
Privacy at Bonusly

Learn about data privacy at Bonusly

Updated this week

At Bonusly, security and data privacy aren’t just checkboxes - they’re a core part of how we operate. We know that when you entrust us with your team’s data, you expect us to protect it. This article outlines our general privacy and security practices, answers common questions, and points you to additional resources to help your team feel confident using Bonusly.

For our full security documentation and access to compliance reports, visit bonusly.com/security, and review our Privacy policy.

What data does Bonusly collect?

Bonusly only collects the minimum amount of information necessary to operate your recognition program effectively. Required fields include:

  • First name

  • Last name

  • Work email address

Additional optional fields used to enable specific features include:

  • Department

  • Office location

  • Hire date (for work anniversary celebrations)

  • Birth month and day (for birthday celebrations)

You are always in control of the user data shared with Bonusly. Information can be uploaded manually, imported via SFTP integration, or synced through HRIS connections.

How is personal data protected?

All data, including any personally identifiable information (PII), is securely stored and processed in AWS US-East region data centers. Bonusly maintains:

  • SOC 2 Type II compliance

  • GDPR and CCPA compliance

  • Compliance under EU-U.S., Swiss-U.S., and UK extension Data Privacy Frameworks

  • Role-based access controls with strict internal permissions

  • Secure SFTP, HTTPS encryption, and audit logging

Access to sensitive data is limited to authorized personnel only. Policies and procedures are reviewed internally at least every 6 months to ensure we meet evolving privacy standards.

How do we notify customers of policy changes?

We notify Global Admins via email at least 30 days in advance of any data privacy policy changes taking effect, giving your organization time to review and adjust as needed.

How do we use AI and what does it mean for data privacy?

AI in Bonusly is always deployed with user privacy in mind. Some features, like content summarization or post suggestions, use OpenAI’s API to enable helpful functionality.

However:

  • No direct user interaction with AI takes place

  • No PII is shared with OpenAI except what might appear in public-facing recognition messages

  • OpenAI does not train on our data and meets SOC 2 compliance standards

  • Bonusly monitors all AI-driven features and uses internal QA processes to improve performance and accuracy

Learn more about OpenAI’s data handling in their Enterprise Privacy Portal and Customer Trust Portal.

Who manages security at Bonusly?

Our cross-functional security team includes:

  • CTO (also serves as Data Protection Officer)

  • SVP of Engineering

  • Senior CloudOps Engineer

  • Head of People Operations

  • Senior Talent Partner

This team oversees our compliance programs, vendor vetting, and incident response protocols, ensuring we always meet the highest standards for your data.

Can users request access or deletion of their data?

Yes. In line with GDPR and CCPA regulations, individuals can access, update, or delete their personal information from Bonusly upon request. Admins can also manage user data directly via the Admin Panel.

Where can I learn more?

For detailed information, compliance documentation, and downloadable certification reports, visit our official trust page: https://bonusly.com/security

If you have additional questions or would like to speak with our security and compliance team, reach out to your Customer Success Manager or contact Bonusly Support.
