This Policy is intended to help communicate externally to Companies the Security Policy used by GPTW as well as the Network Affiliates and Partners of GPTW and is incorporated by reference into their respective Agreements

1. General Business Information

GPTW provides products and services assessing workplace culture, performance, certification, and accreditation to assist companies and organizations in evaluating and improving their workplaces. GPTW was incorporated in the State of California on June 30, 1998 and is a privately-held company. It is headquartered in Oakland CA at 1999 Harrison Street, Suite 2070.

The FEIN for GPTW is 91-1917672 and its DUNS number is 05 1812683. There have been no material claims or judgments against GPTW in the last 5 years and has never suffered a data loss or security breach. To the best of our knowledge, our Cloud provider Microsoft Azure has never suffered a data loss or security breach within the last 3 years.

2. Policy to Safeguard Company Data

Data security is of paramount importance to GPTW. GPTW has robust policies in place to manage and secure Company data.

Risk Management

GPTW has a documented Risk Management Policy. Risk assessments are performed quarterly.The company has formally documented information security, data privacy, and confidentiality policies, standards and procedures that are approved by senior management, communicated to staff, reviewed at least annually, and published appropriately as to be available for reference and application.

Human Resource Security

GPTW’s Human Resources takes several steps to help protect Company data. GPTW performs background verification checks on all candidates for employment and our employees must sign the terms and conditions of employment. Furthermore, GPTW conducts mandatory semi-annual privacy and security awareness training for all staff. GPTW will notify Company if a GPTW employee who had access to Company data has been terminated or changed roles within GPTW that warrants an “Appropriateness of access review.”

Data Collection

GPTW only collects data needed for its intended purposes like Great Workplace Certification, Best Workplaces Lists, Advisory and High Trust Culture Consulting engagements, Accelerated Leadership Performance, etc.

Data Access

Access to Company data is only granted to those with a legitimate need. Company data is only accessed by GPTW employees that are authorized based on job role. Survey access is controlled so that survey respondents cannot see another’s responses. Data is partitioned and seperated so that Company users cannot see another company’s data.

Access Control

GPTW has a documented Access Control Policy which includes a formal user registration and de-registration process to enable assignment of access rights, unique IDs for all users, a periodic review of access rights with owners of the information systems or services, restrictions and control of privileged access rights by management, an authorization process to allocate and control privileged access rights, monthly review of privileged access, a formal Password Policy, a policy that forces users to change their password at first log-on, password requirements (such as minimum length, complexity, periodicity to change, password history), and encrypted passwords in store and transmit. GPTW will notify Company within 72 hours from GPTW becoming aware of any confirmed or suspected leak of Company data. Enforcement mechanisms are applied to GPTW employees who violate privacy policies or confidentiality requirements.

