CultureAI

Human Risk Management platform

The CultureAI Human Risk Management Platform empowers security teams to proactively monitor human risk across multiple applications, providing real-time insights into risky employee behaviours and security vulnerabilities. Armed with these insights, organisations can deliver coaching in the moment and automate fixes, ensuring optimal efficiency and effectiveness.

Features

  • Real-time employee risk scoring & reporting
  • Continuous, automated, personalised phishing simulations
  • Data-driven, just-in-time security awareness coaching
  • Workplace applications' security behaviour monitoring
  • IM PII & confidential information detection & response
  • Employee security awareness gamification, nudges & rewards tools
  • Multi-factor authentication phishing simulations
  • Automated response workflows & integrations with SIEMs
  • Employee security app
  • Sensitive data use in GenerativeAI

Benefits

  • Run, manage and generate savings on fully automated phishing simulations
  • Educate employees on security risks using real-time data & scores
  • Create an engaged and positive employee security culture
  • Reduce the number of employee security mistakes, risks & incidents
  • Provide visibility into organisation-wide human security risks and behaviours
  • Empower & equip employees to prevent & detect security breaches
  • Use human risk automations to generate savings
  • Help organisations comply with ISO 27001 & other security requirements

Pricing

£2.25 to £27 a user a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kristina.lazurenko@culture.ai. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

934530619837524

Contact

CultureAI Kristina Lazurenko
Telephone: 07772545672
Email: kristina.lazurenko@culture.ai

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
N/A
System requirements
  • No specific requirements
  • Accessible over any internet connection over HTTPS using standard web-browser
  • Directory data sync from multiple sources including Azure, Okta, Google
  • Ability to allowlist inbound emails

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our maximum turnaround times are 48 hours excluding weekends.
User can manage status and priority of support tickets
No
Phone support
No
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Our webchat is supported by Hubspot and is accessible via the platform.
Web chat accessibility testing
N/A
Onsite support
No
Support levels
We provide a uniform support service to all our users. It includes full technical, onboarding, offboarding, training and integration support. The cost of customer support is included in the software license. Our customer success manager has a technical knowledge of the platform and from time to time may seek assistance from the development/engineering team.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We guide our clients through the initial onboarding, which includes a directory sync and enablement of data sources. Depending on the client and their maturity, we provide online training on how to get the most out of the platform and on best-practice use of the functionality. Some of the core documentation is available on our online portal.
https://success.culture.ai/hc/en-gb
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
We provide a variety of ways to export data from the platform; we can also export raw data upon request in standard formats (e.g. CSV).
End-of-contract process
There is a 30-day period during which the client is provided with a copy of any relevant data from the platform. The client's account is then terminated and data securely erased. There are no additional costs as part of the off-boarding process.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Yes
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Our web platform can be accessed on desktop and mobile; there are no differences in the web services in terms of functionality. Additionally, we offer a Cyberscore app for mobile devices.
Service interface
Yes
User support accessibility
None or don’t know
Description of service interface
CultureAI has two core interfaces:
  • Platform, which enables organisations to understand human risks through insights, analytics and automation.
  • Security Centre, which is focused on end-user engagement, support and coaching.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
CultureAI regularly assesses its platforms with industry-standard WCAG compliance tools, including Axe. This is complemented by independent third-party testing, which includes users of assistive technologies, to validate our compliance against WCAG 2.1 (Level AA).
API
Yes
What users can and can't do using the API
CultureAI offers a Client API which is designed to allow clients to programmatically pull information from the CultureAI platform; for example, employee risk metrics and incident data to display on standard internal dashboards.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
The CultureAI platform is customised to our clients' branding specifications. The platform offers a range of data sources that clients can choose to enable. Clients have the ability to select simulated phishing scenarios and set distribution frequencies that match their organisation's needs. The platform allows clients to design automation response workflows that match their own technical requirements. Additionally, upon request, customers can customise some of the training content, content delivery, reporting and configuration requirements. We work closely with our customers and build necessary integrations upon request in a timely manner.

Scaling

Independence of resources
The CultureAI platform has been built with a scalable cloud-first mindset, with the platform automatically able to scale both vertically and horizontally to meet any end-user or processing requirements.

Analytics

Service usage metrics
Yes
Metrics types
  • Human risk events, % of positive and negative security behaviours
  • Trend changes in security behaviours over time
  • Employee risk scores
  • More granular metrics around phishing email opens, reports etc.
  • Training / compliance completion rates
  • End-user engagement: leader boards, rewards etc.
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data and analytics can be exported from the platform including via API, CSV, email or sent directly to client endpoints.
Data export formats
CSV
Data import formats
  • CSV
  • Other
Other data import formats
  • AD sync with Microsoft Azure, Google and Okta
  • API

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
CultureAI will make the platform available to the client for at least 99.9% of each calendar month, excluding scheduled downtime or excused unavailability. Availability is calculated as a percentage of the month:
Availability (%) = ((total − unavailable) / total) × 100

If CultureAI determines that the required platform availability level has not been met for a particular month, client shall be entitled to a service credit representing a portion of the fees paid by it for that month as follows:

Platform availability and corresponding service credit (% of monthly fees):
  • ≥ 99.0% but < 99.9%: 10%
  • ≥ 98.0% but < 99.0%: 25%
  • ≥ 95.0% but < 98.0%: 50%
  • < 95.0%: 100%

A service credit only applies to fees paid for a month where the required availability level has not been met. Client must be in compliance with this agreement in order to be eligible for a service credit.

