Security at Humaans

At Humaans we are committed to offering world class data protection standards to ensure your data is safe and your compliance requirements are met.

The goal of Humaans is to provide a core building block of your HR tech stack. A place where you can store all your employee records and documents, follow company growth and accelerate your day to day people operations. This mission can’t be fulfilled without us implementing strict technical measures and following the highest security standards to build up trust with our customers.

Here you’ll find more information on how we approach security, and if you have additional questions feel free to get in touch at team@humaans.io.

Data centre security

Our hosting environment is fully-redundant with disaster recovery procedures. Our cloud hosting providers maintain multiple certifications for its data centers, including ISO27001 compliance, PCI certification, and SOC. For more information about their certification and compliance, please visit the Google Cloud Platform security site.

EU hosted infrastructure

Humaans infrastructure is hosted on servers in the European Union. This allows us to meet specific regulatory and compliance requirements of organisations in Europe. Our data center provider Google Cloud Platform maintains multiple certifications, including SOC 1, SOC 2, SOC 3 and ISO27001. In addition all data is encrypted both in transit and at rest using strong encryption (AES256).

Data in transit encryption

All user data is transported securely, as all traffic is encrypted in transit via SSL. Encrypting data in transit protects it from unauthorised snooping, modification, and man-in-the-middle attacks. We use 256-bit SSL/TLS.1.3 encryption, utilising both the ECDSA and RSA algorithms.

Data at rest encryption

All data is stored in Google Cloud Platform and is automatically encrypted at rest using AES256 encryption, with Google managing the encryption keys. In addition to the industry standard in transit and at rest encryption of the data, we also utilise at-work encryption in our database (AES256), which ensures that sensitive bits of data are encrypted while the database is working. This allows us to introspect, service, and operate Humaans without having programmers and administrators inadvertently exposed to private data during the course of their work.

SOC2 Type 2 certified

The most comprehensive attestation that our system is designed to keep our customers’ sensitive data secure. Through rigorous auditing procedures and continuous monitoring, we ensure comprehensive protection of customer data and maintain the highest security standards. Our SOC2 Type 2 report is available for download in our Trust Center.

ISO27001:2022 certified

We proudly maintain an ISO27001:2022 certification, validating the robustness of our security processes and controls. Our approach to product design and architecture, automated monitoring and formal policies allow us to stay up to date on our security posture at all times. You can download our ISO27001 certification in our Trust Center.

GDPR commitment

Humaans is commited to compliance with the General Data Protection Regulation, and meeting our legal obligation by helping our customers become compliant.

SSO enforcement

Leverage your existing SSO setup to enforce secure authentication across your organization. Humaans supports Single Sign-On via Google Workspace, Microsoft Entra, and SAML 2.0 providers, allowing you to eliminate passwords entirely for employee access. By enforcing SSO, all employees authenticate through your trusted identity provider, ensuring consistent security policies and simplified access management.

Permissions & access control

Humaans provides fine-grained access controls that enable you to create custom roles tailored to your organization's unique structure and security requirements. Build role-based permission sets that precisely define what each team member can view, edit, or manage within the platform. Configure granular controls down to individual data fields, ensuring that every employee sees exactly what they need to do their job effectively while maintaining strict data confidentiality across your organization.

AI security

Our AI features are built with security as a fundamental principle. We implement strict context filtering computed based on your platform permissions to prevent prompt injection attacks and ensure AI interactions remain within authorized boundaries. This means AI features only have access to data that the requesting user is permitted to view, maintaining the same security standards across both traditional and AI-powered functionality.

Audit logs

We maintain comprehensive audit logging across the entire Humaans platform, capturing security events and data changes. Actions performed in the system - from user logins to data modifications - is logged with detailed metadata including who performed the action, what was changed, when it occurred, and from where. These audit logs provide complete visibility into all platform activity, enabling security teams to investigate incidents, ensure compliance, and maintain accountability. Our audit logs are immutable, searchable, and retained according to industry best practices.

Employee access is limited and audited

Only the people who need access to improve or operate the system have access. We make sure there are several layers of controls that individuals must go through to access customer data. And when they do their routine maintenance, debugging, or servicing of the system, they’re led through an auditing access path that requires them to state the valid consent or justification for the specific access session.

Penetration testing

We partner with world leading security providers to perform regular security penetration testing of our systems and platform. You can download our Letter of Attestation in our Trust Center.

Data breach disclosure

In the event of a data breach involving personal data, we will promptly report to the local authority and to the people (data subjects) involved.

Processing of Company Personal Data

Humaans will comply with all applicable Data Protection Laws in the Processing of Company Personal Data and not Process Company Personal Data other than on the relevant Company’s documented instructions.

3rd party Sub-Processors

Our sub-processors are leaders in their space and have security as top priority. You can find the list of our sub-processors in our Data Processing Addendum page.

Credit cards

Humaans does not store any credit card information. We have partnered with Stripe for credit card processing which allows us to leverage AES256 encryption at rest, with PCI Service Provider Level 1 standards in the storage and handling of credit card information. This is the most stringent level of certification available to the payments industry.

Data backups

We run automated backups of our databases every day to ensure your data stays safe and highly available.

Log collection

We collect detailed logs to ensure we have a high-resolution trail of the actions performed across the platform for any incident investigation if so required.

Software updates

We have automated systems in place that monitor the versions and vulnerabilities in all of the code that powers Humaans and our infrastructure is continously updated to the latest and most secure versions of software.

Automated tests

We run an extensive suite of automated tests after each code change to verify correctness of Humaans features, including authentication and the permission system.

HTTP strict transport security

Our application forces all requests over HTTPS, ensuring all traffic is secured in transit and protecting against protocol downgrade attacks.

Security headers

Our application uses a series of security headers, including X-Frame-Options, X-XSS-Protection and Content-Security-Policy to mitigate a wide range of common security issues.

Reporting security issues

If you believe you have discovered a vulnerability in Humaans product or have a security incident to report, please contact security@humaans.io. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Humaans' prior written approval. Detailed and quality reporting is important to Humaans. You must include a working Proof of Concept.