ISO/IEC 27001 certified · GDPR compliant · Hosted on AWS

Enterprise-grade security, privacy, and compliance

Certifications, documented controls, and supporting evidence for security review and due diligence.

Last updated: March 2026

Assurance Snapshot

ISO/IEC 27001: certified
GDPR: privacy compliance
AWS: certified infrastructure
2011: platform launch year

Overview

Trust Center Overview

The Peopleware Trust Center covers compliance, product and infrastructure security, reliability, governance, privacy, and access to supporting documentation.

Compliance

ISO/IEC 27001
GDPR
AWS Infrastructure
Subprocessors
Cyber Insurance
Technical and Organisational Measures

Security

Identity & Access
Cryptography
Secure Development
Monitoring & Vulnerability
People Security

Reliability

Availability
Backups
Business Continuity
RTO / RPO
Status Page
Incident Response

Governance

ISMS & Audits
Risk Reviews
Training
Supplier Oversight
Compliance
Information Classification

Compliance

Core compliance assurances

Key certifications, regulatory commitments, and contractual assurances are available for review.

Area / Status

ISO/IEC 27001: Certified

ISO/IEC 27001:2022 certified for the provision, operation, maintenance, and management of the Peopleware platform. The certification is audited annually by an accredited external certification body. View certificate →

GDPR: Compliant

EU and UK GDPR obligations are supported through a Data Processing Agreement (DPA), available in EN / DE / FR. A dedicated Data Protection Officer is appointed and reachable at privacy@peopleware.com. Data subject rights and deletion on demand are supported. Annual compliance reviews are conducted, and independent audits are part of the compliance programme.

AWS Infrastructure: Certified hosting environment

Hosted in AWS data centres certified for ISO 27001, PCI DSS Service Provider Level 1, and SOC 2, with built-in redundancy and physical security controls.

Subprocessors: Controlled and disclosed

A controlled set of third-party processors supports platform operations. All suppliers are subject to defined security obligations, confidentiality agreements, and regular review under the Supplier Security Policy. The full subprocessor list is published. View subprocessors →

Technical and Organisational Measures: Documented

The Technical and Organisational Measures (TOMs) document the safeguards Peopleware applies to protect customer data, derived from its ISO 27001:2022-certified information security management system. All 93 ISO 27001:2022 Annex A controls have been assessed and the applicable ones implemented. TOMs are published as Annex 2 of the Data Processing Agreement. View TOMs →

Cyber Insurance: Available on request

Liability insurance includes cyber claim coverage. The certificate is provided via the security documentation request process.

Security

Core security controls

Peopleware applies documented product, platform, and operational security controls to protect customer data.

Identity and access management

Access is deny-by-default: access to any system or information is forbidden unless expressly permitted. Role-based access control maps defined user profiles to the systems and data each role may reach. SSO is the preferred authentication method; where SSO is unavailable, 2FA or passkeys are required.

Cryptography

All customer data is encrypted at rest and in transit. Symmetric encryption keys for the AWS services that store data are managed in AWS KMS. Data in transit is protected with TLS. Backups are encrypted where possible.

Secure development lifecycle

A Secure Product Development Lifecycle governs security across the software development process. Production changes require multi-step approval; no single person can make a production change without review. Automated Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) are applied. Pull request code review is mandatory. Annual third-party penetration tests are conducted.

Monitoring and incident response

Customers are notified of personal data breaches affecting their data without undue delay, as the GDPR requires of a processor.

Backups and resilience

Backups are created at defined intervals, stored in multiple locations, and encrypted where possible. Restoration is tested annually for the Peopleware application. The Business Continuity Management policy defines the broader framework for emergency preparedness, covering scenarios including cloud provider unavailability, cyber security incidents, and human error.

Vulnerability management

CVE databases and security advisories are monitored regularly for newly disclosed vulnerabilities affecting systems within the ISMS scope. At least one internal system audit is conducted per year. Privileged account access is reviewed annually as part of the audit programme. Identified vulnerabilities are prioritised by severity and tracked through the corrective action process to resolution.

Information classification

All information assets are classified into one of four levels: Public, Internal, Restricted, or Confidential. Classification determines permitted handling, storage, sharing, and disposal procedures. Secure erasure is applied before disposal of equipment or media holding Restricted or Confidential data, and disposal records are maintained.

People security

All employment agreements include confidentiality and data protection clauses. Candidate screening includes personal ID verification, reference and certificate checks, and qualification assessments; background checks are conducted for hires in applicable regions. New employees receive role-based system access before their first day and must sign an ISMS Statement of Acceptance within their first two working weeks.

Penetration Testing

Annual third-party penetration tests examine Peopleware systems and applications for vulnerabilities. Results are available to qualified prospects and customers on request.

Request report

Reliability

Service reliability and continuity

Availability commitments, backup posture, recovery planning, and service status visibility support operational resilience.

Availability

SLA-backed commitments defined in GTCs

Backups

Created at defined intervals, encrypted, and tested annually

RTO / RPO

Recovery targets are defined in the Business Continuity Management policy

Status Page

Public service visibility at status.peopleware.com

Operational Metrics

Platform uptime since 2011: exceeded SLA target
Availability target: defined in GTCs
Backup frequency: defined in Backup Policy
Backup locations: multiple AWS regions
Restoration testing: annually
Incident notification: GDPR-aligned (without undue delay)

Architecture

High-level platform architecture

All data flows are TLS-encrypted. Each customer tenant is logically isolated.

Hosting

The Peopleware platform runs on Amazon Web Services. Data centres are certified for ISO 27001, PCI DSS Service Provider Level 1, and SOC 2, with built-in redundancy and physical security controls.

Data flow and encryption

All data in transit is encrypted with TLS using strong cipher suites, and HSTS is enforced. Data at rest, including backups, is encrypted, with encryption keys stored in AWS KMS.
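Two checks a reviewer can run against the transport claims above, as an added example that is not part of the original page or of Peopleware's own tooling: check_hsts() validates a Strict-Transport-Security header value offline (the one-year max-age floor and the includeSubDomains requirement are assumptions about what a strong policy should contain, not values the page states), and probe_tls() opens a TLS 1.2-or-better connection to a host you name and reports the negotiated protocol, cipher, and the HSTS verdict.

```python
"""Verify TLS version and HSTS policy for a hostname.

Added example, not Peopleware code. check_hsts() works offline on a header
value; probe_tls() makes a real connection only when you call it. The
MIN_HSTS_MAX_AGE threshold is an assumption (one year, the usual preload floor).
"""
import socket
import ssl

MIN_HSTS_MAX_AGE = 31536000  # one year; assumption, not a value from the page


def check_hsts(header_value):
    """Return (ok, findings) for a Strict-Transport-Security header value."""
    findings = []
    if header_value is None:
        return False, ["HSTS header absent"]
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or malformed")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return not findings, findings


def probe_tls(host, port=443, timeout=5.0):
    """Connect requiring TLS 1.2+; return (protocol, cipher name, hsts verdict).

    A handshake failure here means the server only offers TLS 1.0/1.1, which is
    itself a finding against a 'strong cipher suites' claim.
    """
    ctx = ssl.create_default_context()          # verifies the certificate chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode())
            raw = b""
            while b"\r\n\r\n" not in raw:      # read until end of response headers
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            header = None
            for line in raw.split(b"\r\n"):
                if line.lower().startswith(b"strict-transport-security:"):
                    header = line.split(b":", 1)[1].decode(errors="replace").strip()
            return tls.version(), tls.cipher()[0], check_hsts(header)


if __name__ == "__main__":
    # Offline demonstration on a constructed header value.
    print(check_hsts("max-age=63072000; includeSubDomains; preload"))
    print(check_hsts("max-age=300"))
```

Running probe_tls("status.peopleware.com") against the status page listed above, or against the application hostname, returns the negotiated protocol and cipher name that the "strong cipher suites" claim should be checked against, together with the HSTS findings; an HSTS header that is present but carries a short max-age or omits includeSubDomains is reported rather than silently accepted.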

Customer separation

Each customer environment is logically isolated within a multi-tenant architecture. Every tenant is assigned a unique identifier, and data access is scoped to that identifier so that one customer's requests cannot reach another customer's data.
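What scoping data access to the tenant identifier means in practice, as an added illustration rather than Peopleware's code: the schema, table, and sample rows below are constructed for the demo. The unscoped lookup shows the failure mode (a record addressed by a global id with no tenant predicate leaks another customer's row); the repository class shows the pattern in which every query carries the caller's tenant_id and no query path exists without it.

```python
"""Tenant-scoped data access versus an unscoped lookup.

Added example, not Peopleware code. Schema, table name and sample rows are
constructed for the demonstration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE employees (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    name      TEXT NOT NULL
);
"""

# Constructed sample data: two tenants, one record each.
SEED = [
    (1, "tenant-a", "Alice"),
    (2, "tenant-b", "Bob"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SEED)
    return conn


def unscoped_lookup(conn, employee_id):
    """Anti-pattern: addresses the row by global id only.

    A caller from tenant-a who guesses id 2 reads tenant-b's record, the
    classic cross-tenant IDOR.
    """
    row = conn.execute(
        "SELECT name FROM employees WHERE id = ?", (employee_id,)
    ).fetchone()
    return row[0] if row else None


class TenantRepository:
    """Every query is bound to the tenant the caller authenticated as."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required; refuse to run unscoped")
        self._conn = conn
        self._tenant_id = tenant_id

    def get_employee(self, employee_id):
        # The tenant predicate is part of every statement, so a guessed id
        # belonging to another tenant simply matches nothing.
        row = self._conn.execute(
            "SELECT name FROM employees WHERE id = ? AND tenant_id = ?",
            (employee_id, self._tenant_id),
        ).fetchone()
        return row[0] if row else None


def demo():
    """Return (leaked, own, blocked) to show the two behaviours side by side."""
    conn = make_db()
    leaked = unscoped_lookup(conn, 2)            # tenant-a asks for id 2 and gets "Bob"
    repo_a = TenantRepository(conn, "tenant-a")
    own = repo_a.get_employee(1)                 # "Alice"
    blocked = repo_a.get_employee(2)             # None: tenant-b's row is invisible
    return leaked, own, blocked


if __name__ == "__main__":
    print(demo())
```

A reviewer assessing a multi-tenant claim wants to know that the second shape is the only one reachable from request handlers: the tenant identifier comes from the authenticated session, never from a request parameter, and there is no data-access path that omits it.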

Subprocessors

A controlled set of third-party processors supports platform operations. All suppliers holding or processing Peopleware information are subject to defined security obligations and are reviewed regularly under the Supplier Security Policy. The full list is publicly available.

Governance

Security governance and oversight

Security governance is documented through the ISMS, formal policies, recurring reviews, and defined accountability.

ISO/IEC 27001:2022 certified by MSECB

ISMS and audits

The Information Security Management System (ISMS) covers the provision, operation, maintenance, and management of the Peopleware platform. The ISMS is certified under ISO/IEC 27001:2022 and audited annually by an accredited external certification body. All ISMS documents follow a defined review and approval process. At least one internal system audit is conducted per year, with privileged account access reviewed annually.

Risk management

Risks are identified, assessed, and treated within the ISMS framework. A nine-step corrective action process ensures that nonconformities are formally tracked, assigned, and resolved. CVE databases are checked regularly for new vulnerabilities, and risk treatment decisions are documented for all applicable ISO 27001:2022 controls. Risk owners are accountable for ensuring treatment plans are implemented and reviewed.

Policies and operational controls

Peopleware maintains a formal policy set covering all major ISMS domains. The framework includes policies for access control, cryptography, secure development, incident management, business continuity, supplier security, information classification, mobile devices, acceptable use, and physical security, among others.

Training and accountability

All Peopleware employees are required to complete security awareness training at least once per year. New joiners must complete the full programme as part of company onboarding. Completion is tracked centrally, 100% completion is required across the organisation, and training records are maintained as part of the ISMS documentation.

Supplier oversight

All third-party suppliers who create, maintain, store, access, process, or transmit Peopleware information are subject to defined security requirements. Suppliers are classified by risk level (High, Medium, Low). All suppliers are reviewed annually; high-risk suppliers are reviewed every six months. Security requirements are embedded in supplier agreements.

Compliance monitoring

Peopleware conducts annual compliance reviews covering its legal, regulatory, and contractual obligations. Independent audits — including third-party penetration tests — are part of the compliance programme. Non-compliance identified through audits or reviews is addressed through the corrective action process.

Continual improvement

Continual improvement is a formal ISMS requirement under ISO/IEC 27001:2022. Inputs include post-incident corrective actions, audit findings, post-emergency reviews, annual policy reviews, and management review outcomes. Emergency plans are revised at least annually and updated after any drill or incident.

Privacy & Data Usage

Your data belongs to you

Data ownership

Customer data is owned entirely by the customer. Peopleware processes it solely to deliver the platform services as defined in the Data Processing Agreement.

No AI or model training

Customer data is never used to train machine learning models or AI systems. Data processing is strictly limited to contracted service delivery purposes.

Retention and deletion

Retention and deletion procedures follow GDPR requirements. Secure erasure is applied before disposal of equipment or media. Annual compliance reviews cover data protection obligations.

Documentation Access

Security documentation and evidence

Supporting documentation is available through a controlled request process. Detailed materials for due diligence are typically fulfilled within one business day.

For existing customers: contact your Customer Success Manager directly. To report a suspected security incident, raise a high-priority support ticket through the normal support process.

Publicly available

ISO 27001 Certificate: current ISO/IEC 27001:2022 certification document. View certificate →

Data Processing Agreement: EN / DE / FR versions. View DPA →

Technical and Organisational Measures: Annex 2 of the DPA. View TOMs →

Subprocessor List: full list of third-party processors. View subprocessors →

General Terms and Conditions: contractual commitments and availability target. View GTCs →

Available via request

Penetration Test Summary: annual third-party penetration test results

Business Continuity Overview: summary of the Business Continuity Management policy and emergency plans

Cyber Insurance Certificate: current coverage certificate

Statement of Applicability: full list of ISO/IEC 27001:2022 controls with implementation status

Information Security Policy: top-level ISMS policy covering scope, objectives, and leadership commitment

Incident Management Policy: overview of incident classification, escalation, and notification procedures