A secure experience engineered for growth

BetterUp maintains established policies and procedures designed to standardize employee onboarding and offboarding using automated processes, enabled by using identity and access management (IAM) solutions. Background checks are performed on new employees, contingent workers, and coaches in accordance with BetterUp’s hiring procedures prior to onboarding. Confidentiality agreements and terms of acceptable use are in place for each party respective of their classification.

In order to promote a culture that enables members of BetterUp’s workforce to safeguard data and information in a secure manner, BetterUp maintains a comprehensive Security Awareness Training program to address general and role-based security training.

People security policies are communicated internally and available for reference in a centralized location. Known violations of policies follow an established disciplinary and enforcement process.

BetterUp data is encrypted in transit and storage using industry-standard ciphers and methods. This includes the use of AES-256 and TLS encryption ciphers. Encryption keys are stored securely with limited access. Advanced encryption is applied to various application infrastructure layers, and can include disk, application, and database encryption. Sharing of encryption keys is prohibited and key management procedures are reviewed on a yearly basis.

BetterUp provides a number of mechanisms to help customers keep their data secure and control access. This includes a series of controls that are based on the principle of least privilege. Customers can configure two-factor authentication and we encourage all customers to enable integration into their Federated Identity Provider through SAML. BetterUp’s platform is fully responsive across desktop, laptop, and mobile devices. It supports industry-standard SAML 2.0 for Single Sign-on (SSO) and user authentication. Security event and audit logs are collected and continuously monitored to detect and respond to anomalous behavior.

Multi-factor authentication (MFA) is required for BetterUp Coaches and employees to access BetterUp information systems and resources. Access is controlled through a central directory system, with access limited and granted based on the principle of least privilege.

The BetterUp platform delivers a user-friendly experience for members, Coaches, and program leaders through the implementation of role-based access features.

The BetterUp platform is built on isolated, private networks using security groups and firewalls within virtual private clouds (VPC). All inbound and internal traffic is restricted to specific ports across a limited group of machines. All traffic rates, sources, and types are actively monitored at various points in the network beyond ingress and firewalls. BetterUp logically isolates customer data using application container technology and unique identifiers, which assures that access to customer data is limited to only that customer.

Customer data will be deleted upon written request. Data is retained as needed to satisfy data classification and/or external requirements. Processes are in place for the secure disposal of tangible property containing Customer Data are in place and take into account available technology so that Customer Data cannot practicably be read or reconstructed

BetterUp has a dedicated cross-functional team to drive the Secure Development Lifecycle (SDL) that supports the principles of agile development.

This group is responsible for the coordination, communication, refinement, development of and adherence to security controls in our processes. In order to ship secure, high-quality products at pace, BetterUp leverages automated Security Testing to identify any potential vulnerabilities within source code, dependencies, and underlying infrastructure before releasing to our customers.

BetterUp analyzes the application source code to determine bugs, technical debt, and security vulnerabilities. A strict scoring criterion is adhered to by the Engineering teams to ensure not only the security of code in our products but quality as well. Any code not meeting these criteria is not shipped until resolved.

BetterUp analyzes project dependencies to determine vulnerabilities. Strict scoring criteria prevent the shipment of vulnerable dependencies in a product until it is resolved by Engineering teams.

BetterUp runs automated web application scans against the platform on a frequent basis. This allows for bugs, common exploits, security vulnerabilities, and issues to be discovered early on in the development process. By automating this approach, BetterUp is able to improve the quality and security of our platform for our customers.

BetterUp performs a vulnerability assessment on all container images to detect any vulnerable software running on a given container. Strict scoring criteria prevent the shipment of a vulnerable container until it is resolved by Engineering teams. A passing score is required for deployment.

In alignment with industry best practices, BetterUp has developed a baseline of source code control standards to provide proper hygiene around code repositories supporting our platform. These standards are developed across the company and automation has been deployed to enforce them. Standards automatically being enforced include but are not limited to: role-based access control, least privilege, code & repository ownership, segregation of duties, branch protections, and secrets management.

