GPTW Institute Philippines, Inc.

Policy Explanation

Will GPTW provide a copy of its SOC 1 and/or SOC 2 audits or other third-party security/financial audits?

Yes. The GPTW analytical survey platform named Emprising™ is hosted by the cloud provider Microsoft Azure. GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times. This legal protection is passed along to all GPTW clients through the warranties in the Products and Services Agreement for the entire term of our engagement as detailed below. The Azure audit reports and other resource documentation, as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws, are found at the following URL: https://servicetrust.microsoft.com/ and other compliance offerings at: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. A general article about Azure compliance is here: https://www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/ and a blog here: https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/. There are some country-specific compliance resources as well. For example, compliance in Germany is addressed at the following URL: https://servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3.

GPTW provides the highest standard of legal protection by warranting to our clients that during the entire term of the engagement, GPTW will comply with the following industry standards: Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This warranty is stated in Section 7 (Data Security) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com.ph/products-services-agreement.

GPTW uses commercially reasonable efforts consistent with industry standards to collect, transmit, store, protect and maintain the Data and Company Data obtained through the Services. GPTW represents and warrants that during processing or the term of the client’s engagement it complies with the European Union (EU) 2016 General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 AB 375 (CCPA), and the Data Protection Laws of all other countries, states, or regulating bodies. This warranty is stated in Section 8 (Data Privacy) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com.ph/products-services-agreement

In an abundance of caution, GPTW also provides the same warranties and representations for the GPTW Network even though it does not support Emprising. Any communication between Emprising hosted on Azure and the GPTW Network is strictly limited to an end-to-end secure VPN connection using the IPSec protocol. Accordingly, GPTW considers the third-party security/financial audits of the GPTW Network to be confidential and does not release them to any company. There are several reasons for this policy. First, the audits are static in time and may not cover the entire term of the company’s engagement. Second, the audits provide no legal protection to a company. Third, a company having possession of these audits places itself at serious risk for no benefit, e.g. should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that the company’s possession of the audits did not cause the GPTW breach. Instead, GPTW provides the highest standard of legal protection by warranting to all GPTW clients that during the entire term of the engagement GPTW will comply with the following industry standards:

Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This warranty is found on the GPTW website in Section 7 (Data Security) of the GPTW Products and Services Agreement (PSA).

GPTW maintains a full-time Data Protection Officer (DPO) to ensure compliance with the DPA and its IRR and other relevant issuances of the NPC and regulatory government agencies. The DPO reports directly to the President of GPTW. GPTW also employs a full-time Certified Information Privacy Practitioner (CIPP) and staff who are certified by the International Association of Privacy Professionals (www.iapp.org), whose credentials are accredited by the American National Standards Institute (ANSI) under the International Organization for Standardization (ISO) standard 17024:2012.

Can a Company use its Master Services Agreement?

Yes, but only after payment of a review fee received before any review starts. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low price quote means accepting the GPTW Order Form and/or SOW and the GPTW Products and Services Agreement found at the website: www.greatplacetowork.com.ph/Products-Services-Agreement. The quote does not include what GPTW needs to be compensated for the extra time and personnel required to perform the review and the documentation that must be developed just for your Company. It is important to note that because of the unique products and services being delivered by GPTW, a company’s Master Services Agreement definitely will not properly address Data ownership, Data processing, compliance with global privacy compliance laws, compliance with all Data Protection Laws, compliance with Data security industry standards, etc.

Can a Company change the GPTW Product and Services Agreement?

Yes, but only after payment of a sizeable review fee received before any review starts. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low price quote means accepting the GPTW Order Form and/or SOW and the GPTW Products and Services Agreement found at the website: www.greatplacetowork.com.ph/Products-Services-Agreement. The quote does not include what GPTW needs to be compensated for the extra time and personnel required to perform the review and the documentation that must be developed just for your Company. It is important to note that because of the unique products and services being delivered by GPTW, a company’s Master Services Agreement definitely will not properly address Data ownership, Data processing, compliance with global privacy laws, compliance with all Data Protection Laws, compliance with Data security industry standards, etc.

Will GPTW fill out a Company’s security survey/document?

Yes, but only after payment of a sizeable review fee received before any review starts. All of the answers to any security survey are found on the GPTW website at www.greatplacetowork.com.ph/External-Security-Policy. The Company can use the GPTW External Security Policy to fill out its own security survey. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low-price quote means accepting the answers provided in the above GPTW External Security Policy. Otherwise, GPTW needs to be compensated for the extra time and personnel required to answer the survey. Furthermore, a company’s security survey provides no legal protection. A survey is static in time and may not cover the entire term of the company’s engagement. Instead, GPTW provides the highest standard of legal protection by warranting to the company that during the entire term of the engagement GPTW will comply with the following industry standards:

GPTW represents and warrants that during the Term it complies with Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This is found on the GPTW website in Section 7 (Data Security) of the GPTW PSA.

Will GPTW provide Certificates of Insurance (COI)?

Yes, but only after payment of a sizeable review fee received before retrieval begins. Why the fee? GPTW has quoted to Company the lowest price for its products and services. This low-price quote means accepting the quote without further involvement of GPTW personnel. Otherwise, GPTW needs to be compensated for the extra time and personnel required to retrieve the COI. Furthermore, a Certificate of Insurance provides no legal protection. A COI is static in time and may not cover the entire term of the company’s engagement. Instead, GPTW provides the highest standard of legal protection by warranting to the company that during the entire term of the engagement GPTW will carry the insurance coverage itemized in Section 12.8 (Insurance) of the GPTW PSA found on the GPTW website.

ABOUT OUR METHODOLOGY

To be eligible for the World’s Best Workplaces list, a company must apply and be named to a minimum of 5 national Best Workplaces lists within our current 58 countries, have 5,000 employees or more worldwide, and at least 40% of the company’s workforce (or 5,000 employees) must be based outside of the home country. Extra points are given based on the number of countries where a company surveys employees with the Great Place to Work Trust Index©, and the percentage of a company’s workforce represented by all Great Place to Work surveys globally. Candidates for the 2017 World’s Best Workplaces list will have appeared on national workplaces lists published in September 2016 through August 2017.
