Technical and organisational measures pursuant to Article 32 of the GDPR

General information

Pursuant to Article 32 of the GDPR, the customer as the controller and Personio as the processor must take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs, the nature, scope, circumstances and purposes of the processing, as well as the different probability and severity of the risk to the rights and freedoms of natural persons.

The customer is responsible for identifying and implementing suitable measures in accordance with Article 24 of the GDPR. Personio advises following the recommendations of relevant guidelines and standards such as ISO/IEC 27002 and the German Federal Office for Information Security.

The measures taken by Personio to ensure the security of processing are listed below. Where necessary, appropriate measures of relevant subcontractors – in particular, with regard to physical security at infrastructure-as-a-service providers and data centre operators – are listed and marked or referred to accordingly.

 

Technical and organisational measures pursuant to Article 32 of the GDPR

Personio has taken the following technical and organisational measures within the meaning of Article 32 of the GDPR in order to ensure encryption, pseudonymisation, confidentiality, integrity, availability, resilience, recoverability and corresponding audit procedures.

Measures to ensure data protection through technology design and data-protection-friendly default settings

Appropriate technical and organisational measures must be taken to comply with the requirements of the GDPR and to ensure, by appropriate default, that only personal data whose processing is necessary for the respective purpose of processing are processed.

Personio already takes the requirements of Article 25 of the GDPR into account during the conception and development phase of product development. This is ensured by the proactive involvement of the legal department, the data protection officer and the IT security engineers. Processes and functionalities are set up in such a way that data protection principles such as legality, transparency, purpose limitation, data minimisation and the security of processing are taken into account at an early stage.

1. Measures to ensure confidentiality

Confidentiality is the protection against unauthorised disclosure of information. Confidential data and information may only be accessible to authorised persons in a permissible manner.

1.1. Organisational management

The aim is to ensure that the internal organisation meets the specific requirements of data protection.

a) Organisational instructions (as per 5 and 6 ISO/IEC 27002:2017)

The objectives of data protection and information security are defined in data protection and information security guidelines and are binding for all Personio employees. In addition, further organisational instructions are implemented to provide employees with specific guidelines for the processing of personal data (e.g. guidelines for home and teleworking or guidelines for the use of IT, internet and email).

b) Appointment of a data protection officer pursuant to Article 37 of the GDPR

The management has appointed a data protection officer. The data protection officer works to ensure compliance with data protection regulations and performs these tasks within the meaning of Article 39 of the GDPR. This includes, among other things, supporting the establishment and further development of a data protection management system, the creation, development and monitoring of relevant guidelines, and the implementation of regular awareness-raising measures.

c) Obligation to maintain confidentiality and data protection

All employees are obliged in writing to maintain confidentiality and data protection as well as to comply with other relevant laws when the employment contract is handed over or at the latest when they start work. The obligation shall continue to apply for the duration of the employment relationship. Freelancers or external service providers are obliged to maintain confidentiality in writing on the basis of non-disclosure agreements (NDAs) and also sign a contract for commissioned data processing if they process personal data on behalf of Personio.

d) Data protection training

Every Personio employee receives information and data protection leaflets and confirms this with their employment contract. In addition, regular training sessions are carried out to raise awareness. Employees from particularly sensitive areas such as HR, product development or customer service also receive special information and training on specific specialist topics if required.

e) Restrictions on personal and business use of communication devices

Personio employees are not permitted to use the company email system for private purposes. Internet and telephone services may only be used privately to a limited extent. Care must be taken to ensure that personal and company data are kept separate. Furthermore, Personio employees are not permitted to process personal data or other data of the customer – in particular from the data processing relationship with the customer’s order – on private communication devices. