Data protection and information security are key elements of Personio’s products and services. Protecting your data and earning your trust is pivotal to us. Therefore, we have implemented and keep on developing technical and organizational measures to ensure secure processing of information.
Our practices are based on the legal framework of the European General Data Protection Regulation (EU GDPR) as well as common standards and guidelines such as ISO/IEC 27001 and the principles of basic IT protection (“IT-Grundschutz”) of the German Federal Office for Information Security (BSI).
General Information on Data Protection
Has Personio appointed a data protection officer?
In data protection matters, we rely on Bitkom Servicegesellschaft mbH, one of the leading consultancy companies in Germany for any issues related to the digital economy, and use their services as in-house data protection officers:
Bitkom Servicegesellschaft mbH, Albrechtstrasse 10, D-10117 Berlin.
For any questions regarding data protection at Personio, please contact firstname.lastname@example.org
How does Personio otherwise ensure that employees handling orders are familiar with the legal requirements on data protection?
For one thing, all Personio employees are bound to data secrecy and data protection in general and are made aware of the consequences of any breach.
For another thing, we run training and awareness programs regarding the handling of personal details, as well as data protection, on a regular basis. These programs also include new legislation such as the European General Data Protection Regulation (EU GDPR).
What else does Personio do at organizational level to ensure that personal data is protected and IT systems are secure?
Personio’s organizational structure is informed by the requirements of ISO/IEC 27001. We strive for continued improvement of the processes and structures ensuring data protection and information security. In addition to appointing a data protection officer and training staff on a regular basis, Personio employs an internal IT security officer in order to ensure that security has the highest priority in all processing and internal processes.
Furthermore, Personio closely cooperates with major decision-makers and bodies in the field of data protection and IT security and is a member, among others, of the German Association for Data Protection and Data Security (GDD), the Alliance for Cyber-security and Bitkom e.V.
What happens if there is a data breach at Personio?
In the unlikely event of a data breach at Personio, if personal data of a customer is affected and the breach is likely to entail a risk to the rights and the freedom of the customer’s staff, Personio will immediately notify the customer concerned, so as to enable them to fulfill their legal obligation to inform the regulatory authority and the individuals concerned.
Has the application been developed in accordance with the stipulations for data protection by design and by default?
Yes, data protection is an integral element of our product strategy. Therefore, even at the development stage of our features we carefully respect principles such as data economy and use state-of-the-art measures to ensure an adequate level of protection. In addition, when preparing for the EU GDPR, we reviewed the default settings of the entire application and adapted them to provide the highest-possible level of data protection while still ensuring user friendliness. Furthermore, the settings are generally all adaptable to the customer’s individual needs. In order to continuously ensure this, we also defined a process for feeding legal requirements into the product development process on an ongoing basis and reviewing the application accordingly at set intervals.
Is the application compliant with the European General Data Protection Regulation (EU GDPR)?
We generally assume that we are compliant with the essential requirements of the EU GDPR already today. This includes, in addition to the stipulations of art. 25 of EU GDPR re data protection by design and by default, supporting the customer in respecting the rights of data subjects such as the right to obtain erasure of personal details as well as the rights of access and data portability (chapter 3 of EU GDPR). This enables the customer to delete applicants’ data either automatically or manually as well as to either block or completely and securely delete employees’ data. Furthermore, due to Personio’s self-service approach, employees are given direct access to their own digital personnel file at all times. In addition, employees can export their own data from the staff list in a machine-readable format as well as download any documents that they personally added. Nevertheless, we make sure that the application, the underlying infrastructure and our organizational structure are suitably equipped at various levels to meet the requirements of the EU GDPR.
What should I do if I found a security vulnerability in Personio?
Web application and APIs:
– URL where the vulnerability was detected
– Account name
– Type of affected
– Information on how vulnerability can be reproduced
– Mobile device and operating system information
– Account name
– Type of affected data
– Information on how vulnerability can be reproduced
Encryption & Pseudonymisation
Is the data encrypted for transmission?
Yes, any personal data that the Personio application transmits to a client or other platforms must be encrypted using Transport Layer Security (TLS), specifically HTTPS. This requires for a secure connection to be established between the two communicating partners (client and server) before any data can be transmitted.
Confidentiality & Integrity
Where is the data stored?
