Security overview

BetterUs Workplace — Security & Privacy Overview

A one-page summary for buyers and their security teams. Send this to procurement, legal, or your CISO — they should find every answer they need without a follow-up email.

Last updated: 04/05/2026. For questions or a custom DPA: hello@thebetterusproject.com.

Company & infrastructure facts

Founded: 2024
Legal entity: The School of Play Pty Ltd (AU)
ABN: Available on request
Primary data region: Australia (Sydney)
Backup region: Australia (Melbourne)
Headcount with prod access: ≤ 3 (named, MFA-required)
Data classification: Customer Restricted by default
Encryption in transit: TLS 1.2+, HSTS preload
Encryption at rest: AES-256 (database + backups)
Authentication: JWT (HS256), 30-min access + 30-day refresh
MFA on admin tools: Required
Customer SSO: Google, Microsoft, Apple (optional per workspace)
Customer SAML: Roadmap — Q4 2026
Customer SCIM: Stub deployed; production targeting Q3 2026
Audit log retention: 12 months (Pro), 36 months (Enterprise)
Backup cadence: Continuous WAL + daily snapshot, 30-day retention
RTO: 4 hours
RPO: 15 minutes

Sub-processors

These third parties process customer data on our behalf. We notify customers of changes 30 days before they take effect, per our DPA.

Vendor	Purpose	Region	Data handled
Vercel	Web hosting + edge runtime	Global (US/EU primary)	Encrypted in transit; ephemeral compute, no persistence.
Stripe	Payment processing	US/EU/AU per Stripe routing	Cardholder name, card token (PCI-DSS compliant). No PAN stored by us.
Resend	Transactional email	US	Recipient email + email body. Retention: 30 days for delivery logs.
Sentry	Error tracking	US (with EU region available)	Error stack traces, browser metadata. PII masked by default.
PostHog	Product analytics	EU (eu.posthog.com)	Anonymous event stream. Identifiers hashed, no email.
OpenAI	AI feature surfaces (optional, off by default)	US	First names + aggregate counts only. No mood text or recognition free-text.

Compliance

In place
GDPR + UK GDPR
DPA available on request. EU sub-processor list above.
In place
Australian Privacy Principles
APP-aligned; we are bound by the AU Privacy Act 1988.
In progress
SOC 2 Type II
Under audit. Letter of intent available now; full report Q1 2027.
Roadmap
ISO 27001
Targeting 2027 once SOC 2 is in hand.
Roadmap
HIPAA
Not currently positioned for healthcare PHI. BAA on request.

Data handling

Customer data ownership. The customer is the data controller; we are the data processor. Workspace data is exportable on demand from /admin/export and deletable on demand within 30 days.
Aggregation by default. Managers and admins see aggregate distributions, not individual answers. Mood logs and pulse responses are individual-level only to the packmate who created them.
No model training on customer data. We do not use customer data to train, fine-tune, or improve any model — including third-party models we call (e.g. OpenAI). Where AI is enabled, we send first names + aggregate counts only, never free-text recognitions or mood entries.
Retention. Active workspace data is retained for the life of the subscription plus 90 days. After that, check-in history is anonymised and recognition free-text is deleted. Audit logs follow the retention table above.
Access controls. Production database access is limited to ≤ 3 named engineers, MFA-required, SSH-key-only. All admin actions are logged to an immutable audit trail.
Backups. Continuous WAL + daily snapshots. Restoration tested quarterly. Backups are encrypted at rest with the same AES-256 keys as primary data and rotated annually.

Incident response

Detection. Sentry + UptimeRobot + Vercel logs alert on-call within 5 minutes of an error spike or downtime.
Triage. On-call assesses severity (sev1/2/3) within 30 minutes. Sev1 (data exposure or prod down) triggers a war-room thread immediately.
Customer notification. If customer data is materially affected, we notify named admin contacts within 24 hours of confirmation, with a follow-up within 72 hours per GDPR.
Post-mortem. Every incident of more than 5 minutes' impact gets a written post-mortem within 7 days, available to affected customers on request. Template lives in our ops runbook.

Vulnerability disclosure

Report security issues to security@thebetterusproject.com. We acknowledge within one business day, triage within five, and credit reporters publicly on /security/hall-of-fame on request. We do not currently run a paid bounty programme.

This overview describes BetterUs Workplace as of the date above. Changes that materially affect customer data handling are announced 30 days in advance via email to named admin contacts and on /changelog. For a custom DPA, BAA, or SIG questionnaire response: hello@thebetterusproject.com.