MTH SECURITY OVERVIEW
Context
CRANIUM has supported Move To Happiness (“MTH”) in structuring and documenting its security, privacy, cloud and AI governance practices for the purpose of customer and partner due diligence.
The Annex below is intended to be used by MTH as a standard information pack and can be incorporated into a document with MTH branding.
This information is based on existing documentation provided by various sources within MTH and does not imply any verification or confirmation of its accuracy.
Annex
This document provides a high-level overview of the security, privacy, cloud and AI governance practices of Move To Happiness (“MTH”). It is designed to be shared with our customers and partners as a standard response to security and due diligence questionnaires. It reflects current operational practices and is not intended to replace contractual documentation or customer-specific agreements. This document is confidential.
1. Organisation and Service Context
1.1. Legal entity
Move To Happiness Hub BV, Belgium
Move To Happiness Hub BV is the legal entity responsible for the development, operation and delivery of the Move To Happiness platform.
1.2. Business scope
Move To Happiness provides a digital wellbeing platform for organisations, offered as a Software-as-a-Service (SaaS) solution.
The platform enables organisations to support employee wellbeing through:
- a customisable community and content platform for internal communication and wellbeing content;
- configurable wellbeing campaigns and journeys;
- an individual digital wellbeing assistant for employees;
- an AI-based analytics layer that provides aggregated and anonymised wellbeing insights at organisational or team level.
The platform is primarily designed to support wellbeing and engagement within organisations. In addition, MTH offers dashboards that provide structured insights based on predefined indicators. These dashboards may support reflection, coaching and organisational discussions, but do not autonomously make or enforce employment-related decisions.
1.3. Data processed
In the context of delivering the platform, the following categories of data may be processed:
- basic identification and professional data of users (such as name, work email address, role or department);
- user-generated interaction data related to wellbeing content and platform usage;
- platform and usage metadata (such as timestamps, interaction types and technical identifiers);
- optional wellbeing-related data derived from connected wearables or surveys, only where explicitly enabled by the user.
No data is processed beyond what is necessary for the provision and operation of the platform.
1.4. Cloud usage
The Move To Happiness platform is fully hosted in a European cloud environment using Microsoft Azure.
- The service is delivered exclusively as a SaaS solution.
- Data and application workloads are hosted within the European Economic Area (EEA).
- Cloud infrastructure, availability and baseline security controls are provided by Microsoft Azure, while application-level security, access control and data protection measures are managed by Move To Happiness.
This cloud setup supports availability, scalability, data protection and security monitoring in line with customer and regulatory expectations.
2. Data Protection and Privacy
2.1. Data protection governance
MTH does not have a formally appointed internal Data Protection Officer.
Data protection and digital law compliance support is provided by CRANIUM, a specialised privacy and digital law consultancy firm. CRANIUM supports MTH with GDPR governance, contractual alignment, regulatory interpretation and risk assessments.
Bernd Fiten, Head of Digital Law at CRANIUM, acts as the external point of contact for legal and privacy-related questions.
MTH maintains internal governance measures to support GDPR compliance, including a Record of Processing Activities, internal data protection policies and documented procedures for handling personal data. Where required, Data Protection Impact Assessments are carried out before new or materially changed processing activities are put into production.
MTH maintains a privacy policy that describes how personal data is collected and used across its website, social media, services and events, including the applicable purposes, legal bases, retention periods and data subject rights. This privacy policy can be found on the website: https://knowledge.movetohappiness.com/en/privacy-policy
GDPR awareness within MTH is supported through periodic internal sessions and practical guidance, ensuring that employees understand confidentiality, security obligations and data protection principles in their daily work.
Personal data is processed solely for predefined purposes and in accordance with the GDPR principles of lawfulness, fairness, transparency, data minimisation and purpose limitation. Where required, processing is based on explicit user consent or another applicable GDPR legal basis.
All personal data processing is contractually governed where required through Data Processing Agreements and documented in MTH’s standard contractual and privacy documentation.
Privacy by design is embedded into the platform architecture, including anonymisation of the data warehouse used for analytics and reporting. Users retain control over their data and may withdraw consent at any time where consent is the applicable legal basis.