Client may terminate this agreement on written notice to CultureAI in the event that the platform is available less than 95.0% of the time in any three months within any consecutive six-month period.
Approach to resilience
CultureAI websites and client data are hosted in Amazon Web Services (AWS) UK cloud split across 3 availability zones. AWS data centres comply with the most rigorous industry standards and best practice. The microservice architecture powers automatic scaling based on demand where and when required. Data in transit is always over HTTPS. Data at rest is encrypted with a minimum of AES 256. Keys are stored in AWS KMS.
Outage reporting
We have a public dashboard, status.culture.ai and provide alerts via CS to impacted clients as applicable.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Our Access Control Policy is maintained in line with our ISO 27001 certification.
We operate a least-privilege policy where only people who need access are given it. Our access control policy requires CTO/CEO approval for the temporary granting of privileged access to any system. Authentication information for user access is controlled through our access control processes. Users' ability to access system functionality is limited to the scope permitted by our access control policy. CultureAI uses password management tools, SSO and MFA. All endpoints are monitored for unauthorised applications. Access is fully audited.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Citation ISO Certification Limited
ISO/IEC 27001 accreditation date
27/04/2023
What the ISO/IEC 27001 doesn’t cover
Our system is approved for the provision of cyber security assessments, training software, consultancy and related services.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
CultureAI has multiple policies, including the 'data protection policy' and 'information and security management' policies, which are communicated and shared with all employees and relevant stakeholders. These are audited as part of our ISO 27001 certification. Each policy is approved by the senior leadership team and updated on an annual basis. All policies are made available in our employee handbook on an HR portal. Employees are required to formally accept these policies annually, and acceptance is audited.
The CEO covers the role of DPO and holds responsibility for data protection and information security. Responsibilities are defined, documented, accepted and reviewed regularly. Internal audits are conducted regularly in line with our ISMS, and non-compliances and/or risks are logged in our risk register. This is audited annually as part of our ISO 27001 certification.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
CultureAI has a documented secure development policy that is communicated to, and accepted by, all developers. Adherence is monitored through the use of various tools that check code quality, security issues etc. Changes in the development lifecycle are covered by CultureAI's change management process. Platforms are continuously tested and monitored to ensure there are no security or operational impacts. New operating systems are continuously tested in a staging environment that is an exact replica of production, to identify any adverse impact ahead of deployment. CultureAI tests all new systems/upgrades against a pre-defined set of acceptance criteria and functional/non-functional requirements prior to release.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
CultureAI runs continuous vulnerability scans across all assets. Any medium-level or higher vulnerabilities are remediated within 24 hours; any low-level issues that are not risk-accepted are addressed within 2 weeks.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
CultureAI's infrastructure is auto-scaling and operates with a significant amount of headroom. Available resources are monitored via various tools, with early-warning alerting in the event of potential issues. We operate a 24 hour remediation procedure.
A range of security controls, education and tooling minimises the risk of malware. CultureAI's environments also run on Kubernetes with ephemeral storage, meaning that builds are continuously re-built from a known 'good' base image.
CultureAI has a defined backup policy and a documented and regularly tested business continuity plan, which includes testing backups.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
CultureAI has a documented and tested incident response plan that contains procedures and named management stakeholders with defined responsibilities.
Implementation of this policy is achieved by managing the risk and utilising the controls within ISO 27002 and CultureAI best practice. Information security management is addressed within the relevant company policies, procedures and standards, and ISO 27001 accreditation is maintained at all times.
Overall responsibility for information security management resides with the managing director (MD), who also holds the role of information security officer (ISO). Users can report any security incident to their immediate manager or directly to the MD via telephone.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Tackling economic inequality

The risk landscape is continually evolving, with the modern workforce encountering an expansive range and volume of risks. Fuelled by the widespread adoption of SaaS apps, collaboration tools, and generative AI, these technological advancements enrich our capabilities but also expose us to fresh challenges and vulnerabilities. In response, security leaders are pivoting from traditional content-based training to dynamic human risk management platforms. Gartner’s prediction reinforces this shift, forecasting that by 2030, 80% of enterprises will implement a well-defined human risk management programme, up from just 20% in 2022. So it’s not a case of if this shift will happen, but when.
The CultureAI Human Risk Management Platform enables security teams to proactively monitor human risk across multiple applications, providing immediate insights into the riskiest employee behaviours and security vulnerabilities within an organisation. With these insights, organisations can deliver personalised coaching and automate risk response, ensuring optimal efficiency and effectiveness.

Pricing

Price
£2.25 to £27 a user a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
A free trial is typically limited to a period of between 2 weeks and 1 month. It provides access to all product features for the entire population of users.