Security at Oliva

👋 Introduction

At Oliva, we believe in helping companies provide proper mental health support for employees.

Proper mental health support means getting access at the right time to the right professionals. But it also means knowing that your most precious data will be safeguarded from unauthorised access, and handled with the utmost care and respect by those who need access to support you.

This is a core pillar of how we operate at Oliva, and so we’ve put this document together to guide our customers, both existing and prospective, in understanding the efforts we make to keep employee data safe and sound.

We hope this answers all your questions, but if there’s anything else you’d like to know, please reach out.

A word from Javier, Oliva Co-founder and CEO

Security and privacy are extremely important and go hand-in-hand with Oliva’s core value proposition of providing high-quality care. One without the other completely erodes trust at scale. Unless employees and employers can trust us 100% with both, it will be impossible for employers to truly create a psychologically safe culture, for employees to make progress towards their goals, and for us to transform wellbeing at scale. This is why we are so committed to fulfilling security and privacy to the highest possible standards at Oliva.

🏗️ What is Oliva

Before going into detail about our security measures, here’s a summary of what Oliva does.

We provide proper mental health support for employees.

Businesses around the world select us as their health partner to provide mental health support to their employees.

Use of our services is entirely voluntary and at each employee’s discretion, and if they choose to use them, their use is not shared in any way with the employer.

If they decide to use our services, we carry out a screening to understand some initial health information so that we can direct them to the best health professional for their needs.

Employees can then have video calls with their health professional, exchange messages, and take notes.

We provide high level data insights to the employer to support HR and leadership teams in creating a better work environment — but these insights are carefully crafted not to ever infringe on anyone’s right to privacy.

👉 In terms of data, we:

✅ store and process basic personal data.

✅ store and process special category personal data (i.e. health data).

🏢 Our organisation

🔖 Certifications

We understand that having independent validation of our security program will be important to you. We’ve already successfully passed the following security certifications:

ISO 27001:2022

✅ Passed: April 2024

We host the Oliva application and data within Amazon Web Services (AWS), which is certified under ISO 27001, as well as SOC 2 and SOC 3.

📋 Would you like a copy of our ISO 27001 certificate? Please have a look at our Vanta Trust Center.

👮‍♀️ Governance

Our CEO holds ultimate accountability for information security at Oliva, supported by our VP of Product and external security advisors.

We have a suite of policies in place that cover the following topics:

✅ Risk Management

✅ Asset Management

✅ Secure Development

✅ HR Security Management

✅ Information Security

✅ Penetration Testing

✅ Privacy & Data Protection

✅ Incident Management

✅ Third Party Suppliers

As part of operating our ISMS, these policies get reviewed annually at a minimum, and are approved by our leadership team before being distributed across the company.

👥 Human security

We make sure that our employees know that maintaining good security and privacy is the responsibility of each and every person.

Every new hire goes through an onboarding that includes security awareness training and a security checklist, so that they begin their Oliva journey with security in mind. All employees and contractors are also bound by confidentiality/non-disclosure clauses, ensuring they are legally obliged to uphold the standards we expect.

In addition, we:

✅ Provide access to applications and data based on role

✅ Widely use a company-approved and industry recognised password manager

✅ Use a robust password policy, communicated to all staff within our Information Security Policy

✅ Provide the minimum access and privileges required for someone to carry out their duties

✅ Maintain an access tracker to have full visibility on each employee’s level of access in every application we use

✅ Use our tracker to ensure that any access no longer needed is swiftly removed (on job change and offboarding)

✅ Maintain security awareness throughout the year through relevant presentations, workshops and bulletins

🔀 Operational security

We have implemented stringent technical security controls as part of our commitment to our ISO 27001 certification. These technical controls were designed by the UK National Cyber Security Centre (NCSC) to defend against the most common cyber attacks, such as phishing, malware, ransomware, password guessing and network attacks.

These technical controls cover 5 key areas:

✅  Secure configuration (computers, phones, tablets)

✅  Secure boundaries (networks and firewalls)

✅  Access control (limiting access and privileges)

✅  Anti-malware (avoiding viruses and ransomware)

✅  Patch management (keeping computers and devices up to date and secure)

As you’d expect, we mandate two-factor authentication wherever it is available, and audit this periodically to ensure we’re not missing anything.

We have anti-virus software installed on all computers, and install security updates and patches without delay.

👀 Passing ISO 27001 means that an external auditor has validated the integrity of the controls above, and we are committed to renewing this certification on an annual basis.

