Empuls operates a formally certified Information Security Management System (ISMS) built on ISO 27001:2022 and the NIST Cybersecurity Framework 1.1, covering every layer of the employee recognition and rewards platform — from data storage and access control to incident response and disaster recovery.
Security Framework and Governance
Empuls designs its security posture around two globally recognised standards: ISO/IEC 27001:2022 for information security management and the NIST Cybersecurity Framework (CSF) 1.1. The five NIST CSF core functions (Identify, Protect, Detect, Respond, and Recover) map directly to controls within the Empuls ISMS, providing a structured and auditable approach rather than a compliance-only checklist. Governance sits with a dedicated Chief Information Security Officer (CISO), supported by a cross-functional Information Security Steering Committee and an internal audit team. Security policies are version-controlled, communicated across departments, and reviewed on the Plan-Do-Check-Act (PDCA) cycle to ensure continuous improvement rather than point-in-time compliance.
Core Security Controls
Access to Empuls and the data it holds is governed by role-based, least-privilege principles. Multi-factor authentication (MFA) is enforced across user accounts, and access rights undergo formal quarterly reviews. When Empuls connects to HR systems of record — such as Workday, SAP SuccessFactors, or Darwinbox — data flows over encrypted channels only. All data in transit is protected using TLS 1.2+ and all data at rest is encrypted with AES-256. Network domains are segregated, firewall logs are reviewed continuously, and application development follows a secure SDLC aligned to OWASP standards. Vulnerability Assessment and Penetration Testing (VAPT) is conducted annually by an independent third party.
Incident Response and Business Continuity
Empuls maintains a formal incident response process covering detection, containment, investigation, and root-cause analysis, with defined escalation paths to senior leadership. This process is tested regularly, not documented and shelved, so response times stay predictable if an event occurs. Business Continuity and Disaster Recovery plans are tested annually with defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) metrics. Physical data centre controls include restricted access, CCTV monitoring, and redundant power and HVAC systems.
Auditing and Continuous Improvement
Internal audits run annually and are supplemented by ISO surveillance audits and third-party VAPT engagements. ISMS objectives, such as reductions in incident frequency and audit non-conformances, are reviewed quarterly against measurable targets. For organisations using Empuls alongside collaboration tools like Slack or Microsoft Teams, all integration touchpoints are covered under the same ISMS scope, so security controls apply end-to-end across the recognition workflow, not just within the Empuls application boundary. Learn more: Empuls Help Centre — General
How does Empuls handle GDPR and data privacy compliance?
Understand how Empuls manages data subject rights, retention policies, and cross-border data transfers under GDPR and equivalent frameworks.
What authentication and SSO options does Empuls support?
Empuls supports SAML 2.0 SSO with providers including Okta, Azure AD, and Google Workspace, alongside MFA enforcement for all user roles.