Trust Centre
Privacy-first by design. Here’s how we protect your people’s data.
Atherio brings managers wisdom in the moments that matter, and that only works if leaders trust us with how their people’s data is handled. We’ve put this page together to help customers, current and prospective, understand exactly how we keep employee data safe, who we share it with, where it lives, and where we are on our compliance journey. If there’s anything else you’d like to know, please reach out.
👋 Introduction
At Atherio, we believe great leadership should be supported in the moments that matter. Delivering that means learning from how teams actually work, which makes safeguarding that data, and handling it with respect, central to everything we do. This document explains the efforts we make to keep employee data safe and sound.
🏗️ What is Atherio
Atherio is an AI leadership coach for managers. With a customer’s authorisation, we integrate with workplace tools (currently Microsoft 365 and Slack, with HRIS and CRM available on request) to understand engagement and behaviour, then deliver timely, tailored coaching nudges and on-demand guidance. We provide aggregated, high-level insights to the organisation to support people and leadership teams, carefully designed never to infringe individual privacy.
In terms of data, we:
- store and process basic personal data (e.g. names, work emails, role);
- process workplace and behavioural signals on behalf of the customer, strictly on their instructions and scoped to what they configure.
Controller vs processor: for our direct relationship with account users and website visitors, Atherio is the data controller. For the workplace and coaching data an organisation enables, that organisation is the controller and Atherio acts as a data processor under a Data Processing Agreement (DPA).
🏢 Our organisation
Atherio Ltd is the entity behind Atherio, registered in England & Wales (company no. 16434061). Our registered office is C/O RPGCC, 40 Gracechurch Street, London, England, EC3V 0BT. Overall responsibility for data protection sits with our CEO, Ben Stocken; you can reach our data protection contact at privacy@atheriohq.com.
DPO status: A statutory Data Protection Officer is not required under UK GDPR Article 37 (we do not carry out large-scale systematic monitoring of individuals or large-scale processing of special category data as our core activity). Responsibility for data protection is held by the CEO.
🔖 Compliance & certifications
Independent validation matters to our customers. Here’s exactly where we stand today, stated honestly:
- UK GDPR & Data Protection Act 2018: compliant. We process personal data in line with UK data protection law, are registered with the ICO (registration ZC064276), and offer a UK GDPR-compliant DPA.
- ISO 27001 in progress (target end of 2026). We are building our Information Security Management System (ISMS) aligned to the ISO 27001 standard and are actively working towards certification. We’ll publish the certificate and its number here once an accredited body has certified us.
- Roadmap. We plan to pursue SOC 2 and Cyber Essentials in H1 2027. Happy to discuss our roadmap under NDA.
Hosting note: Our infrastructure runs on Microsoft Azure (UK region), which is itself certified to ISO 27001 and SOC 2.
👮 Governance
Accountability. Our CEO, Ben Stocken, holds ultimate accountability for information security at Atherio, supported by an external cyber security adviser.
Policies. We maintain a suite of security and data-protection policies covering risk management, access management, secure development, HR security, information security, incident management, third-party suppliers, and privacy & data protection. Policies are reviewed at least annually and approved by leadership.
👥 People security
Security and privacy are everyone’s responsibility at Atherio. In practice that means:
- new joiners complete security-awareness and data-protection training as part of onboarding;
- all staff and contractor contracts include confidentiality / non-disclosure obligations;
- staff are vetted appropriately before access is granted;
- access to systems and data is granted by role, on a least-privilege basis;
- access is reviewed and promptly removed on role change or off-boarding.
🔀 Technical security
- Encryption: data is encrypted in transit (TLS) and at rest using industry-standard algorithms.
- Access control: role-based access, customer data logically segregated, and multi-factor authentication enforced for staff accounts.
- Endpoint & patching: anti-malware on company devices; security updates and patches applied without undue delay.
- Network & infrastructure: hosted on Microsoft Azure (UK region) with firewalling, monitoring and resilience built in; databases are not publicly accessible.
