CoachHub Compliance Center
Security is part of CoachHub’s corporate culture

Certifications
Enterprise-Level Privacy and Information Security
As the global market leader in digital coaching, we take our responsibility to protect your data very seriously. CoachHub adheres to the highest industry standards (such as GDPR, ISO27001, ISO27701, SOC2 Type II, and TISAX) to guarantee your data is handled professionally. In dealing with your customer data, we act as a processor (not controller) of your data, meaning your data is always your data and under your control.
At CoachHub, we care about security as a matter of corporate culture: we use technical and organizational measures at enterprise level:
- PCI DSS Level 1, ISO 9001, SOC 2 and ISO 27001 certified data centers
- Multi-factor authentication and password managers
- No recordings of coaching sessions
- End-to-end encryption
- FIDO2 authentication for admins
- Automated vulnerability testing
- Many other security best practices, as evidenced by our various certifications (including ISO27001, ISO27701 and SOC2 Type II)
Trust Center
Without security there is neither privacy nor confidentiality. For details, please refer to the materials in our Trust Center or contact us at infosec@coachhub.com.
The CoachHub Group, with over 10 subsidiaries around the world, operates across 70 countries within 6 continents.
Compliance with the GDPR
Taking privacy and data protection laws to the next level, the General Data Protection Regulation (GDPR) has, since May 2018, revolutionized and unified European Union (EU) and European Economic Area (EEA) data protection laws. Integrity and trust are at the heart of coaching at CoachHub, which is why the GDPR is very important to us. Beyond complying, we seek to improve the protection of our European partners’ rights and provide a transparent overview of how we safeguard their data. Further, as the forerunner and gold standard in data protection, the GDPR inspires other data protection laws across the globe with which we comply, such as the California Consumer Privacy Act (CCPA).
A comprehensive overview of the GDPR
Important changes introduced by the GDPR include more rights for EU individuals, extensive data breach notification duties, strict security requirements, cross-border data protection, extensive accountability and easier enforcement. Consistent application matters: the European Court of Justice and the entirety of Chapter 7 ensure the GDPR is applied cooperatively and consistently across the EEA. The GDPR supports the common data market, allowing for easier flow of personal data within the EEA and with third countries that have comparable data protection standards. Measures such as Binding Corporate Rules, Adequacy Decisions and Standard Contractual Clauses (SCC) secure the processing of personal data in third countries with lower data protection standards. We are and remain up to date with the latest European court decisions (such as Schrems II) and other European Data Protection Board (EDPB) guidelines.
Please refer to our standard Data Processing Addendum for details on how we comply with the GDPR and related laws and regulations.
For updates on our subprocessors, please subscribe here.
Compliance with the CCPA
We are a strong supporter of protecting consumers and their data. As our operations have expanded internationally, so has our compliance with privacy and security standards. As such, we honor the requirements of regional laws such as the California Consumer Privacy Act (CCPA). In June 2018, California passed AB 375, a consumer privacy act that enhances the privacy rights and consumer protection of California residents.
Certified Data Protection
Data protection and its security are more important than ever and a top priority at CoachHub. To prove we really mean it, we offer our customers a platform with certified data protection according to ISO/IEC 27701, including state-of-the-art security. An independent on-site audit by a renowned certification authority approved CoachHub’s data protection and privacy.
Built for Global Enterprises
At CoachHub, we prioritize your experience in the design of our platform and in the compliance and data protection measures we implement, so that you can fully enjoy our digital coaching services while we handle the rest. As the leading digital coaching platform, we offer highly confidential digital coaching that scales effortlessly across global corporate groups. You have the option to receive GDPR, CCPA and other compliance requirements, as well as fully anonymous statistics on coaching success. You transparently control your data and have the freedom to decide what you want to share. Moreover, we do not stop at GDPR compliance: we aim to go further and implement important privacy and confidentiality features even where they are not legally mandated. We are committed to complying with the GDPR, CCPA and other regulations, even in cases where they may not apply to you. Further, we take pride in supporting our clients to ensure compliance with relevant foreign and international laws.
