Data Safety in HRnest
When it comes to data security, there’s no room for mistakes or half-measures.
Data Centers are located within the European Economic Area (EEA). Entrusted personal data is processed in Poland, the Netherlands (MS Azure Data Center) and Ireland (MS Azure Data Center).
We encrypt data at the level of application interfaces with other systems using SSL TLS 1.2.
We encrypt databases using TDE (AES 256), Dynamic data masking.
Each user has insight into the scope of their processed data. During the contract, the client has the possibility to export all data at any time. After termination of the contract, the data is deleted by us.
We use technical and network security measures to prevent data interception. The security of the system is based on logical authentication and authorization mechanisms.
To ensure a high level of security, we use various monitoring tools, which serve to detect and prevent malicious events, threats, and attempted break-ins.
Learn more about the physical protection offered by Azure
GDPR Compliance
As HRnest, we’re proud of the fact that security is our top priority, and our system offers solutions that protect personal data privacy, such as encryption, data minimization policies, and user data management.
We are convinced that, thanks to our efforts, our platform is one of the best solutions on the market for companies that value data security.
All of our employees undergo training in
Principles of personal data processing in accordance with GDPR, including security principles.
Requirements of personal data protection law and information security principles.
Reporting and handling of incidents, including quick response procedures, root cause analysis and effective remediation methods.
Securing access to mobile devices and protection against malicious software.
Safe remote work (from a distance), learning how to apply best practices related to Wi-Fi networks and using VPN.
Using IT infrastructure for work tasks, including computer equipment.
Only authorized persons are allowed to process data in HRnest, who are obliged to keep data confidentiality and comply with our security measures.
We use accesses, compatible with the functions performed, on closed and secure VPN networks.
Before starting cooperation with technology providers, we conduct thorough verification to ensure they meet our requirements. We have implemented data protection breach and information security incident management procedures. Our approach to security and data protection is transparent, so every client can be sure that their data is safe with us.
We have appointed a Data Protection Officer. We have implemented a number of procedures and policies required by GDPR. Among others: we have created a personal data protection policy from scratch, we keep a register of processing activities (and categories), and we have recorded and implemented a risk assessment methodology, and the assessment itself is carried out periodically. The methodology we use is consistent with the guidelines published by ENISA (European Union Agency for Cybersecurity).
Data Protection from Start to Finish
System Design
We apply the principles of privacy by design and privacy by default in design and development processes, ensuring that changes and releases of our software are carried out in a safe and controlled manner.
We have implemented safeguards against malicious software (each workstation has installed antivirus software with automatic updates turned on) and a vulnerability management process (patch management).
Penetration tests of the system are regularly carried out by an external auditing company. In addition, we conduct IT security audits to test our procedures against best practices in the field of security.
We have separated production environments from testing and development ones, which means that entrusted personal data is not used in testing and development environments.
To ensure security, users working in the HRnest system do not have direct access to the base business logic and database layers.
User and role permissions are precisely defined and managed. Reading, writing, updating, and deleting are assigned at the user or role level, which allows for precise management.
Infrastructure, operating systems, and applications used for processing personal data are regularly updated (in terms of existing gaps and vulnerabilities). When introducing changes in IT systems, security requirements are considered and the impact of the change on the functioning of the safeguards is examined. Systems and applications in which entrusted personal data will be processed are regularly tested for information security (conducted tests).
System Login Security
- Set password creation policies i.e. minimum length, frequency of change, and related notifications.
- Activate external logins using Microsoft or Google accounts and enable forced login using these accounts.
- Enforce the use of two-factor authentication (2FA) by users.
Creating backups and data recovery after a failure
- We create full backups of our clients' databases every 24 hours, and incremental backups every 5 minutes . We test the data recovery procedure every two months.
- Clients have the option to create their own backups at any time by exporting data from the system.
- Backups are stored in a location different from the main server.
