Security at Humaans
At Humaans we are committed to offering world-class data protection standards to ensure your data is safe and your compliance requirements are met.
The goal of Humaans is to provide a core building block of your HR tech stack: a place where you can store all your employee records and documents, follow company growth and accelerate your day-to-day people operations. This mission can’t be fulfilled without us implementing strict technical measures and following the highest security standards to build trust with our customers.
Here you’ll find more information on how we approach security, and if you have additional questions feel free to get in touch at email@example.com.
Data centre security
Our hosting environment is fully redundant with disaster recovery procedures. Our cloud hosting provider maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI certification, and SOC reports. For more information about their certification and compliance, please visit the Google Cloud Platform security site.
EU hosted infrastructure
Humaans infrastructure is hosted on servers in the European Union. This allows us to meet specific regulatory and compliance requirements of organisations in Europe. Our data centre provider, Google Cloud Platform, maintains multiple certifications, including SOC 1, SOC 2, SOC 3 and ISO 27001. In addition, all data is encrypted both in transit and at rest using strong encryption.
All user data is transported securely, as all traffic is encrypted in transit via TLS (still commonly referred to as SSL). Encrypting data in transit protects it from unauthorised snooping, modification, and man-in-the-middle attacks. We use TLS 1.2 with 256-bit encryption, supporting both the ECDSA and RSA signature algorithms.
In addition to the industry-standard encryption of data in transit and at rest, we also encrypt sensitive fields at the application layer (which we call at-work encryption), so that sensitive bits of data remain encrypted while the database is running and being operated. This allows us to introspect, service, and operate Humaans without programmers and administrators being inadvertently exposed to private data in the course of their work.
Humaans does not store any credit card information. We have partnered with Stripe for credit card processing which allows us to leverage AES-256 encryption at rest, with PCI Service Provider Level 1 standards in the storage and handling of credit card information. This is the most stringent level of certification available to the payments industry.
Employee access is limited and audited
Only the people who need access to improve or operate the system have access. We make sure there are several layers of controls that individuals must go through to access customer data. And when they perform routine maintenance, debugging, or servicing of the system, they go through an audited access path that requires them to record a valid consent or justification for that specific access session.
In the event of a data breach involving personal data, we will promptly report to the local authority and to the people (data subjects) involved.
Processing of Company Personal Data
Humaans will comply with all applicable Data Protection Laws in the Processing of Company Personal Data and not Process Company Personal Data other than on the relevant Company’s documented instructions.
3rd party Sub-Processors
Humaans is committed to compliance with the General Data Protection Regulation, and to meeting our legal obligations by helping our customers become compliant.
We run automated backups of our databases every day to ensure your data stays safe and highly available.
We collect detailed logs to ensure we have a high-resolution trail of the actions performed across the platform for any incident investigation if so required.
We have automated systems in place that monitor the versions of, and known vulnerabilities in, all of the code that powers Humaans, and our infrastructure is continuously updated to the latest and most secure versions of software.
We run an extensive suite of automated tests after each code change to verify correctness of Humaans features, including authentication and the permission system.
HTTP strict transport security
Our application forces all requests over HTTPS and sends the Strict-Transport-Security header, ensuring all traffic is secured in transit and protecting against protocol downgrade attacks.
Our application uses a series of security headers, including X-Frame-Options, X-XSS-Protection and Content-Security-Policy, to mitigate a wide range of common security issues.