Data Security

How we keep your HR data safe

As a team, we have a long history of developing and delivering HR software solutions to customers worldwide – including many of the world’s leading organizations. We know what it takes to provide software that meets your demanding standards, and the challenge of delivering robust, secure business software across the Internet.

Security at every level

Application Architecture

Cezanne HR is designed around a multi-tiered architecture that is recommended for web-based applications. The architecture partitions application functionality into independent layers: the presentation layer (or browser client), the business logic (application server) and the data layer (database).

The presentation layer never communicates directly with the database layer. All communication is performed via the business logic, which provides its own security checks before permitting access to the data. This prevents requests from a web browser going directly to the database. The application also verifies the user role at every request.

Data Encryption

The service makes use of strong encryption to protect customer data (which is stored on an encrypted file system) and communications, including SSL Certification from Network Solutions. SSL (Secure Sockets Layer) is the standard security technology for creating an encrypted link between a web server and a browser. You will know you have created an SSL link when the URL is in green, begins with “https://” and there is a padlock symbol either at the beginning or end of the URL.

User Authentication

Secure mechanisms are used to verify the identity of users attempting to access the system. In order to access the system the user must either enter a username (email address) and password or authenticate through an approved Single Sign-On (SSO) provider. Cezanne HR also gives our clients the option of dual-authentication, should you require.

Passwords are protected using sophisticated hashing and salting techniques; Cezanne HR only ever stores hashes of password, never the passwords themselves.

You can set rules in the system to enforce a strong password policy, including:

  • Mandatory inclusion of at least one upper and lowercase letter, one number and one symbol.
  • Minimum and maximum password length.
  • Expiry dates with reminders.
  • Password history to prevent users re-using their passwords within a customer-defined period.
  • Maximum number of failed login attempts before the account is temporarily locked.
  • You can also choose which, if any, of the SSO options – e.g. Google, Microsoft, Twitter, Facebook and OpenID – are available to your users. Only identifiers that are secured with SSL can be used when the OpenID SSO option is enabled.

User Authorization

User authorization is controlled through dynamic roles-based security. Employees are allocated to roles, such as HR administrator, restricted HR administrator, line manager or self service employee. The system then dynamically allocates permissions to individual users to view, change or delete information, or access different areas of functionality, based on their responsibilities in the company. For example, line managers can see more information about the employees that report to them than those employees who do not.

Importantly, Cezanne HR has been developed with embedded business intelligence functionality. This means that access to dashboards, queries and data exports are controlled by the same rules as those that govern access to features or information in the database.

Why secure software design matters

When selecting any HR software system, it’s important to consider not only the hosting environment, but the design of the software application too. A software vendor can choose to host their system in one of the many world-class hosting facilities available today, and benefit from all of the advanced infrastructure security on offer. However, if their software application hasn’t been designed with security at its heart, their system is still going to be vulnerable.

State-of-the-art hosting

We have chosen to host your Cezanne HR software service within Amazon’s AWS European data centers. AWS is acknowledged as a world-leading Cloud Infrastructure as a Service provider. It’s data centers are proven, secure and reliable and their global certifications cover ISO27001, SOC 1/SSAE 16 (previously SAS70), SOC 2 and more. The AWS infrastructure also has a number of built-in security features, such as distributed denial of service (DDoS) protection and password brute-force detection on AWS accounts.

If you have an international workforce — and especially with locations in Europe — security has become slightly more complicated due to the cancellation of the US-EU Safe Harbor framework on October 6th, 2015. That’s why we have a contract with AWS states that they will not move any content from the European region without first notifying us. If this happens we will, of course, both notify you and take steps to ensure your content remains within the EU.

For further information about AWS EU data protection compliance please visit.

Internal System Security

Inside the AWS environment the systems are further safeguarded by firewalls between layers, IP and port restrictions, private subnets and network routing restrictions.

Operating System Security

Operating system instances are hardened by disabling or removing any non-essential tools, utilities and other system administration options that might provide potential backdoor entry to the system, and by disabling or removing any unnecessary users, protocols, and processes. Our installation and configuration procedures are based on industry-recognized standards and tools.

Server Management Security

Cezanne HR does not have physical access to the data center or physical machines as this is prohibited by Amazon. Cezanne HR can access the virtual machine instances for the purpose of maintenance, applying security updates, monitoring and ensuring backups are running successfully. This is limited to Cezanne HR’s Managed Services team.


When purchasing a Software as a Service (SaaS) solution, it is critical that the service is resilient and reliable. To ensure high availability the Cezanne HR software service includes:

  • Installation in multiple EU data centers – your Cezanne HR software will continue to operate if a machine or data center fails.
  • 24 hour monitoring – the availability of the system is monitored continuously and an alert sent to the support team if a problem occurs.
  • External monitoring from locations around the globe to alert Cezanne HR to unexpected latency or DNS problems.
  • Monitoring of resources including CPU, disk and memory usage so we can scale as and when required.

Additional reading

Why you need to know who hosts your HR software.

Please note: The information on this page relates to Cezanne HR’s modules for People, Absence, Time and Performance. It does not cover third-party modules marketed by Cezanne HR that may have a different hosting and security architecture.

Use of Cezanne HR’a software services are subject to the terms and conditions of the Cezanne HR subscription agreement. Cezanne HR reserves the right to modify its security infrastructure in accordance with this agreement. Please contact us if you would like a copy of this agreement.