WorkBuzz security

With WorkBuzz, you’re in safe hands. We use enterprise grade best practices to provide a secure, reliable and resilient cloud-based platform, which protects our customers.

ISO certified
Penetration testing
GDPR compliant
Cyber essentials

Hundreds of thousands of employees around the globe use the WorkBuzz platform to securely provide feedback and suggestions to their company. Our clients have a wide variety of security and privacy needs, with many coming from the most highly regulated and security-sensitive industries in the world. With this in mind, security is of the utmost importance to our platform and vision.

ISO 27001 certification

ISO 27001 is the de facto international standard for information security management. WorkBuzz has been ISO 27001 certified by the British Assessment Bureau and annually renews the certification through an ongoing auditing process. The most recent certificate can be found here.

Secure and reliable infrastructure

WorkBuzz uses Amazon Web Services (AWS) for the hosting of staging and production environments. AWS data centres are monitored by 24/7 security, biometric scanning, video surveillance and are SOC 1, SOC 2, and SOC 3 certified.

Ongoing commitment to security:

Data encryption

Data is encrypted in-transit using bank-grade TLS 1.2. Data is encrypted at-rest using 256-bit encryption via native AWS capabilities.

Employee training

All employees complete an annual security training programme and employ best practices when handling customer data.

Penetration tests

We work with industry leading security firms to perform regular application layer penetration tests.

Disaster recovery

We have designed a system meant to minimise any service disruptions resulting from natural disasters, hardware failure, or other unforeseen disasters or catastrophes, with all data regularly backed up.

Organisational structure and governance

WorkBuzz security and privacy teams

All WorkBuzz employees are responsible for following all information security protocols and processes as set out by the WorkBuzz Leadership Team, including our Head of Customer Success & Operations and our Chief Technology Officer.

Security training

All employees are trained on WorkBuzz’s information security processes and procedures as part of their onboarding. This is reviewed and redelivered annually to ensure that employees are up to date with the latest security risks.

Our developers receive regular security training to stay informed of common and emerging security risks in development, as well as of the privacy of our customers’ data.

All employees and contractors agree to comply with defined security policies, which include confidentiality, data privacy, and incident reporting.

Confidentiality and data security

We have put in place measures to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those of our people and other third parties who have a business need to know. They will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure. We have put in place procedures to deal with any suspected data security breach and will notify you and the ICO of a suspected breach where we are legally required to do so.

Confidentiality terms come standard in all WorkBuzz agreements with our customers. In addition, all employees are required to sign confidentiality agreements with WorkBuzz that protect customer data. WorkBuzz also has confidentiality terms with all vendors that handle personal or confidential information of our customers as part of our vendor review process (see below).

Incident reporting and response

All employees, contractors, and key suppliers are required to report security incidents through a formalised process, and WorkBuzz has a plan to promptly and systematically respond to any security or availability incidents that may happen. This plan is reviewed and updated on a regular basis as part of our ISO 27001 and Cyber Essentials certifications.

Vendor reviews

As part of WorkBuzz’s governance and compliance, we have implemented a policy for the detailed review of all vendors to WorkBuzz that may have a potential impact on the security of the service.

Disaster recovery and redundancy

WorkBuzz has designed a system meant to minimise any service disruptions resulting from natural disasters, hardware failure, or other unforeseen disasters or catastrophes.

Our Disaster Recovery approach includes:

  • Availability. WorkBuzz benefits from the resilience and redundancy built into the AWS cloud hosting platform. In addition, we employ Multi-Availability Zones (Multi-AZ) within the AWS cloud hosting environment. This ensures that all production data is replicated in a physically distinct data centre in real time. In the event of total failure of the primary data centre, the WorkBuzz application can be restored (without loss of data) using the Multi-AZ facility.
  • Backups. We perform daily backups on all relevant systems, which are stored for up to 3 months and are available for restoration based on identified incidents.
  • Disaster Recovery and Business Continuity Planning. Our Business Continuity Plan focuses on technical disasters affecting the operation of the WorkBuzz platform and includes plans for different scenarios as well as regular training for the recovery team. This is tested annually.

Reduced access

Access to our production systems is reduced to a minimum set of people responsible for maintenance and operations. WorkBuzz reviews access to production systems at least annually by following the least privilege principle.

Infrastructure and hosting

We understand that hosting locations are important. WorkBuzz platforms and websites are hosted by Amazon Web Services (AWS) in London and Dublin. AWS facilities are compliant with ISO 27001.

Network security (all hosting locations)

Security

All information systems are cloud-hosted and do not reside within the WorkBuzz internal network.

Architecture

WorkBuzz network architecture is designed to minimise the risk of a security breach by permitting access to the minimal required systems only, while other systems, such as database servers, are only accessible internally.

All traffic to our application servers is routed through our proxies and gateways. All other systems in our data centres never have direct access to the Internet — neither inbound nor outbound.

Security incident response

In case of a system alert, security incidents are escalated to our Head of Customer Success and Operations. Our employees are trained on our security incident response, including communication channels and escalation paths. Treatment of incidents is done according to a defined process for information security events. This process complies with the ISO 27001 standard.

Encryption

Encryption in transit

Any data requested from clients is password protected to ensure it is encrypted during transit. Clients using the WorkBuzz platform are able to upload data directly into the system, meaning no transfer to or from individuals is required. When client data is processed outside secure WorkBuzz systems, it shall be encrypted in transit. Encryption in transit may include encrypting a file sent via email, encrypting a portable hard disk used to transfer data, or using encrypted transmission protocols such as TLS.

Encryption at rest

We encrypt user passwords using best practice to minimise the impact of a data breach. Almost all of our services encrypt data at rest using industry best-practice symmetric encryption schemes. All WorkBuzz-owned devices have full disk encryption enabled by default using Microsoft BitLocker.

Product security

Quality assurance

To ensure a maximum level of QA, we perform a number of automated tests on our code base. We also peer-review code changes that are submitted to the code base by our developers.

Separate environments

WorkBuzz’s testing and staging systems are separated logically from production systems. For testing, WorkBuzz uses dedicated test data.

Penetration testing

WorkBuzz contracts with a third-party penetration tester to perform independent penetration tests at least annually. Our security engineers continuously test new and existing features for vulnerabilities, using AWS Inspector, to raise the security level of our application.

A summary for the most recent penetration test is available on request under a Non-Disclosure Agreement.

Privacy and data protection

With its roots in the United Kingdom, WorkBuzz has put privacy and data protection at the core of how we have developed our products, services, and our internal governance.

EU General Data Protection Regulation (GDPR)

WorkBuzz complies with the requirements of the EU General Data Protection Regulation and provides a secure communication platform that protects employee and client data equally. The privacy rights of our clients, and their employees, and the security of their personal data are our highest priorities.