Trust and security

At GoodHuman, we’re serious about security and privacy. Below, we’ve included a summary of the industry-leading measures we take to ensure that the data entrusted to us remains safe and secure.

Contact sales

Information security

We have certified our security program against the international standard in information technology security, ISO/IEC 27001. Compliance with this certification relates to themes including:

Strict adherence to consumer consent while acquiring personal details.
Software providers are unable to store data indefinitely and must delete this information permanently upon request.
Adequate security, encryption, psuedonymisation, redundancy and intrusion detection mechanisms that ensure consumer data is not compromised in any way.

Current and prospective customers can view this certification upon request.

‍GoodHuman is compliant with the Privacy Act 1988. Read more in our Privacy policy.

Data storage

GoodHuman is hosted in Google Cloud, giving us access to additional security measures including Identity-Aware Proxy, Google Cloud firewalls, disaster recovery plans and more.

Your data is stored locally in Australia data centres. The GoodHuman database and back-ups (performed daily) are encrypted at rest with AES-256. All data in transit is protected with TLS.

Infrastructure

GoodHuman is a 100% cloud-based infrastructure — we have no on-premise infrastructure. GoodHuman operates via a modern, auto-scaling microservices architecture that is managed by code. All API endpoints require authentication to access, which is strictly enforced through integration with Firebase Authentication. Our fully-documented change control process is utilised for any infrastructure changes.

Encryption

Encryption is used throughout the GoodHuman application to protect your data from unauthorised access.

By default, all data passed between GoodHuman users and the GoodHuman web application is encrypted in-transit via TLS.
The GoodHuman database and back-ups (performed daily) are encrypted at rest with TLS.
GoodHuman account passwords are hashed and cannot be viewed by the GoodHuman team.

Third-party sub-processors

At GoodHuman, we use third-party service providers to assist with payments, emails, support, analytics and for hosting our platform. These providers include:

Stripe, payment processing
Google Cloud, Cloud service provider
Google Firebase, hosting, authentication and document storage
MailChimp, email provider
Hubspot, customer relationship management
SendGrid, email provider
PubNub, push notifications
Zendesk, customer support and sales engagement platform
Google Meet, video conference provider
Twilio, communications

User permissions

GoodHuman has implemented a robust user permissions structure, placing the control in the hands of your organisation to determine and refine access to different areas of the platform on a user-by-user basis.

There can only be one primary owner of your organisation’s GoodHuman account. Primary owners have full access to every part of the platform and can transfer primary ownership to another user at any time.
Users with the required permission level can remove team members from GoodHuman at any time. This will remove their access to the GoodHuman workspace and/or app and they will be removed from any shifts they have upcoming. Removed team members can be reactivated at any time.

Access to data

In GoodHuman, your data is yours. You have the right to access your data at any time, though the kind of data that can be accessed can differ from user to user depending on their assigned user permissions.

Our API confirms to OpenAPI specifications and there are no commercial constraints governing our API activity.

GoodHuman’s secure, restricted public API means that you can access and export the specific data you want, when you want it and have peace of mind that it is protected in-transit.
Users can archive their own data as they see fit. Requests for complete and irreversible hard wipes of data can be made by submitting a request to our support team. Data is removed from production immediately; permanently erased after 7 days.
GoodHuman’s access to your data is limited to only those with roles that require access to perform their job duties, an example of this is our customer support team.

End-user security

Internal access points to production instances are strictly managed. System access is centrally managed via password manager and multi-factor authentication is enforced across the organisation.

Incident management

GoodHuman has robust incident management policies and procedures that are tested annually to verify their effectiveness and identify improvements across the complete incident lifecycle. Our documented processes include the management and classification of incidents, how and when incidents are declared, escalation points and customer communication. Processes for post-incident activities including post-mortems, lessons learned and action items are also outlined and tested regularly accordingly.

Disaster recovery

Whilst our data is stored securely in Australia, we use a globally distributed system so that if something goes wrong in one region, the application continues to provide service.

Google Cloud offers several relevant features to disaster recovery planning, including the following:

Google has one of the largest and most advanced computer networks in the world. The Google backbone network uses advanced software-defined networking and edge-caching services to deliver fast, consistent, and scalable performance.

Redundancy

Multiple points of presence (PoPs) across the globe mean strong redundancy. Data is mirrored automatically across storage devices in multiple locations.

Scalability

Google Cloud is designed to scale like other Google products (for example, search and Gmail), even when we experience a huge traffic spike. Managed services such as App Engine, Compute Engine autoscalers, and Datastore give us automatic scaling that enables our application to grow and shrink as needed.

Security

The Google security model is built on over 15 years of experience helping keep customers safe on Google applications like Gmail and Google Workspace. In addition, the site reliability engineering teams at Google help ensure high availability and prevent abuse of platform resources.

Compliance

Google undergoes regular independent third-party audits to verify that Google Cloud aligns with security, privacy, and compliance regulations and best practices. Google Cloud complies with certifications such as ISO 27001, SOC 2/3, and PCI DSS 3.0.

Built to scale and adapt with you

From scaling NDIS teams to leading human services enterprises, GoodHuman is designed to grow.

Privacy

Identity, device and process management means only the right people access information.

Data encryption

Data stored locally in Australia, encrypted in transit and at rest to safeguard your organisation.

Integrations

Bring your HR, payroll or finance tools together with our flexible and open API

Google Partner

Cloud-based SaaS solution for 99.99% uptime and industry leading back up, disaster recovery and data integrity

FAQs

Yes. GoodHuman is hosted locally in Australian data centres.

When data is deleted, is it permanently erased?

Users can archive their own data as they see fit. Requests for complete and irreversible hard wipes of data can be made by submitting a request to our support team. Data is removed from production immediately; permanently erased after 7 days.

Do you have an open API?

GoodHuman has an open API that conforms to OpenAPI specifications, with no commercial constraints governing your use over the API activity. GoodHuman’s secure, restricted public API means that you can access and export the specific data you want, when you want it and have peace of mind that it is protected in-transit.