CoachHub
Data Processing Agreement
Last update: June 29, 2025
This CoachHub Data Processing Agreement and its appendices (the “DPA”) form part of the CoachHub General Terms and Conditions of Service or of any superseding Master Service Agreement or other agreement that references it (“Agreement”) entered into by and between Customer (as defined in the Agreement) and CoachHub, to reflect the Parties’ agreement with respect to the processing of Personal Data by CoachHub on behalf of Customer in connection with the Services.
This DPA is effective upon the effective date of the Agreement.
In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
1. Definitions
Capitalized terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
1.1. “Customer Personal Data” or “Customer Personal Information” means Personal Data and Personal Information processed by CoachHub on behalf of Customer under this DPA and the Agreement in connection with the Services;
1.2. “Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Customer Personal Data under the Agreement, including, where applicable (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR“), together with any national implementing laws in any EU Member State, (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR“) and the UK Data Protection Act 2018 (together the “UK Data Protection Laws”); (iii) the Swiss Federal Act on Data Protection of 19 June 1992; and (iv) laws and regulations of the United States of America, including the California Consumer Privacy Act of 2018, Cal. Civil Code Sec. 1798.100 et seq. (“CCPA”); in each case as amended, repealed, consolidated or replaced from time to time;
1.3. “EEA” means the European Economic Area;
1.4. “EU” means the European Union;
1.5. “Personal Data Breach” means any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. Personal Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems;
1.6. “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en, as may be amended, superseded or replaced from time to time;
1.7. “Sub-Processor” means a third party engaged by CoachHub as another Processor under this DPA to process Customer Personal Data in order to provide parts of the Services;
1.8. “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office and laid before Parliament in accordance with section 119A of the UK Data Protection Act 2018 on 2 February 2022 (as it is revised under its Section 18) to facilitate the international transfer of Personal Data in compliance with the UK GDPR, and currently found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf;
The terms “Personal Data”, “Data Subject”, “processing”, “Controller” and “Processor” as used in this DPA have the meanings given in the GDPR. The terms “Business”, “Business Purpose”, “Consumer”, “Personal Information”, “Sell”, “Share” and “Service Provider” as used in this DPA have the meanings given in the CCPA.
2. Scope, Role of the Parties and Details of Processing
2.1. This DPA applies to any processing of Customer Personal Data by CoachHub subject to Data Protection Laws.
2.2. Customer and CoachHub agree and acknowledge that with respect to the processing of Customer Personal Data on behalf of Customer:
(a) CoachHub is the Processor of such Customer Personal Data and Customer is the Controller;
(b) For the purposes of the CCPA (to the extent applicable), Customer is the Business and CoachHub is the Service Provider and receives Customer Personal Data pursuant to the Business Purpose of providing the Services to Customer in accordance with the Agreement;
(c) Appendix 1 describes the subject matter and details of the processing.
2.3. At the Customer's request, the CoachHub Platform may be integrated with third-party products (such as the Customer’s Microsoft Teams space) via a dedicated API to enable the sharing of Personal Data or Personal Information from the third-party product to the CoachHub Platform. The Parties acknowledge that, in this case, CoachHub remains the Customer's Processor and acts on the Customer's instructions. The Parties further acknowledge that CoachHub is not responsible for third-party products.
3. Obligations of Customer
3.1. Customer, in its use of the Services, shall comply with Data Protection Laws.
3.2. Customer shall be solely responsible for (i) the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such data; (ii) complying with all necessary transparency and lawfulness requirements under Data Protection Laws, including obtaining any necessary consents and authorizations and having any and all required legal bases in order to collect, process and transfer to CoachHub the Customer Personal Data, and to authorize the processing by CoachHub, and for CoachHub’s processing activities on Customer’s behalf, including the pursuit of Business Purposes as under the CCPA; and (iii) ensuring that its instructions to CoachHub regarding the processing of Customer Personal Data comply with applicable laws, including Data Protection Laws.
3.3. Customer shall immediately inform CoachHub if Customer detects any errors or irregularities in the data processing operations which affect compliance with Data Protection Laws.
4. Processing of Customer Personal Data on behalf of Customer
4.1. CoachHub shall only process Customer Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s documented and lawful instructions, except where and to the extent otherwise required by applicable laws (the “Permitted Purposes”).
4.2. The Parties agree that the Agreement (including this DPA), together with Customer’s use of the Services in accordance with the Agreement, constitute Customer’s complete instructions to CoachHub in relation to the processing of Customer Personal Data. Any additional instruction from Customer must be made in writing, specifying the purpose concerned and the operation to be carried out, being understood that the implementation of any additional instruction may be conditional on Customer's acceptance of the corresponding cost estimate issued by CoachHub.
4.3. CoachHub shall immediately inform Customer if, in its opinion, an instruction of Customer infringes Data Protection Laws. CoachHub may, without any kind of liability to Customer, temporarily cease all processing of the affected Customer Personal Data (other than securely storing such data) until such time as Customer issues new instructions with which CoachHub is able to comply.
4.4. Customer acknowledges that certain Services under this Agreement involve the use of Artificial Intelligence (AI) systems to process Personal Data. These systems comply with the GDPR, including without limitation GDPR requirements on transparency, purpose limitation, data minimization, and safeguards for automated decision-making where applicable. CoachHub will conduct risk assessments, implement appropriate security measures, and provide Customer with relevant information about the AI systems’ operations and their impact on Personal Data processing upon request. Any processing of Personal Data for a purpose other than the provision of the Services (such as training machine learning systems with Personal Data) will only be carried out with the prior consent of the Customer and/or the Data Subject or as otherwise permitted under applicable law.
5. CoachHub Personnel
5.1. CoachHub personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. CoachHub conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
5.2. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, CoachHub’s confidentiality and privacy policies. Personnel handling Customer Personal Data are provided with security training. CoachHub’s personnel will not process Customer Personal Data without authorization and always on a need-to-know basis.
6. Security
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CoachHub shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as described under Appendix 2 to this DPA (the “Security Measures”).
6.2. Customer acknowledges and agrees that the Security Measures provide a level of security appropriate to the risk in respect of Customer Personal Data.
6.3. CoachHub may update the Security Measures from time to time provided that such updates do not materially decrease the overall protection of Customer Personal Data.
6.4. Customer acknowledges that the Services are not designed, intended for, or authorized to process special categories of Personal Data (“Sensitive Data”). The extent of any submission of Sensitive Data in connection with the use of the Services, including those involving the use of an AI system, is determined and controlled by Customer in its sole discretion and at its own risk.
7. Sub-processing
7.1. Customer agrees that CoachHub may engage Sub-Processors to process Customer Personal Data on Customer’s behalf.
7.2. The list of Sub-Processors currently engaged by CoachHub and authorized by Customer is accessible from this webpage:
7.3. CoachHub shall inform Customer of any intended changes of that list through the addition or replacement of Sub-Processors at least thirty (30) business days in advance by posting any update on CoachHub’s public website. Customer shall have the right to object to such changes for reasons relating to the protection of Personal Data intended to be processed by such Sub-Processor by providing a written notice to CoachHub at privacy@coachhub.com, listing all specific legitimate gaps allegedly preventing the use of such Sub-Processor by CoachHub, within thirty (30) business days after receipt of CoachHub’s notice. Customer may also subscribe to CoachHub’s Sub-Processor update subscription and receive automatic updates to CoachHub’s Sub-Processors (https://resources.coachhub.com/subprocessor-update-subscription). Failure to object to such new Sub-Processor in writing within such time period shall be deemed as acceptance of the new Sub-Processor by Customer.
7.4. In the event Customer reasonably objects to a new Sub-Processor, as permitted in clause 7.3, CoachHub shall have the right to cure the objection through one of the following options (to be selected at CoachHub’s sole discretion): (i) cancel its plan to use the Sub-Processor with regard to Customer Personal Data; (ii) take the corrective steps curing the gaps listed by Customer in its objection (which steps will be deemed to resolve Customer’s objection) and proceed to use the Sub-Processor to process the Customer Personal Data. If CoachHub is unable to implement any of such remediations and no commercially reasonable resolution can be achieved by the Parties, Customer may, as a sole remedy, terminate the affected Service in accordance with the termination provisions of the Agreement without liability to CoachHub (but without prejudice to any Fees due to CoachHub prior to termination). Until a decision is made regarding the new Sub-Processor, CoachHub will temporarily suspend the processing of affected Customer Personal Data by that Sub-Processor.
7.5. When engaging a Sub-Processor, CoachHub shall do so by way of a contract which imposes on the Sub-Processor, in substance, the same data protection obligations as the one imposed on CoachHub in accordance with this DPA.
7.6. CoachHub shall remain fully responsible to Customer for performance of each Sub-Processor’s obligations and will be Customer’s sole point of contact regarding the processing of Personal Data by the Sub-Processor.
7.7. Coaches are freelancers and thus not Sub-Processors or third parties, as defined by Art. 4(10) GDPR (“Third Parties”). This DPA only applies to Coaches as a fallback in case and to the extent there is a final determination - not subject to appeal or preliminarily enforceable - that Coaches must be regarded as Sub-Processors or Third Parties. In this case, Coaches who provide Services to Customer automatically join this DPA.
8. Data Subject Rights
8.1. In the event that CoachHub receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data, CoachHub shall, to the extent legally permitted, promptly notify Customer and not respond directly unless legally required to do so.
8.2. To the extent that Customer is unable to independently address a Data Subject request through the Service, then upon written request CoachHub will provide reasonable assistance to Customer to respond to any Data Subject requests.
8.3. Data Subjects utilizing AIMY, CoachHub’s AI-based coaching platform, can typically directly manage and delete their personal data through their account settings, ensuring that they retain full control over their data.
8.4. CoachHub shall not be liable if Customer fails to respond or correctly or timely respond to any Data Subject request.
8.5. If claims pursuant to Article 82 GDPR are brought by the Data Subject against CoachHub or Customer, the Parties shall assist each other in their defense against such claims.
9. Personal Data Breach
9.1. CoachHub shall notify Customer without undue delay after becoming aware of any Personal Data Breach and provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer to assist Customer to meet Customer's obligations to report a Personal Data Breach as required under Data Protection Law. Such notification shall not be interpreted or construed as an admission of fault or liability by CoachHub.
9.2. CoachHub shall make reasonable efforts to identify the cause of such Personal Data Breach and take all measures CoachHub deems necessary and reasonable to remediate the cause of such a Personal Data Breach to the extent it is within CoachHub’s reasonable control.
9.3. The obligations herein shall not apply to incidents that are caused by Customer or its Permitted Users.
10. Assistance
10.1. If, pursuant to Data Protection Law, Customer is required to perform a data protection impact assessment or prior consultation with a data protection supervisory authority, at Customer's request, CoachHub will provide such documents as are generally available for the Services (e.g., this DPA, the Agreement, Audit Reports and Certifications). Any additional assistance shall be mutually agreed between the Parties.
10.2. CoachHub may assist Customer, at Customer’s request and cost, in ensuring compliance with Customer’s obligations pursuant to Data Protection Laws.
11. Download or Deletion of Customer Personal Data
11.1. Customer may, at any time before the expiration or termination of the Agreement, (i) download Customer Personal Data available on the Platform or (ii) request CoachHub to provide a copy thereof.
11.2. Upon termination of the Agreement, CoachHub shall delete all the Customer Personal Data promptly and in any event within six (6) months.
11.3. CoachHub may retain Customer Personal Data to the extent authorized or required by Data Protection Laws and only to the extent and for such period as authorized or required by Data Protection Laws and always provided that CoachHub shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only processed as necessary for the purpose(s) specified in the Data Protection Laws authorizing or requiring its retention and for no other purpose.
12. Information and Audit
12.1. CoachHub shall make available to Customer, at its own expense, all information that Customer may reasonably request to demonstrate compliance with this DPA and Data Protection Laws.
12.2. CoachHub shall allow for and contribute to audits, including inspections, of the processing activities covered by this DPA, in accordance with the following procedures:
12.2.1. CoachHub undertakes to regularly test and evaluate the technical and organizational measures implemented in accordance with this DPA. The results of these tests and evaluations will be recorded in an audit report (the "Audit Report").
12.2.2. Upon Customer’s written request, CoachHub will provide Customer or its mandated auditor with a copy of the latest Audit Report.
12.2.3. CoachHub will also provide Customer or its mandated auditor with any additional information it may require regarding the technical and organizational measures in place, in order to help Customer understand the scope of these measures.
12.2.4. If further information is needed by Customer to comply with its own audit obligations or a competent data protection supervisory authority’s request, Customer will inform CoachHub in writing to enable CoachHub to provide such information or to grant Customer access to it.
12.3. If the Audit Report or the additional information provided by CoachHub in accordance with clause 12.2.1 to 12.2.4 reveals a material breach of this DPA, Customer may conduct audits in accordance with the following principles:
12.3.1. The audit must be preceded by a document audit under the conditions of Section 12.2. which revealed material points of non-compliance of CoachHub.
12.3.2. The audit must be conducted by an independent, reputable, third-party auditor jointly selected by the Parties for its expertise, independence and impartiality. Any auditor selected by the Parties to conduct an audit shall not be a competitor of CoachHub, shall not be in conflict with CoachHub and shall be under confidentiality obligations no less strict than the obligations of Customer under the Agreement.
12.3.3. Audits may include inspections at the premises or physical facilities of CoachHub, provided that auditors shall have no right to view or access any systems, data, records or other information relating or pertaining to CoachHub’s other customers.
12.3.4. Audits may be carried out once per calendar year with a reasonable notice period of at least 20 (twenty) business days (which may be reduced to three (3) business days in case of emergency such as in case of Personal Data Breach).
12.3.5. Customer acknowledges that conducting an audit during certain busy periods is likely to interfere with CoachHub’s proper performance of the Services and substantially disrupt its business with all of its clients. Therefore, Customer may only exercise its right to audit during the period 1 March to 31 May of each year to reduce the number of parallel audits (except in case of Personal Data Breach).
12.3.6. Audits shall be carried out during normal business hours and only in a manner that causes minimal disruption to CoachHub’s business, subject to coordinating the timing of such visit and in accordance with any applicable audit procedures in order to reduce any risk to CoachHub’s other customers. Under no circumstances shall the audit performed deteriorate or slow down the Services provided by CoachHub or affect the organizational management of CoachHub.
12.3.7. CoachHub’s information collected during audit operations will be considered as confidential information and may only be used for the purposes of the audit and the necessary corrective actions to the exclusion of any other use by Customer.
12.3.8. An identical copy of the audit report shall be provided to Customer and CoachHub following the completion of the audit. The Parties may comment on this audit report. This report may, if necessary, be subject to further review by a steering committee.
12.3.9. The cost of the compliance audit shall be borne solely by the Customer.
12.3.10. In case the audit report reveals a violation by CoachHub to the terms of this DPA, CoachHub shall have a period of six (6) months from the communication of the final audit report to provide and implement, at no cost to Customer, a remediation plan. If necessary, CoachHub may exceptionally extend this period by three (3) months after expressly informing Customer and objectively justifying such extension.
12.4. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent data protection supervisory authorities on request.
13. International Data Transfers
13.1. Customer Personal Data may be transferred from the EU/EEA and the UK to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection supervisory authorities of the EEA, the EU, the Member States, or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
13.2. If the processing of Customer Personal Data involves transfers from the EU/EEA to countries which have not been subject to an Adequacy Decision, and such transfer is not permitted through alternative means approved by the European Commission or by applicable Data Protection Laws, CoachHub will take all reasonable steps to ensure that Customer Personal Data is treated securely and in accordance with Data Protection Laws, including by signing of a data transfer agreement governed by the relevant Standard Contractual Clauses. Customer acknowledges and agrees that CoachHub shall be entitled to enter into Standard Contractual Clauses with any Sub-Processor on behalf of the Customer.
13.3. For data transfers governed by UK Data Protection Laws, the UK Addendum shall apply.
14. CCPA Requirements
14.1. Customer and CoachHub hereby acknowledge and agree that in no event shall the transfer of Customer Personal Information from Customer to CoachHub pursuant to the Agreement constitute a sale of information to CoachHub, and that nothing in the Agreement shall be construed as providing for the sale of Customer Personal Information to CoachHub.
14.2. CoachHub is prohibited from using or disclosing Customer Personal Information for any purpose other than the Permitted Purposes.
14.3. CoachHub shall not Sell or Share Customer Personal Information.
14.4. To the extent applicable to the Services, CoachHub hereby certifies that it understands and will comply with the requirements in this DPA relating to CCPA.
15. Liability
15.1. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
15.2. Customer acknowledges that CoachHub is reliant on Customer for direction as to the extent to which CoachHub is entitled to use and process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, CoachHub will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by CoachHub, to the extent that such action or omission resulted directly from the Customer's instructions or from Customer's failure to comply with its obligations under Data Protection Laws and CoachHub was acting in accordance with Customer’s instructions.
Appendix 1: Details of Processing
Subject Matter
CoachHub’s provision of the Services to Customer.
If Customer has a subscription for AIMY (CoachHub’s AI Chat Bot), the subject matter is specifically to provide the SaaS Services, including provision of user accounts, processing of the user interactions, and the aggregation and anonymization of Customer Data (as defined in the Agreement).
Duration of the Processing
The Processing is performed for the duration of the Agreement.
When using AIMY, voice recordings are deleted immediately after transcription and are not retained. The transcript of the request and the chat are kept until the Data Subject deletes their history or until the end of the Agreement, whichever comes first.
Nature and Purpose of the Processing:
CoachHub will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Agreement.
This notably involves the following processing operations: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Only if and to the extent that the Services include AI Coaching Companion and/or AIMY:
In the interest of both the Customer and CoachHub, the content of the (typically anonymized) chat with AI Coaching Companion may be monitored in order to limit the risks of harmful and abusive use of Coaching Companion.
Categories of Data:
If Customer uses the CoachHub Platform:
a. Identification Data: name, title and position, contact information (company email, phone number for example for the dial-in feature), salutation (Mr./Ms.)
b. CoachHub Platform Data:
c. Information during Video Calls (unless end-to-end encrypted): audio/video transmission, CoachHub Platform Coachee ID, User Agent, Coachee IP address, Coachee location (used to provide the best possible video and sound quality). Video calls are not recorded.
d. Data Processing Protocols may contain:
Only if and to the extent that the Services include psychometric assessments of the Coachee:
e. Psychometric Assessment Data
If Customer has a Subscription for the AI Chat Bot AIMY:
a. Identification Data such as: name, title and position, contact information (company email, phone number for example for the dial-in feature), salutation (Mr./Ms.)
b. CoachHub SaaS Services Data such as:
c. Data Processing Protocols may contain:
Data Subjects:
Coachees
Coachee Counterparts (limited to the cases defined above in section “Categories of Data”, para. e) Psychometric Assessment Data)
Only if and to the extent that the Services include psychometric assessments (or other kind of coaching related assessment) of the Coachee provided by independent providers:
Personal data collected by the third-party service provider and shared with CoachHub according to and aligning with Customer’s instructions.
Appendix 2: Security Measures
PEOPLE SECURITY
Personnel Security Management
CoachHub maintains established policies and procedures designed to standardize employee onboarding and offboarding using automated processes, enabled by using identity and access management (IAM). Background checks are performed on new employees in accordance with CoachHub’s hiring procedures and applicable law prior to onboarding. Confidentiality agreements and terms of acceptable use are in place for each party.
Security Awareness Training
In order to promote a culture that enables members of CoachHub’s workforce to safeguard data and information in a secure manner, CoachHub maintains a comprehensive Security Awareness Training program to address general and role-based security training.
Policy Communication and Enforcement
All information security policies are communicated internally and available for reference in a centralized location. Known violations of policies follow an established disciplinary and enforcement process.
DATA SECURITY
Encryption
CoachHub data is encrypted in transit and at rest using industry-standard algorithms and protocols: AES-256 for stored data and TLS for data in transit. Encryption keys are stored securely with limited access. Encryption is applied at several layers of the application infrastructure and can include disk, application, and database encryption. Sharing of encryption keys is prohibited and key management procedures are reviewed on a yearly basis.
Product Access Controls
CoachHub provides a number of mechanisms to help customers keep their data secure and control access. This includes a series of controls that are based on the principle of least privilege. We encourage all customers to enable integration into their Federated Identity Provider through SAML. CoachHub’s platform is fully responsive across desktop, laptop, and mobile devices. It supports industry-standard SAML 2.0 for Single Sign-on (SSO) and user authentication. Security event and audit logs are collected and continuously monitored to detect and respond to anomalous behavior.
Multi-factor authentication (MFA), or SSO when available, is required for CoachHub’s employees to access CoachHub’s core information systems and resources. Access is controlled through a central directory system, with access limited and granted based on the principle of least privilege.
Network Controls
The CoachHub platform is built on isolated, private networks using security groups and firewalls within AWS. All inbound and internal traffic is restricted to specific ports. All traffic rates, sources, and types are actively monitored at various points in the network beyond ingress and firewalls. CoachHub logically isolates customer data using application container technology and unique identifiers, which ensures that access to customer data is limited to only that customer.
Data Retention and Disposal
Customer data will be deleted upon written request or by default at the end of the contractual relationship according to the CoachHub Data Deletion Policy. Certain data may be accessed or deleted directly by the Coachee in the CoachHub App. Data is retained as needed to satisfy data classification and/or external requirements. Processes are in place for the secure disposal of tangible property containing Customer Data; they take into account available technology so that Customer Data cannot practicably be read or reconstructed.
SDLC (Secure Development Lifecycle)
Agile Development
CoachHub has a dedicated cross-functional team to drive the Secure Development Lifecycle (SDLC) that supports the principles of agile development.
This group is responsible for the coordination, communication, refinement, development of and adherence to security controls in our processes. In order to ship secure, high-quality products at pace, CoachHub leverages automated Security Testing to identify any potential vulnerabilities within source code, dependencies, and underlying infrastructure before releasing to our customers.
Dependency and third party library scanning
CoachHub analyzes project dependencies to determine vulnerabilities. Strict scoring criteria prevent the shipment of vulnerable dependencies in a product until they are resolved by Engineering teams.
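The paragraph above describes a scoring gate in the abstract. As an added illustration (not CoachHub’s own code, tooling or report format), the following script shows how such a gate is typically wired into CI: a scanner report is parsed, every finding at or above a CVSS threshold blocks the build, and an accepted-risk exception can only waive a finding until its review date expires. The report shape, package names, advisory identifiers and scores are constructed for this example and correspond to no real advisory.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample scanner output in a generic shape (assumption: not the
# format of any specific tool). Names, advisory ids and scores are invented.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "example-http", "version": "1.2.0",
         "vulns": [{"id": "EXAMPLE-0001", "cvss": 9.8, "fix_versions": ["1.2.1"]}]},
        {"name": "example-yaml", "version": "0.9.0",
         "vulns": [{"id": "EXAMPLE-0002", "cvss": 5.3, "fix_versions": []}]},
        {"name": "example-log", "version": "3.0.0", "vulns": []},
    ]
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    cvss: float
    fix_versions: tuple[str, ...]


def parse_report(raw: str) -> list[Finding]:
    """Flatten the scanner JSON into one Finding per (package, advisory) pair."""
    data = json.loads(raw)
    findings: list[Finding] = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            findings.append(Finding(
                package=dep["name"],
                version=dep["version"],
                advisory=vuln["id"],
                cvss=float(vuln["cvss"]),
                fix_versions=tuple(vuln.get("fix_versions", [])),
            ))
    return findings


def evaluate(
    findings: list[Finding],
    threshold: float = 7.0,
    exceptions: dict[str, str] | None = None,
    today: str | date | None = None,
) -> tuple[list[Finding], list[Finding]]:
    """Split findings into (blocking, waived).

    A finding blocks the build when its CVSS score is at or above the threshold
    and no unexpired risk-acceptance exception exists for its advisory id.
    `exceptions` maps advisory id -> ISO expiry date. An expired entry is
    ignored, so an accepted risk cannot silently outlive its review date.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    exceptions = exceptions or {}
    blocking: list[Finding] = []
    waived: list[Finding] = []
    for f in findings:
        if f.cvss < threshold:
            continue
        expiry = exceptions.get(f.advisory)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            waived.append(f)
        else:
            blocking.append(f)
    return blocking, waived


def gate(raw: str, threshold: float = 7.0, exceptions=None, today=None) -> int:
    """Return a CI exit code: 0 to ship, 1 to block. Prints the reasons."""
    blocking, waived = evaluate(parse_report(raw), threshold, exceptions, today)
    for f in waived:
        print(f"WAIVED  {f.package} {f.version} {f.advisory} cvss={f.cvss}")
    for f in blocking:
        fix = ", ".join(f.fix_versions) or "no fixed version published"
        print(f"BLOCKED {f.package} {f.version} {f.advisory} cvss={f.cvss} fix: {fix}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Two design points matter more than the threshold value itself: the comparison is `>=`, so a finding exactly at the threshold blocks rather than slips through, and exceptions carry an expiry date so that a waiver granted for a dependency with no published fix is revisited instead of becoming permanent.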
Static Application Security Testing
CoachHub analyzes the web application source code yearly to determine bugs, technical debt, and security vulnerabilities. A strict scoring criterion is adhered to by the Engineering teams to ensure not only the security of code in our products but quality as well. Any code not meeting these criteria is not shipped until resolved.
Dynamic Application Security Testing
CoachHub runs automated web application vulnerability scans against the platform on a frequent basis. This allows for bugs, common exploits, security vulnerabilities, and issues to be discovered early on in the development process. By automating this approach, CoachHub is able to improve the quality and security of our platform for our customers.
Code Standards and Role-Based Access Control
In alignment with industry best practices, CoachHub has developed a baseline of source code controls to provide proper hygiene around code repositories supporting our platform. These controls are developed across the company. Controls automatically being enforced include but are not limited to: role-based access control, least privilege, code & repository ownership, segregation of duties, branch protections, and secrets management.
SECURITY MONITORING AND RESPONSE
Logging and Monitoring
CoachHub’s security logs are collected, aggregated, and correlated using a centralized security information and event management (SIEM) solution. Industry-standard log protection mechanisms are in place to ensure the integrity of the logs generated.
Incident Response
CoachHub has security incident response procedures in place to be followed in the event of any security breach. These procedures include areas that cover roles and responsibilities, investigation, communication, event logging, and remediative actions to be taken.
Contingency Planning
Availability of data is protected through the use of data replication and backup services provided by AWS. Data backups are captured on a periodic basis according to a defined schedule. CoachHub leverages automated scaling to centrally deploy backup policies to configure, manage, and govern backup activity across CoachHub’s AWS resources.
Business continuity and disaster recovery plans and processes are maintained for responding to an emergency or adverse event that could damage Customer Data or production systems that contain Customer Data. Data restore tabletop testing exercises are completed bi-annually employing methodologies based on best practices and various scenarios. Test results enable CoachHub to verify the integrity of backup data and assurance in achieving recovery point and time objectives (RPO/RTO), as defined in CoachHub’s Business Continuity Plan (BC Plan).
Penetration Testing
CoachHub uses the services of a reputable third party for an independent penetration test of our web application on a yearly basis. These tests have resulted in continuous updates to our products and processes for improving security and reliability. These assessments are part of ongoing compliance and security requirements to keep CoachHub a trusted provider of services.
A customer-facing redacted executive summary of the latest penetration test is made available to customers under mutual non-disclosure agreement.