Our world-class methodology is academically rigorous. It was developed in collaboration with academics at the University of Plymouth, forms the foundations of our b-Heard survey and helps us towards our primary purpose: helping make the world a better workplace. We strive to be transparent and are happy to share our approach so that others can understand how we do what we do.
Security & Privacy
Data Protection by Design and Default
Best Companies cares about what we do, and who we do it for. Given the nature of our services and the amount of personal data we store, ensuring that our security posture is appropriate and proportionate is high on our agenda. In addition to the contractual obligations set out in our Terms of Service, we also look to demonstrate that we are a competent organisation and that our measures are effective. This allows you to take a risk-based approach to our processing and gives you the opportunity to verify our approach.
We embrace a ‘data protection by design and by default’ approach, considering data protection throughout the lifecycle of our services and ensuring that it’s integrated into everything we do.
We operate a ‘privacy centric’ approach. This means that we consider risk on an individual basis rather than in the collective sense. This is important in protecting the anonymity of individuals who respond negatively about their employer, which could otherwise put them at risk of reprisal. We recognise that an individual’s data may be more sensitive by association, due to who their employer is or their job role or function. Best Companies recognises that not all personal data is equal in terms of risk.
Data Protection is embedded into our culture, maintained through employee awareness and support. Training is provided at induction and at regular intervals throughout the year. We have an in-house Data Protection Officer (who can be contacted via email using firstname.lastname@example.org), and data protection is given top-level support. The Board of Directors has nominated an accountable director for compliance oversight.
We take responsibility for what we do, with appropriate measures and records in place to be able to demonstrate our compliance.
We restrict access. Data is only accessible by authorised personnel and Best Companies employees, all of whom are contractually bound by confidentiality. Access controls are in place for our employees and for our clients. We have installed a unified threat management solution, deployed for high availability, with the WatchGuard Total Security Suite, which includes Data Loss Prevention (DLP) and Threat Detection and Response (TDR). We use HTTPS across all our websites.
We continually monitor our security posture. Internal and external audits are conducted throughout the year. A vulnerability assessment and penetration test are conducted annually by an external organisation. All Best Companies applications, including the code for the survey, servers and infrastructure networks, are covered by the scan. Azure DevOps is used for our source code repository; this provides full auditing of changes. Peer review is required as part of our secure development lifecycle. We use an open-source security and licence compliance management platform, which automates the entire process of open-source component selection, approval and management, including detection and remediation of security and compliance issues. Quarterly scanning is conducted as required for PCI DSS, and our SecurityScorecard rating is continually reviewed and reported to the board fortnightly.
We do what we say we do. We have an established privacy management framework which is reviewed as part of our independent third-party assessments. We are proud to hold certification for the ISO 9001 Quality Standard, the ISO 27001 Information Security Standard and the Payment Card Industry Data Security Standard (PCI DSS), and to be certified under the Hellios Financial Services Qualification System (FSQS).
International Transfers of Personal Data
Best Companies is located in the United Kingdom (UK), which means organisations operating outside of the UK will be transferring data to the UK. Our services involve processing of the personal data we receive within the UK and the EEA (European Region). No personal data will be transferred outside of the European Region, unless your organisation operates outside of this jurisdiction.
Our Data Processors
Like most organisations, Best Companies works with other organisations to enable us to provide you with the best possible service. We conduct due diligence on all our suppliers, taking a risk-based approach. This means we consider the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons. This allows us to evaluate whether a supplier’s measures are effective and proportionate in relation to the services being provided. We reassess data processors periodically to ensure that they have, at a minimum, maintained their existing standards and certifications, and we consider any new security features they have released that we may be able to make use of.
Compatible Processing and Research
Best Companies conducts statistical research as a separate data controller with the goal of discovering useful information, informing conclusions and supporting decision-making that leads to a better understanding of employee engagement. We will only process personal data as a data controller to the extent that doing so is deemed compatible processing.
The Right to be Informed - Our Privacy Notice
We want to ensure your employees can access our privacy notice in order to understand how we use the data we hold about them. We do this through a multi-layered approach: on our website, within our communications and as a just-in-time notice at the point of survey.