Orgvue and data security
Article by Tim Ross, General Counsel, Orgvue, on the importance of data security and transparency for the peace of mind of Orgvue clients.
“If we can’t protect your people data, we can’t protect your people. If we can’t protect your people, we don’t deserve your trust.” Tim Ross, General Counsel, Orgvue
Data security is a primary and growing concern for most organizations today, forming an essential part of business strategy. Organizations hold enormous amounts of different types of data: customer data; financial data; sales data and product data, to name a few. At Orgvue we provide a Software as a Service (SaaS) solution which puts you in the know about your workforce. To do this, we host your people data, and we understand that this requires governance at the highest levels.
In just the same way that people data is your lifeblood, it is ours too, so nothing is more important to us than how we manage and protect it. This data is one of the most valuable and critical assets a company owns, and it matters to us that our clients are satisfied that it is safe when in our hands. This article is intended to provide insight and assurance about how we think about data security at Orgvue, including how your data is accessed, who has access to it, and how we protect it.
Why is data security important?
The problems surrounding data security are highlighted regularly in the press, as one high-profile data breach is reported after another, be that through user error, device theft, or inadequate password protection. Hackers are also finding increasingly sophisticated and innovative methods to compromise systems and gain illegal access to data. At Orgvue we recognize the need to stay alert to the ever-changing risks and ensure that best-practice controls are always in place.
Paul Coleman, Orgvue’s Head of Information Security and Data Protection Officer, acknowledges just how important data security is to our clients: “We are under no illusion about the critical importance of our client data. The type of data our clients entrust us with is among their crown jewels – it is some of the most sensitive that they own. We fully appreciate the reputational damage and financial losses that could result from a data breach, and we take the trust placed in us extremely seriously.”
Paul also ensures that Orgvue fosters a culture in which information security awareness is taken seriously: “We can put the most advanced systems and technical tools in place, but if we haven’t also built up an awareness of data security within our organization, these may not be enough. For this reason, we ask everyone at Orgvue to take InfoSec training on their first day of employment, and we emphasize the importance of data security in everything we do, down to an awareness of the information we send over email. We can’t expect clients to trust us with their data if we don’t permeate that view throughout every aspect of our business.”
How do we control access to your data?
We have implemented numerous access management strategies to put our clients in control of their data, ensuring that only the right people have access to it, and only when required:
- Throughout the build process we work according to the principle of ‘least privilege’. This means that our employees only have access to the portion of the codebase necessary for them to do their job, and that nobody has access to the entire codebase. Granting access on a need-to-know basis and segmenting it in this way minimizes, as far as possible, the chance that confidential information could get into the wrong hands.
- By default, Orgvue employees do not have access to client data, and our clients are exclusively responsible for managing access control to their Orgvue environments once these are built and handed over to them. Clients can choose to grant us access during the implementation phase or for on-site advisory services, but responsibility for granting, reviewing and revoking that access lies with them.
- Security breaches affect not only tech vendors but also the partners that make up their supply chain. To mitigate this risk as far as possible, we have reduced our attack surface (the combined points at which unauthorized access could be gained) by hosting Orgvue on Amazon Web Services (AWS). This means that Orgvue can be delivered by engaging only one third-party hosting provider, and that we build on mature, widely audited cloud infrastructure. AWS has no access to Orgvue client data.
How do we protect your data?
At the heart of our data protection strategy is an encryption and key management system that encrypts data both in transit (when it is moving from one location to another, for example over the internet or from cloud storage to a local device) and at rest (when it is inactive, for example on a laptop or hard drive). Encrypted data can only be accessed (decrypted) by an authorized user within the application. Encrypting data in transit is standard practice; encrypting data at rest is applied less consistently. AWS supports both, and the encryption keys themselves are protected and managed through AWS Key Management Service (KMS). We are confident that these methods give robust protection against data breaches.
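A reader evaluating claims like the ones above will want to check them on their own AWS estate rather than take them on trust. The following is an added example, not Orgvue's code and not a description of Orgvue's actual configuration: it takes the JSON shapes returned by `aws s3api get-bucket-encryption` and `aws s3api get-bucket-policy` and reports whether a bucket defaults to SSE-KMS under a customer-managed key (at rest) and whether its policy denies requests that are not made over TLS (in transit). S3 as the storage service, the bucket name, the account ID and the key ARN are all assumptions; the inputs are constructed samples, and only the standard library is used, so it runs offline.

```python
"""Offline check of an S3 bucket's at-rest and in-transit encryption posture.

Reads the JSON shapes returned by `aws s3api get-bucket-encryption` and the
policy document from `aws s3api get-bucket-policy`, and reports whether the
bucket defaults to SSE-KMS under a customer-managed key and whether its policy
denies plaintext (non-TLS) requests. Standard library only; no AWS credentials
needed. All inputs below are constructed samples with placeholder identifiers.
"""
import json
from typing import Any

# Constructed sample: a bucket encrypted under a customer-managed KMS key
# (the region, account id and key id are placeholders, not real resources).
BUCKET_ENCRYPTION_KMS = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            },
            "BucketKeyEnabled": True,
        }]
    }
}

# Constructed sample: the weaker default, SSE-S3 (AES256). Data is encrypted at
# rest, but key policy, rotation and audit logging are not under your control.
BUCKET_ENCRYPTION_SSE_S3 = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}

# Constructed sample bucket policy that denies any request not made over TLS
# ("example-bucket" is a placeholder name).
BUCKET_POLICY_TLS_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")


def _as_list(value: Any) -> list:
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def at_rest_status(config: dict) -> dict:
    """Summarise the default encryption rule of a get-bucket-encryption response."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return {"algorithm": None, "key_id": None, "customer_managed_key": False}
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    key_id = default.get("KMSMasterKeyID")
    # SSE-KMS with no key id falls back to the AWS-managed key (alias/aws/s3);
    # an explicit alias/aws/... id is also an AWS-managed, not customer-managed, key.
    customer_managed = (
        algorithm in ("aws:kms", "aws:kms:dsse")
        and key_id is not None
        and "alias/aws/" not in key_id
    )
    return {"algorithm": algorithm, "key_id": key_id, "customer_managed_key": customer_managed}


def denies_plaintext_transport(policy: dict) -> bool:
    """True if a Deny statement rejects all S3 actions when aws:SecureTransport is false."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("*", "s3:*") for a in actions):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        # The condition value is normally the string "false"; accept a bare bool too.
        if flag is not None and str(flag).lower() == "false":
            return True
    return False


def assess(config: dict, policy: dict) -> list:
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    rest = at_rest_status(config)
    if rest["algorithm"] is None:
        findings.append("at rest: no default encryption configured")
    elif not rest["customer_managed_key"]:
        findings.append(f"at rest: {rest['algorithm']} without a customer-managed KMS key")
    if not denies_plaintext_transport(policy):
        findings.append("in transit: policy does not deny non-TLS requests")
    return findings


if __name__ == "__main__":
    print("KMS bucket + TLS-only policy:", assess(BUCKET_ENCRYPTION_KMS, BUCKET_POLICY_TLS_ONLY) or "OK")
    print("SSE-S3 bucket, no policy:", assess(BUCKET_ENCRYPTION_SSE_S3, {}))
```

The same two questions (who controls the key, and is plaintext transport refused) apply to any managed data store; only the response shapes differ. A bucket that passes this check still relies on the KMS key policy and CloudTrail for "who decrypted what and when", which this snippet does not inspect.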
How do we maintain our high standards?
One of the many ways we uphold our standards is by maintaining recognized certifications. We currently hold two ISO certifications alongside CSA STAR certification for cloud security. We are also embarking on a program of work to achieve a SOC 2 Type 2 audit report, which will give an independent, detailed account of our information security controls and how they operated over the review period. While many see SOC 2 as the gold standard of security assurance, and therefore as removing the need for any other certification, we see them as complementary. We therefore intend to maintain our ISO and CSA STAR certifications in addition to the SOC 2 Type 2 report, to provide the broadest possible scope of assurance around our product and our business.
At Orgvue, we put data security at the center of everything we do. Our goal is to provide transparency around how we build and manage our product and run our business, and the peace of mind of our clients is our top priority. For further information and assurance on our key security controls, visit our Trust Center.
Visit the Orgvue trust center
Find out all about our security and compliance standards including security, compliance, platform status, privacy and data protection, ethics and corporate responsibility.
Written by Tim Ross
General Counsel, Orgvue