People® has been independently audited and meets the requirements for BS EN ISO 27001:2013 registration. The scope covers how we manage information security in providing online Human Resource Management software and services to our customers. This means that the way we own, store, transfer, access, back up, monitor, test and review our security procedures has been independently verified to an internationally recognised standard.
BS EN 27001:2013 Certificate Number: 16/5077
People® is registered with the Information Commissioner’s Office (ICO). This means we are contractually committed to delivering our services in compliance with the Data Protection Act (DPA). We are also committed to complying with all requirements of GDPR.
ICO Registration Number: ZA185401
As a customer you are automatically enrolled onto our People Managed Security Service. Actively searching for threats is important for keeping your business safe. That's why we ensure we have a team that monitors and manages our environment 24x7x365, using advanced technology and analytics.
Our environment is looked after by a 24x7x365 Customer Security Operations Center (CSOC), staffed by best-in-breed, GCIA- and GCIH-certified security analysts, whose credentials meet or surpass industry standards.
Using People Managed Security Service means we don't just detect threats, but we also rapidly respond to them - performing appropriate remediation based on pre-approved actions.
Our partnership with Rackspace means we actively counteract threat activity through industry-leading host and network protection, threat intelligence and security analytics, log management and vulnerability management technologies including Alert Logic.
We commission regular independent penetration testing of our infrastructure to ensure we keep our system free from vulnerabilities. With many high-profile customers in the financial sector, we recognise the need for tight security at a very technical level. We therefore use a highly respected penetration testing provider to ensure we do everything possible to protect your data.
People is GDPR ready. Our data protection officer is Sukhjinder Singh, who is a General Data Protection Regulation (GDPR) Practitioner.
The General Data Protection Regulation expands and standardises data protection across the whole of the EU and, prior to Brexit, was due to come into force in May 2018.
We store your data securely using Rackspace – one of the world’s most trusted cloud-computing platforms.
Our Information Security team is responsible for ensuring our InfoSec policies are compliant, and properly implemented. They also handle many of the InfoSec questions raised by our clients. To help you find key answers quickly, we have compiled and consolidated some of the most frequently asked questions below:
Who owns our data? Your data belongs to you. As our customer, you are classed as the ‘data controller’. As your supplier, we are classed as the ‘data processor’.
What happens to our data when we leave? We provide you with an export of all your data, and then remove it from our systems within 45 days. Any documents you uploaded will be returned in their original format. Anything else is sent in CSV format.
How often is our data backed up? Your data is backed up per transaction (each time you do something), per hour, and per night. In the event of a total failure, our infrastructure within the data centre means we can recover your data quickly and reliably (see Rackspace.co.uk below). If you have particular governance rules, you may also create your own backups using our offline backup tool.
Where is our data stored – and is it safe? We store your data in Rackspace’s state-of-the-art data centre in London, UK. Rackspace protects the servers where your data is stored and managed, through biometric access controls, constant surveillance, redundant power feeds and generators, robust fire suppression, and carefully monitored climate control. In keeping with Data Protection Act requirements, we guarantee that your data will never be moved outside of the EEA (European Economic Area). Your data is also encrypted using TLS and AES.
Who can access my data? Only you, and a small number of vetted and authorised People® personnel, can access your data. Any member of this specialist People® team will only ever access your data to perform specific tasks on your request via our support desk – and any action they take is logged and easily auditable. Access to any sensitive data is extensively logged, and requires fixed IP addresses and two-factor authentication.
What type of firewalls do you use? The People® application, and any data you store within it, is protected by Cisco-powered firewalls.
Check our uptime or downtime, anytime (in real-time). When it comes to our System Status, we have nothing to hide and want you to know whatever we do. Get an update now: Check System Status
People supports 2FA using the Google Authenticator application on a smartphone. Once activated, only authorised devices can be used to log in.