State of the art security by design
Appogee HR develops its applications with security and privacy at the heart of our design. Our applications are designed with distinct security roles so that you can limit your staff's access to only the data they need. Appogee HR builds its applications on Google Cloud Platform, which provides a highly scalable and available application hosting and data center environment, secured directly by Google's information, application and network security teams: over 250 security staff working on behalf of Appogee HR and the other ISVs using the Google Cloud Platform.
The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive and strengthens the rights that EU individuals have over their personal data. It places more responsibility on customers of HR software (as data controllers) and on providers of HR SaaS software (as data processors). For many organisations, holding their data centralised in a system like Appogee HR can help meet their GDPR requirements as a data controller. Appogee HR is committed to providing the controls our clients need to meet their obligations as a data controller under GDPR, and our own as a data processor, as GDPR compliance takes effect on May 25th 2018.
Read about our commitment to GDPR Compliance.
Update regarding Brexit: Appogee HR GDPR and Brexit
CUSTOMER DATA AND ACCESS SECURITY CONTROLS
Appogee HR’s services are designed with distinct security roles (Employee, Manager, HR, Admin) to allow you to restrict your staff's access to only the data they need. This means that employees can see only the data you want them to. Your IT staff can manage and configure the application without having actual access to sensitive HR data, which can be restricted to HR, Managers or Employees as you wish. All data access and modifications are logged in audit files.
Appogee HR also provides advanced field-level security controls, giving fine-grained control over which data employees, managers, HR managers and administrators can access based on their security role.
EU DATA-CENTER HOSTING AND CERTIFICATIONS:
Appogee HR uses Google Cloud’s data center operations and security capabilities to provide our services with world-class security, performance, and availability, delivered as a fully managed 24×7 service.
Google undergoes several independent third-party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in Google’s data centers, infrastructure and operations. Google has annual audits for numerous standards, including SSAE16/ISAE 3402 Type II, ISO 27001, ISO 27018 (Cloud Security) and ISO 27108 (Cloud Privacy).
All Appogee HR data is normally held within Google’s European data-centers. Our hosting contract with Google also includes EU Model Contract Clauses. The European Union’s data protection authorities have concluded that Google’s model contract clauses meet EU regulatory expectations, confirming that Google Cloud services provide sufficient commitments to frame international data flows from Europe to the rest of the world.
Read more about our data center security and how these audits provide assurances of Google’s level of information security with regard to confidentiality, integrity and availability.
HOW WE PROTECT YOUR DATA:
Intrusion prevention and penetration testing:
Our application platform and data centre are supported by Google’s advanced security techniques. Google employs multiple layers of network devices and intrusion detection to protect its external attack surface. Google considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Google monitors a variety of communication channels for security incidents, and Google’s security personnel will react promptly to known incidents.
Appogee HR also performs periodic penetration tests at the application level for our services.
Redundancy and Data Backup:
Appogee HR applications and data are held in an infrastructure which offers full redundancy to eliminate single points of failure, including server hardware, storage, networks and power. All data is additionally backed up twice daily at the application level to tertiary storage. Customer information is retained for 90 days after trial/licence expiry, and backup data is retained for 90 days.
Appogee HR and Appogee Leave data is automatically encrypted at rest by the Google Cloud Platform. Data is encrypted under 128-bit Advanced Encryption Standard (AES-128), and each encryption key is itself encrypted with a regularly rotated set of master keys.
Data is also encrypted between the Appogee HR user’s browser client and our application servers. All Appogee HR servers are hosted with a 2048-bit SSL certificate, which encrypts the data in transit.
Some customer licensing data is transferred within Google data-centers between Appogee HR’s application and licensing servers, and this is also fully encrypted. Google uses perfect forward secrecy (PFS) methods to help protect traffic and minimize the impact of a compromised key or a cryptographic breakthrough. Google controls the keys for encryption at rest, and Appogee HR controls the SSL certificates (between user and application) and the keys for server-to-server encryption.
Appogee HR is Cyber Essentials Plus certified. The Cyber Essentials Plus accreditation has been devised by the National Cyber Security Centre of the UK Government. Accreditation means that verification of our cyber security has been carried out independently by an approved Certification Body.