Computer and Network Hardware

On premises servers are in a locked, climate-controlled server room with access limited to authorized personnel. Company data is encrypted in transit and in storage using a commercially available dual key AES 256 bit encryption software.Laptops, workstations, and servers are configured so that they will not auto-run content from USB tokens (i.e., thumb drives), USB hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media. These devices are disabled if they are not required for business use. Systems with active removable media devices are configured so that they conduct an automated anti-malware scan of removable media when it is inserted. All email attachments entering GPTW’s email gateway are scanned, and email is blocked if it contains malicious code or file types commonly known to be associated with malicious software. This scanning is done before the email is placed in the user’s inbox and includes filtering of the email content as well as embedded links within the email content. Access to external email systems, instant messaging services, and other social media tools are blocked. GPTW has never experienced a security incident (such as a data breach, loss of customer data, or network intrusion). A holistic disaster recovery plan has been documented and implemented. Disaster recovery plans address the recovery of all relevant aspects of the business function/service, including applications, databases, utilities, and network infrastructure. The plans give appropriate consideration to dependencies on physical security and roles and responsibilities of personnel. Business continuity plans are tested at least annually and results are documented. A security awareness program is in place that focuses on the methods commonly used in intrusions that can be blocked through individual action. The training is updated at least annually and is mandated for completion by all employees at least annually. Security awareness of personnel is improved through periodic training and tests. Training results are documented and maintained. Hard disks or storage memory of all laptops are encrypted. GPTW supports e-mail encryption (SMTP/TLS, or a similar mechanism). GPTW has established a multi-tier data classification scheme (e.g., a four-tier scheme with data classified into categories based on the impact of exposure of the data). A process is established and followed to revoke user access upon termination of employment or contractual relationship. Data validation vulnerabilities (e.g., cross site scripting, cross site flashing, SQL/LDAP/XML/SMTP/code injection, OS commanding, buffer overflow, HTTP splitting, etc.) are mitigated through user data input validation controls. In addition to an inventory of hardware, there is an inventory of information assets that identifies the related hardware assets (e.g., servers) where the asset is located. Network access control (e.g., via 802.1x or a similar mechanism) is deployed to restrict devices that can be connected to the network. Network access control monitors authorized systems so that if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access. Separate virtual local area networks (VLANs) are created for BYOD systems or other untrusted devices. Client certificates are utilized to validate and authenticate systems prior to connecting to the network. Application whitelisting technology is deployed that allows systems to run software only if it is included on the whitelist, and prevents execution of all other software on the system. A list of authorized software has been developed for each type of system, including servers, workstations, and laptops. Authorized software is monitored by file integrity monitoring tools to validate that the software has not been modified. Regular scanning is performed for unauthorized software and alerts are generated when it is discovered on a system. Critical vulnerabilities are patched in an expeditious manner consistent with an established patch management process. Administrative privileges are limited to users who have both the knowledge necessary and a business need to perform administrative activities. An automated configuration monitoring system is implemented to measure and monitor secure configuration elements through remote testing. The system uses features compliant with Security Content Automation Protocol (SCAP) to gather configuration vulnerability information. System-specific configuration management tools are deployed (such as Active Directory Group Policy for Microsoft Windows environments) that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. Automated tools are deployed to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection. This protection includes appropriate use of anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events are sent to enterprise anti-malware administration tools and event log servers. Endpoint security solutions also include zero-day protection (such as network behavioral heuristics) where appropriate. Antivirus scanning is applied at GPTW’s web proxy gateway. Network-based anti-malware tools are utilized to analyze all inbound traffic and filter out malicious content before it arrives at endpoint devices. Proxy technology is applied to all communication between internal networks and the Internet. Web applications are protected by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. These attacks include cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls are deployed if such tools are available for the given application type. If the network traffic is encrypted, the device either sits behind the encryption or is capable of decrypting the traffic prior to analysis. A host-based web application firewall is deployed if neither of these options is appropriate. In-house-developed and third-party-procured web applications are tested for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. Testing includes behavior under denial of service or resource exhaustion attacks. Each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Network vulnerability scanning tools are used to detect and deactivate unauthorized wireless access points connected to the wired network. Wireless intrusion detection systems (WIDS) are used to identify rogue wireless devices and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic is monitored by WIDS as traffic passes into the wired network. For devices that do not have an essential wireless business purpose, wireless access is disabled in the hardware configuration (basic input/output system or extensible firmware interface) and includes password protections to reduce the possibility that an unauthorized user will override such configurations. All wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection. Wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS). Peer-to-peer wireless network capabilities on wireless clients are disabled, unless such functionality is required to fulfill a documented business need. Wireless peripheral access of devices (e.g., Bluetooth) are disabled, unless such access