A detailed data stream overview is available and can be shared upon request to document how personal data flows through the platform and which technical and organisational measures apply at each stage.
2.2. Data subject rights
MTH has defined processes in place for handling data subject requests, including the rights of access, rectification, erasure, restriction, objection and withdrawal of consent where applicable.
Requests can be submitted via the contact details referenced in the MTH privacy policy and are tracked and handled through the appropriate internal and external support channels, depending on the nature and scope of the request.
2.3. Data sharing, processors and sub-processors
MTH engages third-party service providers to support the delivery of its platform and related services. These parties act as processors or sub-processors depending on the processing context.
Data Processing Agreements are concluded where required, and sub-processors are documented, reviewed and updated when processing conditions change or new vendors are introduced. Suppliers and sub-processors supporting the MTH platform are subject to security and risk considerations prior to onboarding. Where relevant, contractual clauses and due diligence checks are used to ensure alignment with MTH’s security, confidentiality and data protection requirements.
Where transfers of personal data outside the European Economic Area would occur, such transfers are subject to appropriate safeguards, such as the use of European Commission Standard Contractual Clauses, in line with the approach described in the MTH privacy policy.
Sub-processors supporting specific platform functionalities include Microsoft Azure (cloud hosting and infrastructure), Brevo (email communications), Vimeo (video content delivery), WeFitter (wearable data connectivity), and Typeform (survey and form processing). These sub-processors are either EU-based or, where applicable, rely on appropriate GDPR transfer safeguards, including the European Commission’s Standard Contractual Clauses.
3. AI Governance
Move To Happiness uses artificial intelligence as a supporting capability within its wellbeing platform. AI is designed to assist users and organisations with guidance and insights, and does not take binding or autonomous decisions about individuals.
Detailed information on AI functionality, data use, safeguards, governance and compliance alignment is provided in a separate document (available on request). This security and due-diligence document therefore only summarises AI at a high, governance-oriented level. At a minimum, the following principles apply across all AI features within MTH:
- Advisory only: AI outputs are not binding and do not have legal or similarly significant effects.
- No autonomous HR decision-making: AI functionality does not autonomously make or enforce individual employment-related decisions. Any HR-related insights available within the platform are generated outside the AI components and remain non-binding.
- Privacy by design: individual interactions remain confidential and organisations only receive aggregated and anonymised insights.
- No training on customer data: customer and user data are not used to train underlying AI models.
- Human oversight: users retain autonomy, and AI outputs are subject to technical and organisational safeguards.
- Functionally limited: AI systems operate within predefined use cases and technical guardrails.
All AI functionality is integrated into MTH’s broader security, privacy and governance framework. Each new AI feature or integration is subject to:
- a prior legal and risk assessment;
- where required, a DPIA and/or AI Act compliance check;
- internal validation before production use;
- transparent documentation for customers.
For full transparency on AI components, data flows, safeguards and governance measures, customers are referred to a separate document (available on request).
4. Secure Configuration
4.1. System hardening and baseline configuration
MTH applies a hardened-by-default configuration approach across its cloud and application environment. Security controls are embedded at system, network, and application level to minimise attack surface and prevent unauthorised access.
All default, generic or unnecessary system and application accounts are disabled or removed before production deployment.
Only named service accounts with strictly scoped permissions are allowed.
Strong authentication is enforced through Microsoft Entra ID or client-side SSO integrations. Where SSO is enabled, the customer's own identity provider governs password policies, MFA enforcement, session timeouts and conditional access.
Unnecessary software, operating system utilities, background services and system components are removed or disabled as part of the standard build process.
All production environments are deployed from a standardised configuration baseline that is maintained in line with internal security policies and reviewed when major platform changes occur.
The production environment is deployed on a Microsoft Azure App Service Plan (EU region) with zone redundancy, ensuring that data and application components are replicated across multiple availability zones within Europe to support continuity and resilience.
4.2. Execution controls
AutoRun and similar execution mechanisms are disabled on production systems.
