-899-4766

9. Operations Security

GPTW has the following policies in place regarding Operations Security:

  • Documented operating procedures for Information Processing Facility.
  • Documented Change Management process.
  • Process for Capacity Management and Capacity Plan for mission critical systems.
  • Detection, prevention and recovery controls to protect against malware.
  • A formal policy prohibiting the use of unauthorized software by GPTW employees.
  • Installed anti-malware software on all computers and information systems.
  • Regular monthly updates of anti-malware software.
  • An established backup policy to define organizations’ requirements for backup of information, software and systems, including encryption of the backup.
  • An established Log Management standard including the maintenance of event logs recording user activities, exceptions, faults and information security events that are reviewed monthly.
  • An established Vulnerability Management process for all information processing systems.

10. Communications Security

GPTW has the following policies in place regarding Communications Security:

  • Firewall protection for all systems and Internet connectivity.
  • Special controls implemented to protect information passing over public networks and Wireless networks.
  • Maintaining routers and Access Control Lists.
  • Maintaining IDS/IPS Technology.
  • Two-factor authentication to control access from publicly accessible networks.

11. System acquisition, development and maintenance

As part of GPTW’s information security requirements, we include information security requirements for new information systems or enhancements of existing information systems, use a formal change control process for all changes to systems within the development life cycle, maintain version control for all software updates, and restrict and control modifications to software packages by limiting them to necessary changes only.

12. Physical Security

GPTW enforces defined security perimeters to protect Company’s sensitive or critical information and information processing facilities. As part of this enforcement, GPTW has restricted access to its sites and buildings to authorized personnel only and implemented physical barriers, where applicable, to prevent unauthorized physical access and environmental contamination. GPTW has also physically separated the information processing facilities it manages from those managed by external parties and implemented physical access controls to protect secured areas, ensuring that only authorized personnel are allowed access. Access to areas where confidential information is processed or stored is restricted to authorized individuals only. The use of photography, video, audio and other recording equipment, such as cameras in mobile devices, in secure areas is restricted. GPTW has developed and implemented a clear desk and clear screen policy. GPTW has implemented controls to minimize risk from theft, fire, smoke, water, dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism.

13. Supplier Relationships.

GPTW has a documented policy for supplier relationships and maintains a list of all suppliers we use.

14. Asset Management.

GPTW has a documented Asset Management Procedure and maintains an asset inventory which is accurate, up to date and aligned with other inventories. In addition, GPTW has a documented Acceptable Use Policy. GPTW’s termination process includes the return of all previously issued physical and electronic assets owned by GPTW.

GPTW has a secure process for Disposal of Media and sensitive information.

15. Compliance.

GPTW maintains a list of applicable legislative, statutory, regulatory and contractual requirements required by the organization. GPTW has an annual independent review of information security and has monthly technical compliance reviews including penetration testing and vulnerability scans.

December 15, 2019