is required to fulfill a documented business need. Wireless access points are either placed behind a firewall so that all traffic can be examined and appropriately filtered. All mobile devices, including personally-owned devices, are registered prior to connecting to a wireless network that is logically separate from the enterprise network. All registered devices must be scanned and follow corporate policies for host hardening and configuration management. All wireless clients used to access private networks or handle GPTW data are configured in such a way that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by GPTW. Data on backup media is tested on a regular basis by performing a data restoration process to ensure that the backup procedure is working properly. Key personnel are trained on both backup and restoration processes. Alternate personnel are also trained in case primary personnel are not available. Backups are properly protected via physical security or encryption when they are stored, as well as when they are transmitted across the network. This includes network-based backups and use of cloud-based services. End-of-life backup media is securely erased/destroyed. Network devices (e.g., firewalls, routers, switches, etc.) are built using standard secure configurations defined for each type of network device in use in GPTW. The standard secure configurations are documented, approved, and regularly reviewed. Any deviations from the standard configuration or updates to the standard configuration are documented and approved by authorized personnel. At network interconnection points (e.g., Internet gateways, third party network connections, internal network segments with different security controls etc.), ingress and egress filtering are implemented to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols are blocked. Any exceptions are documented, approved, time-bound, and regularly reviewed. Network devices are managed using two-factor authentication. Network devices are managed using encrypted sessions. Host-based firewalls are applied on endpoint systems and include a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. Automated port scans are performed on a regular basis and compared to a known effective baseline. If a change that is not listed on the approved baseline is discovered, an alert is generated and reviewed. Unless required to be visible to the Internet or an untrusted network for business purposes, all systems are placed on an internal VLAN and given a private address. Network services required for business use on the internal network are reviewed on a regular basis to reconfirm the business need. Services that are enabled for projects or limited engagements are disabled when they are no longer required and properly documented. Critical services (e.g., DNS, DHCP) operate on separate physical or logical host machines. Application firewalls are placed in front of critical servers to monitor and validate the traffic to and from the server. Unauthorized traffic is blocked and an alert is generated. Administrative accounts on devices are routinely inventoried, and such access is reviewed to ensure that it has been approved by authorized personnel. Default passwords (including those for applications, databases, operating systems, routers, firewalls, wireless access points, and other infrastructure) are changed prior to deployment. Administrative accounts are used only for system administration activities, and not for general business activities such as reading email, composing documents, or Internet access. Passwords cannot be reused for a defined period of time, consistent with the GPTW’s password policy. Systems log any changes related to access control (e.g., adding or removing user accounts or privileges associated with a user). All system accounts are periodically reviewed. Any account that cannot be associated with a business process and owner is disabled. All user accounts have an expiration date associated with the account. All users are automatically logged off after a standard period of inactivity. User accounts are locked out for a defined period of time following a defined number of unsuccessful logon attempts. On a periodic basis (such as quarterly or at least annually), managers perform an access review of the access privileges assigned to their employees. Managers attest that access remains required for business purposes, and privileges no longer required are promptly removed. Attempts to access deactivated accounts are monitored through audit logging. Multi-factor authentication is used for all administrative access. Direct administrative interactive access to systems (either remotely or locally) is blocked. Instead, administrators access systems initially using a non-administrative account. Communications are blocked to known malicious IP addresses (i.e., blacklists). Monitoring systems are configured on DMZ networks (e.g., via IDS sensors or as a separate technology) to record packet header information at a minimum (and full packet header and payloads of the traffic destined for or passing through the network border). This traffic is sent to a configured Security Event Information Management (SEIM) so that events can be correlated across devices on the network. Sender Policy Framework (SPF) is implemented by deploying SPF records in DNS and enabling receiver-side verification in mail servers to prevent email spam by detecting email spoofing. Network-based IDS sensors are deployed on Internet and extranet DMZ systems and networks that monitor for unusual activity and detect compromise of these systems. Network-based IPS devices are deployed to complement intrusion detection systems by blocking known bad signatures. Network perimeters are designed and implemented so that all outgoing traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy supports logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses (i.e., blacklist); and applying whitelists of allowed sites. All remote access (including VPN, dial-up, and other forms of access that allow login to internal systems) is required to use multi-factor authentication. All devices remotely logging into the internal network are managed by the enterprise, which includes remote control of the device configuration, installed software, and patch levels. Periodically, scans are conducted for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms. An internal network segmentation scheme has been implemented to limit traffic to only those services needed for business use across GPTW’s internal network. Synchronized time sources are used (e.g., Network Time Protocol: NTP) from which all servers and network equipment retrieve authoritative time information on a regular basis to ensure that timestamps in logs are consistent. Security personnel or system administrators review identified anomalies in logs and escalate matters requiring additional analysis or review. Network boundary devices (including firewalls, network-based IPS, and inbound and outbound proxies) are configured to verbosely log all