🔒 Physical security

Oliva has a physical office in Barcelona, as well as remote workers across Europe. Our perimeter is protected by virtual key card access, which gives us individual, fully logged access records for each staff member. We also have CCTV and alarms in place.

We rely on our robust security awareness program to ensure that our team remains constantly aware of their surroundings, avoiding physical security risks while remote working.

We also maintain a lock-screen policy whenever someone steps away from their computer, and this is backed up by a technical lockout policy. Similarly, we operate a clear-desk policy, making sure that no company materials are accessible to unauthorised people.

💽 Data protection

For Oliva, data protection and upholding privacy for our clients and their employees is a fundamental aspect of information security.

We have a comprehensive data protection program, aligned with our obligations under the UK and EU General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA). We have a close partnership with a privacy consultancy to support us in fulfilling all our obligations.

✅ We have nominated data protection champions strategically distributed across the company to take the lead on data protection in each department, in addition to every team member’s individual responsibilities

✅ We maintain a data protection risk register and continuously strive to manage risks by making informed decisions

✅ We conduct quarterly management review meetings to ensure continual progress and raise any necessary topics for review

🤝 Third parties & suppliers

At Oliva, we understand that maintaining our own security simply isn’t enough. We also have a responsibility to ensure client data is only shared where absolutely necessary, and to those who will protect it to an equally high standard.

As a result, we:

✅ Carry out due diligence on any providers dealing with critical or sensitive information

✅ Keep our list of providers limited, with any new third party tool requiring C-level approval before it can be used

✅ Document and track our third party suppliers and tooling

👉 For our Oliva Health Practitioners, you can find more information about their applicable security measures in the dedicated section below.

💻 Our product

Our product is how we facilitate providing proper mental health support to employees around the world. Aside from ensuring we have proper information security across our organisation, our security efforts naturally also focus specifically on the secure lifecycle of our product.

🔒 Security & Privacy Requirements

✅ All members of our product and engineering team go through security and data protection awareness training to give them a high-level understanding of common risks, issues and our individual/team obligations

✅ All health data is encrypted at rest and in transit

✅ Two-factor authentication (2FA) is mandatory for all Oliva staff accounts

✅ Product and engineering team members have individual user accounts to carry out their role in production, providing non-repudiation

✅ We aim to carefully control where personal data exists and avoid unnecessary storage or transfer of such information

📐 Design

✅ We carry out regular product security workshops with members of our product and engineering team to review the design of our product from a security perspective

✅ In these workshops, we use the STRIDE threat model to analyse our product carefully and identify security risks or opportunities for improvements

✅ During the planning stages of a new feature, we map out different considerations including those of privacy and security

✅ We also review the architecture implications to ensure performance, reliability and scalability

🧑‍💻 Development

✅ All code Pull Requests (PRs) go through peer review and automated testing and require approval before the code can be merged

✅ Our checks also include scanning for security vulnerabilities and errors

✅ Code cannot be merged without the approval of the code owner and checks being passed

👁️ Assurance

✅ We release new code to our staging environment first, where we carry out testing to ensure the functionality and user interface operate as expected, before eventually releasing the new code into production

✅ We work with an independent third party to carry out penetration testing on our platform on an annual basis

👉 If you’d like a copy of our penetration test attestation letter, please reach out. Would you like a copy of our latest penetration test report? Let us know; we are happy to share these under NDA.

📦 Release

✅ We use Cloudflare to provide important controls that protect the confidentiality, integrity and availability of our platform

✅ The product is a significant part of the scope for our monthly data protection committee meetings, ensuring that any relevant compliance needs are identified and dealt with appropriately

✅ We maintain a product security risk register, in which known risks and vulnerabilities are recorded as soon as they are identified. Our product and engineering teams tackle issues from this list based on severity, with anything serious being addressed without delay.

🧑‍⚕️ Our Health Practitioners

Oliva Health Practitioners are contractors who deliver the mental health support services directly to client employees.

✅ All our health practitioners have signed contractual agreements with Oliva, which clearly state responsibilities regarding data protection, confidentiality, and more

✅ We have an internal team in Oliva responsible for the oversight of our Health Practitioners, ensuring quality assurance and that there are no issues

✅ All Health Practitioners have mandatory 2FA on their Oliva platform accounts, just like internal Oliva staff

📔 Security Resources

We understand that you may want more information to carry out your due diligence of Oliva.

Here’s a list of resources available to our clients. If you require anything further, please reach out and we’ll do our best to help!