Disco

Description Features Permissions Security & Compliance

Disco is a culture platform for remote teams
Celebrate values-driven work, foster team appreciation, and measure engagement around company culture.Recognize
Celebrate values-driven work and foster daily employee recognition.
• Kudos & values tagging
• Appreciation dashboard
• Broadcast to TVs & Slack channels
• Raffle off custom prizesNominate
Streamline and crowdsource company nominations to uncover next-level culture achievements.
• Values-based nominations
• Automated employee reminders
• Results dashboardEngage
Measure and act on culture in real-time across 10 key employee engagement drivers.
• Weekly pulse survey
• Pulse survey dashboard
• Configurable questions
• Compliment cardsAll features are included in your free trial
Disco accounts are created automatically upon installing

Permissions

Disco will be able to view:

Disco will be able to do:

Review the details to better understand this app’s security practices. To learn more about assessing apps for your workspace visit our Help Center.

General

Privacy & data governance

Data retention policy

a. Information Retention i. Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business. ii. Information used in the development, staging, and testing of systems shall not be retained beyond their active use period nor copied into production or live environments. iii. By default, the retention period of information shall be an active use period of exactly two years from its creation unless an exception is obtained permitting a longer or shorter retention period. The business unit responsible for the information must request the exception. iv. After the active use period of information is over in accordance with this policy and approved exceptions, information must be archived for a defined period. Once the defined archive period is over, the information must be destroyed. v. Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business unit is considered to be the information owner. vi. The organization’s legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel. vii. Each employee and contractor affiliated with the organization must return information in their possession or control to the organization upon separation and/or retirement. viii. Information owners must enforce the retention, archiving and destruction of information, and communicate these periods to relevant parties. Visit link for more info: https://justdisco.securilycomply.com/JustDisco-RP.pdf

Data archiving and removal policy

b. Information Archiving i. Archiving is defined as secured storage of information such that the information is rendered inaccessible by authorized users in the ordinary course of business but can be retrieved by an administrator designated by company management. 1. Physical (e.g., paper) records must be archived in secured storage (onsite or offsite) and clearly labeled in archive boxes naming the information owner. 2. Electronic records must be archived with strict access controls set by the information owner and appropriate to secure the confidentiality, integrity and accessibility of the information. ii. The default archiving period of information shall be 7 years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner. 1. As a guideline, an archiving period of more than 7 years may be granted for information with a vital historical purpose such as corporate records, contracts, and technical/trade secrets. 2. As a guideline, an archiving period of less than 7 years may be granted for information with a limited business purpose such as email, travel itineraries, pre-trip advisories, or to comply with specific legal, contractual and/or regulatory requirements (e.g., PCI DSS, GDPR, etc.) iii. Information must be destroyed (defined below) at the end of the elapsed archiving period. c. Information Destruction i. Destruction is defined as the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially-available means. ii. The organization must maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived, whether in physical storage media such as CD-ROMs, DVDs, backup tapes, hard drives, mobile devices, portable drives or in database records or backup files. Physical information in paper form must be shredded using an authorized shredding device; waste must be periodically removed by approved personnel. Visit link for more info: https://justdisco.securilycomply.com/JustDisco-RP.pdf

Data storage policy

a. The following locations are classified by the organization as secure areas and are goverened by this policy: i. [list all data center locations and secure areas under the organization’s control] b. Each data center and secure area must have a manager assigned. The manager’s name must be documented in the organization’s records. In the case of any on-prem data centers, the manager’s name must also be posted in and near the secure area. c. Each secure area must be clearly marked. Access to the secure area must be controlled by at least a locked door. A visitor access log must be clearly marked and easily accessible just inside the door. d. Persons who are not employed by the organization are considered to be visitors. Visitors accessing secure areas shall: i. Obtain access to secure areas in accordance with reference a. ii. Only enter and remain in secure areas when escorted by a designated employee. The employee must stay with the visitor during their entire stay inside the secure area. iii. Log the precise time of entry and exit in the visitor access log. e. The following activities are prohibited inside secure areas: i. Photography, or video or audio recordings of any kind. ii. Connection of any electrical device to a power supply, unless specifically authorized by the responsible person. iii. Unauthorized usage of or tampering with any installed equipment. iv. Connection of any device to the network, unless specifically authorized by the responsible person. v. Storage or archival of large amounts of paper materials. vi. Storage of flammable materials or equipment. vii. Use of portable heating devices. viii. Smoking, eating, or drinking. f. Secure areas must be checked for compliance with security and safety requirements on at least a quarterly basis. Visit link for more info: https://justdisco.securilycomply.com/JustDisco-DP.pdf

Data center location(s)

United States

Data hosting details

Our infrastructure spans over multiple availability zones in the AWS us-west-2 region, AWS availability zones (AZ) are one or more discrete data centers with redundant power, networking, and connectivity within an AWS Region.

Data hosting company

AWS

App/service has sub-processors

yes

Guidelines for sub-processors

https://docs.google.com/spreadsheets/d/1gPbJz2HgqGQMwc1znV5rv3FGizaRKjsBqZSQpgowwNw/edit#gid=0

Certifications & compliance

Security