Great Place to Work® Institute, Inc.
Policy Explanation

1. Where is a SOC 2 report available?

The GPTW analytical survey platform named Emprising is hosted by the cloud provider Microsoft Azure. GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times. This legal protection is passed along to all GPTW clients though the warranties in the Products and Services Agreement for the entire term of our engagement as detailed below. The Azure audit reports and other resource documentation as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws are found at the following URLs: https://servicetrust.microsoft.com/ and other compliance offerings: www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. A general article about Azure compliance is here: www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/ and a blog here: azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/ There are some country specific compliance resources as well. For example, compliance in Germany is addressed at the following URL: servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3.

To offer an abundance of legal protection to GPTW clients, contractual warranties and representations are provided for the GPTW computer network even though Emprising is hosted by Azure and not the GPTW computer network. Any communication between Emprising hosted on Azure and the GPTW computer network is strictly limited to an end-to-end secure VPN connection using IPSec protocol. GPTW provides the highest standard of legal protection by warranting to our clients that during the entire term of the engagement, GPTW has not received notice of non-compliance  with the following industry standards: CPA-audited financial statements by the firm Abbott, Stringham & Lynch, Service Organization Controls (SOC) Report 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS).  These warranties are stated in Section 7 (Data Security) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage:  www.greatplacetowork.com/products-services-agreement. GPTW maintains a full-time Chief Data Protection Officer (CDPO) and staff to ensure compliance with these industry standards.  The CDPO reports directly to the CEO of GPTW.

GPTW considers the third-party financial and security audits of the GPTW computer network to be for “restricted use” and confidential.  Accordingly, GPTW does not release them to any company.  There are several reasons for this policy.  First, a “restricted use” provision is recited in every valid SOC 2 Report.  Second, the audits are static in time and may not cover the entire term of the company’s engagement.  Third, the audits provide no legal protection to a company.  Fourth, a company having possession of these audits places itself at serious risk for no benefit, e.g. should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that company’s possession of the audits did not cause the GPTW breach.

2. Can a Company use its Master Services Agreement?

Yes, but only if the Company agrees to pay a review fee of $18,000 that will be invoiced separately. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low price quote means accepting the GPTW Order Form and /or SOW and the GPTW Products and Services Agreement found at the website: www.greatplacetowork.com/Products-and-Services-Agreement. The quote does not include what GPTW needs to be compensated for the extra time and personnel required to perform the review and the documentation that must be developed just for your Company. It is important to note that because of the unique products and services being delivered by GPTW, a company’s Master Services Agreement definitely will not properly address Data ownership, Data processing, compliance with global privacy compliance laws, compliance with all Data Protection Laws, compliance with Data security industry standards, etc.

3. Can a Company change the GPTW Product and Services Agreement?

Yes, but only if the Company agrees to pay a review fee of $12,000 that will be invoiced separately. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low price quote means accepting the GPTW Order Form and /or SOW and the GPTW Products and Services Agreement found at the website: www.greatplacetowork.com/Products-and-Services-Agreement. The quote does not include what GPTW needs to be compensated for the extra time and personnel required to perform the review and the documentation that must be developed just for your Company. It is important to note that because of the unique products and services being delivered by GPTW, a company’s Master Services Agreement definitely will not properly address Data ownership, Data processing, compliance with global privacy laws, compliance with all Data Protection Laws, compliance with Data security industry standards, etc.

4. Will GPTW fill out a Company’s security survey/document?

Yes, but only if the Company agrees to pay a review fee of $6,000 that will be invoiced separately.  Why the fee?  All of the answers to any security survey are found on the GPTW website at www.greatplacetowork.com/GPTW-External-Security-Policy.  The Company can use the GPTW External Security Policy to fill out its own security survey.  GPTW has quoted to Company the lowest price for its products and services.  This low-price quote means accepting the answers to a security survey provided in the above GPTW External Security Policy.  Otherwise, GPTW needs to be compensated for the extra time and personnel required to answer the survey.   Furthermore, a company’s security survey provides no legal protection.  A survey is static in time and may not cover the entire term of the company’s engagement.  Instead, GPTW provides the highest standard of legal protection by warranting to the company that during the entire term of the engagement GPTW will comply with the following industry standards: CPA-audited financial statements, Service Organization Controls (SOC) Report 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework.  If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS).  Another problem is that the questions in a company’s security survey inevitably are directed towards the GPTW computer network and, as a result, are irrelevant.  The Emprising survey platform is hosted on Azure.  The Emprising survey questions and responses never touch the GPTW computer network.

5. Will GPTW provide Certificates of Insurance (COI)?

Yes, but only if the Company agrees to pay a review fee of $2,000 that will be invoiced separately.  Why the fee?  GPTW has quoted to Company the lowest price for its products and services.  This low-price quote means accepting the quote without further involvement of GPTW personnel.  Otherwise, GPTW needs to be compensated for the extra time and personnel required to retrieve the COI.  Furthermore, a Certificate of Insurance provides no legal protection.  A COI is static in time and may not cover the entire term of the company’s engagement.  Instead, GPTW provides the highest standard of legal protection by warranting to the company that during the entire term of the engagement GPTW will carry the insurance coverage itemized in Section 13.10 (Insurance) of the GPTW Products and Services Agreement found on the GPTW homepage website.

March 31, 2021

ABOUT OUR METHOLOGY​

To be eligible for the World’s Best Workplaces list, a company must apply and be named to a minimum of 5 national Best Workplaces lists within our current 58 countries, have 5,000 employees or more worldwide, and at least 40% of the company’s workforce (or 5,000 employees) must be based outside of the home country. Extra points are given based on the number of countries where a company surveys employees with the Great Place to Work Trust Index©, and the percentage of a company’s workforce represented by all Great Place to Work surveys globally. Candidates for the 2017 Worlds Best Workplaces list will have appeared on national workplaces lists published in September 2016 through August 2017.

ABOUT OUR METHOLOGY​