Our Commitment to Quality and the Environment
CoachHub is committed to maintaining the highest standards of quality and delivering excellence to the global business community and digital coaching market while protecting the environment. Our Quality Management System is certified according to ISO 9001:2015 and is designed to deliver a consistent, high-quality customer experience. Our environmental management system is certified according to ISO 14001 and has had an enormous impact on our emissions as well as on those of the CoachHub-certified coaches we work with. Every CoachHub employee understands the importance of a relentless focus on quality and the environment, continuous process improvement, and professional, well-documented processes. This results in increased employee morale, reliably excellent operational results, and sustained outstanding customer satisfaction.
Learn more about our Quality and Learning Policy here and within our Trust Center.
For details about our environmental measures, please visit our Trust Center or contact legal@CoachHub.com.
Top-notch Technical and Organizational Security Measures
Curious about our Technical and Organizational Measures (TOMs) when it comes to information security?
Request access to our Trust Center and contact us at infosec@coachhub.com if you have any unanswered questions.
Responsible Vulnerability Disclosure (RVD) Policy (Valid from: 2024-10-30 / Last update: 2024-10-30)
CoachHub welcomes feedback from security experts and the public to improve security. If you believe you have discovered a vulnerability, privacy issue, exposed data or another (including quality or environmental) issue in any of our assets, please feel free to let us know. This policy outlines the steps for reporting vulnerabilities to us, what we expect from you and what you can expect from us.
CoachHub welcomes reports from bona fide security professionals who are conducting or have conducted security analysis under this RVD Policy.
Test Methods
The following test methods are prohibited and not considered bona fide/authorized research:
- DoS or DDoS (Network Denial of Service) tests or other tests that compromise or damage access to a system or data.
- Physical tests (e.g. office access, open doors, eavesdropping), social engineering (e.g. phishing, vishing) or other non-technical vulnerability tests.
Scope of application
This policy applies to the digital resources listed below that are owned, operated or maintained by CoachHub.
- app.coachhub.com
- dashboard.coachhub.com
- coachhub.com
Any other resource(s) directly operated by CoachHub and not listed here for privacy/security reasons are also in scope, as long as they can be formally identified as being managed by CoachHub (e.g. hosting instances, specific tool instances… etc.).
All other services, including any associated services, are excluded from the scope and will not be accepted for review.
Outside the scope
- Assets or other equipment not belonging to CoachHub.
- Discovered or suspected vulnerabilities in out-of-scope systems should be reported to the relevant provider or authority.
- Findings from physical testing such as office access (e.g. open doors, tailgating… etc.)
- Findings derived primarily from social engineering (e.g. phishing, vishing… etc.)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
The following potential security issues are not considered in scope:
- Lack of rate limiting on any resources
- Password policy issues, including lack of upper limit on passwords
- HTTP 404 or other error codes and pages
- Banner or version disclosure of any kind
- CSRF on anonymous resources, or any CSRF issue which does not include an exploit showing control over sensitive actions
- Clickjacking issues, unless an exploit showing account takeover or disclosure of sensitive resources is provided
- Self-XSS issues
- SPF/DKIM/DMARC configuration issues
Forbidden
- DoS and overloading servers with many requests or large requests
- Accessing and copying our customer data
- Conducting research against our partners and customers
- Abusing our services to conduct fraud
- Spamming
- Use of automated scanning tools
Our obligations
- We will acknowledge receipt of your report within 20 working days.
- We will work with you to understand and validate your findings.
- We will discuss issues in an open email exchange.
- We will endeavor to keep you informed of the progress of a vulnerability as it is addressed.
- We will work to resolve discovered vulnerabilities in a timely manner within our operational capabilities.