Host-based firewalls are active on all servers and cloud workloads. Inbound and outbound connections are restricted to explicitly approved endpoints using Azure Firewall and Web Application Firewall (WAF) policies. Only whitelisted IP ranges and secure virtual networks may access backend systems and databases.
The platform architecture is logically segmented, with separate data stores for operational processing (OLTP) and analytical reporting (OLAP), preventing reporting workloads from impacting production systems and reinforcing separation of environments.
Internal platform components (including the MTH Engine, APIs and Data Warehouse) are strictly separated from external service providers such as Vimeo, Brevo, Typeform and WeFitter.
4.3. Backup and recovery configuration
Backups are implemented according to a 3-2-1 strategy:
- Primary production data in Azure
- Automated Azure cloud backups
Backups are stored on separate media and across different availability zones to prevent single points of failure.
The recovery objectives are:
- RTO (catastrophic incident): 4 hours
- RTO (granular restore): 1-2 days
Granular recovery is possible at record level, allowing partial restores without full database rollback. These backup and recovery controls form part of MTH’s broader business continuity and resilience strategy and are designed to ensure service availability, data recoverability and operational continuity in the event of technical failures, security incidents or disaster scenarios.
5. Access Control
5.1. Authentication
User access to the MTH platform is subject to formal approval and justification and is always linked to named individuals. Access rights are granted based on role and business need and are reviewed on a regular basis.
For standard users, MTH supports a passwordless login mechanism. Users authenticate via a unique, one-time login code sent to their email address. This code is valid for five minutes and cannot be reused, reducing the risk of password compromise or reuse.
Authentication is centrally managed through Microsoft Entra ID, providing:
- Single Sign-On (SSO) for end users,
- Multi-Factor Authentication (MFA), depending on the customer's Entra ID configuration,
- Conditional access policies defined by the customer's identity environment.
Where SSO is enabled, MTH relies on the customer's identity provider and security controls, ensuring alignment with the customer's own authentication and access security standards. MTH supports both Microsoft and Google authenticator applications through this setup.
5.2. Authorisation
Within the platform, Role-Based Access Control (RBAC) is enforced. Users only have access to data and functionalities required for their role. Administrators access a segregated management environment protected by additional authentication controls, including MFA. External access, such as for developers or auditors, is only granted after approval and for a limited time window.
User accounts are automatically disabled or removed when no longer required through API-based lifecycle management. Administrative and privileged access is restricted to a limited number of authorised staff. Elevated privileges are role-based and are reviewed on a periodic basis. Administrative authentication and password policies follow the customer's SSO and identity security configuration, including password complexity and rotation requirements.
6. Endpoint and Device Security
Access to administrative interfaces, production environments and customer data is restricted to authorised personnel using company-managed laptops. Access is further constrained through network-level restrictions. At present, administrative and production access is only permitted from explicitly whitelisted IP addresses associated with approved MTH locations, including the office network and authorised home-working environments. Connections originating from non-whitelisted IP addresses are blocked.
Private or unmanaged devices are not authorised for administrative or production access. Mobile devices are limited to communication and authentication purposes, such as multi-factor authentication applications, and do not have direct access to production systems or customer data.
Endpoint security relies on operating system–level protections and standard security configurations applied on company-managed devices. These include full-disk encryption, local endpoint protection, automatic system updates, and device-level access controls. Devices are protected through user authentication, screen locking and inactivity timeouts.
In the event a device is lost, stolen or replaced, access credentials can be revoked and accounts disabled to prevent further access. Device access and changes are reviewed as part of MTH’s access and security governance processes.
7. Malware Protection
Anti-malware protection is deployed across all servers and cloud infrastructure used within the MTH environment. These protections are automatically managed and include real-time malware detection, regular signature updates and monitoring for suspicious activity.
For endpoint devices used by MTH staff, malware protection relies on operating system–level security mechanisms and user-level protective measures. Company-managed laptops apply standard OS security features, including built-in protections, automatic updates and restricted execution rights. Individual endpoint devices may additionally run local anti-malware software.
Users are restricted from executing untrusted or potentially malicious software. Protections are also in place to reduce the risk of unauthorised code execution. Access to known malicious websites is partially blocked through security controls applied at endpoint and/or network level.
