Download our latest White Paper: The Science Behind AIMY™
Security is part of CoachHub’s corporate culture
As the global market leader in digital coaching, we take our responsibility to protect your data very seriously. CoachHub adheres to the highest industry standards (such as GDPR, ISO27001, ISO27701, SOC2 Type II, and TISAX) to guarantee your data is handled professionally. In dealing with your customer data, we act as a processor (not controller) of your data, meaning your data is always your data and under your control.
At CoachHub, we care about security as a matter of corporate culture: we use technical and organizational measures at enterprise level:
Because without security, there is neither privacy, nor confidentiality. For details, please refer to the materials in our Trust Center or contact us at infosec@coachhub.com.
The CoachHub Group, with over 10 subsidiaries around the world, operates across 70 countries within 6 continents.
Taking privacy and data protection laws to the next level, since May 2018 the General Data Protection Regulation (GDPR) revolutionizes and unifies European Union (EU) and European Economic Area (EEA) data protection laws. Integrity and trust is at the heart of coaching at CoachHub, which is why GDPR is very important to us. Beyond complying, we seek to improve the protection of our European partners’ rights and provide a transparent overview of how we safeguard their data. Further, as the forerunner and gold standard in data protection, the GDPR inspires other data protection laws across the globe we comply with, such as the California Consumer Privacy Act (CCPA).
Important changes due to the GDPR include more rights for EU individuals, extensive data breach notification duties, strict security requirements, cross-border data protection, extensive accountability and easier enforcement. Consistent application matters: The European Court of Justice and the entire chapter 7 ensure the GDPR is applied cooperatively and consistently across the EEA. The GDPR supports the common data market, allowing for easier flow of personal data within the EEA and with third countries with comparable data protection standards. Measures such as Binding Corporate Rules, Adequacy Decisions, and Standard Contractual Clauses (SCC) secure processing of personal data in third countries with lower data protection standards. We are and remain up to date with the latest European court decisions (such as Schrems II) and other European Data Protection Board (EDPB) guidelines.
Please refer to our standard Data Processing Addendum for details on how we comply with the GDPR and related laws and regulations.
For updates on our subprocessors, please subscribe here.
We are a strong supporter of protecting consumers and their data. And as our operations have expanded internationally, so has our compliance with privacy and security standards. As such, we honor the legal requirements for regional laws such as, includes the California Consumer Privacy Act (CCPA). As of June, 2018, California passed AB 375, a consumer privacy act to better enhance the privacy rights and consumer protection for residents of California.
Data protection and its security are more important than ever and a top priority at CoachHub. To prove we really mean it, at CoachHub we offer our customers a platform with certified data protection according to ISO/IEC 27701, including state of the art security. An independent on site audit by a renowned certification authority approved CoachHub’s data protection and privacy.
At CoachHub, we prioritize your experience by designing our platform and by implementing compliance and data protection measures, to ensure that you can fully enjoy our digital coaching services while we handle the rest. As the leading digital coaching platform, we offer highly confidential digital coaching which effortlessly scales across global corporate groups. You have the option to receive GDPR, CCPA and other compliance requirements, and fully anonymous statistics on coaching success. You transparently control your data and have the freedom to decide what you want to share. We moreover do not stop at GDPR compliance: we aim to go further and implement important privacy and confidentiality features even if they are not legally mandated. We are committed to comply with the GDPR, CCPA and other regulations, even in the cases where it may not apply to you. Further, we take pride in supporting our clients to ensure compliance with relevant foreign and international laws.
CoachHub is committed to maintaining the highest standards in quality and delivering excellence to the global business community and digital coaching market while protecting the environment. Our Quality Management System is certified according to ISO 9001:2015 and is designed to deliver a consistent, high-quality customer experience. Our environmental management system is certified according to ISO 14001 and has had an enormous impact on our emissions as well as of the CoachHub-certified coaches we work with. Every CoachHub employee understands the importance of a relentless focus on quality and the environment, continuous process improvement, and professional well documented processes. This results in increased employee morale, reliably excellent operational results, and sustained outstanding customer satisfaction.
Learn more about our Quality and Learning Policy here and within our Trust Center.
For details about our environmental measures, please visit our Trust Center or contact legal@CoachHub.com.
Curious on our Technicals and Organizational Measures when it comes to information security?
Request access to our Trust Center and contact us at infosec@coachhub.com if you have any unanswered questions.
