Certification and security

There is zero data exchange between employers and Peppy, so you and your people are in safe hands.

We are entrusted with people's personal information, and protecting that data is our paramount responsibility in providing a safe, secure, and trustworthy service.

Chris Smith

Head of Information Security

Peppy

Keeping data secure is our biggest priority. It means our users trust the service, and our clients feel confident offering Peppy to their team.

Data security is our no.1 priority

Hear from our team about why we invest in making Peppy as safe, secure and trustworthy as possible.

  • Our total commitment to trust

    Here at Peppy, we bring deep expertise in everything we do – including security. Our commitment to our clients, partners and every one of our users are to keep them and their information safe, whilst maintaining fluidity, innovation and pace. And don’t just take our word for it – we understand that transparency and trust are incredibly important in the space we operate. We seek rigorous external verification of our commitment to the highest standards of clinical safety and information security, and hold the following certifications:

     

    • ISO 27001 certification
    • Cyber Essentials (Plus) certification
    • FSQS registration
    • NHS Digital DSP Toolkit assessment
    • Regular Penetration Testing
    • Comprehensive Information Security Due Diligence assessments conducted on us by leading financial, legal and insurance organisations
    • CQC Registered
  • Personalised support without the personal data

    We do not receive any personal data from the employer organisation. Our service is delivered under a direct end-user agreement with the employee using the service, where Peppy is the Data Controller. Personal data, including health data, is collected from employees during the services. Only data required to deliver the service and to satisfy data protection and clinical governance requirements are collected from employees. Event and data usage analysis are performed on data sets that do not contain personal data. Employees provide their personal details directly to Peppy (the Data Controller).

    For clinical safety and safeguarding reasons, this includes their full name, date of birth, phone number, personal email address, and answers to the service questionnaire to assess their symptoms and support need correctly. Additional personal and sensitive category data is shared by the employee during use of the service (chat data, consultation report data, health data for progress tracking by the employee and practitioners, usage data), and during feedback (contact details, clinical data, general feedback).

  • Security and privacy at the heart of our design

    We are a fully remote cloud-based organisation, using Google Cloud Platform (GCP) and Google Workspace as the provider of our Peppy App and office infrastructure. Google is a best-in-class provider, with comprehensive security accreditations including ISO 27001, SOC 1, 2 & 3, FIPS 140-2 Validated and supporting HIPAA compliance. We also use additional cloud tooling for user engagement and data analytics. These providers, as a minimum, are certified to ISO 27001. All of our cloud infrastructures is geographically restricted, so personal data is only ever stored and processed within designated data centre locations. In compliance with applicable data privacy and protection regulations, data originating in the UK and EEA is only processed within this geographic area. Similarly, data originating from users in the US is only processed within the US environment. Our cloud infrastructure offers us a high degree of flexibility, agility and resilience in the way we are able to deliver our services to you. Security and privacy have been fundamental design considerations right from the outset:

    • All of our cloud infrastructures are geographically restricted so personal data is only stored and processed within the designated and appropriate geographic areas and is encrypted during transit and at rest.
    • Personal data is strictly access-controlled and is segregated from other operational data.
    • We deliberately do not integrate with any client systems to minimise the touchpoints in our data and reduce the complexity of our environment.

    Personal data is never shared outside of our staff. We only provide aggregated and anonymised data back to employers as part of performance tracking. And we do not outsource any part of delivering the service to any third parties.

  • Designated Safeguarding Leads

    Designated Safeguarding Leads (DSLs) are appointed individuals within Peppy who are responsible for managing and reporting concerns about the welfare of vulnerable people. They play a critical role in implementing safeguarding policies, offering advice and support to staff, liaising with other agencies, and providing a safe environment to ensure the physical and psychological well-being of these individuals.

    Led by Linda Gillham (Director of Healthy Minds), our DSLs are: Anne Howard, Bernadette Kilbane, Freda Cuffe, Genevieve West, Janet Wingfield, Jules Sterry, Jenny Lamper.

  • Regulated by the Care Quality Commission

    A Registered Manager for the Care Quality Commission (CQC) is a person who has day-to-day responsibility for running a service such as Peppy, and ensures that the service provides people with high-quality, safe, and effective care in accordance with CQC’s fundamental standards. Our Registered Manager is Kathy Abernethy.

    On the other hand, a Nominated Individual is a senior person in the organisation who is responsible for supervising the management of the regulated activity provided. They play a critical role in ensuring the quality of services provided, maintaining compliance with CQC standards, and acting as a key point of contact with the CQC. Our Nominated Individual is Francesca Steyn RN.

    View our CQC registration page here.

     

Life at Peppy

We’re a mission-based company. Find out more about how we make Peppy a great place to work.