SECURITY

Protecting your organisation's data

Culture Shift's platform is designed to protect sensitive disclosures, investigation information and the people who use our system. We take a risk-based approach to information security, combining secure technology, controlled access, independent assurance and clear operating procedures to protect the confidentiality, integrity and availability of customer data.

Compliance & Certifications

We maintain an Information Security Management System to support the secure operation of our platform and services.

ISO/IEC 27001:2022 Certified: Our Information Security Management System is independently audited and certified to ISO/IEC 27001, the internationally recognised standard for information security management systems.

Cyber Essentials: We are Cyber Essentials certified, demonstrating that core technical controls are in place to help protect against common cyber threats.

GDPR & UK Data Protection: We maintain policies, processes and controls to support our obligations under UK GDPR, the Data Protection Act 2018 and PECR.

Authentication & Encryption

Our platform includes security controls designed to protect sensitive disclosures and administrative access.

Encryption in Transit: Public-facing services use HTTPS with modern TLS configuration. Communications between platform components are protected using appropriate cloud security controls.

Encryption at Rest: Platform data is encrypted at rest using industry-standard encryption provided by our cloud infrastructure.

Authentication: User access is authenticated and access controls are enforced based on role and permission level. We support two-factor authentication using TOTP apps and encourage customers to enable it where appropriate.

Single Sign-On (SSO): Customers can integrate their own Single Sign-On provider to centralise access management and support their internal access control processes.

Security testing and vulnerability management

We regularly assess the security of our platform and supporting infrastructure.

Penetration Testing: Our platform is independently penetration tested at least annually and following significant architectural changes where appropriate. Executive summaries of our most recent reports are available to customers and partners under appropriate confidentiality arrangements.

Vulnerability Management: We maintain vulnerability management activities covering infrastructure, platform components, dependencies and application-level findings, with remediation prioritised based on risk.

Infrastructure & Hosting

Culture Shift uses Amazon Web Services to host and operate the platform. Our cloud infrastructure is designed to support secure, resilient and scalable service delivery, using managed cloud services, network controls, encrypted communications and monitored infrastructure. AWS provides strong physical and environmental security controls for its data centres, including independent certifications such as ISO 27001, SOC 1 and SOC 2.

Data Storage & Retention

We only retain customer data for as long as it is needed to provide our services, meet contractual commitments or satisfy legal and regulatory requirements. Access to report data is controlled through role-based permissions and enforced at application and API level. Customer data is retained in accordance with agreed retention schedules and is securely deleted or anonymised when no longer required.

Sub Processors

We use carefully selected sub processors to deliver our services and support the secure operation of the platform. Amazon Web Services (AWS) is our primary cloud infrastructure provider, supporting hosting, storage, database, authentication and content delivery services. We review supplier and sub processor arrangements based on the nature of the service provided and the sensitivity of the data involved.

Vulnerability Disclosure

We welcome responsible disclosure from the security community. If you believe you have discovered a security or privacy issue affecting Culture Shift or our platform, please contact us at DPO@culture-shift.co.uk. We do not operate a public bug bounty or paid vulnerability disclosure programme. Any request for payment must not be a condition of disclosure and should not delay the reporting of a genuine security concern. We will review reported issues and work to resolve valid concerns in a timely and transparent manner.