PeopleWeek combines all the features of a corporate intranet, a digital collaboration workplace and HR tools across the employee lifecycle.
Security Culture
IT security and data protection are embedded in the culture of PeopleWeek. They are the responsibility of all PeopleWeek employees, and ownership starts with the Management Team.
Organisation and People
PeopleWeek has a number of organisational and people practices that are designed to safeguard our customers’ data and maintain the highest standards of data privacy:
- All PeopleWeek employees receive IT security training at the beginning of their employment, as well as an annual refresher training. The training includes a test to ensure that all our team members have understood the content
- Access to client data is limited to team members that need to have access
- PeopleWeek employees that have access to client data can only do so using dual authentication protocols and via our corporate network
- PeopleWeek employees’ computers restrict their ability to use USB ports and print
In addition, PeopleWeek’s client support team has a personal relationship with our customers, who are typically members of the HR team. Our support model is intimate, not a “call-centre” approach. When a customer query cannot be quickly resolved by email, we jump on a video-call. This intimacy minimises any “know your customer” or customer identification risks, e.g. a fraudulent attempt to access client data.
Management Practices
PeopleWeek’s IT Security Committee meets monthly and ensures that the organisation proactively manages risks and has robust policies, procedures, and day-to-day practices. PeopleWeek’s Managing Directors are part of the IT Security Committee, which reflects our commitment to security and our hands-on involvement. PeopleWeek has documented Business Continuity Plans (BCP) and Incident Management processes.
External Assessments and Certifications
PeopleWeek conducts regular cyber security audits and penetration testing of our platform. We comply with data protection legislation, including GDPR and the Swiss Federal Act on Data Protection (FADP). PeopleWeek’s customers can request a summary of our latest external penetration testing results. PeopleWeek’s customers may also request to conduct their own, independent penetration testing of our platform.
In 2022, following an independent audit, PeopleWeek was one of the first companies in the world to receive the Swiss Digital Trust Certificate. The certificate stands for the trustworthiness of a digital service and follows four categories and 35 technical criteria.
Application Security
PeopleWeek’s application architecture has been developed to OWASP® standards. Open Web Application Security Project® is a nonprofit foundation that works to improve the security of software. OWASP outlines more than 80 critical security risks for web application security. PeopleWeek has incorporated these standards into its software design and we self-audit our robustness.
Role-based Security and Data Privacy
Access to PeopleWeek is based on user roles. The role or roles assigned to a user determine the individual’s access rights, in other words the data that the user can see.
Examples of roles are Employee, Manager, Global HR Manager, Entity HR Manager, Department Manager, Training Manager, Compensation Manager, Talent Manager, Recruitment Manager, Expenses Manager, and Compliance Manager. There are many different types of roles in PeopleWeek and they also vary according to the modules purchased by the customer.
These user-roles are hard-coded into the system, as opposed to being customised for different clients. This “in-built privacy” within the design of PeopleWeek minimises the possibility of a configuration error resulting in a user having the wrong level of data access. We believe that this provides an additional level of reassurance to our customers.
Data Encryption
PeopleWeek has encryption on multiple levels: at infrastructure level (i.e. full disk encryption), at database level, and at file level.
System Access (Logging in)
PeopleWeek offers a native login that follows recognised secure password protocols. We also offer two-factor authentication, including a proprietary application for generating time-based one-time passwords (TOTP).
Many PeopleWeek customers have chosen to integrate PeopleWeek with Azure Single Sign-On, which offers their employees a convenient method for accessing the system and can be combined with multi-factor authentication (MFA).
All log-in methods work on the Web version and mobile app version of PeopleWeek.
Physical (Data Centre) Security
All PeopleWeek servers are hosted in top tier data centres in Switzerland. Both our primary and fall-back data centres are in Switzerland.
Data Back-up and Recovery
PeopleWeek can recover up to 30 days of customer data and archives. It is also possible for clients to have a longer data recovery period (subject to additional fees).
PeopleWeek’s approach to managing client instances enables us to employ horizontally scalable resources. This means that if a hardware or software problem renders the service unavailable for a specific client, PeopleWeek’s infrastructure uses pooled resources to take over the load, thereby providing uninterrupted service. The pooling of server resources also means that client data is continuously replicated to minimise the potential data-loss window in a disaster recovery scenario.
Available Documents
PeopleWeek can make available to our clients and prospective clients the following documents:
Contact
PeopleWeek’s Information Security Manager & Data Protection Officer is also available to address security related questions (chris.parker@peopleweek.com).
Q&A
How secure is PeopleWeek?
PeopleWeek takes data security very seriously. Our aim is not merely to comply with legal and regulatory requirements, but to exceed them and to continuously adapt our practices in line with evolving technologies and risks.
What is PeopleWeek’s GDPR policy?
