Data Brief | Securing What Matters

At October, protecting the privacy and security of personal information across both October Health (mental health platform) and October People (HCM/HR operations platform) is our top priority. This document outlines our data practices across both products.

Scope of this brief

October operates two integrated products on a shared security and compliance backbone:

  • October Health - the consumer-facing and employer-sponsored mental health, coaching, and wellbeing platform.
  • October People - a modular Human Capital Management (HCM) platform covering Core HR, Leave & Time, Talent, Compensation, Analytics, Compliance, and Assets, with built-in AI workflows and native integration with October Health.

Unless stated otherwise, all controls described below (encryption, access management, SOC 2, GDPR, POPIA alignment, penetration testing, sub-processor management) apply equally to both products.

Lawful basis for processing personal information

We process personal data on the following lawful bases:

  • Consent - Individual users of October Health voluntarily sign up and agree to our Terms & Conditions and Privacy Policy, providing informed and explicit consent for processing.
  • Contract / legitimate interest of the employer - For October People, the employer is the data controller for employee HR records and October acts as a data processor under a Data Processing Agreement (DPA). Employees' data is processed to deliver the HR services the employer has contracted for.
  • Legal obligation - Where retention or disclosure is required by applicable law (e.g., tax, employment, or regulated health record requirements).

When an October People customer also enables October Health for their workforce, the two products remain logically separated: an employer cannot see an employee's mental health content, sessions attended, or journal entries. Only aggregated, anonymized wellbeing metrics are surfaced to employer dashboards.

Data collected

A core design principle of October Health is maximum user anonymity. For October People, the data set is necessarily broader because HR operations require it, but the same minimization principle applies: we collect only what is required to deliver the contracted service.

October Health: Data Categories

  • Account information: email, nickname, hashed password, optional gender, age range, selected interests.
  • User content: any text or audio voluntarily uploaded by users (chats, coaching messages, journal entries).
  • Usage data: screens viewed, buttons clicked, in-app navigation.
  • Device information: IP address, browser type, operating system.

No additional personally identifiable information is requested.

October People (HCM): Additional Data Categories

When an employer uses October People, the following additional categories may be processed on the employer's behalf:

  • Employee profile data: full name, work email, employee ID, job title, department, manager, start date, employment type, work location, contact details, and emergency contact.
  • Compensation and payroll data: salary, pay grade, equity, benefits enrollment, expense submissions. Where October People integrates with a payroll provider, banking detail submission is delegated to that provider.
  • Leave and time data: leave balances, leave requests, timesheets, overtime.
  • Talent data: candidate applications, CVs, interview notes, offer letters, performance reviews, competency assessments, succession plans, learning records.
  • Asset and equipment records: equipment assigned to an employee (e.g., laptop serial numbers).
  • Documents: HR documents uploaded by the employer or employee (contracts, ID copies where required for compliance, certifications).
  • Compliance data: jurisdiction-specific fields required for US and South African regulatory compliance (e.g., tax identifiers handled per local regulation, EEO data where lawfully collected).
  • AI feature inputs: text submitted to AI-powered modules (e.g., job description generation, onboarding checklists, performance improvement plans). AI features operate under our AI governance policy; submitted content is not used to train third-party foundation models.

Sensitive categories (e.g., health, biometric, trade union membership) are not collected by default. Where a customer's lawful HR use case requires them, configuration and processing are governed by the customer's DPA and applicable law.

Data transfers and residency

Data is hosted in the United States. This is disclosed in our Privacy Policy and DPA. For customers requiring specific regional residency arrangements (e.g., EU or South African data residency for October People), contact security@october.health to discuss available options. Cross-border transfers from the EU/UK are covered by Standard Contractual Clauses (SCCs); transfers from South Africa rely on the appropriate POPIA mechanisms.

User and data subject rights

Data subjects may access, modify, or delete their personal information.

  • October Health users exercise rights directly in-app or by contacting support.
  • October People employees exercise rights through their employer (the controller) in the first instance; October as processor will support the controller in fulfilling the request.

Retention and deletion

  • Active accounts: personal information is retained for the duration of the contractual relationship and as required by applicable legal and statutory obligations.
  • Closed October Health accounts: on deletion, personal information is anonymized and randomized so that records cannot be forward- or backward-solved to an individual, and the profile is deactivated. Anonymized records are retained to preserve the integrity of aggregate analytics and reporting; this is consistent with GDPR and POPIA, since anonymized data is no longer personal data.
  • Closed October People records: on termination of an employee or termination of the customer contract, data is handled per the customer's DPA. Default behavior is to return or delete personal data within a defined offboarding window, subject to the customer's lawful retention obligations (e.g., tax, employment, payroll record-keeping, which in some jurisdictions require multi-year retention).
  • Right to erasure: October promptly complies with valid deletion requests unless retention is required or permitted by law (e.g., to complete a transaction, satisfy statutory record-keeping, or defend a legal claim).

Data protection and compliance

October maintains a full-time Head of Legal / Data Protection Officer and a Chief Information Security Officer. Our compliance and certification posture covers both October Health and October People:

  • SOC 2 certified (security, availability, and confidentiality).
  • GDPR and POPIA aligned, with a published Privacy Policy and customer DPAs available.
  • US and South African HR regulatory features built into October People's Compliance module.

SOC 2 and penetration test reports are available to enterprise prospects and customers under NDA on request.

Audits and monitoring

  • Automated security scans run continuously, with hourly source code dependency scans for vulnerable components.
  • Independent third-party penetration testing of the entire platform (both October Health and October People) is conducted at least annually, with additional targeted testing on major releases.
  • Continuous monitoring of API and infrastructure for anomalous activity.

Reports (SOC 2 and penetration testing) are available to enterprise customers on request.

Infrastructure and security controls

  • Access control: production access to personal information is restricted to staff who require it for their role, granted on least-privilege principles, logged, and reviewed.
  • Encryption: all data is encrypted in transit (TLS) and at rest.
  • Data stores: PostgreSQL for relational data and Redis for in-memory caching, both encrypted and access-controlled.
  • Password storage: PBKDF2 with SHA-256, individually salted per user, in line with NIST guidance.

Data sharing

October does not sell personal information. We do not share personal information with third parties for their own commercial purposes.

Statistical data shared with partners and employers is fully anonymized and aggregated. For October People, employer access to identifiable employee data is by design - the employer is the controller of that data - and is governed by role-based access controls inside the product (5 role types, configurable per module).

Personal data may be shared only with partners and sub-processors for limited purposes such as:

  • Delivering our services and support
  • Ensuring platform security and performance
  • Managing payments and billing
  • Conducting regulated health operations (October Health)
  • Supporting HR-specific integrations such as payroll, identity providers, and background checks (October People), only where the customer has enabled them
  • Complying with lawful requests from authorities

All sub-processors are contractually bound to our confidentiality and security standards, receive only the minimum data required, and are not permitted to use the data for their own purposes or share it further. October retains control of personal information at all times.

Recipients of data

Refer to October's published 3rd Party Service Provider list. A product-specific sub-processor list is available for October People customers on request.

Authentication and device security

October enforces secure password policies for end users:

  • Password-to-email similarity is prevented
  • Minimum length and complexity required
  • Common passwords disallowed
  • Purely numeric passwords disallowed

Passwords are protected using PBKDF2-SHA256 with a per-user salt, a NIST-recommended password stretching mechanism: the unique salt defeats precomputed (rainbow-table) attacks, and the iterated hashing slows offline guessing of individual passwords.

Where supported, devices use local biometric authentication (e.g., FaceID, TouchID) as a second factor for app access.
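As an added illustration (not October's own code; the brief names the algorithm but not its parameters), the end-user password policy above and the PBKDF2-SHA256 per-user-salt storage described under "Infrastructure and security controls" can be implemented together like this. The iteration count, similarity threshold, minimum length and common-password list are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from difflib import SequenceMatcher

# Assumed parameters for this example; the page does not state October's actual values.
ITERATIONS = 600_000        # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
MIN_LENGTH = 8
SIMILARITY_THRESHOLD = 0.7  # ratio above which a password is "too similar" to the email
# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def validate_password(password: str, email: str) -> list:
    """Return the policy rules the password violates, in a fixed order (empty = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if password.isdigit():
        failures.append("numeric_only")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("common")
    # Compare against the whole address and its local part, so that a password such as
    # "jane.doe1" is rejected for jane.doe@example.com.
    local_part = email.split("@", 1)[0].lower()
    for candidate in (email.lower(), local_part):
        if candidate and SequenceMatcher(None, password.lower(), candidate).ratio() >= SIMILARITY_THRESHOLD:
            failures.append("similar_to_email")
            break
    return failures


def hash_password(password: str, salt: bytes = b"") -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random per-user salt; stored as algo$iters$salt$digest."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(("pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(parts[1]))
    return hmac.compare_digest(actual, expected)
```

Storing the iteration count alongside the hash lets the work factor be raised later without invalidating existing credentials: old records keep verifying with their recorded count and are rehashed on the user's next successful login.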

AI governance

October uses AI features across both products (October Health coaching support and October People HR workflows such as job description generation, onboarding checklists, and PIP drafting). Our AI governance principles include:

  • Customer and user content submitted to AI features is not used to train third-party foundation models.
  • AI outputs are positioned as drafts for human review, especially in sensitive HR contexts (performance, hiring, discipline).
  • Sub-processors providing AI capability are listed in the sub-processor schedule and bound by our DPA terms.

The full AI governance policy is published at october.health/ai.

Contact

We are committed to minimizing data collection, restricting access to authorized staff, and prioritizing privacy across both October Health and October People.

For data protection, security, or compliance queries, including DPA requests, sub-processor lists, SOC 2 reports, and penetration test summaries, contact security@october.health.