Security

PeopleWeek IT Security, Data Management, and Hosting

 

Security Culture

IT security and data protection are embedded in the culture of PeopleWeek. They are the responsibility of all PeopleWeek employees, and ownership starts with the Management Team.

Organisation and People

PeopleWeek has a number of organisational and people practices that are designed to safeguard our customers’ data and maintain the highest standards of data privacy:

  • All PeopleWeek employees receive IT security training at the beginning of their employment, as well as an annual refresher training. The training includes a test to ensure that all our team members have understood the content
  • Access to client data is limited to team members that need to have access
  • PeopleWeek employees that have access to client data can only do so using dual authentication protocols and via our corporate network
  • PeopleWeek employees’ computers restrict their ability to use USB ports and print

In addition, PeopleWeek’s client support team has a personal relationship with our customers, who are typically members of the HR team. Our support model is intimate, not a “call-centre” approach. When a customer query cannot be quickly resolved by email, we jump on a video-call. This intimacy minimises any “know your customer” or customer identification risks, e.g. a fraudulent attempt to access client data.

Management Practices

PeopleWeek’s IT Security Committee meets monthly and ensures that the organisation proactively manages risks and has robust policies, procedures, and day-to-day practices.
PeopleWeek’s Managing Directors are part of the IT Security Committee, which reflects our commitment to security and our hands-on involvement.
PeopleWeek has documented Business Continuity Plans (BCP) and Incident Management processes.

External Assessments and Certifications

PeopleWeek conducts regular cyber security audits and penetration testing of our platform. We comply with data protection legislation, including GDPR and the Swiss Federal Act on Data Protection (FADP). PeopleWeek’s customers can request a summary of our latest external penetration testing results. PeopleWeek’s customers may also request to conduct their own, independent penetration testing of our platform.

In 2022, following an independent audit, PeopleWeek was one of the first companies in the world to receive the Swiss Digital Trust Certificate. The certificate stands for the trustworthiness of a digital service and follows four categories and 35 technical criteria.

Application Security

PeopleWeek’s application architecture has been developed to OWASP® standards. Open Web Application Security Project® is a nonprofit foundation that works to improve the security of software. OWASP outlines more than 80 critical security risks for web application security. PeopleWeek has incorporated these standards into its software design and we self-audit our robustness.

Role-based Security and Data Privacy

Access to PeopleWeek is based on user roles. The role or roles assigned to a user determine the individual’s access rights, in other words the data that the user can see.

Examples of roles are Employee, Manager, Global HR Manager, Entity HR Manager, Department Manager, Training Manager, Compensation Manager, Talent Manager, Recruitment Manager, Expenses Manager, and Compliance Manager. There are many different types of roles in PeopleWeek and they also vary according to the modules purchased by the customer.

These user-roles are hard-coded into the system, as opposed to being customised for different clients. This “in-built privacy” within the design of PeopleWeek minimises the possibility of a configuration error resulting in a user having the wrong level of data access. We believe that this provides an additional level of reassurance to our customers.

Data Encryption

PeopleWeek has full disk level encryption of client data.

System Access (Logging in)

PeopleWeek offers a native login that follows recognised secure password protocols. We also offer dual factor authentication, including a proprietary application for generating time-based one-time passwords (TOTP).
Many PeopleWeek customers have chosen to integrate PeopleWeek with Azure Single Sign-On, which offers their employees a convenient method for accessing the system and can be combined with multi-factor authentication (MFA).
All log-in methods work on the Web version and mobile app version of PeopleWeek.

Physical (Data Centre) Security

All customer data is hosted in Switzerland at STACK Infrastructure (formerly known as SafeHost), one of Switzerland’s largest (5,300sqm), most reputable, stable, and secure data centers. PeopleWeek’s primary (GEN01) and fall-back data centres at STACK are both based in Switzerland (the fall-back is in Gland, Vaud).

As a market-leading data centre, STACK has physical segregation and robust access controls, including biometric authentication, camera surveillance, and monitoring by security professionals.

STACK’s primary data centre (GEN01), based in Geneva, is powered by 100% hydro generated electricity, has 4.3MW of commissioned capacity and powered shell. It offers hyperscalers and both reliable and sustainable power in the heart of Europe.

STACK’s compliance certifications include ISO 9001, ISO 14001, ISO 27001, ISO 45001, ISO 50001, ISAE 3402, and PCI/DSS compliance.


