Axios Supply Chain Vulnerability

Security Trust Centre


Welcome to Culture Amp's Security Trust Centre. Our commitment to data privacy and security is embedded in every part of our business. Use this Security Trust Centre to learn about our security posture and request access to our security documentation.

Documents

Featured Documents

Reports: Penetration Test Report

Security Grades

We are constantly monitoring the security of our website. We will post our grades from public security rating agencies when they become available.

Security Trust Centre Updates

Axios Supply Chain Vulnerability

Vulnerabilities

At Culture Amp, the security of our platform and the protection of our customers' data are our highest priorities. We are aware of the recent supply chain attack involving Axios (versions 1.14.1 and 0.30.4) and have completed a comprehensive internal review of our systems.

Our Findings: Following a thorough investigation by our security team, we can confirm the following:

  • No Exposure to Compromised Versions: While Culture Amp uses Axios within our environment, the specific compromised versions (1.14.1 and 0.30.4) were never present in our development or production environments.
  • Data and Credential Integrity: Because the affected versions were never deployed to our development or production environments, there was no risk to or impact on our stored credentials, API keys, cloud secrets, or sensitive configuration data.
  • No Indicators of Compromise (IoC): We have performed a full review of all known IoCs associated with this supply chain attack. Our monitoring and logs show no suspicious activity or service impacts in these environments related to this incident.

Our Commitment
Our security team continues to monitor the situation and our software supply chain closely. Because our environments were not running the affected code, no remediation actions such as secret rotation or version rollbacks were required.

We remain committed to maintaining a secure environment for our customers and will provide further updates if new information becomes available.

LiteLLM Supply Chain Vulnerability

Vulnerabilities

At Culture Amp, the security of our platform and the protection of our customers' data are our highest priorities. We are aware of the recent supply chain attack involving LiteLLM (specifically versions 1.82.7 and 1.82.8) and have completed a comprehensive internal review of our systems.

Our Findings: Following a thorough investigation by our security team, we can confirm the following:

  • No Exposure to Compromised Versions: While Culture Amp uses LiteLLM within our environment, the specific compromised versions (1.82.7 and 1.82.8) were never present in any of our development, build, CI/CD, hosting, or production environments.

  • Data and Credential Integrity: Because the affected versions were never deployed, there was no risk to or impact on our stored credentials, API keys, cloud secrets, or sensitive configuration data.

  • No Indicators of Compromise (IoC): We have performed a full review of all known IoCs associated with this supply chain attack. Our monitoring and logs show no suspicious activity or service impacts related to this incident.

Our Commitment: Our security team continues to monitor the situation and our software supply chain closely. Because our environments were not running the affected code, no remediation actions such as secret rotation or version rollbacks were required.
We remain committed to maintaining a secure environment for our customers and will provide further updates if new information becomes available.
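The Axios and LiteLLM advisories above both rest on the same check: confirming that specific package versions were never present in any environment. The script below is an added example of how that check can be run over lockfiles; it is not Culture Amp's tooling, and the only facts it takes from the page are the package names and version numbers. It scans an npm package-lock.json (lockfileVersion 1, 2 or 3, including transitive copies nested under other packages), pinned requirements.txt / pip freeze lines, and a poetry.lock, and reports any hit against a denylist. The sample lockfile contents are constructed for the example.

```python
import json
import re

# Constructed denylist: the package versions named in the two advisories above.
# The names and versions come from the page; everything else here is an added example.
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
    "litellm": {"1.82.7", "1.82.8"},
}


def normalize(name):
    """PEP 503-style normalisation so 'LiteLLM' and 'litellm' compare equal.
    npm names are already lowercase, so this is a no-op for them."""
    return re.sub(r"[-_.]+", "-", name).lower()


def npm_lock_entries(lock_text):
    """Yield (name, version) for every package recorded in a package-lock.json.
    lockfileVersion 2/3 list packages under "packages" keyed by install path;
    lockfileVersion 1 uses a nested "dependencies" tree. Both are walked."""
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # "node_modules/sdk/node_modules/axios" -> "axios"; aliased packages carry "name"
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if "version" in meta:
            yield name, meta["version"]

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


# name, optional extras like [proxy], then an exact '==' pin
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)")


def requirements_entries(req_text):
    """Yield (name, version) from exactly pinned lines of requirements.txt or pip freeze output.
    Range specifiers and URLs are skipped: they do not record what was actually installed."""
    for line in req_text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


# each [[package]] block in poetry.lock opens with its name and version lines
_POETRY_RE = re.compile(r'\[\[package\]\]\s*\nname\s*=\s*"([^"]+)"\s*\nversion\s*=\s*"([^"]+)"')


def poetry_lock_entries(lock_text):
    """Yield (name, version) for every [[package]] block in a poetry.lock."""
    for m in _POETRY_RE.finditer(lock_text):
        yield m.group(1), m.group(2)


def find_compromised(entries, denylist=COMPROMISED):
    """Return sorted (normalised name, version) pairs that appear in the denylist."""
    bad = {normalize(n): versions for n, versions in denylist.items()}
    hits = set()
    for name, version in entries:
        key = normalize(name)
        if key in bad and version in bad[key]:
            hits.add((key, version))
    return sorted(hits)


def scan_all(npm_lock=None, requirements=None, poetry_lock=None):
    """Run every parser whose input was supplied; map source file -> list of hits."""
    report = {}
    if npm_lock is not None:
        report["package-lock.json"] = find_compromised(npm_lock_entries(npm_lock))
    if requirements is not None:
        report["requirements.txt"] = find_compromised(requirements_entries(requirements))
    if poetry_lock is not None:
        report["poetry.lock"] = find_compromised(poetry_lock_entries(poetry_lock))
    return report


# Constructed sample inputs (not real project files).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.13.2"},       # not on the denylist
        "node_modules/some-sdk": {"version": "2.0.0"},
        # transitive copy pinned by the SDK: a grep of package.json alone would miss it
        "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"},
    },
})

SAMPLE_REQUIREMENTS = """\
# constructed pip freeze output
fastapi==0.115.0
litellm[proxy]==1.82.8
openai>=1.0
"""

SAMPLE_POETRY_LOCK = """\
[[package]]
name = "LiteLLM"
version = "1.82.9"
description = "constructed entry; version not named in the advisory"

[[package]]
name = "requests"
version = "2.32.3"
"""

if __name__ == "__main__":
    for source, hits in scan_all(SAMPLE_PACKAGE_LOCK, SAMPLE_REQUIREMENTS, SAMPLE_POETRY_LOCK).items():
        print(f"{source}: {hits or 'clean'}")
```

Two caveats when using a scan like this to support a "never present" statement. A lockfile only proves what a clean `npm ci` or `pip install -r` would have installed; a build that ran `npm install` against a caret range such as `^1.14.0` while the bad version was the latest on the registry could have pulled it in without the committed lockfile changing, so CI build logs and cached node_modules or virtualenvs need to be checked as well. And the denylist must include transitive paths, which is why the npm parser walks every `node_modules/.../node_modules/axios` entry rather than only the top-level one.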

React Server Components (CVE-2025-55182) Vulnerability - Not Impacted

Vulnerabilities

You may be aware of the critical vulnerability (CVE-2025-55182) within the React Server Components Framework that was published on December 3rd, 2025.

Culture Amp confirms that our infrastructure is not impacted by this security issue. We do not utilise the vulnerable React Server Components (RSC) functionality or affected packages.

Ivanti CVE - Not Impacted

Vulnerabilities

You may be aware that Ivanti has issued an important security update addressing recently identified vulnerabilities in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateways.

Culture Amp does not use Ivanti and is not impacted by this security issue.

Culture Amp Security Documentation not downloadable - 01/08/2024

General

Hi all, Culture Amp's Security Documentation may temporarily be available in read-only format only while we adjust some settings on the underlying platform. For anyone performing due diligence activities, most documentation should be downloadable (if required) by Monday US time.
The exception is our SOC 2 report, which will remain available in read-only format indefinitely.

If you think you may have discovered a vulnerability, please send us a note.