A secure experience engineered for growth

BetterUp is an invite-only platform and an invitation link is sent to specific individuals that are manually added. This member can access the BetterUp Platform and upload the CSV file to invite the remaining participant.

BetterUp needs members to provide first name, last name, and email address for accessing the platform. The members who choose to use our Mobile app will be required to provide their mobile numbers. Many of our customers also provide us information such as title, department, and location. This is only a representative sample and not a comprehensive list.

BetterUp supports three options for data upload:

1. An authorized individual could upload and attach the data required.
2. An authorized individual could manually send/forward this file to the assigned Deployment Manager or open a Helpdesk ticket.
3. BetterUp can help set up a secure file transfer such as S-FTP on a case-by-case basis.
4. BetterUp supports custom integrations with HRIS systems such as Workday.

BetterUp data is encrypted in transit and storage using industry-standard ciphers and methods. This includes the use of AES-256 and TLS encryption ciphers. Encryption keys are stored securely with limited access using Key Management Services (KMS) that is fully managed by AWS.

BetterUp is a multi-tenant system and does not support Bring-Your-Own-Key (BYOK) for customers. Advanced encryption is applied to various application infrastructure layers, and can include disk, application, and database encryption.

BetterUp has a Data Deletion and Media Sanitization Policy, Standards, and Guidelines in place. The existence of these policies and the related controls have been validated by an Independent Auditor as part of the SOC 2 Type II report. BetterUp, upon customer’s written request of data erasure, shall remove the customer’s data from all BetterUp storage media, including cloud provider’s storage services within thirty (30) days of the request. Unless otherwise instructed or pursuant to applicable law, BetterUp will retain the data for seven (7) years. Upon request, BetterUp will provide the customer with a log or copy of the data that was deleted.

Cloud-Based (AWS) Media: When AWS determines that media has reached the end of its useful life, or it experiences a hardware fault, AWS follows the techniques detailed in Department of Defense (DoD) 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST SP 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. Please refer to the AWS website for more information: https://aws.amazon.com/compliance/data-center/controls/

The BetterUp platform uses third-party vendors and services such as AWS, Heroku, and TokBox. Please refer to the SOC 2 Type II report section III C and H for more information. Unless otherwise instructed or pursuant to applicable law, BetterUp will retain the data for seven (7) years.

Customer data is hosted in the United States. Upon request, customers may have data hosted in Frankfurt, Germany.

BetterUp is a multi-tenant platform and the customer data is logically segregated using Application Code, Role Based Access Control and various other technologies. BetterUp's Production environment is hosted in Heroku's Private Space (aka micro-segment).

Yes. BetterUp has several customers that use ADFS, Azure, or Okta for Single Sign-On (SSO) integration.

BetterUp supports standard SAML 2.0 integration for authentication. For customers that do not use SAML, the passwords are encrypted using secure algorithms such as BCrypt.

No. BetterUp supports the RBAC model and the fine-grained permissions are built within the application. Customers are required to submit a ticket to request any role changes.

Customers can submit an account termination request by e-mailing the BetterUp support team at support@betterup.co

BetterUp has automated off-boarding for our internal employees and contractors.

BetterUp uses the principles of least privilege to limit the access on a need-to-know basis. The access to customer data is limited to a specific group of individuals based on job responsibilities such as the Customer Care Agents, Deployment Managers, and Production Support Engineers. The BetterUp platform leverages Role-Based Access Control (RBAC) model and the fine-grained permissions are built within the application to enable the RBAC model.

BetterUp performs a quarterly review of access to the Betterup platforms and managed resources to help ensure that employee access is appropriate. Any issues identified as a result of the review are communicated and resolved.

Yes. Betterup leverages NIST 800-63b guidelines to authenticate employees and Coaches that have direct access to BetterUp owned and managed resources. Employees and Coaches are required to use Multi-Factor Authentication (MFA) for key application and privileged access.

Yes! BetterUp has a next generation SIEM solution in place.

Yes. BetterUp has a next generation DLP solution.