Data Back-up and Recovery

PeopleWeek’s customers’ instances and data are backed up daily and we can recover up to 30 days of customer data and archives.

In addition, STACK takes a physical back-up on tape of every customer’s data weekly. The tape is stored in a secure vault in Switzerland.

Available Documents

PeopleWeek can make available to our clients and prospective clients the following documents:

  • Swiss Digital Trust Certificate
  • IT Security, Data Protection & Privacy Policies
  • GDPR / Swiss FADP Compliance Statement
  • OWASP compliance results
  • Business Continuity Policy
  • Business Continuity Statement
  • Network Diagram

Contact

PeopleWeek’s Information Security Manager & Data Protection Officer is also available to address security related questions (chris.parker@peopleweek.com).

Q&A

PeopleWeek takes data security very seriously. Our aim is not merely to comply with legal and regulatory requirements, but to exceed them and to continuously adapt our practices in line with evolving technologies and risks.

PeopleWeek complies with GDPR and the Swiss Federal Act on Data Protection (FADP). We ensure that our employees are well trained and have the required tools to be able to respect data privacy and protection requirements. Our IT Security Committee meets monthly to ensure that senior management remains very focused on all aspects of IT security, and that security and data protection are embedded in our working practices and culture.

PeopleWeek’s IT security, data protection and data privacy policies can be shared with clients and prospects on demand.

We host all data at STACK in Switzerland. STACK is a top tier data centre and is certified in line with industry best practices.

PeopleWeek backs up client data daily and has a 30-day data retention practice. The back-up data centre is also in Switzerland. This means that it is not necessary for customers to carry out their own backups.

PeopleWeek has full disk level encryption of client data.

PeopleWeek uses encryption in transit and encryption at rest.

PeopleWeek stores and monitors various application and system level logs. Furthermore, PeopleWeek stores a detailed audit log of the business transactions taking place in the application that can be made available to clients upon request.

chris.parker@peopleweek.com (Chief Information Security Officer and Data Protection Officer)

PeopleWeek’s BCP can be shared with clients and prospects on demand.

PeopleWeek follows a strict change management process for all system updates. All changes are captured in change logs.

In May 2022, PeopleWeek was certified by the Digital Trust Label following an extensive independent audit. The DTL is a certification of digital responsibility. The audit criteria and certificate can be shared on request. The certification requires an annual audit. PeopleWeek also undergoes annual penetration testing with reputable third-party cyber security companies.

PeopleWeek performs internal vulnerability scans at regular intervals to test our application and infrastructure. In addition, independent penetration testing is performed by a Swiss external cyber security company annually to identify any vulnerabilities.

A summary report can be shared with clients and prospects on demand.

Send an email to admin@peopleweek.com

PeopleWeek’s incident management policy can be shared with clients and prospects on demand.

Access to client data is limited to individuals whose roles require them to have access in order to deliver the agreed services and support to the client. PeopleWeek uses a number of security protocols to ensure the access is secure, including limiting access via a corporate network and using multi-factor authentication.

PeopleWeek regularly trains its employees on information security and data protection topics.

In the unlikely event of a data breach or potential data breach, PeopleWeek follows its incident management policy. Our incident management policy includes protocols on communication with clients and any regulatory authorities.

PeopleWeek offers two different types of user authentication:
1) Login using PeopleWeek native login, which complies with security protocols such as unique user names, complex passwords and support for enabling or mandating built-in two-factor authentication using “Time-based One-Time Passwords” (TOTP). PeopleWeek has its own TOTP application.
2) Azure Single Sign-On (SSO).

PeopleWeek is designed based on role-based access, meaning that different data is visible based on the role of the user, e.g. Employee, Manager, Global HR, Entity HR, Department HR, Expense Manager, Training Manager, Compliance Manager, Recruitment Manager, etc.

PeopleWeek has a geo-redundant design of the server infrastructure in relation to production data and backups, as well as the physical security of the data centers used (e.g. uninterrupted power supply, alarm system, fire-detection systems etc.).

In the unlikely event of a total failure of PeopleWeek, 30 days of backed-up data can be restored.

The customer is the owner and controller of its data stored in PeopleWeek.

Upon termination of the contractual relationship, within 30 days PeopleWeek will deliver to the customer their data in a machine-readable format. The data is then irrecoverably deleted by PeopleWeek.