Certification and security

Here at Peppy, we bring deep expertise in everything we do – including security. Our commitment to our clients, partners and every one of our users are to keep them and their information safe, whilst maintaining fluidity, innovation and pace. And don’t just take our word for it – we understand that transparency and trust are incredibly important in the space we operate. We seek rigorous external verification of our commitment to the highest standards of clinical safety and information security, and hold the following certifications:

•  ISO 27001 certification
• Cyber Essentials (Plus) certification
• FSQS registration
• NHS Digital DSP Toolkit assessment
• Regular Penetration Testing
• Comprehensive Information Security Due Diligence assessments conducted on us by leading financial, legal and insurance organisations
• CQC Registered

We do not receive any personal data from the employer organisation. Our service is delivered under a direct end-user agreement with the employee using the service, where Peppy is the Data Controller. Personal data, including health data, is collected from employees during the services. Only data required to deliver the service and to satisfy data protection and clinical governance requirements are collected from employees. Event and data usage analysis are performed on data sets that do not contain personal data. Employees provide their personal details directly to Peppy (the Data Controller).

For clinical safety and safeguarding reasons, this includes their full name, date of birth, phone number, personal email address, and answers to the service questionnaire to assess their symptoms and support need correctly. Additional personal and sensitive category data is shared by the employee during use of the service (chat data, consultation report data, health data for progress tracking by the employee and practitioners, usage data), and during feedback (contact details, clinical data, general feedback).

We are a fully remote cloud-based organisation, using Google Cloud Platform (GCP) and Google Workspace as the provider of our Peppy App and office infrastructure. Google is a best-in-class provider, with comprehensive security accreditations including ISO 27001, SOC 1, 2 & 3, FIPS 140-2 Validated and supporting HIPAA compliance. We also use additional cloud tooling for user engagement and data analytics. These providers, as a minimum, are certified to ISO 27001. All of our cloud infrastructures is geographically restricted, so personal data is only ever stored and processed within designated data centre locations. In compliance with applicable data privacy and protection regulations, data originating in the UK and EEA is only processed within this geographic area. Similarly, data originating from users in the US is only processed within the US environment. Our cloud infrastructure offers us a high degree of flexibility, agility and resilience in the way we are able to deliver our services to you. Security and privacy have been fundamental design considerations right from the outset:

• All of our cloud infrastructures are geographically restricted so personal data is only stored and processed within the designated and appropriate geographic areas and is encrypted during transit and at rest.
• Personal data is strictly access-controlled and is segregated from other operational data.
• We deliberately do not integrate with any client systems to minimise the touchpoints in our data and reduce the complexity of our environment.

Personal data is never shared outside of our staff. We only provide aggregated and anonymised data back to employers as part of performance tracking. And we do not outsource any part of delivering the service to any third parties.