Certification and security

There is zero data exchange between employers and Peppy, so you and your people are in safe hands.

We are entrusted with people's personal information, and protecting that data is our paramount responsibility in providing a safe, secure, and trustworthy service.

Ben Doyle

Chief Information Security Officer


Keeping data secure is our biggest priority. It means our users trust the service, and our clients feel confident offering Peppy to their team.

Data security is our no.1 priority

Hear from our team about why we invest in making Peppy as safe, secure and trustworthy as possible.

  • Our total commitment to trust

    Here at Peppy, we bring deep expertise in everything we do – including security. Our committment to our clients, partners and every one of our users is to keep them and their information safe, whilst maintaining fluidity, innovation and pace. And don’t just take our word for it – we understand that transparency and trust are incredibly important in the space we operate. We seek rigorous external verification of our commitment to the highest standards of clinical safety and information security, and hold the following certifications:

    •  ISO 27001 certification
    • Cyber Essentials (Plus) certification
    • FSQS registration
    • NHS Digital DSP Toolkit assessment
    • Regular Penetration Testing
    • Comprehensive Information Security Due Diligence assessments conducted on us by leading financial, legal and insurance organisations
    • Care Quality Commission (CQC) Registered (UK)


  • Personalised support without the personal data

    We do not receive any personal data from the employer organisation. Our service is delivered under a direct end user agreement with the employee using the service, where Peppy is the Data Controller. Personal data, including health data, is collected from employees during the services. Only data required to deliver the service and to satisfy data protection and clinical governance requirements are collected from employees. Event and data usage analysis are performed on data sets that do not contain personal data. Employees provide their personal details directly to Peppy (as the Data Controller). For clinical safety and safeguarding reasons, this includes their full name, date of birth, phone number, personal email address, and answers to the service questionnaire to correctly assess their symptoms and support need. Additional personal and sensitive category data is shared by the employee during use of the service (chat data, consultation report data, health data for progress tracking by the employee and practitioners, usage data), and during feedback (contact details, clinical data, general feedback).

  • Security and privacy at the heart of our design

    We are a fully remote cloud-based organisation, using Google Cloud Platform (GCP) and Google Workspace as the provider of our Peppy App and office infrastructure. Google is a best-in-class provider, with comprehensive security accreditations including ISO 27001, SOC 1, 2 & 3, FIPS 140-2 Validated and supporting HIPAA compliance. We also use additional cloud tooling for user engagement and data analytics. These providers, as a minimum, are certified to ISO 27001. All of our cloud infrastructure is geographically restricted, so personal data is only ever stored and processed within designated data centre locations. In compliance with applicable data privacy and protection regulations, data originating in the UK and EEA is only processed within this geographic area. Similarly, data originating from users in the US is only processed within the US environment. Our cloud infrastructure offers us a high degree of flexibility, agility and resilience in the way we are able to deliver our services to you. Security and privacy have been fundamental design considerations right from the outset:

    • All of our cloud infrastructure is geographically restricted so personal data is only stored and processed within the designated and appropriate geographic areas and is encrypted during transit and at rest.
    • Personal data is strictly access controlled and is segregated from other operational data.
    • We deliberately do not integrate with any client systems to minimise the touchpoints into our data and reduce the complexity of our environment.

    Personal data is never shared outside of our staff. We only provide aggregated and anonymised data back to employers as part of performance tracking. And we do not outsource any part of delivering the service to any third parties.

Life at Peppy

We’re a mission-led company. Find out more about how we make Peppy a great place to work.