ShopGiv Wellbeing
Security & Compliance Brief
For IT directors and legal teams evaluating ShopGiv Wellbeing as an employee benefit.
ShopGiv Wellbeing is an AI-powered employee assistance platform providing health, financial, mental wellness, and career coaching alongside a certified auto repair Expert Reviewer and employer-funded hardship assistance (EB Fund). This document covers the security, privacy, and compliance measures in place to protect employee data.
Infrastructure
- AWS cloud infrastructure built from HIPAA-eligible services (Aurora, Lambda, S3, Cognito)
- United States data center (AWS us-east-1)
- All services selected from the AWS HIPAA Eligible Services list
- Business Associate Agreement available on request for healthcare clients
Encryption
- Data encrypted at rest with keys managed in AWS Key Management Service (KMS)
- Data encrypted during transmission using TLS 1.3
- Database encryption at the storage engine level
- Audit logs retained for 7 years
AI Provider
- Claude by Anthropic — purpose-built for safe, helpful AI interactions
- Employee data sent to the AI provider is not retained after the request is processed
- Production API keys are configured for zero data retention
- Employee health and financial data is never used to train AI models
Data Access Model
- Employer admin endpoints return organization-wide aggregates only; no employer-facing endpoint returns individual employee records
- Individual employee coaching conversations, health data, and financial data are never accessible to employers
- Aggregation occurs server-side — raw individual data never leaves the database for employer queries
- Organizational Intelligence metrics require a cohort of at least 15 employees before any metric is surfaced
- This separation is enforced in the API layer itself, not by policy or role-based access controls alone
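As an added example (not ShopGiv's code) of the server-side aggregation and minimum-cohort rule described above: the function below takes per-employee rows, returns only counts and means, and suppresses any cohort under 15. The field names, the 15-employee constant as a module value, and the sample rows are assumptions for illustration. It also shows the check a reviewer would ask about when an org-wide total is published next to a breakdown: a single suppressed cohort can be recovered by subtracting the published cohorts from the total, so the smallest published cohorts are suppressed as well until the unpublished remainder is itself at least 15 employees (complementary suppression, a general disclosure-control practice, not a description of the product's implementation).

```python
from collections import defaultdict
from statistics import mean

MIN_COHORT = 15  # the brief's threshold: no metric surfaced for fewer employees

# Constructed sample rows (assumed schema): one row per employee, as the
# database would hold them. Nothing below returns any of these rows.
SAMPLE_ROWS = (
    [{"employee_id": f"e{i:03d}", "department": "engineering", "stress_score": 3 + i % 4}
     for i in range(20)]
    + [{"employee_id": f"e{i:03d}", "department": "finance", "stress_score": 2 + i % 3}
       for i in range(20, 36)]
    + [{"employee_id": f"e{i:03d}", "department": "legal", "stress_score": 5}
       for i in range(36, 40)]
)


def _summary(values):
    """Only aggregates leave this function: a count and a rounded mean."""
    return {"n": len(values), "mean": round(mean(values), 2)}


def aggregate(rows, metric, group_by=None, min_cohort=MIN_COHORT):
    """Server-side aggregation for an employer-facing endpoint.

    Returns the organization-wide summary and, if group_by is given, a
    per-cohort breakdown. Cohorts smaller than min_cohort are suppressed.
    Because the org total is published too, one suppressed cohort could be
    recovered by subtraction, so the smallest published cohorts are also
    suppressed until whatever is not published covers at least min_cohort
    employees (complementary suppression).
    """
    if len(rows) < min_cohort:
        return {"organization": "suppressed", "cohorts": {}}

    result = {"organization": _summary([r[metric] for r in rows]), "cohorts": {}}
    if group_by is None:
        return result

    groups = defaultdict(list)
    for r in rows:
        groups[r[group_by]].append(r[metric])

    # Primary suppression: drop every cohort below the threshold.
    published = {k: v for k, v in groups.items() if len(v) >= min_cohort}

    # Complementary suppression: the unpublished remainder must be empty or
    # itself a cohort of at least min_cohort, or it is derivable from the total.
    while published:
        remainder = len(rows) - sum(len(v) for v in published.values())
        if remainder == 0 or remainder >= min_cohort:
            break
        smallest = min(published, key=lambda k: len(published[k]))
        del published[smallest]

    for k in groups:
        result["cohorts"][k] = _summary(groups[k]) if k in published else "suppressed"
    return result


if __name__ == "__main__":
    # With the sample data: engineering (20) is published, legal (4) is
    # suppressed, and finance (16) is suppressed as well, because publishing it
    # alongside the org total would reveal legal's four employees by subtraction.
    print(aggregate(SAMPLE_ROWS, "stress_score", group_by="department"))
```

The per-cohort suppression alone is the rule the brief states; the complementary step is what stops a breakdown from undoing it when the same response carries the organization total. Whether a given product needs that step depends on which totals and breakdowns it exposes together, which is a good question for a security review call.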
Authentication
- Login via AWS Cognito (email and password, with MFA support)
- Single sign-on available with Wellbeing Enterprise tier (SAML 2.0 / OIDC)
- JWT-based API authentication with short-lived access tokens
- Session management with automatic expiration
Data Residency
- All data stored and processed in the United States only (AWS us-east-1)
- Documented and contractually committed data residency
- No data transfer outside the United States
Data Export & Portability
- Employees can export their personal health and financial data at any time
- Organization-wide reports exportable in spreadsheet and PDF formats
- 30-day data return window on contract termination
- Employees are offered a free transfer to an individual Premium plan ($9.99/month), with all personal data preserved
- Company-level data deleted after the 30-day return window
Third-Party Vendors
- AWS — infrastructure, database, authentication, file storage
- Anthropic — AI coaching (zero data retention configured)
- Stripe — payment processing only (no health data transmitted to Stripe)
- Twilio — SMS notifications (no health data in message content)
- AWS SES — transactional email delivery
- Full subprocessor list available on request
Agreements & Compliance
Business Associate Agreement (BAA)
Available on request for healthcare employer clients. Covers all services handling protected health information.
Data Processing Agreement (DPA)
Available with Wellbeing Plus and Enterprise tiers. Standard DPA provided; custom terms negotiable with Enterprise.
Audit Logs
All system access and data operations are logged. The audit trail is retained for 7 years and is available for compliance review on request.
Annual Security Assessment
Penetration testing and a security assessment are conducted annually. A results summary is available to Enterprise customers under NDA.
Security Questionnaires & Additional Information
We respond to SIG, CAIQ, and custom security questionnaires. Contact us to request a completed questionnaire or to schedule a security review call with our engineering team.
Contact
info@aincollective.com · (719) 463-0050
shopgiv.com/employee-benefits