intelliHR treats the protection of customer data as critical. We guarantee the integrity, confidentiality and availability of our customer’s data by implementing best practice security controls and policies.
There are often a number of questions that your team may have further to the data security overview we have previously provided. This article is designed to provide answers to those frequently asked questions.
This article covers:
- Is your data secure?
- What kind of certificates and resources are available to me?
- Who can access my data?
- Is my data backed up?
- Where and how is my data stored and secured?
- What type of network security do you have?
- Tell me about encryption
- Do you provide availability and continuity?
- How do you protect the intelliHR application?
- What other security measures do you have in place?
- Security Awareness
- What do you do about employee vetting?
Is your data secure?
The answer is of course VERY.
From owning, storing, transferring, accessing, backing up, monitoring, to testing & reviewing our security procedures, every aspect is covered to meet industry best practice standards.
- Compliance Certifications and Memberships: We use best practices and industry standards to comply with industry-accepted general security and privacy frameworks, helping our customers meet their compliance standards.
- Integrating with best security standards practices in the industry: intelliHR consistently invests in protecting your data. We put security measures in place and maintain policies and procedures to comply with required data security standards. We continue to take all the measures needed to improve our information security. intelliHR is ISO 27001:2013 and SOC 2 Type I certified.
- Complete control over permission-based segregated data: Using our permissions system only the people you identify have access to the data relevant to them. Your data is secure in every stage, end-to-end, throughout the journey.
What is intelliHR doing to meet security standards?
As a SaaS company, we work tirelessly to meet ideal security standards to protect our customers from security vulnerabilities.
Security Compliance
- SOC 2 Type I: We undergo routine audits to receive updated SOC 2 Type I reports, available upon request and subject to a signed NDA.
- ISO 27001:2013 certified.
What kind of certificates and resources are available to me?
Our certificates and resources are available upon request. Some of these assets may require an NDA. All options are below:
Resources available:
Resources subject to an NDA:
- SOC 2 Type I Report
- Penetration Test Summary
Who can access my data?
There are two types of parties that can get access to your data:
Your team – will have access to the data, using intelliHR credentials that you will manage, or via SSO (SAML 2.0). You can control who can view, edit, upload and download any information or document based on their configured access. We also recommend and support the use of two-factor authentication.
Our team – a small number of authorized intelliHR personnel, as defined in our security policy, can gain access to your data. Any intelliHR team member doing so will be performing specific (auditable) tasks at your request via our support desk.
Is my data backed up?
Our data centers back up all the data in intelliHR at least once a day. The data is fully restorable for disaster recovery purposes. For further information please review the intelliHR Backup Policy here.
Where and how is my data stored and secured?
Your data is stored in the following ways:
Facilities
intelliHR hosts your data in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. We put security measures in place and maintain policies and procedures to comply with required data security standards. Our data centers are in alignment with the Tier III+ guidelines, and we continue to take all the necessary measures to improve our information security level. Finally, we strictly follow AWS best practice protocols in terms of our approach. Customers can choose which data center their data is stored in based on their location; locations in Asia Pacific (Sydney) and Europe (Dublin) are currently available. Learn more about compliance at AWS here.
On-Site Security
AWS on-site security includes several features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS physical security here.
Data Hosting Location
intelliHR uses AWS data centers in Australia and Ireland.
What type of network security do you have?
intelliHR protects your data with a secure network and multiple other security protection and technology measures, including:
Protection
Our network is protected through the use of key AWS security services, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More sensitive systems like database servers are protected in our most trusted zones.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year intelliHR employs third-party security experts to perform a broad penetration test across the intelliHR Production Networks.
Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents occur or monitored values exceed predetermined thresholds, and they use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
intelliHR participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
DDoS Mitigation
intelliHR has designed a multi-layer approach to DDoS mitigation making use of available AWS tools.
Logical Access
Access to the intelliHR Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the intelliHR Production Network are required to use multiple factors of authentication.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Tell me about encryption
Encryption in Transit
All communications with the intelliHR platform and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and intelliHR is secure during transit. Additionally, for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions to encryption may include any third-party apps, integrations, or services that subscribers choose to leverage at their own discretion.
Encryption at Rest
Service Data is encrypted at rest in AWS using AES-256 encryption.
Do you provide availability and continuity?
Uptime
intelliHR maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
Redundancy
intelliHR employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster Recovery (DR)
Our Disaster Recovery program ensures that our services remain available and are easily recoverable in case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
How do you protect the intelliHR application?
Developer Education
We focus on making sure our engineering culture is one where the customer comes first, and this includes protecting both their PII and business data at all times. We educate our developers on the top threats and employ rigorous code review practices such that no single developer can introduce changes without others signing off on them.
Code Reviews
Every change undergoes review and must be approved before it is deployed to production. Changes are reviewed with security in mind.
Separate Environments
Testing and staging environments are logically separated from the production environment. No intelliHR data is used in our development or test environments.
Vulnerability Management
All production systems must be scanned for vulnerabilities at least annually. All vulnerability findings must be reported, tagged, and tracked to resolution in accordance with the SLAs defined herein. Records of findings must be retained for at least 5 years.
Third-Party Penetration Testing
intelliHR employs third-party security experts to perform detailed penetration tests on different applications within our suite of products.
Vendor Security
intelliHR minimizes risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or data. Click here for our Vendor Management Policy.
What other security measures do you have in place?
Here are some of the additional security measures we use:
Authentication Options
Customers can enable native intelliHR authentication and/or Enterprise SSO for end-user authentication.
Multi-Factor Authentication (MFA)
intelliHR recommends integrating with enterprise SSO that enforces multi-factor authentication (MFA).
Service Credential Storage
intelliHR follows secure credential storage best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.
Permission-Based Access Controls
Access to data within intelliHR is governed by permission-based access controls and can be configured by the intelliHR admin to define granular access privileges as needed.
Versioning
We have an automated system that ensures the version of the application available to our users is always up to date.
Security Awareness
Policies
intelliHR has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to intelliHR information assets.
Training
All employees attend Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and presentations during internal events.
What do you do about employee vetting?
Reference Checks
intelliHR performs reference checks on all new employees per local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verification.