SECURITY

Data & Security

Encryption in Transit

Every connection between you (our users) and HRplus is encrypted using Transport Layer Security (TLS, the successor to Secure Sockets Layer, or SSL). We use the TLS 1.2 protocol, 256-bit RSA key exchange and a 128-bit AES encryption cipher. This includes all traffic between our smartphone apps and HRplus servers, and all of our APIs.

If you or your colleagues accidentally enter a URL without encryption (plain HTTP), we automatically force a redirect to the encrypted (HTTPS) connection before responding.

The effect is that it becomes very difficult for someone on the network path to inspect your data: if you were sitting in a coffee shop on an open, unsecured WiFi network, your traffic to HRplus would be just a scrambled mess to anyone "eavesdropping".

Additionally, all of the points at which HRplus synchronizes with other services, including Talent LMS and SendGrid, are encrypted using TLS.


Encryption at Rest

In addition to encrypting the data between you and HRplus in transit, we also encrypt all databases and backups of your data at rest. This Encryption at Rest uses the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts your data.

This ensures that the content on our servers is accessible only within our controlled systems environment; should someone get their hands on a hard drive or other storage medium, they would not be able to unlock it without the key.

All the hosting providers used by HRplus are SSAE 16/18 & SAS 70, HIPAA, PCI DSS and SOX compliant.


Backups

Our systems work with two forms of backup: hot failover of real-time systems (so, if a primary should fail, the secondary is ready to go instantly) and backups of data (so that mistakes like deleting critical data can be "undone"). Backup snapshots are taken daily, and a weekly backup of data is kept for a much longer period.

Access Controls

With support for Two Factor Authentication, Strong Password Policies, and Automated Account Lockout, you're able to control how you and your team access your data and the HRplus system.

  • Two Factor Authentication: this combines something you know (your password) with something you have (usually your smartphone) to make it much harder for someone to get into your account even if they have or guess your password.

  • Strong Password Policies: HRplus also makes it easy for administrators to set strong password policies. These include enforcing minimum password lengths and character combinations, preventing reuse of recently used passwords, and ensuring passwords can't be changed too frequently or too infrequently.

  • Automated Account Lockout: all HRplus accounts are protected by automated account lockout. If the incorrect password is entered for a user's account more than 5 times in 30 minutes, the account remains locked for 30 minutes and can only be unlocked in the interim by an administrator (or via a password reset email). This is designed to thwart dictionary attacks, where a bot tries to guess a user's password.
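As an added illustration (not HRplus code), the following Python sketch implements the lockout rule stated above: more than 5 wrong passwords within a trailing 30-minute window locks the account for 30 minutes, a correct password does not lift the lock, and only an administrator action or password reset clears it early. Timestamps are passed in as epoch seconds so the window can be exercised deterministically; the user names and times used are constructed.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Lockout as the page states it: more than `max_failures` wrong passwords in a
    trailing `window` (seconds) locks the account for `lockout` seconds."""
    def __init__(self, max_failures=5, window=30 * 60, lockout=30 * 60):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> epoch second the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[user]         # lock expired: start the user clean
        self._failures[user].clear()
        return False

    def record_failure(self, user, now):
        """Register a wrong password; returns True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        q = self._failures[user]
        while q and now - q[0] >= self.window:   # slide the 30-minute window
            q.popleft()
        q.append(now)
        if len(q) > self.max_failures:           # the 6th failure trips the lock
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        self._failures[user].clear()             # a good login resets the count

    def admin_unlock(self, user):
        self._locked_until.pop(user, None)       # admin action or completed password reset
        self._failures[user].clear()

def attempt_login(policy, user, password_ok, now):
    """Gate one login attempt; returns 'locked', 'ok' or 'denied'."""
    if policy.is_locked(user, now):
        return "locked"                      # a correct password does not lift the lock
    if password_ok:
        policy.record_success(user)
        return "ok"
    return "locked" if policy.record_failure(user, now) else "denied"
```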


People & Processes

Like your business, our business depends on the integrity and capabilities of our people, operating with the support and coordination of our processes.

Personnel

When it comes to your business data stored in our cloud infrastructure, access is tightly controlled. Only a very small subset of HRplus' engineers have access to production systems at the engineering level, and access is controlled by complex passwords that are centrally managed in a digital Vault.

Operationally, the development environments are completely separated from the production systems, ensuring tight control on access to your data and ensuring that developers' work can't touch or interact with your production data. The development environments are nevertheless actively managed by our DevOps team, so that consistency and access control are tightly maintained there too.


Policies

Our support staff can access a client's account only via the HRplus application itself, and all such access is requested, logged and video recorded, showing the user and the timestamp of their login/use. We have strong policies that this is only undertaken to replicate or confirm a specific bug/issue when alerted by a client, and all of our team members must sign stringent confidentiality agreements before starting with the company. Any abuse of this monitored/logged access is grounds for instant termination.


Continuous Monitoring

Servers, websites and applications are continuously monitored by sophisticated monitoring software. From time to time, bugs and vulnerabilities are discovered in the underlying software platforms that power HRplus. We rely on proprietary software from world-class vendors such as SAP, MICROSOFT and others, and we ensure we use supported and maintained versions of these products. Because these vendors are proactive, we receive patches that are applied on a timely basis when vulnerabilities are discovered.