Data retention policy
Culture Amp shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of. Data owners, in consultation with legal counsel, may determine retention periods for their data.
Data archiving and removal policy
By default, a customer’s data is stored for the duration of his or her contract with Culture Amp. The data may be deleted within one month after the contract ends, at the latest, with the exception of data that is required to establish proof of a right or a contract, which will be stored for the duration provided by enforceable law. Once deleted, a user’s data cannot be restored. Culture Amp may provide the option for customers to delete data after their subscription ends. This request must be made by the customer, and Culture Amp may require additional ID verification. Culture Amp should hard delete all information from currently-running production systems within one month of the deletion request.
Data storage policy
All data is encrypted at rest using full disk encryption AES 256, and in transit using TLS 1.2 and above.
Data is classified with all sensitive data labeled as restricted or confidential.
As such, all access to the production environment is given on a need-to-know basis. Access is via encrypted VPN with strong MFA. All access is monitored and logged with active alerting where required.
Data center location(s)
United States, Ireland
Data hosting details
App/service has sub-processors
Guidelines for sub-processors