Great Place to Work® Institute, Inc.
Policy Explanation

Will GPTW provide a copy of its SOC 1 and/or SOC 2 audits or other third-party security/financial audits?

Yes. The GPTW analytical survey platform named Emprising is hosted by the cloud provider Microsoft Azure. GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times. This legal protection is passed along to all GPTW clients through the warranties in the Products and Services Agreement for the entire term of our engagement as detailed below. The Azure audit reports and other resource documentation as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws are found at the following URLs: https://servicetrust.microsoft.com/ and other compliance offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. A general article about Azure compliance is here: https://www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/ and a blog here: https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/ There are some country-specific compliance resources as well. For example, compliance in Germany is addressed at the following URL: https://servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3.

GPTW provides the highest standard of legal protection by warranting to our clients that during the entire term of the engagement, GPTW will comply with the following industry standards: Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This warranty is stated in Section 7 (Data Security) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement.
GPTW uses commercially reasonable efforts consistent with industry standards to collect, transmit, store, protect and maintain the Data and Company Data obtained through the Services. GPTW represents and warrants that during processing or the term of the client’s engagement that it complies with the European Union (EU) 2016 General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 AB 375 (CCPA), and the Data Protection Laws of all other country, state, or regulating bodies. This warranty is stated in Section 8 (Data Privacy) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement

In an abundance of caution, GPTW also provides the same warranties and representations for the GPTW Network even though it does not support Emprising. Any communication between Emprising hosted on Azure and the GPTW Network is strictly limited to an end-to-end secure VPN connection using IPSec protocol. Accordingly, GPTW considers the third-party security/financial audits of the GPTW Network to be confidential and does not release them to any company. There are several reasons for this policy. First, the audits are static in time and may not cover the entire term of the company’s engagement. Second, the audits provide no legal protection to a company. Third, a company having possession of these audits places itself at serious risk for no benefit, e.g. should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that company’s possession of the audits did not cause the GPTW breach. Instead, GPTW provides the highest standard of legal protection by warranting to all GPTW clients that during the entire term of the engagement GPTW will comply with the following industry standards:

Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This warranty is found on the GPTW website in Section 7 (Data Security) of the GPTW Products and Services Agreement (PSA).

GPTW maintains a full-time Chief Data Protection Officer (CDPO) and staff to ensure compliance with these industry standards. The CDPO reports directly to the CEO of GPTW.

Can a Company use its Master Services Agreement?

Yes, but only after payment of a review fee received before any review starts. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low price quote means accepting the GPTW Order Form and/or SOW and the GPTW Products and Services Agreement found at the website: www.greatplacetowork.com/Products-and-Services-Agreement. The quote does not include what GPTW needs to be compensated for the extra time and personnel required to perform the review and the documentation that must be developed just for your Company. It is important to note that because of the unique products and services being delivered by GPTW, a company’s Master Services Agreement definitely will not properly address Data ownership, Data processing, compliance with global privacy compliance laws, compliance with all Data Protection Laws, compliance with Data security industry standards, etc.

Can a Company change the GPTW Product and Services Agreement?

Yes, but only after payment of a sizeable review fee received before any review starts. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low price quote means accepting the GPTW Order Form and/or SOW and the GPTW Products and Services Agreement found at the website: www.greatplacetowork.com/Products-and-Services-Agreement. The quote does not include what GPTW needs to be compensated for the extra time and personnel required to perform the review and the documentation that must be developed just for your Company. It is important to note that because of the unique products and services being delivered by GPTW, a company’s Master Services Agreement definitely will not properly address Data ownership, Data processing, compliance with global privacy laws, compliance with all Data Protection Laws, compliance with Data security industry standards, etc.

Will GPTW fill out a Company’s security survey/document?

Yes, but only after payment of a sizeable review fee received before any review starts. All of the answers to any security survey are found on the GPTW website at www.greatplacetowork.com/GPTW-External-Security-Policy. The Company can use the GPTW External Security Policy to fill out its own security survey. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low-price quote means accepting the answers provided in the above GPTW External Security Policy. Otherwise, GPTW needs to be compensated for the extra time and personnel required to answer the survey. Furthermore, a company’s security survey provides no legal protection. A survey is static in time and may not cover the entire term of the company’s engagement. Instead, GPTW provides the highest standard of legal protection by warranting to the company that during the entire term of the engagement GPTW will comply with the following industry standards:

GPTW represents and warrants that during the Term it complies with Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This is found on the GPTW website in Section 7 (Data Security) of the GPTW PSA.

Will GPTW provide Certificates of Insurance (COI)?

Yes, but only after payment of a sizeable review fee received before retrieval begins. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low-price quote means accepting the quote without further involvement of GPTW personnel. Otherwise, GPTW needs to be compensated for the extra time and personnel required to retrieve the COI. Furthermore, a Certificate of Insurance provides no legal protection. A COI is static in time and may not cover the entire term of the company’s engagement. Instead, GPTW provides the highest standard of legal protection by warranting to the company that during the entire term of the engagement GPTW will carry the insurance coverage itemized in Section 12.8 (Insurance) of the GPTW PSA found on the GPTW website.