GDPR Resource Centre

Sustaining SafetyCulture’s tradition of data security

SafetyCulture treats the protection of customer data as one of its highest priorities.

Below we’ve shared some information on what the General Data Protection Regulation (GDPR) is, how it affects you and what SafetyCulture is doing.

What is the GDPR?

The GDPR expands the rights of individuals to control how their personal information is collected and processed. GDPR places a range of obligations on organisations to be more accountable for data protection.

Check out the ICO’s GDPR guide, designed to assist organisations to comply with their requirements:

Guide to the GDPR

Does the GDPR impact you?

GDPR applies to companies that process personal data about people located in the EU. 

You control the materials and information that you and your users upload, or provide to us, when using our products and services. We do not have control of the content that you collect nor whether it is personal in nature. Accordingly, you are responsible as the Data Controller for ensuring the data you collect while doing inspections or reporting incidents is compliant with the GDPR principles.

What is SafetyCulture doing?

We take our responsibilities under GDPR seriously. Here is a quick summary of what we’ve done to date:

  • We have updated our Terms of Use to be GDPR compliant.
  • We have developed a GDPR-compliant data retention policy.
  • We have updated our data breach procedures to bring them in line with GDPR.
  • We have delivered GDPR-focused training across key areas of the business, so that our staff are aware of what GDPR requires and how it impacts their day-to-day roles.
  • We have engaged with our product and security teams to consider and make necessary changes / improvements to our product and practices.
  • We have conducted a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services.
  • We have reviewed our key third-party vendor arrangements (ie Sub-Processors) to make sure we have the appropriate contractual protections in place to satisfy GDPR requirements.
  • We refined our procedures to deal with some key data subject rights, like subject access requests and the right to request deletion.

What’s next?

Some of the key items we are still working on include:

  • Developing and implementing company-wide data protection training.
  • Introducing further privacy safeguards into system and product development, including the creation and implementation of data protection impact assessments.

Under GDPR, our customers are considered the Data Controller and SafetyCulture is considered the Data Processor. GDPR specifies requirements for Controllers in relation to the personal data they are responsible for, including the requirement that when they use Data Processors these Processors provide sufficient guarantees that they will abide by GDPR and that the rights of the data subjects are protected.

We host our customer, audit and incident data with Amazon Web Services (AWS), who are a top-tier, third party data hosting provider. 

For more information about AWS’s approach to compliance with the GDPR, see

In some instances, SafetyCulture hosts or processes personal data outside of the European Economic Area – this is most likely with your user details rather than any audit or incident data. GDPR requires that this data remains protected by appropriate safeguards in line with EU law. SafetyCulture achieves this by either entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).

Data subjects may lodge requests with you as Data Controller, to extract all data relating to the data subject. Should you receive such a request and require our assistance in dealing with it, please send a detailed email to and we will endeavour to action the request within 30 days.