Hey! HR! Where’s my data? 

… and who’s looking after it? 

What if one of your stakeholders asked you that question?  

Could you answer them with any authority?  

Or would you have to point them to your third-party HR software FAQs page, where they might find a list of certification numbers and some vague references to a fourth party Cloud service? Or, worse, would you start doing the ‘lost stapler’ dance—shuffling paperwork, opening draws—while mumbling something about the Cloud? Erm… what… sorry… HR can’t come to phone right now.   

Well, we don’t want that for you. We want our community of HR professionals to have all the answers. So, pull up a pew and put your feet up—you’re in the SenseHR safe space now—so safe that you can throw an asteroid at it. And no, we’re not joking—we never joke about data storage and security.   

Certification 

ISO/IEC 27001 

This one’s nothing new but it’s important. ISO/IEC 27001 certification shows real commitment to international security standards and best practices from both the HR software provider (us) and the Cloud provider (Azure). Each party puts in hundreds of work hours, training, and resources to produce a compliant Information Security Management System (ISMS) and pass a rigorous, multi-stage audit process, which is reviewed annually.  

Any HR software provider worth their security claims, should be able to prove it with ISO 27001 certification. 

ISO/IEC 27701 

While ISO/IEC 27001 is stamped across the pages of every HR software website, you’re less likely to find providers with ISO/IEC 27701 certification. This international standard aims to bridge the gap between information security and data protection and privacy by providing a framework for organisations to protect Personally Identifiable Information (PII). Like ISO/IEC 27001, it requires a Privacy Information Management System (PIMS) and it’s an ongoing process, which ensures adherence to DPA18 and continual investment in keeping your information secure and data private.  

What’s more, unlike most other providers, we never access your data without your explicit permission. Even then, all access to your data is logged and the logs are viewable by your administrators. 

Microsoft Azure 

Our systems are built using Microsoft Azure. Now, that doesn’t mean that we’ve outsourced our security responsibilities to Microsoft—far from it—and more on that later.  

But listen, Microsoft have spent more than $1 billion USD in security R&D and 3,500 cyber security experts. Which means that SenseHR and each one of our customers are getting more than $1 billion USD of security R&D, as well as the security expertise of 3,500 of the best and brightest injected into our systems, and that’s before we’ve even started.  

Essentially, we’re standing on the shoulders of giants and then reaching that little bit higher.  

And we’re in good company. Government funded agencies from here to Australia, as well as leaders in the automotive industry, consumer goods, pharmaceuticals, manufacturing, healthcare, and even Microsoft themselves are using Azure.     

Shared security responsibilities 

According to the cloud security shared responsibility model, the cloud provider (Microsoft Azure), the data processor (us), and the data controller (you) are jointly responsible for data security at different stages. So, there’s no question of us outsourcing security responsibility. 

Instead, your people data essentially has 3 babysitters.  

For example, your organisation and HR department are responsible for devices that you use, accounts and access permissions, and the data that you enter—and we’ll do all we can to help you with that. MS Azure is responsible for physical security at their data centres, and their physical networks and network controls, applications, and infrastructure. While SenseHR are responsible for leveraging the security tools and services offered by Azure, our own systems, and the cream-of-the-cyber-security crop.  

And boy have we leveraged a system to shout about.  

Encryption in transit and at rest 

We store your data at rest—that’s data that isn’t in transit between your systems and the Azure databases–using AES-256 encryption. That’s the absolute gold standard in data encryption—it was developed to fulfil the security needs of the US government after all. To cut to the chase, a hacker would need 2²⁵⁶different combinations just to ensure the right combination was included. For reference, that’s more combinations than the number of atoms in the observable universe. It would take billions of years to brute force using current computing technology. Still not convinced that 2²⁵⁶ is a big number? Well the full number is 115, 792, 089, 237, 316, 195, 423, 570, 985, 008, 687, 907, 853, 269, 984, 665, 640, 564, 039, 457, 584, 007, 913, 129, 639, 936. Need more convincing? Written out, that number is one hundred fifteen quattuorvigintillion, seven hundred ninety-two trevigintillion, eighty-nine duovigintillion, two hundred thirty-seven unvigintillion, three hundred sixteen vigintillion, one hundred ninety-five novemdecillion, four hundred twenty-three octodecillion, five hundred seventy septendecillion, nine hundred eighty-five sexdecillion, eight quindecillion, six hundred eighty-seven quattuordecillion, nine hundred seven tredecillion, eight hundred fifty-three duodecillion, two hundred sixty-nine undecillion, nine hundred eighty-four decillion, six hundred sixty-five nonillion, six hundred forty octillion, five hundred sixty-four septillion, thirty-nine sextillion, four hundred fifty-seven quintillion, five hundred eighty-four quadrillion, seven trillion, nine hundred thirteen billion, one hundred twenty-nine million, six hundred thirty-nine thousand, nine hundred thirty-six! 

