Advanced security, independently validated

Our systems, and our support service, are designed for security. Cezanne HR has been independently certified by BSI to ISO 27001:2013 under certificate number IS 696606, and we have regular penetration testing by an expert third party. It’s important to us that security is independently validated, so you can be assured that we really do meet the high standard of security that your sensitive HR data demands.



Robust product architecture

Security at every level

As a team, we have a long history of developing and delivering HR software solutions to customers of every size and in virtually every industry sector – including many of the world’s most demanding organisations.

Cezanne HR is designed to enable robust, fast, safe use across the internet, and to protect the security and integrity of your HR data and your HR system. From system architecture and data encryption to advanced options for user permissions, passwords and dual authentication, security is at the heart of what we design and deliver to you.

Application Architecture

Cezanne HR is designed around a multi-tiered architecture that is recommended for web-based applications. The architecture partitions application functionality into independent layers: the presentation layer (or browser client), the business logic (application server) and the data layer (database).

The presentation layer never communicates directly with the database layer. All communication is performed via the business logic, which provides its own security checks before permitting access to the data. This prevents requests from a web browser from going directly to the database. The application also verifies the user role at every request.

Data Encryption

The system encrypts customer data both in transit and at rest: Transport Layer Security (TLS) protects communication between layers and across the internet, and AES-256 is used for encryption of data at rest.

User Authentication

Secure mechanisms are used to verify the identity of users attempting to access the system. In order to access the system, the user must either enter a username (e-mail address) and password or authenticate through an approved Single Sign-On (SSO) provider. For additional security, customers can also opt to use dual authentication, also known as multi-factor authentication or 2FA.

Passwords are protected using sophisticated hashing and salting techniques; Cezanne HR only ever stores salted hashes of passwords, never the passwords themselves.

You can set rules in the system to enforce a strong password policy, including:
- Mandatory inclusion of at least one upper and lowercase letter, one number and one symbol.
- Minimum and maximum password length.
- Expiry dates with reminders.
- Password history to prevent users from re-using their passwords within a customer-defined period.
- Maximum number of failed login attempts before the account is temporarily locked.
You can also choose which, if any, of the Single Sign-On options – e.g. Google, Microsoft, Twitter, Facebook and OpenID – are available to your users. Only identifiers that are secured with SSL can be used when the OpenID SSO option is enabled.
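The password controls described above, as an added example that is not Cezanne HR's code: a store that keeps only salted hashes, checks a candidate password against the composition, length and history rules, and locks the account after repeated failures. The policy numbers, the choice of PBKDF2-HMAC-SHA256 and all names are assumptions.

```python
import hashlib, hmac, os, re, time

# Constructed policy values; the page lists the rule types, not the numbers.
MIN_LEN, MAX_LEN = 12, 64
HISTORY_DEPTH = 5     # earlier hashes a new password may not match
MAX_FAILED = 5        # failed logins before a temporary lock
LOCK_SECONDS = 15 * 60

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256 (hypothetical choice; the page names no algorithm).
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def policy_violations(password, history):
    # Return the rules a candidate password breaks; an empty list means accepted.
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    for name, pattern in (("upper", r"[A-Z]"), ("lower", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(name)
    # History: re-hash with each stored salt and compare in constant time.
    for salt, old_digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], old_digest):
            problems.append("reused")
            break
    return problems

class Account:
    # Holds only (salt, hash) pairs, never the password, plus lockout state.
    def __init__(self, password):
        self.history = [hash_password(password)]
        self.failed, self.locked_until = 0, 0.0
    def change_password(self, new):
        problems = policy_violations(new, self.history)
        if not problems:
            self.history.append(hash_password(new))
        return problems
    def login(self, attempt, now=None):
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(attempt, salt)[1], digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.failed, self.locked_until = 0, now + LOCK_SECONDS
            return "locked"
        return "denied"
```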

User Authorisation

User authorisation is controlled through dynamic role-based security. Employees are allocated to roles, such as HR administrator, restricted HR administrator, line manager or self-service employee. The system then dynamically allocates permissions to individual users to view, change or delete information, or access different areas of functionality, based on their responsibilities in the company. For example, line managers can see more information about the employees that report to them than about employees who do not.

Importantly, Cezanne HR has been developed with embedded business intelligence functionality. This means that access to dashboards, queries and data exports is controlled by the same rules as those that govern access to features or information in the database.

ISO27001:2013

Cezanne HR's Information Security Management System (ISMS) for the development, operation and delivery of the Cezanne HR service is ISO 27001 certified by BSI under certificate number IS 696606.

Cezanne HR is also Cyber Essentials Certified. Cyber Essentials is a UK government information assurance scheme operated by the National Cyber Security Centre that encourages organisations to adopt good practice in information security.

Top Cloud Computing Infrastructure

World-leading service

Your Cezanne HR software service is hosted within Amazon’s AWS European data centres. AWS is acknowledged as the world-leading Cloud Infrastructure as a Service provider. Its data centres are proven, secure and reliable and their certifications cover ISO27001, SOC 1/SSAE 16 (previously SAS70), SOC 2 and more. The AWS infrastructure also has a number of built-in security features, such as distributed denial of service (DDoS) protection and password brute-force detection on AWS accounts.

In addition, our contract with AWS states that they will not move any content from the European region without first notifying us. If this happens we will, of course, both notify you and take steps to ensure your content remains within the EU. This is especially important in the light of the recent changes to data protection legislation.

For further information about AWS EU data protection and GDPR compliance please visit https://aws.amazon.com/compliance/eu-data-protection/

Internal System Security

Inside the AWS environment, the systems are further safeguarded by firewalls between layers, IP and port restrictions, private subnets and network routing restrictions.

Operating System Security

Operating system instances are hardened by disabling or removing any non-essential tools, utilities and other system administration options that might provide potential backdoor entry to the system, and by disabling or removing any unnecessary users, protocols, and processes. Our installation and configuration procedures are based on industry-recognised standards and tools.

Server Management Security

Cezanne HR does not have physical access to the data centre or physical machines as this is prohibited by Amazon. Cezanne HR can access the virtual machine instances for the purpose of maintenance, applying security updates, monitoring and ensuring backups are running successfully. This is limited to Cezanne HR’s Managed Services team.

Resilience

When purchasing a Software as a Service (SaaS) solution, it is critical that the service is resilient and reliable. To ensure high availability the Cezanne HR software service includes:
- Installation in multiple EU data centres – your Cezanne HR software will continue to operate if a machine or data centre fails.
- 24-hour monitoring – the availability of the system is monitored continuously and an alert sent to the support team if a problem occurs.
- External monitoring from locations around the globe to alert Cezanne HR to unexpected latency or DNS problems.
- Monitoring of resources including CPU, disk and memory usage so we can scale as and when required.

Brexit & your Cezanne HR service

Transition period and beyond

During the transition period nothing will change

The transition period runs from 1st February 2020 until 31 December 2020. During the transition period, although the UK is no longer a member state of the EU, “all references to EU member states in the provisions of European Union law (which includes the GDPR) shall be understood as including the United Kingdom” (art. 7 of the Withdrawal Agreement).

After the transition period

Starting in 2021, the GDPR (that is, European Union law) will no longer apply automatically to the UK, and the UK Data Protection Act, which is currently fully aligned with the GDPR, may in theory diverge, even though the current consensus is that it will probably remain aligned. Regardless of the level of alignment, in legal terms the two laws will no longer be one, and some adjustment to contracts that refer to the GDPR will be required. What adjustments, and how they will be formalised, depends on the agreement reached (or not reached) during the new trade negotiations between the UK and the EU.

Hosting and processing of Customer Personal Data

Cezanne HR hosts and processes customer personal data only in the European Union, specifically in AWS (Amazon Web Services) data centres located in the Republic of Ireland. For data controllers (customers using Cezanne HR as their processor) that are located in the UK, transferring personal data from the UK to an EU country is allowed under the Data Protection Act 2018 and complies with the EU’s GDPR. For controllers located in the EU, data remain in the EU, which raises no issue.
This applies during the transition period and will almost certainly apply after it as well, unless the UK government enacts an unexpected new law.

Customer support operates from within the UK


Registration with the supervisory authority in charge of monitoring the application of GDPR

Cezanne HR is registered with the ICO, which is the supervisory authority for personal data privacy in the UK. During the transition period this remains sufficient for GDPR compliance in all EU countries as well as in the UK. By the end of the transition period Cezanne HR will also register, through an appointed representative, with the equivalent supervisory authority in one of the EU member states.

VAT on invoices to customers in the EU

During the transition period, invoices to customers in the EU will continue to be subject to VAT, but no VAT is added to the invoiced amount because VAT is managed under the ‘reverse charge’ regime for intra-EU service sales (except for customers that are treated as consumers, for which VAT is added to invoices). After the transition period, unless the final agreement reached between the UK and the EU provides differently, the invoices to customers in the EU will no longer be subject to VAT.

Our commitment to you

Working with our legal advisors, we will continue to monitor the situation closely, and take appropriate action to ensure that we continue to provide you with a robust, secure and law-compliant HR service that you can trust.

If you have any questions or doubts please contact our support team, and we will be happy to answer.

Please note: The information on this page relates to the modules developed by Cezanne HR. It does not cover third-party modules marketed by Cezanne HR that may have a different hosting and security architecture.

The use of Cezanne HR’s software service is subject to the terms and conditions of the Cezanne HR subscription agreement. Cezanne HR reserves the right to modify its security infrastructure in accordance with this agreement. Please contact us if you would like a copy of this agreement.