Security

PeopleForce offers a Software as a Service (SaaS) solution that addresses a range of business needs for thousands of users globally. Security is a fundamental aspect of our services, encompassing our personnel, procedures, and products. This page covers data security, operational security, and physical security to explain how we deliver security assurances to our customers.

1. Summary

Our security approach encompasses these key elements:

  • Organizational security
  • Physical security
  • Infrastructure security
  • Data security
  • Identity and access control
  • Operational security
  • Incident management
  • Responsible disclosures
  • Vendor management

1.1 Is your data kept safe?

At PeopleForce, we prioritize security greatly. Our product and company's integrity are built on upholding the most rigorous standards for information security and privacy:

  • Compliance Certifications: Our commitment to compliance involves adhering to established industry security and privacy frameworks, utilizing best practices and widely accepted standards. This enables us to assist our customers in fulfilling their own compliance requirements.
  • Integration with industry-leading security standards: PeopleForce places a continuous emphasis on safeguarding your data and dedicates resources to its protection. We implement security measures, maintain comprehensive policies, and establish procedures that align with essential data security benchmarks. Continuously raising our level of information security is a priority. Notably, PeopleForce holds ISO 27001:2013 certification.
  • Full control over your data: Your data is fully transparent to us. You alone hold the keys to access your information, sharing only what is needed with the right people, at the right time, thanks to our robust permissions structure. It is protected at every stage, from start to finish.
  • Access Control Management: Our company has established a comprehensive system to manage and oversee the authorization of every employee to the various tiers of data, software, applications, and all corporate resources, without exception. As a result, access to our systems and to customer information is strictly restricted and monitored. Our staff members are not authorized to access client data stored within the PeopleForce platform, except for the company's CTO or those who have been granted permission by clients to solve specific tasks.

2. How does PeopleForce ensure adherence to security standards?

As a SaaS company, we're constantly working hard to meet and exceed the best security standards. Our aim is to ensure that our customers are always protected from any potential security risks or vulnerabilities.

2.1 Adherence to Security Regulations

  • ISO 27001:2013 certified
  • GDPR certified
  • Responsible disclosures
  • We undergo routine audits to maintain current ISO 27001 assessments and GDPR compliance reports, available on request and subject to a non-disclosure agreement (NDA)

3. Certifications

3.1 What types of certifications and materials can I access?

Our certifications and materials can be provided upon request. Certain resources might require the signing of a non-disclosure agreement (NDA). The available choices are as follows:

3.2 Accessible Resources

ISO/IEC 27001 stands as a universally accepted international standard for security. Organizations that meet ISO's stringent global requirements are granted this certification.

PeopleForce has secured ISO/IEC 27001:2013 accreditation in the areas of Applications, Systems, People, Technology, and Processes.


GDPR is a Europe-wide regulation requiring companies to protect the personal data and privacy of EU citizens during data processing activities.

PeopleForce has consistently gone above and beyond industry norms to prioritize user data privacy. We see GDPR not as a hurdle, but as an enhancer of our already robust, privacy-first culture.
The PeopleForce platform features privacy settings that are GDPR-compliant. In managing customer data, we strictly follow the data protection principles set out by GDPR. For more insights into PeopleForce's GDPR compliance, click here.

3.3 Materials bound by a non-disclosure agreement (NDA)

  • Penetration Test Summary

3.4 Data Accessibility

Let's examine two categories of entities with potential access to your data:

  • You and your authorized personnel: Your designated staff members will be able to access the data using the provided data access credentials.
  • Our team: Our CTO or specific team members (individuals regularly trained and authorized by PeopleForce) will have access only if YOU authorize them for specific tasks. Each instance of PeopleForce personnel engaging in such tasks will be for precise, auditable purposes as per your request through our support desk, and only after obtaining your explicit approval.

3.5 Data Backup Inquiry

Is there a backup system in place for my data? Data within PeopleForce is backed up at least once daily. Nevertheless, we advise keeping regular backups of your HRIS data on your side as well.

3.6 Data Storage and Security Overview

How and where is my data stored and safeguarded? Your data is managed and protected as follows.

4. Infrastructure and Data Hosting Location

4.1 Europe

To ensure the security of Personal Data, including its storage on cloud resources, we use only secure and reliable facilities.
As required by the GDPR (General Data Protection Regulation), all data belonging to our customers who are residents or citizens of the European Union is stored securely within a data center located in the European Union, specifically in Frankfurt am Main, Germany.

4.2 Network Security Measures

What network security measures are in place? PeopleForce employs robust network security strategies alongside various other protective technologies to safeguard your data. These measures encompass:

4.3 Security Measures

We fortify our network using essential AWS security services, conducting routine audits, and utilizing advanced network intelligence technologies. These technologies continuously monitor for and deter recognized malicious network traffic and potential attacks.

4.4 Architectural Framework

Our network security architecture is structured around distinct security zones. Notably, database servers reside within the most secure zone, located in Frankfurt, Germany, a highly trusted location.

4.5 Network Vulnerability Assessment

Our approach involves comprehensive network security scans that provide us with in-depth insights. This enables swift identification of systems that may be non-compliant or susceptible to vulnerabilities.

4.6 External Security Assessments

Alongside our comprehensive annual internal scanning and testing initiative, PeopleForce enlists the services of third-party security professionals to conduct a wide-ranging penetration test covering both the PeopleForce production and corporate networks.

4.7 Security Incident Management

We've developed a methodical strategy, a defined sequence of actions, and a toolkit that we employ to efficiently identify, address, and minimize the impact of security incidents. This approach enables us to adeptly handle and synchronize our actions in response to cybersecurity threats, breaches, or any issues related to information security.

4.8 Logical Access

Access to the PeopleForce production network is restricted on an explicit need-to-know basis and follows the principle of least privilege, meaning that individuals are granted the minimum level of access necessary for their tasks. Employees who need to use the PeopleForce production network are required to authenticate with multiple factors.

4.9 Security Incident Response

We've established a mechanism that enables our relevant technical specialists and security personnel to promptly address incidents. Responsible staff members undergo training in security incident response protocols, including effective communication methods and procedures for escalating issues.

4.10 DDoS prevention

We adeptly employ specific tactics, methods, and technological solutions to safeguard against Distributed Denial of Service (DDoS) attacks.

4.11 Intrusion detection and prevention

We've established specific protocols, technologies, and setups to identify and avert unauthorized or harmful actions within a computer network or system. These strategies collaborate to enhance the security of the digital ecosystem by recognizing potential risks and initiating pre-emptive actions to thwart them.

4.12 Virtual Private Network (VPN)

We've set up a Virtual Private Network (VPN) that establishes a safe and encrypted link, often referred to as a "tunnel," to a distant server. Through this connection, we can securely access the internet and internal network assets while maintaining privacy and security.

4.13 Web application firewall (WAF)

We use this security tool to protect web applications from a wide range of online threats and attacks. It acts as a protective barrier between a web application and potential attackers by filtering and controlling incoming and outgoing traffic.

4.14 Input data validation

We use input validation to check the data you provide against predefined criteria, rules, or formats before it is processed or accepted by a system, application, or database. This validation step helps us reject erroneous, malicious, or unexpected data that could cause errors, vulnerabilities, or system failures.

4.15 Continuous security management and monitoring

This practice allows us to implement consistent, real-time oversight of security measures to identify, respond to, and mitigate risks as they arise, ensuring the overall security posture of the company's digital assets.

4.16 We'd be happy to explain encryption to you

We employ encryption both while data is stored and while it is being transferred. All endpoints and connections are required to use TLS, with TLS 1.2 as the minimum version. For data at rest, all data uploaded to and stored in our blob storage (S3) is encrypted in accordance with the encryption standards set by AWS.
Regarding key management, we have established a rigorous system for handling, accessing, and rotating encryption keys, which strengthens the effectiveness of our encryption.
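For readers who want to verify a "TLS 1.2 or later" policy rather than take it on trust, the following added example (not PeopleForce code) does two things: it builds a client-side `ssl.SSLContext` that refuses anything below TLS 1.2 while keeping certificate and hostname verification on, and it runs a minimum-version check over constructed connection log lines. The log format (`proto=` field) and the sample lines are assumptions made for this example.

```python
"""Enforce and audit a minimum TLS version (added example)."""
import re
import socket
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2


def client_context() -> ssl.SSLContext:
    """Client context that verifies the peer certificate and pins TLS >= 1.2."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname checking
    ctx.minimum_version = MIN_TLS             # refuse TLS 1.0/1.1 (and SSLv3)
    return ctx


def negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and report the version actually negotiated.

    Needs network access; not exercised by the offline checks below.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with client_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def version_rank(name: str) -> tuple[int, int]:
    """Map 'TLSv1.2' -> (1, 2), 'TLSv1' -> (1, 0), 'SSLv3' -> (0, 3) for ordering."""
    m = re.fullmatch(r"(TLS|SSL)v(\d+)(?:\.(\d+))?", name)
    if not m:
        raise ValueError(f"unrecognised protocol name: {name!r}")
    major = int(m.group(2)) if m.group(1) == "TLS" else 0
    minor = int(m.group(3) or 0) if m.group(1) == "TLS" else int(m.group(2))
    return (major, minor)


def meets_policy(name: str) -> bool:
    return version_rank(name) >= (1, 2)


LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+)")


def flag_weak_tls(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, source, protocol) for every connection below the policy."""
    weak = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                          # ignore lines in another format
        if not meets_policy(m["proto"]):
            weak.append((m["ts"], m["src"], m["proto"]))
    return weak


# Constructed sample log (documentation address range; not real traffic).
SAMPLE_LOG = """\
2024-06-01T09:58:01Z src=203.0.113.10 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
2024-06-01T09:58:07Z src=203.0.113.11 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2024-06-01T09:58:09Z src=203.0.113.12 proto=TLSv1.1 cipher=ECDHE-RSA-AES128-SHA
2024-06-01T09:58:15Z src=203.0.113.13 proto=TLSv1 cipher=AES128-SHA
"""

if __name__ == "__main__":
    for entry in flag_weak_tls(SAMPLE_LOG):
        print("below policy:", entry)
```

A connection log that shows no entries below TLS 1.2 over a reasonable window is the evidence a reviewer would ask for alongside the stated policy; the context builder is the client-side counterpart, so a misconfigured endpoint fails the handshake instead of silently downgrading.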

4.17 Can you confirm whether you offer availability and continuity services?

Business Continuity Planning (BCP). We have a comprehensive Business Continuity Plan (BCP) in place. This strategic process involves identifying possible risks and devising strategies that guarantee the uninterrupted execution of crucial business functions during and after disruptive incidents. Our objective is to reduce the effect of such incidents on the company's operations. While Disaster Recovery (DR) is closely related, BCP covers a wider scope, emphasizing the continuous operation of the entire business rather than only the recovery of IT systems and data.

5. How is the security of the PeopleForce application ensured?

5.1 Secure Software Development Life Cycle (SDLC)

We follow a Secure Software Development Life Cycle (SDLC), which incorporates security considerations at every stage of the software development process. The primary objective is to address security concerns systematically, from the initial phases of development through deployment and ongoing maintenance. This approach is designed to identify, prevent, and mitigate vulnerabilities and flaws within software applications, so that the resulting software withstands attacks, safeguards sensitive data, and delivers a more secure user experience.

5.2 Distinct Environments

We ensure a clear distinction between testing and staging environments, which are kept separate from the production environment. Our development and test environments do not utilize any of your data.

5.3 Static Code Analysis

We use integrated static analysis tools to scan the source code repositories of our platform and mobile applications for security vulnerabilities.

5.4 External Penetration Testing by Third Parties

Apart from our comprehensive internal scanning and testing initiative, PeopleForce collaborates with external security specialists to conduct thorough penetration tests on the PeopleForce software, including all applications included in it.

5.5 What further security precautions have been implemented?

Here are a few additional security measures we employ:

  • Two-Factor Authentication (2FA): PeopleForce recommends integrating with an enterprise SSO provider that enforces two-factor authentication (2FA).
  • Role-Based Access Controls: Data access in PeopleForce applications is regulated using role-based access control (RBAC).

6. Security Awareness

6.1 Policies

At PeopleForce, we have created an extensive collection of security policies that encompass various subjects. These policies are distributed to and accessible by all personnel and contractors who have access to PeopleForce information assets.

6.2 Training and Education

Every employee participates in security awareness training upon joining the company and subsequently on an annual basis. Additionally, all staff undergo specialized sessions for secure code training. Our security team ensures ongoing security awareness updates through email communications, blog posts, and presentations during internal events.

6.3 ISMS Audit

Audit of the internal information security management system. We conduct an annual audit of our information security practices, policies, procedures, and controls to ensure compliance with established standards and regulations. The purpose of this audit is to assess the effectiveness of our ISMS implementation and identify areas for improvement.

6.4 How do you handle employee screening?

Reference Verification. PeopleForce conducts reference checks for all new employees in compliance with local regulations.

Agreement for Maintaining Confidentiality. Every newly hired individual and contractor is obligated to read our Privacy Policy and to sign Non-Disclosure Agreements.

7. GDPR Compliance

GDPR - PeopleForce's Response. At PeopleForce, we've long been committed to safeguarding your data privacy and security, often going above and beyond industry standards. We collect only the essential personal information needed to make our product work for you, and that's not changing. Our team has always prioritized privacy, and GDPR just gives us another way to reinforce these values.

7.1 What is GDPR?

GDPR stands for General Data Protection Regulation, and it's a comprehensive privacy and data protection law applicable across the European Union. It governs how companies handle and safeguard the data of EU residents, giving EU residents greater control over their personal information.

Importantly, GDPR isn't limited to EU-based businesses or EU residents; it's relevant to any company with a global presence. We value our customers' data, regardless of their location, which is why we've adopted GDPR controls as the standard for all our global operations. GDPR became enforceable on May 25, 2018.

7.2 What is considered as personal data?

Personal data encompasses any information that pertains to an identifiable or identified individual. Under GDPR, it encompasses a wide range of data that, either on its own or when combined with other information, can be used to identify a person. Personal data goes beyond just a person's name or email address; it can include financial details, political beliefs, genetic information, biometrics, IP addresses, physical addresses, sexual orientation, and ethnicity, among other things.

7.3 Data Inventory Map

We have developed this registry to provide up-to-date and detailed information on data classified by module, name, category, sensitivity level and retention period.

7.4 Access Control Management & Access Matrix

We have developed and implemented an Access Management Policy, which contains high-level requirements that define how access is managed and who can access company information and assets and under what circumstances.

7.5 We conduct regular audits:

  • Annual Internal Audit GDPR Compliance
  • Annual External Audit GDPR Compliance

A GDPR compliance audit is the process of systematically reviewing and evaluating a company's practices, policies, and procedures to ensure that they align with the requirements of the General Data Protection Regulation (GDPR). This audit assesses how the company collects, processes, stores, and manages personal data, and verifies that the necessary safeguards and measures are in place to protect individuals' data privacy rights as set out in the GDPR. The goal of the audit is to identify any areas of non-compliance and take corrective action so that the company adheres to the GDPR's principles and obligations regarding data protection and privacy.

7.6 Incident notification

For incidents specific to an individual user or a company, we will always notify the concerned party through email or Slack.

7.7 Employee background checks

Each employee goes through a check of biographical and social data at the onboarding stage. Screening of further candidates is carried out by specialists from our HR department.

7.8 Remote

We have developed and implemented a Mobile Policy and a Password Policy for employees working remotely, ensuring the highest level of confidentiality and data security. All employees work exclusively on company laptops. Mobile devices used for business purposes are registered in the mobile device management system to ensure that they meet our security standards; all mobile devices are protected with two-factor authentication and passwords.

7.9 Physical security at workplace

Our office is equipped with fire safety, alarms, and round-the-clock video surveillance.
Access to the premises is strictly limited and controlled. Outsiders are not allowed to enter the office. Only registered employees of the company are allowed.

7.10 Data security

Data retention and disposal. We keep all customer data for 90 calendar days after the termination of the service. After 90 days we delete all data; it may be deleted earlier upon a separate written request from the customer.

7.11 Identity and Access control

Single Sign-On (SSO). Whenever you log in to any service, it exclusively occurs through our integrated Identity and Access Management (IAM) system.

7.12 Operational security

Malware and spam protection. Malware and spam protection involves taking measures to prevent, detect and mitigate the risks caused by malicious software (malware) and unwanted or harmful email messages (spam). We use security tools, technologies and practices to protect systems, networks and users from the negative effects of malware infections and spam threats, to maintain the integrity of digital environments and protect sensitive data.

7.13 Identification of Phishing and Spam Activities

Phishing and spam detection is the process of distinguishing and identifying suspicious or deceptive attempts to lure individuals into revealing sensitive data or engaging in harmful behavior. The detection methods we employ include analysing content, URLs, and sender information, together with various security technologies, to prevent users from falling victim to such fraudulent schemes.

Frequently Asked Questions on PeopleForce Security:

  • Does PeopleForce adhere to Information Security Standards?
  • Where is my data stored?
  • Will PeopleForce employees have access to our data? Who will have access to my data?
  • Is data stored on PeopleForce cloud products encrypted?