Our expectations
If you participate in our vulnerability disclosure program in good faith, we ask that you:
- Abide by the rules, including following this Policy and any other relevant agreements. In the event of any inconsistency between this Policy and any other applicable terms, the terms of this Policy shall prevail;
- Promptly report any security vulnerabilities you discover;
- Avoid violating the privacy of others, interfering with our systems, destroying data and/or compromising the user experience;
- Only use official channels to discuss information about security vulnerabilities with us;
- Give us a reasonable amount of time (at least from the initial report) to resolve the issue before you ever consider making it public;
- Only perform tests on systems that are in scope and pay attention to systems and activities that are not in scope;
- Write reports in English if possible;
- Write a detailed description of the steps required to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful);
- If a vulnerability allows unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a proof of concept. Stop testing and submit a report immediately if you encounter user data such as personally identifiable information (PII), personal health information (PHI), credit card data or proprietary information during testing;
- Only interact with test accounts that belong to you or for which you have explicit authorisation from the account holder; and
- Do not engage in extortion.
Reporting a vulnerability
CoachHub accepts reports of security vulnerabilities at: responsible.disclosure@coachhub.com
Reports can be submitted anonymously. If you provide us with your contact details, we will acknowledge receipt of your report within 20 working days.
Please note that we record your data in connection with your report and our internal follow-up processes. If you want to know more about how we process your personal data, please read more on this page.
If you wish to report an issue anonymously, please state this in your communication, and we will not contact you or retain your personal information.
NB: CoachHub does not currently offer a policy or promise of payment or compensation for submitted vulnerability reports. However, we will seek to reward valuable reports, including by granting coaching licenses.
Presentations and more
Please contact us for details on CoachHub’s Corporate Compliance and TOMs.
Frequently Asked Questions
Yes, we do.
No.
Yes, we do: DataCo GmbH, Nymphenburger Str. 86, 80636 Munich, Germany
Yes, CoachHub meets the requirements of the GDPR: we are data protection compliant as an organization and as a platform according to the GDPR. We have been and continue to be regularly audited by DataGuard, and we may use the DataGuard Seal.
Yes, we use state-of-the-art SSL encryption in combination with an Extended Validation SSL Certificate.
No. Providing a profile picture is not mandatory. We would like to point out that, even if it were, non-personal pictures would be possible.
The CoachHub platform supports SSO with all common security standards. In particular, we support Microsoft (Azure) Active Directory, Okta and other providers.
The standard Terms of Use to access our Platform are accessible following this link: https://coachhub.com/terms/.
Only CoachHub GmbH, our main entity in Berlin, Germany, processes personal data for the CoachHub platform and web site. Other establishments may process personal data for sales purposes.
A list of contractors with further information on processing, including our data centers, can be found in our list of service providers: https://coachhub.com/subprocessors. The data are processed in accordance with the GDPR.
Generally, as the customer, you act as controller because you determine the purposes and means of processing of the personal data, and we act as processor on your behalf and in accordance with your written instructions. The same applies to anonymization we perform for your needs, for example the anonymous statistics about CoachHub usage in your company that we create on your behalf: you act as controller and we act as processor. Once anonymization is complete, the data is no longer personal and the GDPR no longer applies to it.
Data processing operations in third countries, as far as they occur, are GDPR-compliant. We have generally selected EU-located, GDPR-compliant servers, and we have concluded DPAs with our service providers. In the event that an international data transfer takes place outside the EEA to a country not benefiting from a GDPR adequacy decision, the DPAs provide for a fallback to binding corporate rules and standard contractual clauses pursuant to Art. 46 GDPR. We constantly monitor current case law and adapt our processing procedures accordingly.
- ISO 9001 on Quality
- ISO 14001 on Environment
- ISO 21001 on Learning
- ISO 27001 on Information Security
- ISO 27701 on Privacy
- SOC 2 Type II on Security and Organizational Controls
- TISAX on Privacy and Security
- Approved Data Protection
- Cyber Essentials UK
- WCAG 2.0 AA for accessibility
- EN 301549 for accessibility
Yes. We use cloud service providers such as Amazon AWS, which are safe, hold a wide array of relevant, high-level certifications, and are regularly audited. For more on AWS Data Center Controls, see here.