- Monitoring & logging: systems are monitored and significant actions logged to detect and investigate anomalies.
- Incident response & breach notification: we maintain a documented incident response process and, in the event of a personal data breach likely to pose a risk, notify the ICO within 72 hours and affected customers without undue delay, as required by UK GDPR.
💽 Data protection
- Data minimisation: we collect only what’s needed to coach and measure impact, scoped by the customer.
- Purpose limitation: customer data is processed only on documented instructions to provide and improve the Service.
- No model training on your data: our agreement with the Azure OpenAI Service prohibits training general-purpose models on customer data.
- Aggregation & anonymisation: organisation-level insights and benchmarks use aggregated, de-identified data.
- Rights & control: customers control their data, including export and deletion on termination. Individual rights are set out in our Privacy Policy.
- DPA: we provide a DPA covering processor obligations, sub-processors, international transfers and security measures; request it at privacy@atheriohq.com.
🤝 Sub-processors
We keep our list of providers limited, carry out due diligence before adopting new tools, and bind each to data-protection terms. International transfers are protected by the UK IDTA or Standard Contractual Clauses (SCCs).
Microsoft Azure
Purpose: Cloud hosting & infrastructure
Loacation: UK
Transfer basis: UK (no transfer)
Microsoft Azure OpenAI Service
Purpose: AI coaching generation (no training on your data)
Loacation: UK / EU
Transfer basis: Microsoft DPA / SCCs
Microsoft 365
Purpose: Customer-authorised workplace integration
Loacation: Customer tenant
Transfer basis: Microsoft DPA / SCCs
Slack (Salesforce)
Purpose: Customer-authorised workplace integration
Loacation: US
Transfer basis: SCCs
HubSpot
Purpose: CRM, marketing & communications
Loacation: EU / US
Transfer basis: SCCs
Additional customer-authorised integrations (e.g. HRIS, CRM) are disclosed and enabled only at the customer’s instruction. We notify customers of material changes to this list as set out in the DPA.
💻 Product security
Security is built into how we design, build and ship the product:
Design. Privacy and security considerations are mapped during feature planning, and we run security reviews on significant changes.
Development. Code changes go through peer review and automated checks, including dependency and vulnerability scanning, and cannot be merged without approval and passing checks.
Assurance & release. Changes are tested in a staging environment before production. We engage an external cyber security adviser for penetration testing; reports available under NDA.
🔐 Third parties & suppliers
We recognise that protecting customer data means holding our suppliers to a high standard too. We carry out due diligence on providers handling sensitive information, keep the supplier list limited with senior approval required before adopting new tools, and document and track our suppliers.
📔 Resources
To support your due diligence, the following are available, some under NDA. Email privacy@atheriohq.com to request:
- Data Processing Agreement (DPA)
- Security overview / completed security questionnaire
- Penetration test summary (under NDA)
- ISO 27001 certificate (once certified)
- Links to our Privacy Policy (/privacy) and Terms & Conditions (/terms)
❓ FAQ
Q: Where is our data hosted?
A: Our core platform and coaching data are hosted in the UK on Microsoft Azure. Further detail is available on request.
Q: Do you use our data to train AI models?
A: No. Our agreement with the Azure OpenAI Service prohibits training general models on customer data.
Q: Are you ISO 27001 certified?
A: Not yet; certification is in progress, targeted for end of 2026. We already operate security controls aligned to the standard and are happy to share detail under NDA.
Q: Can we get a DPA?
A: Yes, contact privacy@atheriohq.com.
Q: Can we get a security questionnaire completed?
A: Yes. Send your questionnaire to privacy@atheriohq.com and we’ll turn it around promptly.
Q: How is individual privacy protected?
A: Organisation-level insights are aggregated and de-identified; they are designed not to expose any individual.
Q: How do you handle a data breach?
A: We maintain a documented incident response process and notify the ICO within 72 hours and affected customers without undue delay, in line with UK GDPR.
✉️ Contact
Have a security or privacy question, or need our DPA or security pack? Email privacy@atheriohq.com and we’ll respond quickly.