8. Asset Security
8.1. Asset inventory
MTH maintains a structured overview of hardware and software assets involved in the delivery of the platform and related processing activities. The overview covers, where applicable, cloud environments, servers, network components, company-managed laptops, security tooling and relevant SaaS services used to support operations and service delivery.
The asset-related information is managed under role-based access restrictions. Only authorised roles may register, modify or remove entries, in line with MTH’s access management practices. MTH is working towards further formalisation of its asset inventory as part of its broader information security maturity trajectory.
8.2. Patch management
All software deployed within the MTH environment is licensed, supported by the vendor, and monitored for security updates. Systems are configured to ensure that operating systems, applications, and supporting components remain within supported lifecycle phases.
Security patches for operating systems and application software are applied within a maximum period of 14 days following release, in line with standard vulnerability remediation timelines. Patch deployment is performed in a controlled manner to minimise operational impact while maintaining security.
Where possible, automatic updates are enabled by default, in particular for SaaS services and Azure-managed components. Critical platform components (including APIs, databases and the data warehouse) are monitored and updated in a controlled manner, with updates applied outside peak usage periods where feasible to preserve availability.
Legacy, end-of-life, or unsupported software is not permitted in production environments. Where temporary retention is unavoidable, such systems are isolated, access is restricted, and compensating controls are applied until full remediation is completed.
8.3. Vulnerability management
MTH operates a formal vulnerability management process that includes:
- identification of vulnerabilities through vendor advisories and monitoring,
- assessment of severity and potential impact,
- prioritisation of remediation actions,
- tracking of patch deployment and resolution.
The asset inventory and update approach are reviewed on a periodic basis. The IT Manager performs at least semi-annual reviews to validate that software licences remain valid, that hardware continues to meet performance and security expectations, and that registered access and logging arrangements remain aligned with the current organisational structure. These reviews are documented as part of MTH’s security governance records.
9. Monitoring and Logging
Security and system event logs are generated for:
- authentication attempts
- privilege changes
- system access
- API calls
- configuration changes
These logs are stored within the Azure environment and are protected from tampering.
Real-time monitoring and alerting are implemented through Azure Monitor and Application Insights, which automatically detect and flag abnormal behaviour, failed authentication attempts and suspicious activity.
Security-relevant events within the cloud environment are logged and monitored. Logs are protected against unauthorised access and tampering to support security monitoring, incident detection and forensic analysis. Security telemetry and alerts are centrally monitored using Azure-native tooling to support rapid detection and response to potential security incidents.
10. Secure Development
MTH applies security controls throughout the software development lifecycle to reduce the risk of vulnerabilities being introduced into production systems.
Source code is subject to manual security reviews prior to deployment. These reviews aim to detect logic flaws, security weaknesses, and misconfigurations before changes are released.
At present, automated source code analysis tools are not yet standardised across the development lifecycle. Code quality and security controls therefore rely primarily on manual review and testing processes.
Security considerations are embedded in the development workflow, including review of changes, validation of configurations, and verification of access restrictions before release.
11. Network and Perimeter Security
MTH protects its infrastructure through layered network security controls at the perimeter and system boundaries.
The platform follows a defence-in-depth security model, combining network segmentation, access controls and continuous monitoring to safeguard confidentiality, integrity and availability of data. The infrastructure uses Azure Firewall and Web Application Firewall (WAF) to filter traffic, detect abnormal behaviour and protect against distributed denial-of-service (DDoS) attacks.
Network firewalls and security gateways are deployed to restrict inbound and outbound traffic and to segment critical systems. These controls are designed to prevent unauthorised access and limit exposure to external threats.
All connections between platform components are secured using SSL/TLS 1.2 or higher. Data exchanges between internal systems occur via authenticated APIs, and external partners only receive anonymised or pseudonymised data, as illustrated in the MTH data stream overview.
Default usernames and passwords on network devices and boundary systems are changed and hardened prior to production use.
Open ports and exposed services are identified, documented and reviewed. Where technical or business dependencies require specific ports or services to remain open, this is justified and approved. At present, part of this approval and review process is still performed manually.