BetterUp collects access and audit logs of access to critical information systems. BetterUp reviews this access on a quarterly basis.

No. BetterUp is a multi-tenant system and logs are not made available to any customer.

Yes. BetterUp has contracted an external agency to perform a background check for all its employees in accordance with local regulations. The vendor and reports are managed by the Human Resources function and the background check includes the following:

1. An identity check
2. A criminal record check
3. Verification of education qualifications or other skills claimed
4. A debarment check, where required
5. Verification of entitlement to employment through the use of work permits or similar documents
6. Previous employment reference check
7. Verification of dates of employment claimed for the previous five (5) years

Third parties are required to perform background checks for their employees as part of the service contracts.

Yes. BetterUp requires all employees, Coaches, and internal contractors to acknowledge an Acceptable Use Policy (AUP).

Yes. The violations, enforcement and potential disciplinary actions are defined in all Information Security Policies, including the AUP. These policies are easily accessible to all employees on the internal Confluence page.

BetterUp Information Security policies, standards and guidelines are published on a confluence page, that is accessible to all employees. All employees, Coaches, and internal contractors with logical access to BetterUp systems are required to acknowledge an Acceptable Use Policy (AUP) when hired and annually thereafter.

BetterUp has a mandatory security awareness and training program for all members of BetterUp’s workforce (including management), which includes:

1. Training on how to implement and comply with its Information Security Program;
2. Promoting a culture of security awareness through periodic communications from senior management with employees.

Additionally, all BetterUp employees are required to annually complete Privacy, Sexual Harassment, and Ethics awareness trainings.

Yes, external assessments are performed at least annually.

BetterUp is hosted in the AWS US East region and Frankfurt, Germany. The production environment is hosted in a private space (microsegment) managed by Heroku, a Salesforce company. Heroku is responsible for gateway (Firewall, VPC, etc.) and infrastructure (OS, AMI, DB instance, etc.). BetterUp leverages AWS & Heroku services for back-up. AWS and Heroku have SOC 2 and ISO 27001 certifications in place. BetterUp has contracted an Independent Third Party to annually perform application penetration tests and static code analysis using OWASP top ten. An executive summary report with a status of Medium and above rated vulnerabilities can be shared with Customers, on written request under an NDA.

No. BetterUp is a multi-tenant system and the impacted customers will be notified for confirmed security breaches.

No. BetterUp does not provide a separate SLA for security incident response. Please refer to the customer support SLAs for more information.

BetterUp performs daily, weekly, and monthly backup as needed.

Customers can perform on-demand monitoring of our platform at https://status.betterup.co/. Customers can also look up our historical uptime using the same link. BetterUp contracted a reputed Independent Third Party to perform our Business Impact Analysis (BIA) and help us establish recovery point and recovery time objectives (RPO/RTO). The existing of this information has been attested by our Independent Third Party Auditors in the SOC 2 Type II report, as well.

No. BetterUp does not store credentials. BetterUp uses a refresh token to keep the session active.

No. Any member with access to the Apple store and/or Google Play store will be able to download the BetterUp mobile app.

Yes. BetterUp owned and managed laptops are encrypted.

Yes. BetterUp employees, Coaches, and internal contractors are required to acknowledge an Acceptable Use Policy (AUP).

BetterUp uses Falcon as its next-generation AV solution.

Yes. The ability to perform bulk download of the customer data from the front-end is disabled.

Yes. Better owned and managed devices such as laptops are securely wiped seven (7) times or equivalent.

No. BetterUp is a multi-tenant system and BYOK is currently not supported.

BetterUp uses AWS’s Fully Managed KMS.

Yes. BetterUp Platform uses Third party vendors and services such as AWS, Heroku and TokBox. Please refer to the SOC 2 Type II report section III C and H for more information. BetterUp uses Third Party Services solutions to continuously monitor the security posture of our key vendors.

Yes. We provide Service Level Agreements in our contracts/agreements.

BetterUp’s Customer Care team is equipped to empathetically address most concerns and questions, and can triage or escalate issues as needed. This team is available 24x7x365.