WorkBuzz security

Data is encrypted in-transit using bank-grade TLS 1.2. Data is encrypted at-rest using 256-bit encryption via native AWS capabilities.

All employees complete an annual security training programme and employ best practices when handling customer data.

We work with industry leading security firms to perform regular application layer penetration tests.

We have designed a system meant to minimise any service disruptions resulting from natural disasters, hardware failure, or other unforeseen disasters or catastrophes, with all data regularly backed up.

All WorkBuzz employees are responsible for following all information security protocols and processes as set out by the WorkBuzz Leadership Team; including our Head of Customer Success & Operations and our Chief Technology Officer.

All employees are trained on WorkBuzz’s information security processes and procedures as part of their onboarding. This is reviewed and redelivered annually to ensure that employees are up to date with the latest security risks.

Our developers have regular security training to stay informed of our common and emerging security risks in the development, as well as the data privacy of our customers’ data.

All employees and contractors agree to comply with defined security policies, which include confidentiality, data privacy, and incident reporting.

We have put in place measures to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those of our people and other third parties who have a business need to know. They will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure. We have put in place procedures to deal with any suspected data security breach and will notify you and the ICO of a suspected breach where we are legally required to do so.

Confidentiality terms come standard in all WorkBuzz agreements with our customers. In addition, all employees are required to sign confidentiality agreements with WorkBuzz that protect customer data. WorkBuzz also has confidentiality terms with all vendors that handle personal or confidential information of our customers as part of our vendor review process (see below).

All employees, contractors, and key suppliers are required to report security incidents through a formalised process, and WorkBuzz has a plan to promptly and systematically respond to any security or availability incidents that may happen. This plan is reviewed and updated on a regular basis as part of our ISO 27001 and Cyber Essentials certification.

As part of WorkBuzz’s governance and compliance, we have implemented a policy for detailed review of all vendors to WorkBuzz that may have a potential impact on security of the service.

WorkBuzz has designed a system meant to minimise any service disruptions resulting from natural disasters, hardware failure, or other unforeseen disasters or catastrophes.

Our Disaster Recovery approach includes:

• Availability. WorkBuzz benefits from the resilience and redundancy built into the AWS cloud hosting platform.

In addition, we employ Multi-Availability Zones (Multi-AZ) within the AWS cloud hosting environment. This ensures that all production data is replicated in a physically distinct data centre in real-time. In the event of total failure of the primary data centre, the WorkBuzz application can be resurrected (without loss of data) using the Multi-AZ facility.

• Backups. We perform daily backups on all relevant systems, which are stored for up to 3 months and available for restoration based on identified incidents.
• Disaster Recovery and Business Continuity Planning. Our Business Continuity Plan focuses on technical disasters for the operation of the WorkBuzz platform and includes plans for different scenarios as well as regular training for the recovery team. This is tested annually.

Access to our production systems is reduced to a minimum set of people responsible for maintenance and operations. WorkBuzz reviews access to production systems at least annually by following the least privilege principle.

All information systems are cloud-hosted and do not reside within the WorkBuzz internal network.

WorkBuzz network architecture is designed to minimise the risk of a security breach by permitting access to the minimal required systems only, while other systems, such as database servers, are only accessible internally.

All traffic to our application servers is routed through our proxies and gateways. All other systems in our data centres never have direct access to the Internet — neither inbound nor outbound.

We have put in place measures to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those of our people and other third parties who have a business need to know. They will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure. We have put in place procedures to deal with any suspected data security breach and will notify you and the ICO of a suspected breach where we are legally required to do so.

Confidentiality terms come standard in all WorkBuzz agreements with our customers. In addition, all employees are required to sign confidentiality agreements with WorkBuzz that protect customer data. WorkBuzz also has confidentiality terms with all vendors that handle personal or confidential information of our customers as part of our vendor review process (see below).

In case of a system alert, security incidents are escalated to our Head of Customer Success and Operations. Our employees are trained on our security incident response, including communication channels and escalation paths. Treatment of incidents is done according to a defined process for information security events. This process complies with the ISO 27001 standard.

Any data requested from Clients is password protected to ensure data is encrypted during transit. Clients using the WorkBuzz platform are able to upload data directly into the system meaning no transfer to/from individuals is required. When client data is processed outside secure WorkBuzz systems, it shall be encrypted in transit. Encryption in transit may include encrypting a file sent via email, encrypting a portable hard disk being used to transfer data or through the use of encrypted transmission protocols such as TLS.

We encrypt user passwords by using best practice to minimise the impact of a data breach. Almost all of our services use encryption at the best industry best practice symmetric encryption schemes. All WorkBuzz owned devices have a full disk encryption setup and are enabled by default using Microsoft BitLocker.

To ensure a maximum level of QA, we perform a number of automated tests on our code base. We also peer-review code changes that are submitted to the code base by our developers.

WorkBuzz’s testing and staging systems are separated logically from production systems. For testing, WorkBuzz facilitates dedicated test data.

WorkBuzz contracts with a third-party penetration tester to perform independent penetration tests at least annually. Our security engineers are continuously testing new and existing features regarding vulnerabilities to increase the security level of our application via AWS Inspector.

A summary for the most recent penetration test is available on request under a Non-Disclosure Agreement.

With its roots in the United Kingdom, WorkBuzz has put privacy and data protection at the core of how we have developed our products, services, and our internal governance.

EU General Data Protection Regulation (GDPR)

WorkBuzz complies with the requirements of the EU General Data Protection Regulation and provides a secure communication platform that protects employee and client data equally. The privacy rights of our clients, and their employees, and the security of their personal data are our highest priorities.