A default-deny approach is partially applied, meaning that only explicitly authorised connections are allowed where technically feasible.
Remote administrative interfaces on firewall and network devices are restricted and only accessible to authorised personnel through controlled access paths.
12. Cloud Security
The MTH platform is delivered as a Software as a Service (SaaS) solution and is hosted in a cloud environment on Microsoft Azure.
The cloud infrastructure hosts both application services and customer data. All core platform components, including databases, APIs and application services, are deployed within the European Economic Area. High availability is supported through cloud-native redundancy and availability zone replication within the Microsoft Azure environment, reducing the risk of single points of failure and enabling continued service operation in the event of infrastructure outages.
The platform is hosted on a Microsoft Azure App Service Plan (EU region) with built-in zone redundancy, ensuring geographic replication and continuity across multiple European availability zones.
Data is encrypted both in transit and at rest using industry-standard encryption mechanisms provided by the Azure cloud environment and application-layer security controls. Data is encrypted in transit using TLS 1.3. Data at rest is protected using encryption mechanisms and key management based on HSM-protected 2048-bit RSA keys, as reflected in MTH’s data stream documentation.
MTH supports data portability by enabling customers to retrieve their data in a structured and commonly used format upon request.
An exit strategy is defined to ensure that customer data can be securely extracted and systems can be decommissioned in a controlled manner at the end of a contractual relationship. These measures support operational resilience, disaster recovery and long-term service continuity for customers.
The underlying cloud infrastructure is provided by Microsoft Azure within the EEA. Microsoft Azure maintains internationally recognised security certifications and attestations, including ISO 27001, ISO 27701 and SOC 2 Type II, and operates in compliance with the GDPR. These certifications apply to the cloud service provider and form part of the shared responsibility model under which MTH operates.
13. Physical Security
Physical security is addressed through a cloud-native operating model. MTH does not operate on-premises data centres or office-based servers for the storage of personal data. All primary data and backups are hosted within secured cloud environments.
Physical security risks are therefore primarily managed through Microsoft’s physical and operational security controls for Azure data centres, complemented by organisational controls for company-managed user devices.
Microsoft Azure implements multiple layers of physical security for its data centres, including 24/7 monitoring and surveillance, controlled physical access (for example badge-based access, security staff and additional verification mechanisms), segregation of zones for visitors and staff, and environmental protections such as fire detection and response measures, leak detection, and redundant power and climate controls to support availability and integrity.
Within MTH, organisational physical security measures focus on endpoint protection and controlled workplace access, including encrypted company-managed laptops (full-disk encryption) and automatic device locking. Office access is restricted to authorised staff, and MTH operates with limited on-site presence due to a hybrid working model.
14. Governance
14.1. Operational processes
MTH operates formal, documented governance and operational processes to ensure that information security, data protection, and system integrity are managed in a structured and auditable manner.
A formal change management process is in place for modifications to systems, configurations, and platform features. Changes are assessed for security and operational impact before implementation and are documented and traceable.
A security incident management process is established to ensure timely detection, escalation, investigation, containment, and remediation of security incidents. Incidents are logged and reviewed to support continuous improvement.
MTH maintains a vulnerability handling process under which security weaknesses are identified, assessed, prioritised, and remediated. This process is aligned with the patch and risk management workflows and supports both proactive and reactive security controls.
Access management is governed through defined procedures for granting, modifying, and revoking access rights, ensuring that access is role-based, approved, and reviewed.
All staff members and contractors are contractually bound by confidentiality and non-disclosure obligations as a condition of engagement, ensuring that customer and organisational data remains protected.
14.2. Insurance coverage
MTH is covered by a cyber and professional liability insurance policy for the ICT sector issued by KBC, underwritten via ADD nv (Almarisk), policy number 37987431. The policy provides, among others, the following key coverages: professional liability up to €500,000 per insurance period, business liability (BA Uitbating) up to €1,500,000 per claim including consequential damages, post-delivery liability up to €1,500,000 per claim, and legal assistance up to €25,000 per claim. Cyber-related incidents are covered under professional errors, data loss and liability arising from data breaches, as further described in sections 1.1–1.2 of the policy conditions. This insurance covers incidents such as data loss, unintentional breaches of confidentiality and cyber incidents resulting from professional faults.
