STATE OF THE ART SECURITY BY DESIGN
Appogee HR develops its applications with security and privacy at the heart of our design. Our applications are designed with distinct security roles to allow you to restrict your staff's access to only the data they need. Appogee HR develops its applications on Google App Engine, a highly scalable and available application hosting and data center environment that is secured directly by Google's information, application and network security teams, with over 250 security staff working on behalf of Appogee HR and the other ISVs using the Google Cloud Platform.
The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive and strengthens the rights that EU individuals have over their personal data. It places more responsibility on customers of HR software (as data controllers) and on providers of HR SaaS software (as data processors). For many organisations, holding data centralised in a system like Appogee HR can help meet their GDPR requirements as a data controller. Appogee HR is committed to providing the controls needed to assist our clients in meeting their obligations as a data controller under GDPR, and our own as a data processor, as GDPR compliance takes effect on May 25th 2018. Read about our commitment to GDPR Compliance.
APPLICATION LEVEL CONTROLS
Appogee HR's services are designed with distinct security roles (Employee, Manager, HR, Admin) to allow you to restrict your staff's access to only the data they need. This means that employees can see only the data you want them to. Your IT staff can manage and configure the application without having access to sensitive HR data, which can be restricted to HR, Managers or Employees as you wish. All data access and modifications are logged in audit files.
Appogee HR also provides field-level security controls, giving fine-grained access control by security role.
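To make the role and field-level model above concrete, here is an added Go example written for this page (it is not Appogee HR's code and does not reflect their schema or policy). It uses the four role names from the page; the record fields, the per-field policy and the ownership rules (an Employee reaches only their own record, a Manager their direct reports) are constructed assumptions. Every read and write attempt is appended to an audit trail whether it was allowed or denied, and an Admin (IT) role can administer without reading sensitive fields.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role is one of the four security roles named on the page.
type Role string

const (
	Employee Role = "Employee"
	Manager  Role = "Manager"
	HR       Role = "HR"
	Admin    Role = "Admin"
)

type roleSet map[Role]bool

// Actor is the requesting user; Record is a simplified employee record whose
// field names are constructed examples, not Appogee HR's schema.
type Actor struct {
	ID   string
	Role Role
}

type Record struct {
	OwnerID, ManagerID string
	Fields             map[string]string
}

// fieldPolicy is a hypothetical field-level policy: Admin (IT) can see a name
// but none of the sensitive fields, and only HR may read or change salary.
// Employee and Manager access is further scoped by ownership in allowed().
var fieldPolicy = map[string]struct{ read, write roleSet }{
	"name":    {roleSet{Employee: true, Manager: true, HR: true, Admin: true}, roleSet{HR: true}},
	"address": {roleSet{Employee: true, Manager: true, HR: true}, roleSet{Employee: true, HR: true}},
	"salary":  {roleSet{HR: true}, roleSet{HR: true}},
}

// AuditEntry records every access attempt, allowed or denied.
type AuditEntry struct {
	When                          time.Time
	Actor, Action, Subject, Field string
	Allowed                       bool
}

type Store struct{ Audit []AuditEntry }

var ErrDenied = errors.New("access denied")

func (s *Store) allowed(a Actor, r *Record, field, action string) bool {
	p, ok := fieldPolicy[field]
	if !ok {
		return false // unknown fields are denied by default
	}
	set := p.read
	if action == "write" {
		set = p.write
	}
	if !set[a.Role] {
		return false
	}
	switch a.Role {
	case Employee:
		return a.ID == r.OwnerID // own record only
	case Manager:
		return a.ID == r.ManagerID || a.ID == r.OwnerID // direct reports or self
	}
	return true // HR and Admin are not ownership-scoped
}

func (s *Store) audit(a Actor, r *Record, field, action string, ok bool) {
	s.Audit = append(s.Audit, AuditEntry{time.Now(), a.ID, action, r.OwnerID, field, ok})
}

// Read and Write apply the policy and log the attempt whether or not it succeeds.
func (s *Store) Read(a Actor, r *Record, field string) (string, error) {
	ok := s.allowed(a, r, field, "read")
	s.audit(a, r, field, "read", ok)
	if !ok {
		return "", ErrDenied
	}
	return r.Fields[field], nil
}

func (s *Store) Write(a Actor, r *Record, field, value string) error {
	ok := s.allowed(a, r, field, "write")
	s.audit(a, r, field, "write", ok)
	if !ok {
		return ErrDenied
	}
	r.Fields[field] = value
	return nil
}

func main() {
	var s Store
	rec := &Record{OwnerID: "e1", ManagerID: "m1", Fields: map[string]string{"name": "Alice", "salary": "50000"}}
	_, err := s.Read(Actor{"it1", Admin}, rec, "salary")
	fmt.Println("admin reading salary:", err, "| audit entries:", len(s.Audit))
}
```

Two points worth noticing: denied attempts are logged as well as successful ones, since the denials are what an investigation usually needs, and a field missing from the policy is denied rather than allowed, so adding a new sensitive field cannot silently expose it.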
DATA-CENTER HOSTING AND CERTIFICATIONS:
Google’s data center operations and security capabilities provide Appogee HR with world-class security, performance, and availability for our application services as a fully managed 24×7 service.
Google undergoes several independent third-party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in Google's data centers, infrastructure and operations. Google has annual audits against numerous standards, including SSAE16/ISAE 3402 Type II, ISO 27001, ISO 27018 (Cloud Security) and ISO 27108 (Cloud Privacy).
Although all Appogee HR data is held within Google's European data-centers, our hosting contract with Google also includes EU Model Contract Clauses. The European Union's data protection authorities have concluded that Google's model contract clauses meet EU regulatory expectations, confirming that Google Cloud services provide sufficient commitments to frame international data flows from Europe to the rest of the world.
Read more about our data center security and how these audits provide assurances of Google’s level of information security with regard to confidentiality, integrity and availability.
HOW WE PROTECT YOUR DATA:
Intrusion prevention and penetration testing:
Our application platform and data centre are supported by Google's advanced security techniques. Google employs multiple layers of network devices and intrusion detection to protect its external attack surface. Google considers potential attack vectors and incorporates appropriate purpose-built technologies into external-facing systems. Intrusion detection is intended to provide insight into ongoing attack activities and adequate information to respond to incidents. Google monitors a variety of communication channels for security incidents, and Google's security personnel react promptly to known incidents.
Appogee HR also performs periodic penetration tests at the application level for our services.
Redundancy and Data Backup:
Appogee HR applications and data are held in an infrastructure which offers full redundancy to eliminate single points of failure including server hardware, storage, networks and power. All data is additionally backed up daily at the application level to tertiary storage.
Appogee HR and Appogee Leave data is automatically encrypted at rest by the Google Cloud Platform. Data is encrypted under 128-bit Advanced Encryption Standard (AES-128), and each encryption key is itself encrypted with a regularly rotated set of master keys.
Data is also encrypted between the Appogee HR user's browser client and our application servers. All Appogee HR servers are hosted with a 2048-bit SSL certificate, which encrypts the data in transit.
Some customer licensing data is transferred within Google data-centers between Appogee HR's application and licensing servers, and this is also fully encrypted. Google uses perfect forward secrecy (PFS) methods to help protect traffic and minimize the impact of a compromised key or a cryptographic breakthrough. Google controls the keys for encryption at rest, and Appogee HR controls the SSL certificates (between user and application) and the keys for server-to-server encryption.