Trust and security
At GoodHuman, we’re serious about security and privacy. Below, we’ve included a summary of the industry-leading measures we take to ensure that the data entrusted to us remains safe and secure.
Information security
We have certified our security program against the international standard in information technology security, ISO/IEC 27001. Compliance with this certification relates to themes including:
- Strict adherence to consumer consent while acquiring personal details.
- Software providers are unable to store data indefinitely and must delete this information permanently upon request.
- Adequate security, encryption, pseudonymisation, redundancy and intrusion detection mechanisms that ensure consumer data is not compromised in any way.
Current and prospective customers can view this certification upon request.
GoodHuman is compliant with the Privacy Act 1988. Read more in our Privacy policy.
GoodHuman is hosted in Google Cloud, giving us access to additional security measures including Identity-Aware Proxy, Google Cloud firewalls, disaster recovery plans and more.
Your data is stored locally in Australian data centres. The GoodHuman database and back-ups (performed daily) are encrypted at rest with AES-256. All data in transit is protected with TLS.
GoodHuman is a 100% cloud-based infrastructure — we have no on-premise infrastructure. GoodHuman operates via a modern, auto-scaling microservices architecture that is managed by code. All API endpoints require authentication to access, which is strictly enforced through integration with Firebase Authentication. Our fully-documented change control process is utilised for any infrastructure changes.
Encryption is used throughout the GoodHuman application to protect your data from unauthorised access.
- By default, all data passed between GoodHuman users and the GoodHuman web application is encrypted in transit via TLS.
- The GoodHuman database and back-ups (performed daily) are encrypted at rest with AES-256.
- GoodHuman account passwords are hashed and cannot be viewed by the GoodHuman team.
At GoodHuman, we use third-party service providers to assist with payments, emails, support, analytics and for hosting our platform. These providers include:
- Stripe, payment processing
- Google Cloud, cloud service provider
- Google Firebase, hosting, authentication and document storage
- MailChimp, email provider
- Hubspot, customer relationship management
- SendGrid, email provider
- PubNub, push notifications
- Zendesk, customer support and sales engagement platform
- Google Meet, video conference provider
- Twilio, communications
GoodHuman has implemented a robust user permissions structure, placing the control in the hands of your organisation to determine and refine access to different areas of the platform on a user-by-user basis.
- There can only be one primary owner of your organisation’s GoodHuman account. Primary owners have full access to every part of the platform and can transfer primary ownership to another user at any time.
- Users with the required permission level can remove team members from GoodHuman at any time. This will remove their access to the GoodHuman workspace and/or app, and they will be removed from any upcoming shifts. Removed team members can be reactivated at any time.
In GoodHuman, your data is yours. You have the right to access your data at any time, though the kind of data that can be accessed can differ from user to user depending on their assigned user permissions.
Our API conforms to OpenAPI specifications and there are no commercial constraints governing our API activity.
- GoodHuman’s secure, restricted public API means that you can access and export the specific data you want, when you want it, and have peace of mind that it is protected in transit.
- Users can archive their own data as they see fit. Requests for complete and irreversible hard wipes of data can be made by submitting a request to our support team. Data is removed from production immediately; permanently erased after 7 days.
- GoodHuman’s access to your data is limited to only those with roles that require access to perform their job duties; an example of this is our customer support team.
Internal access points to production instances are strictly managed. System access is centrally managed via password manager and multi-factor authentication is enforced across the organisation.
GoodHuman has robust incident management policies and procedures that are tested annually to verify their effectiveness and identify improvements across the complete incident lifecycle. Our documented processes include the management and classification of incidents, how and when incidents are declared, escalation points and customer communication. Processes for post-incident activities, including post-mortems, lessons learned and action items, are also outlined and tested regularly.
Disaster recovery
Whilst our data is stored securely in Australia, we use a globally distributed system so that if something goes wrong in one region, the application continues to provide service.
Google Cloud offers several features relevant to disaster recovery planning, including the following:
Google has one of the largest and most advanced computer networks in the world. The Google backbone network uses advanced software-defined networking and edge-caching services to deliver fast, consistent, and scalable performance.
Multiple points of presence (PoPs) across the globe mean strong redundancy. Data is mirrored automatically across storage devices in multiple locations.
Google Cloud is designed to scale like other Google products (for example, search and Gmail), even when we experience a huge traffic spike. Managed services such as App Engine, Compute Engine autoscalers, and Datastore give us automatic scaling that enables our application to grow and shrink as needed.
The Google security model is built on over 15 years of experience helping keep customers safe on Google applications like Gmail and Google Workspace. In addition, the site reliability engineering teams at Google help ensure high availability and prevent abuse of platform resources.
Google undergoes regular independent third-party audits to verify that Google Cloud aligns with security, privacy, and compliance regulations and best practices. Google Cloud complies with certifications such as ISO 27001, SOC 2/3, and PCI DSS 3.0.
FAQs
Yes. GoodHuman is hosted locally in Australian data centres.
Users can archive their own data as they see fit. Requests for complete and irreversible hard wipes of data can be made by submitting a request to our support team. Data is removed from production immediately; permanently erased after 7 days.
GoodHuman has an open API that conforms to OpenAPI specifications, with no commercial constraints governing your API activity. GoodHuman’s secure, restricted public API means that you can access and export the specific data you want, when you want it, and have peace of mind that it is protected in transit.