CoachHub welcomes feedback from security experts and the public to improve security. If you believe you have discovered a vulnerability, privacy issue, exposed data or other (including quality or environmental) issue in any of our assets, please feel free to let us know. This policy outlines the steps for reporting vulnerabilities to us, what we expect and what you can expect from us. CoachHub welcomes reports from bona fide security professionals who are conducting or have conducted security analysis under this RVD Policy.
The following test methods are prohibited and not considered bona fide/authorized research:
– DoS or DDoS (Network Denial of Service) tests or other tests that compromise or damage access to a system or data. – Physical tests (e.g. office access, open doors, eavesdropping), social engineering (e.g. phishing, vishing) or other non-technical vulnerability tests.
This policy applies to the digital resources listed below that are owned, operated or maintained by CoachHub.
Any other resource(s) directly operated by CoachHub and not listed here for privacy/security reasons are also in scope, as long as they can be formally identified as being managed by CoachHub (e.g. hosting instances, specific tool instances… etc.).
All other services, such as all associated services, are excluded from the scope and will not be accepted for review.
The following potential security issues are not considered in scope:
If you participate in our vulnerability disclosure program in good faith, we ask that you:
CoachHub accepts reports of security vulnerabilities at: responsible.disclosure@coachhub.com
Reports can be submitted anonymously. If you provide us with your contact details, we will acknowledge receipt of your report within 20 working days.
Please note that we register your data in connection with your report and our internal further processes. If you want to know more about how we process your personal data, please read more on this page.
If you wish to report an issue anonymously, please state this in your communication, and we will not contact you or retain your personal information.
NB: CoachHub does not currently offer a policy or promise on payment or compensation for submitted vulnerability reports. But we will seek to reward valuable reports including via granting coaching licenses.
CoachHub Privacy Notice
CoachHub Terms and Conditions
CoachHub List of Subprocessors
Subprocessor Update Subscription
Please contact us for details on CoachHub’s Corporate Compliance and TOMs.
Do you process personal data?
Yes, we do.
Can we use your platform completely without personal data?
No.
Do you have a data protection officer?
Yes, we do: DataCo GmbH, Nymphenburger Str. 86, 80636 Munich, Germany
Is the CoachHub digital coaching platform GDPR-compliant?
Yes, CoachHub meets the requirements of the GDPR.: We’re data protection compliant as an organization and as a platform according to GDPR. We have been and continue to be regularly audited by DataGuard. We may use the DataGuard Seal.
Is personal data transmitted in encrypted form?
Yes, we use state-of-the-art SSL encryption in combination with an Extended Validation SSL Certificate.
Is a profile picture mandatory?
No. The specification of a profile picture is not mandatory. We would like to point out that, even if it was, non-personal pictures would be possible.
Do you support Single Sign-On (“SSO”)? Do you support Active Directory?
The CoachHub platform supports SSO with all common security standards. In particular, we support Microsoft (Azure) Active Directory, Okta and other providers.
Where are the standard Terms of Use for the platform?
The standard Terms of Use to access our Platform are accessible following this link: https://coachhub.com/terms/.
There are several CoachHub entities. Which entity processes personal data?
Only CoachHub GmbH, our main entity in Berlin, Germany, processes personal data for the CoachHub platform and web site. Other establishments may process personal data for sales purposes.
Which service providers / contract processors do you use for the processing of personal data? Where do you process these data?
A list of contractors with further information on processing, including our data centers, can be found in our list of service providers: https://coachhub.com/subprocessors. The data are processed in accordance with the GDPR.
Are your data centers safe?
Yes. We use cloud service providers such as Amazon AWS, which are safe, boast a wide array of relevant and high-level certifications, and are regularly audited. For more on AWS Data Center Controls see here
Who is controller and processor for which processing?
Generally, as the customer, you act as controller as you determine the purposes and means of processing of the personal data, and we act as processor on your behalf and in accordance with your written instructions. You also act as controller and we act as processor handling the anonymization for your needs, for example for anonymous statistics about CoachHub in your company we create on your behalf. Once anonymization is complete, the data is no longer personal and the GDPR no longer applies to it.
Are international data transfers GDPR compliant?
Data processing operations in third countries, as far as they occur, are GDPR-compliant. We have generally selected EU located/GDPR-compliant servers. We have concluded DPAs with our service providers. In the event that an international data transfer is done outside the EEA in a country not benefiting from a GDPR adequacy decision, the DPAs provides for a subsidiary relapse to binding corporate rules and standard contractual clauses pursuant to Art. 46 GDPR. We constantly monitor current case law and adapt our processing procedures accordingly.
What certifications does CoachHub have?