traffic (both allowed and blocked) arriving at the device. For all servers, logs are written to write-only devices or to dedicated logging servers running on separate machines from hosts generating the event logs, reducing the chance that an attacker can manipulate logs stored locally on compromised machines. Host-based data loss prevention (DLP) is used to enforce access control lists (ACLs) even when data is copied off a device. Access to unauthorized file transfer, online storage, and email websites is blocked. GPTW has established and follows procedures for secure data destruction. GPTW has established a written incident response plan that includes definition of roles and responsibilities for incident management. The plan also defines procedures for incident management. Senior management is appropriately represented (with input and decision-making authority) in the incident management process. The incident response plan includes procedures for the analysis of events and the criteria for determining if the event should be escalated to an incident. Procedures include roles and responsibilities for personnel and requirements for internal (e.g., Compliance, Communications, Legal, Executive Team) and external (e.g., Law Enforcement, Customer) notifications. GPTW publicly maintains contact information on its website that enables third party members of the public to report an information security incident. Procedures have been developed and disseminated to GPTW personnel related to the mechanisms for identifying and reporting an information security incident. This information is included as part of routine security awareness training. Periodic tabletop incident scenario sessions are conducted with personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. The network is designed using appropriate use of network segmentation. Any system accessible from the Internet is within a DMZ, and DMZ systems never contain sensitive data. Any system with sensitive data resides on the private network and is never directly accessible from the Internet. DMZ systems communicate with private network systems through firewalls and proxy servers, as deemed appropriate. The enterprise network is segmented into multiple, separate trust zones to provide more granular control of system access and additional network boundary defenses. Vulnerability assessments are periodically performed for applications and infrastructure with connectivity to the Internet. Vulnerabilities identified as high severity or high risk are remediated in an expedited manner following their identification. Periodic external and internal penetration tests are conducted to identify vulnerabilities and attack vectors that can be used to exploit GPTW’s systems. Penetration testing occurs from outside the network perimeter (i.e., the Internet or wireless frequencies around GPTW) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks. Findings identified in vulnerability assessments, penetration tests and red team exercises are documented, prioritized and remediated. Automated processes are used to measure how well GPTW has reduced the significant enablers for attackers, and may include items such as: Clear text e-mails and documents with passwords in the filename or body; Network diagrams stored online; Configuration files stored online; Vulnerability assessment, penetration test reports, and red team finding documents stored online; Other sensitive information identified by management personnel as critical to the operation of GPTW during the scoping of a penetration test or red team exercise. Social engineering is included within penetration tests. Penetration testing includes realistic advanced persistent threat (APT) style attacks to offer a realistic assessment of security posture commensurate with the risk to critical assets. At least two different telecommunication providers are used to supply network communications to the data center. Redundant data center locations are at least 30 miles apart. Natural hazards that may negatively impact the data center (e.g., proximity to bodies of water, proximity to fault lines) have been identified. Entry and exit points to office facilities and data centers are covered by video surveillance. A change management process and procedure is implemented to manage and control changes to production applications and infrastructure. A change management process and procedure is implemented to manage and control changes to production applications and infrastructure. Management approves all changes prior to implementation. Application changes are tested by staff other than developers prior to implementation. Standard secure operating system configurations are established and used. Patch management processes are implemented that ensure security patches are installed within a timely manner following their release. Patching processes encompass the entirety of the IT operating environment including applications, databases, operating systems, utilities and network infrastructure. All remote administration activities are performed over secure channels that incorporate use of appropriate levels of encryption and multi-factor authentication. An established process and associated configuration management infrastructure is deployed for configuration control of mobile devices. The process includes secure remote wiping of lost or stolen devices, approval of corporate applications, and denial of unapproved applications. Anti-malware software and signature auto-update features allow administrators to manually deploy updates to all machines when required. Separate environments are maintained for production and non-production systems. Developers do not have unmonitored access to production environments. Audit log settings are validated for each device that maintains log information. Validation ensures that logs include relevant information for the device including a timestamp, source addresses, destination addresses, and various other useful elements of the packet and/or transaction. Devices record logs in a standardized format (such as syslog entries or those outlined by the Common Event Expression initiative). If devices cannot generate logs in a standardized format, log normalization tools are deployed to convert logs into such a format. All systems that store logs have adequate storage space for the logs generated on a regular basis (so that log files will not fill up between log rotation intervals). The logs are archived and digitally signed on a periodic basis. A log retention policy has been developed to ensure that the logs are retained for a sufficient period of time consistent with GPTW’s record retention policies. All remote access to the network (e.g., VPN, dial-up, or other mechanism) is verbosely logged. Devices are configured to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions. Failed logon attempts are also logged. GPTW uses a secure wipe (multi-pass overwrite) solution to securely delete SLM NPI, PII or proprietary data on hard drives or other media when data retention is no longer required.