Personio uses the services of Amazon Web Services (AWS) in Frankfurt (https://aws.amazon.com/compliance/gdpr-center) for hosting its software. The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers’ data.
Who at Personio and its service providers has access to customer data?
As a general rule, neither staff at the data centers nor at AWS employees have access to your data. As far as Personio is concerned, only our DevOps Team (in charge of servers) and our Product Team as well as the Customer Success Team (in charge of customers’ systems) will access data as and when necessary. This will be necessary to assist with the initial creation of an account as well as the processing of service enquiries. Access rights are granted on a need-to-know basis and documented. In addition, access to customers’ systems is logged.
What does Personio do to prevent unauthorized access to customers’ systems?
On the server side, Personio uses a host-based intrusion detection system to monitor parameters such as suspicious log entries, signatures of known rootkits and trojans, anomalies in the Device File System or classic brute force attacks. These parameters are scanned for anomalies on a regular basis. In case an anomaly is detected, the operations and development staff in charge are notified immediately so that they can take counteraction. In addition, on the application side, all essential activities (in particular change, delete and update operations) are logged to be able to prove upon request unauthorized access and changes to data.
How does user authentication work?
Access is granted purely via personalized user accounts, each of which is clearly assigned to an individual. Registration is with a user name and password, with the latter having to be modified during initial login in accordance with the secure-password guideline implemented in the application. In addition, we advise our customers to use two-factor authentication to achieve a higher level of protection.
Who has access to which data on the customer side?
Access rights are generally designed to fulfill the requirements of art. 24 of EU GDPR regarding data protection by default. This means that all employees with newly created user accounts have by default no rights beyond editing their own profile. You as the customer, however, can manage the granting of access rights according to your individual authorization protocol.
Availability & Capacity
What does Personio do to ensure availability of the system?
Personio focuses in particular on the geo-redundant design of the server infrastructure in relation to productive data and backups as well as the physical security of the data centers (e.g. uninterrupted power supply, alarm system, fire-detection systems etc.) and also operates a continuous capacity management for monitoring resources in use and distributing free ones as needed
Are backups done on a regular basis or do we have to back up our own data?
Personio has implemented a backup concept for customer data and documents stored on its data centers according to the state of the art in order to guarantee adequate availability. The backups of the database systems are stored exclusively in encrypted form. This means that it is not necessary for the customer to carry out own backups. Regular restore tests are carried out to ensure that the backups have been stored properly and can be restored if necessary.
What happens to the customer data in case of a total failure of our system, e.g. by force majeure or similar events?
In the unlikely event of a total failure of the system, the redundant structure of the data centers (productive and backup data) ensures that your data is not lost. In this case, we will ensure fastest-possible recovery in accordance with our disaster recovery concept.
Who owns the data?
The customer is and remains the owner and controller of the data within the meaning of art. 24 EU GDPR. In particular, this means that the customer is responsible for respecting the rights of data subjects (chapter 3 of EU GDPR). Personio is the order processor and in this capacity processes your data exclusively at your instruction and for the purposes laid down in the data processing agreement.
What happens to the data if a customer terminates the agreement or Personio goes out of business?
Upon termination of the business relationship, individuals authorized accordingly by the customer can request delivery of the data in a machine-readable format. 30 days after termination of the agreement, the data shall then be irrecoverably deleted. In the unlikely event of Personio going out of business, this procedure remains on principle unchanged, as the customer is the owner of the data and Personio is merely an order processor and can/ will thus not dispose of the personal data in any other way.
Procedure for Verifying Security
How often and by whom is secure processing verified?
For one thing, we run audits of our procedures and our product at regular intervals, generally once a year, in keeping with the legal data protection requirements. The results of these audits are then used to take specific action to further develop our documentation, processes, structures and/ or functionalities, as well as our technical and organizational processes.
Does Personio carry out vulnerability scans or penetration tests?
For another thing, we perform internal vulnerability scans at regular intervals to test our application and infrastructure. In addition, we hire an external service provider on a regular basis to perform penetration tests to examine our systems and applications for errors and weak spots. As the security of our systems and our application as well as the detection of attacks is of utmost importance to us, we rely on secuvera GmbH, an IT-security service provider that is certified by the Federal Office for Information Security (BSI).