14.3. Audit support
Where customers request reasonable audit support in connection with due diligence or contractual verification, MTH can facilitate such support subject to prior notice and appropriate confidentiality safeguards. Audit support is provided at a standard hourly rate of €130 per hour.
15. Personnel Management
MTH applies a formal personnel access management process, as defined in its internal Access Policy, which is overseen by a designated Access Manager. This process governs onboarding, role changes and offboarding for all staff with access to personal data or production systems.
15.1. Onboarding
Before a new employee or contractor receives system access, the Access Manager receives the confirmed start date and validates the required access based on the individual’s role. Access is granted strictly according to the principle of least privilege and only after completion and approval of an access request form signed by the Access Manager.
Standard access profiles per role and application (such as internal portals, collaboration tools and administrative platforms) are defined in a central register and are reviewed at least annually.
15.2. Role changes
When an employee’s role or responsibilities change, existing access rights are formally reviewed. Where required, new permissions are granted or existing rights are revoked via a documented access review form approved by the Access Manager.
15.3. Offboarding
When a staff member leaves the organisation, the Access Manager is notified of the departure date in advance. A formal revocation form is submitted, and all access to customer data, applications, internal systems and corporate email is removed before the last working day.
All access-related documentation (access requests, reviews and revocations) is retained for a maximum period of three months after termination, after which it is securely deleted. This ensures a fully auditable access lifecycle in line with the GDPR principles of accountability, data minimisation and access limitation.
16. Training and Awareness
MTH organises formal GDPR and data security training for all staff every three years. This training is developed and delivered in collaboration with CRANIUM and focuses on strengthening organisational awareness of data protection and information security.
The most recent session took place in December 2023 and was led by Bernd Fiten, Head of Digital Law at CRANIUM.
The training programme covers, among others:
- the core GDPR principles (lawfulness, purpose limitation, transparency, data minimisation);
- the roles and responsibilities of controllers and processors;
- data breach response procedures and the 72-hour notification obligation;
- the handling of health-related data and wearable data;
- internal access management and data security procedures.
The training combines theory with practical scenarios, interactive cases and polls based on real operational situations within MTH.
Training effectiveness is monitored. The results of the 2023 session showed that 100 percent of participants correctly identified the role of the DPO, 88 percent understood the data breach notification obligation, and the average satisfaction score was 4.4 out of 5.
Between formal training cycles, employees receive continuous security awareness communications and refreshers addressing, among others:
- phishing risks;
- secure password and authentication practices;
- encrypted communications;
- correct handling of personal data in emails, reports and internal systems.
New employees receive a GDPR and information security introduction as part of their onboarding, ensuring they are familiar with internal rules and security expectations from their first day.
17. Supplier Management
17.1. Supplier onboarding
Supplier onboarding and ongoing oversight follow a structured, risk-based approach. For each new integration or supplier relationship, MTH assesses (at a minimum) data residency within the EEA, the presence of relevant security certifications (for example ISO 27001 or SOC 2 Type II where applicable), whether customer support or other forms of access occur outside the EU, and whether a Data Transfer Impact Assessment (DTIA) is required. Where these conditions cannot be met, or where legal and security risks cannot be sufficiently mitigated, the integration is not approved.
17.2. Contractual approach
Where a supplier processes personal data, a Data Processing Agreement (DPA) is required. For larger providers (including providers offering standard, non-negotiable DPAs), MTH performs an internal legal and technical review of the available contractual documentation to ensure that GDPR requirements are addressed, including processing instructions, clarity on data residency and support locations, incident and notification commitments, and the description of appropriate technical and organisational measures.
Supplier oversight is typically performed through documented due diligence, contractual review and periodic re-validation of the sub-processor list, rather than through on-site audits. Where relevant, DTIA outputs are retained as reference material for future supplier assessments and comparable integrations.
17.3. Further formalisation
MTH is working towards further formalisation of supplier risk management as part of its broader information security maturity trajectory, including the development of a more structured supplier risk management framework aligned with its ongoing ISO 27001 implementation efforts.