Cezanne HR has been independently certified by BSI to ISO 27001:2013 under certificate number IS 696606, and we have regular penetration testing by an expert third party. It’s important to us that security is independently validated, so you can be assured that we really do meet the high standard of security your sensitive HR data demands.
As a team, we have a long history of developing and delivering HR software solutions to customers of every size and in virtually every industry sector – including many of the world’s most demanding organisations.
Cezanne HR is designed to enable robust, fast, safe use across the internet, and to protect the security and integrity of your HR data and your HR system. From system architecture and data encryption to advanced options for user permissions, passwords and dual authentication, security is at the heart of what we design and deliver to you.
Cezanne HR is designed around a multi-tiered architecture that is recommended for web-based applications. The architecture partitions application functionality into independent layers: the presentation layer (or browser client), the business logic (application server) and the data layer (database).
The presentation layer never communicates directly with the database layer. All communication is performed via the business logic, which provides its own security checks before permitting access to the data. This prevents requests from a web browser from going directly to the database. The application also verifies the user role at every request.
The system encrypts customer data both in transmission and at rest: Transport Layer Security (TLS) provides end-to-end security for communication between layers and across the internet, and AES 256 is used for data encryption at rest.
Secure mechanisms are used to verify the identity of users attempting to access the system. In order to access the system, the user must either enter a username (e-mail address) and password or authenticate through an approved Single Sign-On (SSO) provider. For additional security, customers can also opt to use dual authentication, also known as multi-factor authentication or 2FA.
Passwords are protected using sophisticated hashing and salting techniques; Cezanne HR only ever stores hashes of passwords, never the passwords themselves.
You can set rules in the system to enforce a strong password policy, including:
- Mandatory inclusion of at least one upper and lowercase letter, one number and one symbol.
- Minimum and maximum password length.
- Expiry dates with reminders.
- Password history to prevent users from re-using their passwords within a customer-defined period.
- Maximum number of failed login attempts before the account is temporarily locked.
You can also choose which, if any, of the Single Sign-On options – e.g. Google, Microsoft, Twitter, Facebook and OpenID – are available to your users. Only identifiers that are secured with SSL can be used when the OpenID SSO option is enabled.
Cezanne HR's Information Security Management System (ISMS) for the development, operation and delivery of the Cezanne HR service is ISO 27001 certified by BSI under certificate number IS 696606.
Cezanne HR is also Cyber Essentials Certified. Cyber Essentials is a UK government information assurance scheme operated by the National Cyber Security Centre that encourages organisations to adopt good practice in information security.
Your Cezanne HR software service is hosted within Amazon’s AWS European Union data centres. AWS is acknowledged as the world-leading Cloud Infrastructure as a Service provider. Its data centres are proven, secure and reliable and their certifications cover ISO27001, SOC 1/SSAE 16 (previously SAS70), SOC 2 and more. The AWS infrastructure also has a number of built-in security features, such as distributed denial of service (DDoS) protection and password brute-force detection on AWS accounts.
In addition, we have chosen to host data exclusively in AWS data centres in the European Union. Our contract with AWS states that they will not move any content from the selected region. This is especially important for compliance with both UK and EU data protection legislation.
For further information about AWS EU and UK GDPR compliance please visit:
Inside the AWS environment, the systems are further safeguarded by firewalls between layers, IP and port restrictions, private subnets and network routing restrictions.
Operating system instances are hardened by disabling or removing any non-essential tools, utilities and other system administration options that might provide potential backdoor entry to the system, and by disabling or removing any unnecessary users, protocols, and processes. Our installation and configuration procedures are based on industry-recognised standards and tools.
Cezanne HR does not have physical access to the data centre or physical machines as this is prohibited by Amazon. Cezanne HR can access the virtual machine instances for the purpose of maintenance, applying security updates, monitoring and ensuring backups are running successfully. This is limited to Cezanne HR’s Managed Services team.
When purchasing a Software as a Service (SaaS) solution, it is critical that the service is resilient and reliable. To ensure high availability the Cezanne HR software service includes:
- Installation in multiple EU data centres - your Cezanne HR software will continue to operate if a machine or data centre fails.
- 24-hour monitoring – the availability of the system is monitored continuously and an alert sent to the support team if a problem occurs.
- External monitoring from locations around the globe to alert Cezanne HR to unexpected latency or DNS problems.
- Monitoring of resources including CPU, disk and memory usage so we can scale as and when required.
This section details how Cezanne HR as the data processor complies with specific requirements of the EU and UK GDPR regimes. To learn how Cezanne HR helps you manage your own compliance obligations, for example in deleting or anonymising data, click here.
We are compliant with the provisions of articles 28(1), 32(1) and 32(2), in the sense that we have implemented “appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation”. The measures implemented include, but are not necessarily limited to, the following:
- all data are encrypted both at rest and in transmission;
- all accesses to the system are monitored and logged (both successful logins and attempted logins);
- all modifications of personal data are timestamped and tracked in a log;
- personal data belonging to the controller are only stored in cloud locations within the AWS service that offer high physical and logical access protection, including cybersecurity against viruses, malware and denial-of-service attacks;
- ongoing confidentiality of data is assured by state-of-the-art authentication methods, which the controller can tune as required (in terms of password length, composition and duration);
- ongoing availability of data is assured by constant monitoring of the system in multiple locations world-wide and rapid response processes in case of system stress or other performance issues;
- resilience of processing systems is assured by use of multiple data centres and of mirror copies of databases;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident is assured by an appropriate backup/recovery procedure, which is periodically tested;
- the protection against unauthorised access to personal data is constantly checked through penetration testing performed by a reputable cybersecurity organisation;
- all security measures are regularly reviewed, also in light of the evolution of the technology and the cybersecurity industry.
We are compliant with the provisions of articles 28(2) and 28(3) because we have revised our Terms and Conditions to include all of the provisions that the law requires.
We are compliant as regards the physical location of data: the agreement in place with our hosting provider, AWS, guarantees that data will never leave the AWS region of Ireland, and the potential access to data by Cezanne HR’s support personnel is, in any case, limited to access from the UK or from other EEA countries.
We have data processing agreements with all sub-processors that are fully consistent with all the commitments we have with customers, including the assurance that no personal data is ever transferred or processed outside the EEA.
We are also compliant with other aspects of the GDPR, such as:
- We have procedures in place to manage potential data breaches;
- We are committed to assisting our customers in the case of data subject requests;
- We are open to audits and inspections if requested;
- All our personnel who may have access to customers’ personal data are fully trained in data security and protection and are bound by confidentiality agreements;
- We have procedures in place to return and/or erase all personal data of customers that have terminated their subscription to the system.
Although the law doesn’t strictly require it in our case, we maintain the formal records in accordance with article 30(2) of GDPR.
We have appointed a data protection officer in accordance with article 37(1) of GDPR. The appointment has been registered with the ICO.
Although it is not a GDPR requirement, but only a means of demonstrating compliance, our Information Security Management System (ISMS) is approved for certification in accordance with ISO27001:2013 standards by the UK's leading accreditation body, BSI.
In accordance with the terms and conditions of the Cezanne HR subscription agreement, Cezanne HR may modify its security infrastructure. Modules marketed by Cezanne HR may have a different hosting and security architecture. Please contact us if you would like a copy of this agreement or have questions.