Trust Center · Security & compliance

Security & trust, by design.

We measure some of the most sensitive data an organisation holds. Protecting it is a first-class part of the product — certified, regionally hosted, and built so no individual response is ever exposed.

Request documentation → View certifications
01 · Compliance & frameworks

Where we stand.

We are building Thrive at Work to meet the standards enterprise security teams expect. Our privacy obligations are met today, two leading security attestations are actively in progress with independent auditors, and we run to those control sets now — ahead of the formal report dates.

SOC 2
In progress
SOC 2 Type II

Independent audit of our security, availability and confidentiality controls across a continuous monitoring window. Engagement underway with our auditor.

Report expected 2026
ISO 27001
In progress
ISO/IEC 27001

Certification of our information security management system (ISMS) — governance, risk treatment and controls. Implementation complete; audit scheduled.

Certification 2026
GDPR
Compliant
GDPR

Full compliance with the EU General Data Protection Regulation across collection, processing, residency and data-subject rights. EU entity as controller.

In effect now
UK GDPR
Compliant
UK GDPR & DPA 2018

Aligned with the UK General Data Protection Regulation and Data Protection Act for our UK customers, including UK data residency.

In effect now
CCPA
Compliant
CCPA / CPRA

California Consumer Privacy Act and CPRA obligations honoured for US customers, with US data residency and consumer rights support.

For US customers
ISO 27701
Planned
ISO/IEC 27701

Privacy Information Management extension to ISO 27001 — on our roadmap once the 27001 certification is in place.

On roadmap

Working to a framework not listed here? Contact [email protected] — see Documentation & reports.

02 · GDPR compliance

GDPR, end to end.

Thrive at Work s.r.o. is an EU company, registered in Prague, and the platform is built around GDPR from the data model up. When we provide the Thrive Index to an organisation, that organisation is the data controller for its employees' responses and Thrive at Work acts as the data processor under a Data Processing Agreement.

  • Standard Data Processing Agreement (DPA) available to every client
  • Lawful basis documented for every category of data we process
  • Full data-subject rights — access, rectification, erasure, portability, objection
  • Data hosted in your own region by default — EU, US or UK
  • Records of processing activity maintained under Article 30
  • 72-hour breach notification to authorities and affected users

Our full Privacy Policy sets out what we collect, why, and how long we keep it, in plain language.

03 · Security controls

How we protect data.

Security is layered across our infrastructure, application and people. The controls below are the same ones our SOC 2 and ISO 27001 programmes are built on.

Encryption everywhere

Data encrypted in transit (TLS 1.2+) and at rest (AES-256), including backups.

Least-privilege access

Role-based access control, enforced MFA, and access reviewed on a regular cadence.

Continuous monitoring

Logging, alerting and audit trails across systems, with anomaly detection.

Independent testing

Third-party penetration testing and vulnerability scanning before each release.

Vendor due diligence

Every sub-processor is assessed and contractually bound to equivalent standards.

Secure development

Code review, dependency scanning and segregated environments across the pipeline.

04 · Privacy by design

Anonymity is architectural.

The single most important protection is structural: our pipeline is designed so that no individual's survey response is ever exposed to their employer — or to anyone at Thrive at Work — as an identifiable record.

  • Results are released only in aggregate, with a minimum cohort of seven before any team view is shown
  • Segment filters require a minimum of ten responses
  • Employees authenticate with a magic link — we store no passwords
  • Benchmark contributions are anonymised and stripped of organisational identifiers
  • Aggregation happens before any human at Thrive at Work can read the data
05 · Data residency

Where your data lives.

Your data is hosted in your own region by default — we do not move it across borders unnecessarily. Where a cross-border transfer is genuinely required, it is protected by Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

Customer regionData hosted in
European UnionEuropean Union
United StatesUnited States
United KingdomUnited Kingdom (or EU where applicable)
06 · Sub-processors

Who we work with.

We use a small, carefully chosen set of sub-processors to run the service. Each is bound by a data processing agreement and held to security and privacy standards equivalent to our own. We notify clients in advance of any material change to this list.

Amazon Web Services
Cloud hosting & data storage · EU · US · UK
Cloudflare
CDN, DNS & DDoS protection · Global edge
Formbricks
Survey experience & response capture
Merge
HRIS integrations (unified API)
WorkOS
Authentication & single sign-on
HeyGen
Video generation for learning content
OpenAI
AI processing for insights & content

To receive change notifications for this list, email [email protected].

07 · Incident response

If something goes wrong.

We maintain a documented incident response plan with defined severity levels, on-call ownership and post-incident review. If a personal-data breach ever occurs, we will notify the relevant supervisory authority and affected users within 72 hours, as required by GDPR.

To report a security concern or suspected vulnerability, email [email protected]. We welcome responsible disclosure and will acknowledge reports promptly.

08 · Implementation & onboarding

How you go live.

Most organisations are live within two to six weeks, depending on localisation and your security review. You choose how employee data reaches us — a direct integration, single sign-on, or a secure upload — and the rest of the cycle is handled by the platform.

HRIS integration

Direct connectors (Workday, BambooHR and more) sync employee data automatically and keep segments current cycle to cycle.

Single sign-on

SSO with Google and Microsoft so people reach the platform with existing credentials — no new passwords to manage.

Secure upload

Prefer not to integrate? A secure employee-data upload with our Screener Wizard gets you live in minutes, no IT project required.

Guided rollout

The research team co-designs your first cycle — question localisation, comms templates, and benchmark selection for your sector.

09 · Roadmap

What's next.

We're candid about what's live today and what's coming. Nothing here gates a deployment — it's how the platform deepens over the next few cycles.

AreaTodayNext
CertificationsGDPR compliant; run to SOC 2 & ISO 27001 controlsSOC 2 Type II & ISO 27001 reports, 2026
LanguagesSurvey localised across major business languagesFurther management-platform interface languages
IntegrationsWorkday, BambooHR, SSO (Google, Microsoft)Expanding the connector library by demand
PrivacyISO 27001 ISMS implementedISO 27701 privacy extension
10 · Documentation & reports

For your security review.

Evaluating Thrive at Work for your organisation? We're happy to support your security and procurement teams with the documentation they need:

  • Data Processing Agreement (DPA) and Standard Contractual Clauses
  • Security white paper and control summary
  • SOC 2 and ISO 27001 status letters and, on completion, the reports
  • Current sub-processor list
  • Completed security questionnaires (e.g. SIG, CAIQ)

Reach our security team at [email protected] or start a conversation through Contact.