Book a Demo

Information Security Policy

Effective Date: Jan 31, 2023, Last Updated: Apr 3, 2023

This Security Statement is aimed at providing you with more information about our security infrastructure and practices.​

Information Security Policy 

Empathy Rocks, Inc. DBA as mpathic, maintains a written Information Security policy that defines employee’s responsibilities and acceptable use of information system resources. The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before providing authorized access to empathy rocks information systems. This policy is periodically reviewed and updated as necessary.

Our security policies cover a wide array of security-related topics ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialized security standards covering internal applications and information systems.

Asset Management

Empathy Rocks, Inc.’s data and information system assets are comprised of customer and end-user assets as well as corporate assets. These asset types are managed under our security policies and procedures. Empathy Rocks, Inc. authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by Empathy Rocks, Inc.’s security policies. 

Personnel Security

Empathy Rocks, Inc. employees are required to conduct themselves in a manner consistent with the company’s guidelines, including those regarding confidentiality, business ethics, appropriate usage, and professional standards. All newly hired employees are required to sign confidentiality agreements and to acknowledge the Empathy Rocks, Inc. code of conduct policy. The code outlines the company’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company. 

Physical and Environmental Security

Our information systems and infrastructure are hosted in world-class data centers managed by AWS and GCP that are geographically dispersed to provide high availability and redundancy to Empathy Rocks, Inc. and its customers. Since we are a remote company we do not have any physical locations.

Operational Security

Change Management

Empathy Rocks, Inc. maintains a change management process to ensure that all changes made to the production environment are applied in a deliberate manner. Changes to information systems, network devices, and other system components, and physical and environment changes are monitored and controlled through a formal change control process. Changes are reviewed, approved, tested, and monitored post-implementation to ensure that the expected changes are operating as intended.

Supplier and Vendor Relationships

Empathy Rocks, Inc. likes to partner with suppliers and vendors that operate with the same or similar values around lawfulness, ethics, and integrity that Empathy Rocks, Inc. does. As part of its review process, we screen our suppliers and vendors and bind them to appropriate confidentiality and security obligations, especially if they manage customer data.

System Backups

Empathy Rocks, Inc. has backup standards and guidelines, and associated procedures for performing backup and restoration of data in a scheduled and timely manner.

Network Security

Our infrastructure servers reside in a VPC which restricts access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Empathy Rocks, Inc. maintains separate development and production environments.

Vulnerability Management

Empathy Rocks, Inc. utilizes automated tools to monitor our codebase for disclosed vulnerabilities. When vulnerabilities are identified they are assessed for risk and patched in priority order.

Patch Management

Empathy Rocks, Inc. strives to apply the latest security patches and updates to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. Our architecture is primarily serverless and relies on our cloud providers to manage operating system security.

Secure Network Connections

HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients. The level of encryption is negotiated to either SSL or TLS encryption and is dependent on what the web browser can support.

Access Controls

Role-Based Access

Role-based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors. 

Authentication and Authorization

We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password policies enforce the use of complex passwords, which are deployed to protect against unauthorized use of passwords. We leverage Auth0 for user management, authentication, and authorization.

Empathy Rocks, Inc. employees are granted a limited set of default permissions to access company resources, such as their email. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines.

Software Development Lifecycle

We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our products. Our products are deployed on an iterative, rapid-release development lifecycle. The Empathy Rocks, Inc. architecture teams review our development methodology regularly to incorporate evolving security awareness, industry practices, and to measure its effectiveness.  

Data Protection

We apply a common set of personal data management principles to customer data that we may process, handle, and store. We protect personal data using appropriate physical, technical, and organizational security measures.

We give additional attention and care to sensitive personal data and respect local laws and customs, where applicable.  

Empathy Rocks, Inc. only processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized in accordance with our privacy policy. We take all reasonable steps to protect information we receive from our users from loss, misuse or unauthorized access, disclosure, alteration, and/or destruction.


Empathy Rocks, Inc. maintains GDPR compliance for EU and UK customers. Our compliance page can be found at


Empathy Rocks, Inc completed SOC 2 Type 1 compliance in summer of 2022, and will begin SOC 2 Type 2 starting March 31, 2023. A copy of our SOC 2 Type 1 report is available upon request.

