Our systems, and our support service, are designed for security. Cezanne HR has been independently certified by BSI to ISO 27001:2013 under certificate number IS 696606, and we have regular penetration testing by an expert third party. It’s important to us that security is independently validated, so you can be assured that we really do meet the high standard of security your sensitive HR data demands.
Learn more about:
As a team, we have a long history of developing and delivering HR software solutions to customers of every size and in virtually every industry sector – including many of the world’s most demanding organisations.
Cezanne HR is designed to enable robust, fast, safe use across the internet, and to protect the security and integrity of your HR data and your HR system. From system architecture and data encryption to advanced options for user permissions, passwords and dual authentication, security is at the heart of what we design and deliver to you.
Cezanne HR is designed around a multi-tiered architecture that is recommended for web-based applications. The architecture partitions application functionality into independent layers: the presentation layer (or browser client), the business logic (application server) and the data layer (database).
The presentation layer never communicates directly with the database layer. All communication is performed via the business logic, which provides its own security checks before permitting access to the data. This prevents requests from a web browser going directly to the database. The application also verifies the user role at every request.
The service makes use of strong encryption to protect customer data (which is stored on an encrypted file system) and communications, including SSL Certification from Network Solutions. SSL (Secure Sockets Layer) is the standard security technology for creating an encrypted link between a web server and a browser. You will know you have created an SSL link when the URL is in green, begins with “https://” and there is a padlock symbol either at the beginning or end of the URL.
Secure mechanisms are used to verify the identity of users attempting to access the system. In order to access the system the user must either enter a username (e-mail address) and password or authenticate through an approved Single Sign-On (SSO) provider. For additional security, customers can also opt to use dual authentication, also known as multi-factor authentication or 2FA.
Passwords are protected using sophisticated hashing and salting techniques; Cezanne HR only ever stores hashes of password, never the passwords themselves.
You can set rules in the system to enforce a strong password policy, including:
- Mandatory inclusion of at least one upper and lowercase letter, one number and one symbol.
- Minimum and maximum password length.
- Expiry dates with reminders.
- Password history to prevent users re-using their passwords within a customer-defined period.
- Maximum number of failed login attempts before the account is temporarily locked.
- You can also choose which, if any, of the SSO options – e.g. Google, Microsoft, Twitter, Facebook and OpenID – are available to your users. Only identifiers that are secured with SSL can be used when the OpenID SSO option is enabled.
Cezanne HR's Information Security Management System (ISMS) for the development, operation and delivery of the Cezanne HR service is ISO 27001 certified by BSI under certificate number IS 696606.
Cezanne HR is also Cyber Essentials Certified. Cyber Essentials is a UK government information assurance scheme operated by the National Cyber Security Centre that encourages organisations to adopt good practice in information security.
Your Cezanne HR software service is hosted within Amazon’s AWS European data centres. AWS is acknowledged as the world-leading Cloud Infrastructure as a Service provider. Its data centres are proven, secure and reliable and their certifications cover ISO27001, SOC 1/SSAE 16 (previously SAS70), SOC 2 and more. The AWS infrastructure also has a number of built-in security features, such as distributed denial of service (DDoS) protection and password brute-force detection on AWS accounts.
In addition, our contract with AWS states that they will not move any content from the European region without first notifying us. If this happens we will, of course, both notify you and take steps to ensure your content remains within the EU. This is especially important in light of the recent changes to data protection legislation.
For further information about AWS EU data protection and GDPR compliance please visit. https://aws.amazon.com/compliance/eu-data-protection/
Inside the AWS environment, the systems are further safeguarded by firewalls between layers, IP and port restrictions, private subnets and network routing restrictions.
Operating system instances are hardened by disabling or removing any non-essential tools, utilities and other system administration options that might provide potential backdoor entry to the system, and by disabling or removing any unnecessary users, protocols, and processes. Our installation and configuration procedures are based on industry-recognised standards and tools.
Cezanne HR does not have physical access to the data centre or physical machines as this is prohibited by Amazon. Cezanne HR can access the virtual machine instances for the purpose of maintenance, applying security updates, monitoring and ensuring backups are running successfully. This is limited to Cezanne HR’s Managed Services team.
When purchasing a Software as a Service (SaaS) solution, it is critical that the service is resilient and reliable. To ensure high availability the Cezanne HR software service includes:
- Installation in multiple EU data centres - your Cezanne HR software will continue to operate if a machine or data centre fails.
- 24-hour monitoring – the availability of the system is monitored continuously and an alert sent to the support team if a problem occurs.
- External monitoring from locations around the globe to alert Cezanne HR to unexpected latency or DNS problems.
- Monitoring of resources including CPU, disk and memory usage so we can scale as and when required.
The GDPR introduces a major overhaul of the European data protection regulation. While the key principles of the GDPR are the same as those that have been in place since the introduction of legislation based on the European Directive of 1995, there is now a much greater emphasis on transparency and accountability.
This section details how Cezanne HR as the data processor complies with specific requirements of the GDPR. To learn how Cezanne HR helps you manage your own compliance obligations, for example in deleting or anonymising data, click here.