PeopleWeek complies with GDPR and Swiss Federal Act on Data Protection (FADP). We ensure that our employees are well trained and have the required tools to be able to respect data privacy and protection requirements. Our IT Security Committee meets monthly to ensure that senior management remains very focused on all aspects of IT security, and that security and data protection are embedded in our working practices and culture.
Where can I find the PeopleWeek IT security policy?
PeopleWeek’s IT security, data protection and data privacy policies can be shared with clients and prospects on demand.
Where is PeopleWeek’s data stored?
All client data and files are hosted in top tier data centres in Switzerland.
Does PeopleWeek have back-up servers?
PeopleWeek has a 30-day data retention practice. Clients can request longer retention periods (subject to additional fees). All client databases and files, as well as back-up servers, are hosted in Switzerland.
Does PeopleWeek have encryption at rest?
PeopleWeek has encryption on multiple levels: at infrastructure level (i.e. full disk encryption), at database level, and at file level.
Does PeopleWeek use encryption?
PeopleWeek uses encryption in transit and encryption at rest. Encryption is applied at the level of the disk, the database, and files.
Does PeopleWeek store logs?
PeopleWeek stores and monitors various application and system level logs. Furthermore, PeopleWeek stores a detailed audit log of the business transactions taking place in the application that can be made available to clients upon request.
Who is PeopleWeek’s data protection officer?
chris.parker@peopleweek.com (Chief Information Security Officer and Data Protection Officer)
Does PeopleWeek have a business continuity plan (BCP)?
PeopleWeek’s BCP can be shared with clients and prospects on demand.
Does PeopleWeek offer an integration with Azure SSO?
Yes
Do updates to PeopleWeek’s production environments follow a documented change process?
PeopleWeek follows a strict change management process for all system updates. All changes are captured in change logs.
Have you conducted any 3rd party audits recently?
In May 2022, PeopleWeek was certified by the Digital Trust Label following an extensive independent audit. The DTL is a certification of digital responsibility. The audit criteria and certificate can be shared on request. The certification requires an annual audit. PeopleWeek also undergoes an annual penetration testing with reputable third party cyber security companies.
Does PeopleWeek carry out vulnerability scans or penetration testing?
PeopleWeek performs internal vulnerability scans at regular intervals to test our application and infrastructure. In addition, independent penetration testing is performed by a Swiss external cyber security company annually to identify any vulnerabilities.
Can PeopleWeek share its penetration testing results?
A summary report can be shared with clients and prospects on demand.
How do I report a security concern to PeopleWeek?
Send an email to admin@PeopleWeek.com
How does PeopleWeek manage incidents?
PeopleWeek’s incident management policy can be shared with clients and prospects on demand.
Who at PeopleWeek has access to customer data?
Access to client data is limited to individuals whose roles require them to have access in order to deliver the agreed services and support to the client. PeopleWeek uses a number of security protocols to ensure that this access is secure, including limiting access to our corporate network and using multi-factor authentication.
How does PeopleWeek ensure that its employees respect legal requirements on data protection?
PeopleWeek regularly trains its employees on information security and data protection topics.
What happens if there is a data breach at PeopleWeek?
In the unlikely event of a data breach or potential data breach, PeopleWeek follows its incident management policy. Our incident management policy includes protocols on communication with clients and any regulatory authorities.
How does user authentication work?
PeopleWeek offers two different types of user authentication:
1) Login using the PeopleWeek native login, which complies with security protocols such as unique user names, complex passwords, and support for enabling or mandating built-in two-factor authentication using Time-based One-Time Passwords (TOTP). PeopleWeek has its own TOTP application.
2) Azure Single Sign-On (SSO).
Who has access to data on the customer side and how is it segregated?
PeopleWeek is designed based on role-based access, meaning that different data is visible based on the role of the user, e.g. Employee, Manager, Global HR, Entity HR, Department HR, Expense Manager, Training Manager, Compliance Manager, Recruitment Manager, etc.
How does PeopleWeek ensure availability of the system?
PeopleWeek’s infrastructure has been designed to optimise performance, reliability, and durability for all clients. We have in-built redundancy and replication capabilities through the design of our database, files, and server architecture. This is underpinned by our application and infrastructure security, as well as mature working practices.
What happens to customer data in the event of a total failure of the system (e.g. force majeure)?
In the unlikely event of a total failure of PeopleWeek, 30 days of backed-up data can be restored. As client data is continuously replicated using our pooled resources, the window for possible data loss is minimised in a disaster recovery scenario.
Who owns client data in PeopleWeek?
The customer is the owner and controller of its data stored in PeopleWeek.
What happens in the event that a customer terminates their contract with PeopleWeek?
Upon termination of the contractual relationship, PeopleWeek will deliver the customer’s data to them in a machine-readable format within 30 days. The data is then irrecoverably deleted by PeopleWeek.