PeoplesHR
Trust Portal
At PeoplesHR, your data security and privacy are our top priorities. We comply with global data protection regulations, using encryption, secure infrastructure, and regular third-party audits to safeguard your HR information. Our cloud-based platform ensures 24/7 monitoring, disaster recovery, and customizable access controls to give you full control over your data. With secure development practices and dedicated threat monitoring, we proactively address potential risks, providing a safe and reliable environment so you can focus on growing your business.
Overview
Information Security
Product Security
Enterprise Security Manager
The security of our Human Resource Information System (HRIS) is crucial for protecting sensitive employee data and maintaining operational integrity. The Enterprise Security Manager (ESM) is the primary security tool used within our HRIS product to address the security concerns described below.
Our networked enterprise software suite greatly enhances organizational efficiency by breaking down communication barriers and streamlining processes. However, this interconnected environment also introduces potential risks, such as unauthorized access to confidential information, misuse of system commands, alteration of critical data, and exceeding granted permissions.
The PeopleHR Enterprise Security Manager is specifically designed to tackle these issues effectively. It provides comprehensive protection by safeguarding against hacking attempts, preventing unauthorized actions, and ensuring that all data and system interactions are securely managed. With the ESM in place, we ensure that our HRIS remains robust, secure, and reliable.
Each focus area is equally important to the overall objective of the advanced security module.
Controls:
- Capability Groups: Define and manage user access based on specific roles or capabilities.
- Table-Based Security: Protects sensitive data in tables by controlling access at a granular level.
Controls:
- Basic Authentication: Requires users to provide a username and password.
- Multi-Factor Authentication (MFA): Enhances security by requiring multiple forms of verification.
- Single Sign-On (SSO): Allows users to access multiple applications with one set of login credentials.
- Biometrics
Controls:
- Security Groups: Define and manage permissions for different user groups to ensure appropriate access to resources.
Controls:
- Audit Logs: Track and record changes to data and system activities to verify integrity and detect unauthorized alterations.
Controls:
- Table Encryption: Encrypts data stored in tables to protect it from unauthorized access and ensure confidentiality.
Cloud Security
Feature | Description | Shared Cloud | Dedicated VMs | Dedicated Cloud
---|---|---|---|---
Infrastructure Availability | Guaranteed minimum infrastructure availability | 99.50% | 99.50% | 99.50%
Database Backup | Database backups for individual clients are maintained in accordance with our standard backup and retention policy. | Yes | Yes | Yes
Disaster recovery - Azure | Replicates all production workloads in near real time from the primary site to a geographically separate DR site. If the primary site suffers an outage, workloads fail over to the secondary location; once the primary site is restored, workloads fail back to it. | Yes | Yes | Yes
Disaster recovery - Huawei | Backs up all production virtual machines to a geographically separate site every 24 hours. If the primary site suffers an outage, the affected VMs are brought up from the backup at the DR site; once the primary site is restored, workloads fail back to it. | Yes | Yes | Yes
Recovery time objective (RTO) - Azure | The maximum time within which the infrastructure is restored after a disaster | 45 min | 45 min | 45 min
Recovery time objective (RTO) - Huawei | The maximum time within which the infrastructure is restored after a disaster | Best effort | Best effort | Best effort
Recovery point objective (RPO) - Azure | The maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as a period of time | 15 min | 15 min | 15 min
Recovery point objective (RPO) - Huawei | The maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as a period of time | 24 hours | 24 hours | 24 hours
Network Security Group (NSG) | Filters network traffic to and from Azure resources in an Azure virtual network. | Yes | Yes | Yes
Site to Site VPN | A permanent connection that functions as an encrypted link between HBS and the Azure cloud virtual network. | Yes | Yes | Yes
Cloud Monitor | Azure Monitor is used to maximize the availability and performance of the application. | Yes | Yes | Yes
Defender for Cloud | | Yes | Yes | Yes
The Huawei figures follow directly from the daily VM backup: up to 24 hours of data can be lost and recovery time is not guaranteed, whereas the Azure deployment uses near-real-time replication with a 15-minute RPO and a 45-minute RTO. The hosting option you choose therefore determines the recovery objectives you can rely on.
FAQ
Information Security
Security Accreditations
Security Governance
A comprehensive framework is in place to oversee our security strategy, including policies, procedures, and accountability structures. The Information Security Policy covers the following:
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Operations Security Management
- Cryptography
- Access Control
- Communications Security Management
- System Acquisition, Development and Maintenance
- Supplier Relationships Management
- Information Security Incident Management
- Business Continuity Management
- Internet and Social Media Policy
- Cloud Security
- Compliance
You may request the Information Security Policy subject to an NDA.
Risk Management
Incident Response Plan
We have a structured Incident Response Plan, outlined in our Information Security Policy, to manage security incidents effectively.
Security incidents can be logged via the Helpdesk or by email to infoseccompliance@peopleshr.com
Employee Training
Access Control Policies
Security Audits and Reviews
Supplier Security Reviews
HR Security Reviews
Business Continuity and Disaster Recovery
Vulnerability and Patch Management
Physical Security
Intellectual Property
Change Management Process
Both service-related and organizational changes follow a change management process. The process is initiated by a requirement or an update; the change is then subject to an approval process, and once approval is granted the change is put into effect.
A changelog is maintained by system owners. If the change is related to a project, the assigned project manager maintains the change management log.
Product Security
Secure Development Lifecycle
Environment Segregation
Code Reviews
Security Testing
We conduct Security Testing on our applications and ensure they are tested for OWASP Top 10 vulnerabilities.
Vulnerability Management
Vulnerability Assessment and Penetration Testing (VAPT) is conducted annually. Identified vulnerabilities are addressed according to the Service Level Agreements (SLAs) of HBS. VAPT reports can be shared with external parties only under a Non-Disclosure Agreement (NDA).
Encryption and Data Protection
Authentication and Authorization
Cloud Security
Cloud Configuration Management
Data Security in Cloud
Cloud Security Monitoring
Compliance with Cloud Security Standards
Backup Process
Recovery Point Objective (RPO)
Recovery Time Objective (RTO)
Data Security
Data Security Compliances
- Personal Data Protection Act No. 9 of 2022 (Sri Lanka)
- Kenya Data Protection Act
- Philippines Data Protection Act
Data Security Policy
- Lawful, fair and transparent
- Limited for its purpose
- Data minimization
- Up-to-date
- Retention
- Integrity and confidentiality
- Consent: Where hSenid holds recent, clear, explicit, and defined consent for the client’s data to be processed for a specific purpose.
- Contract: Where the processing is necessary to fulfil or prepare a contract for the client (for which purpose hSenid would generally execute a Nondisclosure Agreement with the client)
- Legal Obligation: Where hSenid has a legal obligation to process the data determined by the contract.
- Vital Interests: Where processing of the data is necessary to protect the client’s sensitive data.
- Ethical Publicity: Where prior consent is sought from the data owner with respect to use of information for publicity, business development or any other activity resulting in data being exposed to the public
Special Categories of Personal Data
Data about a client that is more sensitive and therefore requires added protection. This type of data could create significant risks to a person’s fundamental rights and freedoms, for example by exposing them to discrimination.
- Dependent data
- Emergency data
- Qualifications
- Bank details
- Passport details
- Attachments
- Permanent Address
- Contact address
- Date of birth
- NIC & Issue date
- Race
- Nationality
- Blood Group
- Civil Status
- Gender
- Married date
- Divorced date
- Details of compensation
- Any User Defined Function (UDF marked as Privacy Data)
Data Security in Cloud
We enforce strict access controls aligned with our Information Security Policy (ISP). Server access is granted to the support and implementation teams through a request and approval process, and employees reach servers only over VPN. Data in transit is secured with HTTPS using TLS 1.2, and data at rest is encrypted with AES-256.
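The in-transit claim above is one a customer can verify from outside. The following Python script is an added illustration, not part of PeoplesHR's or hSenid's tooling: it handshakes with a hostname (assumed to be your tenant's HTTPS endpoint, which you supply) once per TLS version and reports which versions are accepted. A server enforcing the stated policy refuses TLS 1.0 and 1.1 and accepts TLS 1.2 (and ideally 1.3). The hostname, port and the `probe`/`audit` names are assumptions for the example; only the standard library is used.

```python
"""Probe a server's TLS policy: TLS 1.0/1.1 must be refused, TLS 1.2 (or 1.3) accepted.

Added example for verifying the "HTTPS using TLS 1.2" statement; the target
hostname and port are assumptions supplied by the caller.
"""
import socket
import ssl

# Policy on the page: TLS 1.2 in transit, so anything older must be refused.
REQUIRED_MINIMUM = ssl.TLSVersion.TLSv1_2

# Versions to probe, oldest first. Each probe pins min and max to exactly one version.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def client_context(minimum=REQUIRED_MINIMUM, maximum=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """Client context that verifies the server certificate and hostname (the stdlib
    default) and refuses protocol versions outside [minimum, maximum]."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = minimum       # set minimum first so min <= max always holds
    ctx.maximum_version = maximum
    return ctx


def context_is_strict(ctx):
    """True if the context authenticates the peer and excludes legacy TLS versions."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= REQUIRED_MINIMUM)


def probe(host, port=443, version=REQUIRED_MINIMUM, timeout=5.0):
    """Attempt one handshake using exactly `version`. Returns (ok, detail).

    ok=False with an SSL error means the handshake was refused, either by the server
    or by the local OpenSSL security level (common for TLS 1.0/1.1); `detail`
    carries the reason so the two cases can be told apart.
    """
    try:
        ctx = client_context(minimum=version, maximum=version)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher = tls.cipher()
                return True, f"{tls.version()} / {cipher[0] if cipher else 'unknown cipher'}"
    except ssl.SSLError as e:
        return False, e.reason or str(e)
    except ValueError as e:        # local OpenSSL build does not support this version at all
        return False, f"unsupported locally: {e}"
    except OSError as e:           # connection refused, timeout, DNS failure
        return False, str(e)


def evaluate(results):
    """Policy check over {version_name: accepted}. Passes only if every version below
    TLS 1.2 was refused and at least one of TLS 1.2 / 1.3 was accepted."""
    legacy_accepted = any(results.get(name, False)
                          for name, v in PROBE_VERSIONS.items() if v < REQUIRED_MINIMUM)
    modern_accepted = any(results.get(name, False)
                          for name, v in PROBE_VERSIONS.items() if v >= REQUIRED_MINIMUM)
    return (not legacy_accepted) and modern_accepted


def audit(host, port=443, timeout=5.0):
    """Probe every version and return (compliant, {version_name: (ok, detail)})."""
    details = {name: probe(host, port, version, timeout)
               for name, version in PROBE_VERSIONS.items()}
    return evaluate({name: ok for name, (ok, _) in details.items()}), details


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed target
    compliant, details = audit(target)
    for name, (ok, detail) in details.items():
        print(f"{name:8} {'accepted' if ok else 'refused '} {detail}")
    print("policy holds" if compliant else "policy NOT met")
```

Run it as `python tls_probe.py <hostname>`. A refusal of TLS 1.0/1.1 may originate from your own OpenSSL security level rather than the server, so read the reason string before concluding the server enforces it; for a definitive answer from the server side, run the probe from a host whose OpenSSL still permits those versions. The AES-256 at-rest claim cannot be checked from outside and is one to cover through the NDA-gated audit reports listed on this page.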
When indicators of a data breach are detected, the incident management procedure is initiated.
Within 24 hours of the breach, a data breach notification is sent to each stakeholder whose data is affected.
The Data Protection Officer communicates formally by email during a data breach.
Documents
- CSP SOC Reports 2023 / Azure + Dynamics 365 / Public & Government - SOC Bridge Letter (October – December 2023)
- CSP SOC Reports 2023 / Azure + Dynamics 365 + Online Services / Public & Government - SOC 1 Type II Report (04-01-2022 to 03-31-2023)
- CSP SOC Reports 2023 / Azure + Dynamics 365 + Online Services / Public & Government - SOC Bridge Letter (April - June 2023)
- CSP SOC Reports 2023 / Azure + Dynamics 365 + Online Services / Public & Government - SOC Bridge Letter (July - September 2023)
Our Achievements
Significant milestones and awards that showcase our growth and success over the years.
hSenidBiz is the first to receive ISO 27017 certification from Bureau Veritas for cloud security controls.
Winning the ISV Partner of the Year
Winning the ISV Partner of the Year for Sri Lanka and Maldives once again! Securing this prestigious award for the third time is a testament to our enduring commitment to innovation and collaboration.