We are compliant with the provisions of articles 28(1), 32(1) and 32(2), in the sense that we have implemented “appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation”. The measures implemented include, but are not necessarily limited to, the following:
- all data are encrypted both at rest and in transmission;
- all accesses to the system are monitored and logged (both successful logins and attempted logins);
- all modifications of personal data are timestamped and tracked in a log;
- personal data belonging to the controller are only stored in cloud locations within the AWS service that offer high physical and logical access protection, including cybersecurity against viruses, malware and denial-of-service attacks;
- ongoing confidentiality of data is assured by state-of-the-art authentication methods, which the controller can tune as required (in terms of password length, composition and duration);
- ongoing availability of data is assured by constant monitoring of the system in multiple locations world-wide and rapid response processes in case of system stress or other performance issues;
- resilience of processing systems is assured by use of multiple data centres and of mirror copies of databases;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident is assured by an appropriate backup/recovery procedure, which is periodically tested;
- the protection against unauthorised access to personal data is constantly checked through penetration testing performed by a reputable cybersecurity organisation;
- all security measures are regularly reviewed, also in light of the evolution of the technology and the cybersecurity industry.
We are compliant with the provisions of articles 28(2) and 28(3) because we have revised our Terms and Conditions to include all of the provisions that the law requires.
We are compliant for what concerns the physical location of data, as the agreement in place with our hosting provider, AWS guarantees that data will never leave the AWS region of Ireland, and the potential access to data by Cezanne HR’s support personnel is, in any case, limited to access from the UK or from other EEA countries.
We have data processing agreements with all sub-processors are fully consistent with all the commitments we have with customers, including the assurance that no personal data is ever transferred or processed outside the EEA.
We are also compliant with other aspects of the GDPR, such as:
- We have procedures in place to manage potential data breaches;
- We are committed to assisting our customers in case of data subject request;
- We are open to audits and inspections if requested;
- All our personnel that may have access to customers’ personal data is fully trained in data security and protection and is bound by confidentiality agreements;
- We have procedures in place to return and/or erase all personal data of customers that have terminated their subscription to the system.
Although the law doesn’t strictly require it in our case, we maintain the formal records in accordance with article 30(2) of GDPR.
We have appointed a data protection officer in accordance with article 37(1) of GDPR. The appointment has been registered with the ICO.
Although it is not a GDPR requirement but only a facilitator to prove compliance, our Information Security Management System (ISMS) is approved for certification in accordance with ISO27001:2013 standards with the UK's leading accreditation body, BSI.
During the transition period nothing will change
The transition period runs from 1st February 2020 until 31 December 2020. During the transition period, although the UK is no longer a member state of the EU, “all references to EU member states in the provisions of European Union law (which includes the GDPR) shall be understood as including the United Kingdom” (art. 7 of the Withdrawal Agreement).
After the transition period
Starting in 2021, the GDPR (that is European Union law) will no longer apply automatically to the UK, and the UK Data Protection Act, that currently is fully aligned with the GDPR, in theory may diverge, even though the current consensus is that it probably will remain aligned. Regardless of the level of alignment, in legal terms the two laws will no longer be one, and some adjustment to contracts that refer to the GDPR will be required. What adjustments, and how they will be formalised, depends on the agreement reached (or failed to reach) during the new trade negotiations between the UK and the EU.
Current information about using personal data in your business or other organisation from 1 January 2021 can be found on the GOV.UK website.
Cezanne HR hosts and processes customer personal data only in the European Union, specifically in AWS (Amazon Web Services) data centres located in the Republic of Ireland. For data controllers (customers using Cezanne HR as their processor) that are located in the UK, transferring personal data from the UK to an EU country is allowed under the Data Protection Act 2018 and complies with the EU’s GDPR. For controllers located in the EU, data remain in the EU, which raises no question.
This applies during the transition period and will almost certainly apply also after it, unless the UK government enacts a new unexpected law.
Cezanne HR’s customer support operates from within the UK. When, in providing support, a Cezanne person accesses customer personal data, data are transferred from the EU to the UK, albeit temporarily. In order to continue to be able to lawfully access clients’ data or receive files from clients while performing support from the UK, by the end of the transition period we will amend our agreements that currently state that we never transfer data outside of the EU.
To make data transfer to the UK legal, the ICO currently recommends the use of Standard Contractual Clauses, a legal instrument developed by the European Commission for this purpose. While this is not required during the transition period, the Standard Contractual Clauses may or may not become the right tool from 2021, depending on the final agreement reached between the UK and the EU on the subject of personal data flows.
Our commitment to you
Working with our legal advisors, we will continue to monitor the situation closely, and take appropriate action to ensure that we continue to provide you with a robust, secure and law-compliant HR service that you can trust.
If you have any question or doubt please contact our support team, and we will be happy to answer.
In accordance with the terms and conditions of the Cezanne HR subscription agreement, Cezanne HR may modify its security infrastructure. Modules marketed by Cezanne HR may have a different hosting and security architecture. Please contact us if you would like a copy of this agreement or have questions.