Our relational databases, graph databases, and blob storage (which is used for data like your documents, images and video) are all secured with AES-256 encryption.  

Data in transit needs to be encrypted too. It also needs to travel light and travel fast. For that, we use Transport Layer Security 1.2+ (TLS). It’s the same standard as you use for online banking, your data never leaves the data centre without it! 

Training 

Because brute force isn’t much of an option—unless you’re an immortal hacker with a billion years to waste—one of the biggest security threats to your people data is human error. Ransomware, business email compromise (BEC) and phishing are currently amongst the most common threats.  

Of course, all our people attend security awareness training during onboarding and then monthly after that. And our engineers and data security teams undergo even more rigorous training. But we also offer training and guidance to you too. Which means you can use our system effectively, including leveraging all the security measures on offer.   

Protecting your accounts 

We’re not just going to leave our customers to fend for themselves when it comes to securing access to their systems. That’s why we’re using the industry leading Microsoft Azure’s Active Directory to keep your access credentials safe. You can secure your system access with email and password, of course, but we also offer multi-factor authentications using authenticator apps, SMS, telephone call, or even Security Keys and SAML SSO. 

We also have built-in systems for role-based access controls, so HR managers can limit access to sensitive data. By identifying key stakeholders, you can apply appropriate and consistent access permissions depending on policies, level of training, and roles. And after that access records are always logged. 

DevSecOps 

… Ahem, that’s development, security, and operations to the rest of us (…a friendly note from your editor) 

Our world-class engineers use the latest techniques to keep SenseHR secure and reliable. Every line of code that they write is peer reviewed by another engineer and scanned with industry leading tools, including Sonar Cloud. If any issues are found during these processes, the code cannot be deployed and is returned for further review. 

Security Monitoring 

Engineers monitor our platform 365 days a year, 7 days a week, and 24 hours a day. All logs and metrics are sent to Azure Sentinel, which can detect malicious activity or incidents in real time. As soon as anything risky is detected according to predetermined threat thresholds, our engineers will declare an incident and raise a system alert. And our highly trained security incident response team takeover from there. 

Penetration testing and Bug Bounty 

Most HR platforms run a short pen test once a year. We have people testing the security of our platform constantly.  

In fact, we’re so invested in our security, that we’ve teamed up with a leading bug bounty program. That means the most skilled security researchers in the world—and even our own customers—have a safe and official avenue for testing and letting us know of any vulnerabilities they find. Find one and we’ll pay you a bounty.  

1 tenant, 1 database 

Most HR software providers store their customer data in shared database servers. Yup, if you and your greatest rival are using the same HR software, it’s likely that you’re sharing databases too. Unless you’re using SenseHR that is. We give each of our customer organisations their own databases. Not only does that make things faster for everyone but it eliminates any risk of data leaking into that rival database.  

And where’s that database? 

As standard we store your data in the Azure UK South datacentre in London. But that’s because most of our customers are UK based, so it delivers a faster service. If, for any reason, you want your data to be stored in any one of the 200+ physical Azure datacentres around the world—for your new Paris office, for example—all you need to do is ask. We can move data wherever you want within the Azure infrastructure to support speed or regional data protection regulations.  

Also, don’t you mean databases (plural)? 

Yup, our data redundancy measures means that your data is backed up across multiple servers. And those backups happen a lot. To be specific we perform: 

• Full backups each week 
• Differential backups every 12 hours 

• Transactional logs for every transaction, which are then backed up every 10 minutes. 

Aaaand didn’t you mean datacentres (plural)?

Yes, that too. Most HR providers claim adequate data redundancy by having two servers in the same datacentre. But we weren’t happy with adequate. Fire, outage, disaster… or an asteroid could easily take out both. We make sure that your data is simultaneously backed up to an alternate site at least 300 miles away, the default being Azure’s UK West Data Centre.  

That’s geo-redundancy.  

And that’s security that you could throw an asteroid at.  

So, you now know enough about where your people data is—and who’s looking after it—to impress even the most cynical Chief Technology Officer. 

… but only if you’re using SenseHR’s HR software. If you’re using some other HR software then, sorry, we’re not sure where your data is either.