Our clients frequently ask us, “Is my data safe?”
You will find all the details about our security measures, policies, and associated documents in our Trust Center.
But to get a first overview, and to find answers to frequently asked questions, keep reading this document.
Found a security vulnerability?
If you feel you have found a security vulnerability, learned about a new threat model, or want to report a security incident, please contact us immediately. We will keep all your data confidential. You can send us an email at [email protected], or call us any time at +49 157 3432 5347. We will deal with your reported issue immediately.
Hosting
Our software runs in the Google Cloud, using the App Engine platform. This is a Platform-as-a-Service, which enables application developers to focus on creating their application, while Google takes care of provisioning and configuring servers, firewalls and routers, providing the database, running automated backups, logging, auditing, physical access security, and so on.
We don’t operate any of these servers “directly.” All of the servers are managed by the Google Cloud service, so we don’t need to worry about proper configurations, security patches, etc. This is all taken care of automatically.
Google is constantly auditing its services, and has been approved for the following compliance certifications (and many others):
SSAE16 / ISAE 3402 Type II:
SOC 2
SOC 3
ISO 27001, 27017, 27018
PCI DSS v3.1
Read more here or download the compliance reports over here.
In addition to the Google Cloud, we use a handful of 3rd-party products to provide our services. You can learn more about them on our subprocessors page.
We don’t operate any servers on our premises, and we don’t have a local network, routers, or firewalls (but of course our subprocessors do). We explicitly don’t download any customer data onto local workstations, except in the very rare case of troubleshooting a problem; in that case the data must be encrypted at rest and deleted immediately afterwards.
Data encryption
All data is encrypted during transit using HTTPS/SSL. All data is also encrypted by default in the Google data centers, by Google. In addition, we encrypt string-based content such as the written feedback, objectives, and performance reviews in the database on a per-field basis, using symmetric AES-256 encryption, making it even harder to analyze the data in case of a database breach.
The encryption/decryption process happens on the server, at the service level, before and after accessing the database. Read more in our Encryption Policy in the Trust Center.
Preventing social engineering and attacks against SI staff computers
Many attacks these days are not targeting the server, but work by tricking staff into downloading and running infected software, or visiting sites that have been compromised and which install malware onto visitors’ computers.
We reduce these risks in several ways:
We’re a small team, so it’s impossible for someone to pretend they are “someone important” from another business division.
We’re security-aware and regularly train all staff to be cautious, and to be especially sceptical about emails, but also about other internal communication channels. If an attacker impersonated the CEO and sent an unsolicited (and infected) file by email, the recipient would ask for confirmation. Suspicious requests via Slack are likewise confirmed by a phone call.
And we use physical security keys as well, which serve as a final line of defense.
For more detail check out our Access Control Policy, our Anti-Malicious Software Policy, and our Password Policy, all contained in our Trust Center.
Full disclosure policy: In case anything should ever happen, we will disclose the incident to minimize damage. See also our Incident Response Policy in the Trust Center.
Security audits
Preventive measures are just one side of the coin. It’s crucial to have third parties double-check the security model too. We do this at two levels: ongoing tests and dedicated security audits.
As an ongoing measure, we use a service called HackerOne that connects white-hat hackers with software vendors. We’re running a bounty program that encourages hackers to break Small Improvements’ security model, and we pay rewards in case someone finds issues.
As an additional measure, we’re using external pentesting companies on an annual basis. The most recent test was conducted by cure53 in January 2025, using a white-box approach. The executive report can be found here, and the detailed report can be requested by mailing us.
Backups and Disaster recovery
Google Cloud is hosted on a highly distributed network across Google data centers. The data is constantly replicated as well, so even if an entire data center goes down, others still have all the data, and continue serving requests without any end user noticing.
We create full backups twice a day as well. So in the event of catastrophic failure of all data centers, or in the case of a grave programming mistake that accidentally wipes data from within our application, we can resort to the backups. We store these backups on an entirely independent service of the Google network.