Penetration Testing

Empathy Rocks, Inc. contracted Moss Adams in summer 2022 to execute an external penetration test of our public-facing infrastructure. The results of this test were 100% clean with no vulnerabilities found. For a detailed report, please speak to your Empathy Rocks, Inc. contact or email Empathy Rocks, Inc. will maintain an annual external testing event on public-facing infrastructure and will have additional testing performed with any major infrastructure/architectural changes.

HIPAA Compliance

Empathy Rocks, Inc. offers HIPAA compliant data analysis and storage via 3rd party off-site solutions. Please see additional documentation of our standard BAA and privacy policies. Through encrypted data transfers and storage, two-factor authentication, constant system monitoring, and planned external HIPAA audits, we meet stringent compliance regulations to protect privacy and confidentiality. Data security attestation reports are available upon request. Our HIPAA Privacy & Security Officers can be contacted at

Website Privacy Policy

This policy describes the types of information we may collect from you or that you may provide (i) when you visit the website or link (the “Site”), or (ii) from using our Empathy Rocks online and mobile software (collectively, the website and the Empathy Rocks software are our “Services”), and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This policy applies to information we collect:

  • That you may provide when you access or use the Services.
  • In email, text, and other electronic messages between you and the Company.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is to not use our Services. By accessing or using the Services, you agree to this privacy policy. This policy may change from time to time. Your continued use of our Services after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

User Restrictions

Our Services are not directed to people under the age of 18, and we do not intentionally gather personal information from visitors who are under the age of 18, without their parental or guardian’s consent or in some cases, the child’s assent or consent if the legal age of consent for health services is younger than age 18 according to state law. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, they should contact us at We will attempt to delete such information in accordance with the law.

Information We Collect About You and How We Collect It

We may collect the following information from you, for the following purposes:

Contact Information

When you use our Services, including a free trial, we may ask you for your name, address, telephone number, email address, or other contact details in order to respond to your request or inquiry or to verify your identity.

Business Information

When you seek services from us in the course of contractual or customer relationships between you and/or your organization and us, we collect business contact information and other personal information in order to provide you with the services you have requested.

Computer and Internet Information

When you visit our Site or use our Services, we collect information about your computer and internet connection, including your IP address, operating system, browser type, cookies, and data about the pages you visit. This information may be collected automatically from your browser or your mobile device and is used to understand how you interact with the Services.

Location Information

When you use our Services, we collect information about your use of and interaction with our Services in order to (a) serve you the content and functionality you request, and (b) to maintain the privacy and security of the Services. Location information collected includes your Internet Protocol (IP) address or unique device identifier.


When you visit or use our Services, we use cookies to securely authenticate users to our servers, to improve our marketing efforts, and for usage analytics purposes (e.g., page response times, download errors, length of visit, webpages visited, etc.). Because cookies are required for secure authentication of our  Services, our Services cannot operate without them. If you don’t accept cookies, you cannot use our Services.  Please see Empathy Rocks’ cookies policy here. 

Feedback / Support / Inquiries

If you provide us with feedback or contact us for support or to ask us questions, we will collect your name, email address, other contact information, and other information needed to respond to your feedback, provide the requested support, or to answer your question.

Financial and Payment Information 

If you choose to purchase Services from us, you will need to give personal information and authorization for us to obtain information from various credit services. We may collect your bank account and other data necessary to process payments, including credit card numbers, security codes, expiration dates, and other related billing information. For example, you may need to provide the following information:

  • Name
  • Mailing address
  • Email address
  • Credit card number
  • Home and business phone number

We do not store your payment information. By submitting your payment card information, you expressly consent to the sharing of your information with third-party payment processors and other third-party services (including but not limited to vendors who provide fraud detection services to us and other third parties).


We use various third-party vendors for risk analytics and compliance purposes, to track and analyze usage and volume statistical information of our Services and to process commercial transactions. We may use services provided and/or hosted by third parties, such as analytics services, to assist in providing our services and to help us understand how you use the Services. This information about your use of Services (including your IP address) may be transmitted to and stored at, our data warehouses or our vendors.

