Security features

Hosted in the EU
ISO27001 compliant
GDPR compliant
OpenID Connect SSO
SAML
Multi-layer encryption
Full range of user permissions
Audit log

Security at Humaans

At Humaans we are committed to offering world class data protection standards to ensure your data is safe and your compliance requirements are met.

The goal of Humaans is to provide a core building block of your HR tech stack. A place where you can store all your employee records and documents, follow company growth and accelerate your day to day people operations. This mission can’t be fulfilled without us implementing strict technical measures and following the highest security standards to build up trust with our customers.

Here you’ll find more information on how we approach security, and if you have additional questions feel free to get in touch at team@humaans.io.

Data centre security

Our hosting environment is fully-redundant with disaster recovery procedures. Our cloud hosting providers maintain multiple certifications for its data centers, including ISO 27001 compliance, PCI certification, and SOC. For more information about their certification and compliance, please visit the Google Cloud Platform security site.

EU hosted infrastructure

Humaans infrastructure is hosted on servers in the European Union. This allows us to meet specific regulatory and compliance requirements of organisations in Europe. Our data center provider Google Cloud Platform maintains multiple certifications, including SOC 1, SOC 2, SOC 3 and ISO27001. In addition all data is encrypted both in transit and at rest using strong encryption (AES256).

Communication

All user data is transported securely, as all traffic is encrypted in transit via SSL. Encrypting data in transit protects it from unauthorised snooping, modification, and man-in-the-middle attacks. We use 256-bit SSL/TLS.1.3 encryption, utilising both the ECDSA and RSA algorithms.

Multi-layer encryption

In addition to the industry standard in transit and at rest encryption of the data (AES256), we also utilise at-work encryption in our database, which ensures that sensitive bits of data are encrypted while the database is working (also using AES256). This allows us to introspect, service, and operate Humaans without having programmers and administrators inadvertently exposed to private data during the course of their work.

ISO27001:2022 compliance

We proudly maintain an ISO27001:2022 certification, validating the robustness of our security processes and controls. Our approach to product design and architecture, automated monitoring and formal policies allow us to stay up to date on our security posture at all times. You can download our ISO27001 certification in our Trust Center.

Credit cards

Humaans does not store any credit card information. We have partnered with Stripe for credit card processing which allows us to leverage AES256 encryption at rest, with PCI Service Provider Level 1 standards in the storage and handling of credit card information. This is the most stringent level of certification available to the payments industry.

Employee access is limited and audited

Only the people who need access to improve or operate the system have access. We make sure there are several layers of controls that individuals must go through to access customer data. And when they do their routine maintenance, debugging, or servicing of the system, they’re led through an auditing access path that requires them to state the valid consent or justification for the specific access session.

Penetration testing

We partner with world leading security providers to perform regular security penetration testing of our systems and platform. You can download our Letter of Attestation in our Trust Center.

Data breach disclosure

In the event of a data breach involving personal data, we will promptly report to the local authority and to the people (data subjects) involved.

Processing of Company Personal Data

Humaans will comply with all applicable Data Protection Laws in the Processing of Company Personal Data and not Process Company Personal Data other than on the relevant Company’s documented instructions.

3rd party Sub-Processors

Our sub-processors are leaders in their space and have security as top priority. You can find the list of our sub-processors in our Data Processing Addendum page.

GDPR commitment

Humaans is commited to compliance with the General Data Protection Regulation, and meeting our legal obligation by helping our customers become compliant.

Data backups

We run automated backups of our databases every day to ensure your data stays safe and highly available.

Log collection

We collect detailed logs to ensure we have a high-resolution trail of the actions performed across the platform for any incident investigation if so required.

Software updates

We have automated systems in place that monitor the versions and vulnerabilities in all of the code that powers Humaans and our infrastructure is continously updated to the latest and most secure versions of software.

Automated tests

We run an extensive suite of automated tests after each code change to verify correctness of Humaans features, including authentication and the permission system.

HTTP strict transport security

Our application forces all requests over HTTPS, ensuring all traffic is secured in transit and protecting against protocol downgrade attacks.

Security headers

Our application uses a series of security headers, including X-Frame-Options, X-XSS-Protection and Content-Security-Policy to mitigate a wide range of common security issues.

Reporting security issues

If you believe you have discovered a vulnerability in Humaans product or have a security incident to report, please contact security@humaans.io. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Humaans' prior written approval. Detailed and quality reporting is important to Humaans. You must include a working Proof of Concept.