We keep backups for 6 months; after that they are deleted on a rolling basis.
Additional information can be found in our Backup Policy.
Further considerations
Security is the most important aspect when choosing a cloud platform. But there are other related topics that deserve a mention. An application needs to be more than secure: it needs to be available and functional as well, you need to get support for issues that arise, and so on.
Self-defined Security policies
We recommend you let your staff connect to Small Improvements via Single Sign-On or at least via "Sign in with Google". But if you don't use either, you can increase security by enforcing 2-Factor Authentication, defining a higher password length requirement, and enforcing an IP range to match your corporate VPN.
Availability
We picked Google Cloud for the very reason that it’s optimized for availability.
Our entire business model is geared to providing the best user experience possible. Availability is a key ingredient. It's rare we're under 99.98% per month, according to our Pingdom tracker (see details here).
Downtime cannot be ruled out entirely, but if for some reason we’re offline for more than a few minutes, we’ll write a post-mortem and reimburse customers who were affected, for instance by providing a free month of service.
Customer Support
We typically respond within 24 hours to “normal” questions that don’t seem urgent to us. We try to reply within 2 hours to urgent questions, e.g. if an administrator is stuck and doesn’t know how to proceed with performance reviews that are due within a day or two.
Our company is based in Berlin, Germany, but our support team is distributed across Berlin and the US, so we cover Europe and the US during all business hours. APAC support is limited to late evenings and early mornings local time.
Our normal support hours are Monday through Friday, 8am – 6pm CST.
Check our contact page or email [email protected] to get in touch.
Overall product quality
Even if a system is up and running, program errors (“bugs”) may occur that prevent certain features from working. We take this just as seriously and are doing whatever we can to ensure the highest quality standards.
It starts with a strict hiring process that includes several interviews and a two-day on-site trial. Every staff member receives access permissions only according to the “least privilege principle”, and we take our time before new staff receive admin permission on any system.
We place a lot of emphasis on automated testing. Every feature we write is code reviewed by another person, and we deploy and test new features on our QA system. Only once we’ve tested diligently do we either make the feature available to clients as an “opt-in” beta, or promote it into production and monitor it for a while. If anything goes wrong, we can roll back to the previous release within a minute.
We have a low threshold for bugs in the product. We don't go as far as saying "no bugs" but typically the total bug count across the entire application is below 30.
Data portability, deleting your data
You are welcome to create your own exports.
XML
This option needs to be enabled by SI staff. You can download an XML file that contains all your company data, or you can download data per review cycle. You could for instance download just the XML file for all performance reviews done in the Review Cycle 2018. The XML file can be used to populate another system if you decide to leave our service.
You will find the XML download button for a cycle in the advanced menu on the cycle overview screen, and the XML download for the entire system in the general settings -> Advanced tab. Since the XML export contains all data, the download button is off by default. Please contact SI support at [email protected] to enable the XML download button.
CSV, Excel, PDF
We also provide means of exporting data to CSV format, so you can further process it. This is available currently for performance review core data, 360 feedback, for objectives, and for your user database.
Please see our full guide for exporting account data.
Deleting Data
You may always decide to permanently delete your data. There’s a button on the Advanced Settings page (Admin View -> Settings -> Company Settings) that lets you wipe all content. If you’ve been using our service for more than 4 weeks, however, this feature is protected by an additional master password.
You will only get this password if one of your administrators asks for it by email. We will check if we’ve been in touch with you before. If more than one administrator exists in the system, we may ask the other person for confirmation. We put this extra step in to prevent snap decisions. After all, the data would really be gone, and our backups do not allow for selective recovery on a per-company basis.
Once deleted from the live database, the data is still available within our backups for another 6 months, then it also expires there.
Raising bugs
The easiest way to report a bug is to send a mail to [email protected]
Do you need further information?
We are happy to answer more specific questions if you have any, and we’re happy to extend this document too. Please get in touch.