Policy Reviews

Data privacy & security policies are reviewed monthly.

3. Policy to Safeguard Company Employee Data

Data Collection

The GPTW Emprising™ survey and analytics software platform operates by uploading to Emprising an Employee Data File (EDF) containing an email address list for the Company’s Employees taking the survey and, optionally, other information such as pre-coded demographics etc. of the Company’s Employees. The EDF can be uploaded to Emprising either GPTW or directly by the Company. The EDF is stored encrypted in a separately partitioned area from the Company Employee Data which contains the Survey Responses from the Company’s Employees. When the Company Survey starts running, the email list from the EDF is used to generate a Personalized Invite to each Company Employee which is a log-in identifier unique to each Company Employee. When the Company Survey closes, the link is broken between the EDF and the Company Employee Data containing the Survey Responses of the Company Employees which disassociates and physically separates the EDF from the Company Employee Data. After the survey closes, the Company Employee Data does not contain the Company name, nor the name or email address of the Company Employee, nor any Personal Information that can be used to identify the Company Employee. As a result, the Company Employee Data is immediately de-identified and made anonymous when the survey closes. Within five business days after closing the Company Survey, the functionality of the survey is confirmed by GPTW and the EDF is deleted.

The types and categories of Company Personal Data to be processed are found in the demographic section and Trust Index questions of the survey. If the Company chooses to include demographic data in the survey responses, that demographic data is made part of the EDF which then populates the Survey Responses when the Company Employee uses their unique log-in identifier to take their survey. After the Company Survey closes, any demographic data remains a part of both the EDF and the Company Employee Data. To protect the confidentiality of the Company Employee Data, GPTW uses a suppression algorithm. GPTW will not report on Assessment results in which fewer than five (5) people in a Company demographic group have responded. The Personalized Invite explains that the results of this survey will be used to determine if the Company can be Great Place to Work-Certified, qualify to be on one of the GPTW Best Workplaces lists and to potentially publish an unbiased review of your workplace on our Great Place to Work Reviews website. The Company Employee is assured that their participation is completely confidential and voluntary. The Survey Responses come directly to GPTW. Besides responding to statements, there are two open-ended questions soliciting an essay style response. The Company has the option to add additional open-ended questions. The Company Employee is advised that should they choose to use their name or the names of others in the essay style responses to the open-ended questions, they will appear verbatim and the Company may read them. Comments you supply may also be quoted in GPTW articles or reviews, but they will never be associated with your name or other personally identifying information.

The nature and purpose as well as the subject matter and duration of the Processing of the Company Personal Data is to collect Company employee survey data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces. This exact language is found in Article 89 of the GDPR.