BetterUp’s security logs are collected, aggregated, and correlated using a centralized security information and event management (SIEM) solution. Industry-standard log protection mechanisms are in place to ensure the integrity of the logs generated. BetterUp engages a managed security service provider (MSSP) for monitoring and response services.

BetterUp has security incident response procedures in place to be followed in the event of any security breach. These procedures include areas that cover roles and responsibilities, investigation, communication, event logging, and remediative actions to be taken.

Availability of data is protected through the use of data replication and backup services provided by AWS and Heroku. Data backups are captured on a periodic basis according to a defined schedule. Backups are stored across multiple high availability zones. BetterUp leverages automated scaling to centrally deploy backup policies to configure, manage, and govern backup activity across BetterUp’s AWS resources.

Business continuity and disaster recovery plans and processes are maintained for responding to an emergency or adverse event that could damage Customer Data or production systems that contain Customer Data. Data restore testing exercises are completed semi-annually employing methodologies based on best practices and various scenarios. Test results enable BetterUp to verify the integrity of backup data and assurance in achieving recovery point and time objectives (RPO/RTO).

BetterUp leverages third parties for independent penetration tests of our applications, services and businesses as a whole. These have resulted in continuous updates to our products and processes for improving security and reliability. These assessments are part of ongoing compliance and security requirements to keep BetterUp as a trusted provider of services.

A customer-facing redacted executive summary is made available to customers under mutual non-disclosure agreement.

Introduction

BetterUp is committed to ensuring the security of our systems. We hope to partner with the security community and we recognize that the work the community does is important in continuing to ensure safety and security of our users. If you believe you have discovered a suspected vulnerability, privacy concern, exposed data, or other security issues in any of our assets, we want to hear from you.

Scope

This policy applies to any digital assets owned by BetterUp.

Assets or other equipment not owned by parties participating in this policy are out of scope for vulnerability reporting. Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

• In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
• Physical testing such as office access (e.g. open doors, tailgating)
• Social engineering (e.g. phishing, vishing)
• UI and UX bugs and spelling mistakes
• Network level Denial of Service (DoS/DDoS) vulnerabilities or other tests that impair access to or damage an asset

Additionally, please do not send us:

• Personally identifiable information (PII)
• Credit card holder data

Safe Harbor

When conducting vulnerability research according to this policy, we consider research conducted under this policy to be:

• Permitted–in that BetterUp will not initiate or support legal action against researchers as long as they adhere to this policy.

Researchers are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against a researcher and the researcher has made a good faith effort to comply with this policy,

BetterUp will take steps to make it known that researchers’ actions were conducted in compliance with this policy. At any time, if a researcher has concerns or is uncertain whether security research is consistent with this policy, please submit a report to security@betterup.co before going any further.

Note that the Safe Harbor applies only to legal claims under the control of BetterUp, and does not bind independent third parties.

Our Commitments

• When working with us, according to this policy, security researchers can expect us to:
• Respond to reports promptly, and work directly with researchers to understand and validate reports;
• Strive to keep researchers informed about the progress of a vulnerability as it is processed;
• Work to remediate discovered vulnerabilities in a timely manner, within BetterUp’s operational constraints; and
• Extend Safe Harbor for vulnerability research that conforms to this policy.

Our Expectations

In participating in BetterUp’s vulnerability disclosure program in good faith, we ask that you:

• Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
• Report any vulnerability you’ve discovered promptly;
• Avoid violating the privacy of others, disrupting our systems, destroying or manipulating data, and/or harming or degrading user experience;
• Use only the security@betterup.co email address to discuss vulnerability information with us;
• Provide us a reasonable amount of time (according to a mutually-agreed-upon timeline) to resolve the issue before you disclose it publicly;
• Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
• Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
• If a vulnerability provides unintended access to data:
  • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and
  • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), credit card data, or proprietary information;
  • Only interact with test accounts you own or with explicit permission from the account holder; and
  • Do not engage in extortion.

How to Submit a Vulnerability

To submit a vulnerability report to BetterUp’s Security Team, please send an email to security@betterup.co. The more details you provide, the easier it will be for us to triage and fix the issue.