Web Beacons

Pages of our Services may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (e.g., recording the popularity of certain website content and verifying system and server integrity).

Third-Party Services

Some content or applications, including advertisements, available with our Services are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. We may also use the services of third parties for completing tasks related to the provision of our Services (e.g. processing of payments, execution of agreements). Where confidential information, such as information about our users, may be exchanged with third-party service providers, these providers are bound by confidentiality requirements at least as restrictive as those set forth herein. If you leave our Services to visit another website or use the services of a third party, you should review the privacy policies of each third party that you visit before using their sites or services. 

These third parties may provide you with ways to choose not to have your information collected or used. For example, you can opt out of receiving targeted ads from members of the Network Advertising Initiative (NAI) on the NAI’s website.

These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information.

We are not responsible, or liable to you or any third party, for the materials, goods, or services provided by any third parties.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information:

  • To present our Services and its contents to you.
  • To provide you with information, products, or services that you request from us.
  • To fulfill any other purpose for which you provide it.
  • To provide you with notices about your account and subscription, including expiration and renewal notices.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
  • To notify you about changes to our Services or any products or services we offer or provide through it.
  • To conduct research and analysis.
  • To validate the accuracy of existing products.
  • To develop new products and services.
  • In any other way we may describe when you provide the information.
  • For any other purpose with your consent.

Disclosure of Your Information

Empathy Rocks does not sell your information to third parties. We may disclose aggregated information about our users, and information that does not identify any individual, without restriction. We may disclose personal information that we collect or you provide as described in this privacy policy:

  • To our subsidiaries and affiliates.
  • To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Empathy Rocks’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Empathy Rocks about our Website users is among the assets transferred.
  • To fulfill the purpose for which you provide it.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.

We may also disclose your personal information:

  • To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • To enforce or apply our subscription agreements, and other agreements, including for billing and collection purposes.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Empathy Rocks, our customers, or others (e.g., exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction).

Choices About How We Use and Disclose Your Information

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:

  • Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.

California residents may have additional personal information rights and choices. Please see California Residents for more information.

California Residents

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our System that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to

Accessing and Correcting Your Information

If you sign up for an Empathy Rocks product you can review and change your personal information by visiting your account profile page.

Data Security

Any data access is logged by user with time-stamping and IP information. User access is controlled with strong passwords. The server uses algorithms to identify and block any malicious users. Empathy Rocks conducts regular system security audits using outside security professionals. Further information can be found in Empathy Rocks’s Data Security Statement.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted via our Services. Any transmission of personal information is at your own risk. Except as otherwise set forth in this privacy policy or in a separate agreement between you and Company, we are not responsible for circumvention of any privacy settings or security measures contained on the Services.

Information Received as Business Associate

Some of our US-based customers (such as healthcare providers) may be subject to laws and regulations governing the use and disclosure of the health information they create or receive, including the Health Insurance Portability and Accountability Act (HIPAA) and the regulations adopted thereunder. Empathy Rocks, Inc. will only use or disclose such information as permitted by the controlling business associate agreement (BAA) or as otherwise permitted by law. Empathy Rocks, Inc. limits access to “protected health information” in accordance with HIPAA. Empathy Rocks, Inc. workforce members are trained on the privacy and security requirements applicable to protected health information, and mpathic’s “business associates” are required, pursuant to the terms of their agreements with us, to implement required safeguards.

Representation for data subjects in the UK

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.

Prighter gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit the following website:

Exercise your data subject rights under GDPR

We provide you with an easy way to submit to us a privacy related request like a request to access or erase your personal data. If you want to make us of your data subject rights, please visit our public privacy landing page:


Empathy Rocks may revise these Terms of Use from time to time by updating this posting. You should visit this page from time to time to review the current terms.

We may also, at our option, email you at the address you provide with your account to notify you the privacy policy has been updated. If we make material changes to how we treat our users’ personal information, we will notify you by the email address specified in your account. 

Contact Information

To ask questions or comment about this privacy policy and our privacy practices, contact us at 

PrighterUKRep certificate of Art 27 representation
Prighter certificate of Art 27 representation