The GPTW analytical survey platform named Emprising is hosted by the cloud provider Microsoft Azure. GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times. This legal protection is passed along to all GPTW clients though the warranties in the Products and Services Agreement for the entire term of our engagement as detailed below. The Azure audit reports and other resource documentation as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws are found at the following URLs: https://servicetrust.microsoft.com/ and other compliance offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. A general article about Azure compliance is here: https://www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/ and a blog here: https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/ There are some country specific compliance resources as well. For example, compliance in Germany is addressed at the following URL: https://servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3. GPTW provides the highest standard of legal protection by warranting to our clients that during the entire term of the engagement, GPTW will comply with the following industry standards: Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This warranty is stated in Section 7 (Data Security) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement.

GPTW uses commercially reasonable efforts consistent with industry standards to collect, transmit, store, protect and maintain the Data and Company Data obtained through the Services. GPTW represents and warrants that during processing or the term of the client’s engagement that it complies with the European Union (EU) 2016 General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 AB 375 (CCPA), and the Data Protection Laws of all other country, state, or regulating bodies. This warranty is stated in Section 8 (Data Privacy) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement In an abundance of caution, GPTW also provides the same warranties and representations for the GPTW Network even though it does not support Emprising. Any communication between Emprising hosted on Azure and the GPTW Network is strictly limited to an end-to-end secure VPN connection using IPSec protocol. Accordingly, GPTW considers the third-party security/financial audits of the GPTW Network to be confidential and does not release them to any company. There are several reasons for this policy. First, the audits are static in time and may not cover the entire term of the company’s engagement. Second, the audits provide no legal protection to a company. Third, a company having possession of these audits places itself at serious risk for no benefit, e.g. should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that company’s possession of the audits did not cause the GPTW breach. Instead, GPTW provides the highest standard of legal protection by warranting to all GPTW clients that during the entire term of the engagement GPTW will comply with the following industry standards: Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This warranty is found on the GPTW website in Section 7 (Data Security) of the of the GPTW Products and Services Agreement (PSA).

As advised in the GDPR, GPTW maintains a full-time Chief Data Protection Officer (CDPO) and staff to ensure compliance with all Data Protection Laws. The CDPO reports directly to the CEO of GPTW. GPTW also employs full-time Certified Information Privacy Practitioner (CIPP) and staff who is certified under the NIST standard as administered by the International Association of Privacy Professionals at www.iapp.org.

Data Access

Access to Company data is only granted to those with a legitimate need. Company data is only accessed by GPTW employees that are authorized based on job role. Survey access is controlled so that survey respondents cannot see another’s responses. Data is seperated and partitioned so that Company users cannot see another company’s data.

Access Control

GPTW has a documented Access Control Policy which includes a formal user registration and de-registration process to enable assignment of access rights, unique IDs for all users, a periodic review of access rights with owners of the information systems or services, restrictions and control of privileged access rights by management, an authorization process to allocate and control privileged access rights, monthly review of privileged access, a formal Password Policy, a policy that forces users to change their password at first log-on, password requirements (such as minimum length, complexity, periodicity to change, password history), and encrypted passwords in store and transmit. GPTW will notify Company within 72 hours from GPTW becoming aware of any confirmed or suspected leak of Company data. Enforcement mechanisms are applied to GPTW employees who violate privacy policies or confidentiality requirements.

Servers

The Emprising platform is hosted by Cloud providers Microsoft Azure and Amazon Web Services. Their security documentation is available on their respective websites. The Cloud providers GPTW uses Azure servers having have physical locations in at least California and Virginia. All data is backed upped between Azure servers the Cloud providers daily at these fully redundant hot-sites. Contractual language is included to ensure that Azure properly controls access in a manner consistent with GPTW’s own internal policies. Data is encrypted in transit and in storage using a commercially available dual key AES 256 bit encryption software.

Policy Reviews

Data privacy & security policies are reviewed monthly.

4. Data Flow Diagrams

Data Flow Diagram For the GPTW Emprising analytical survey platform: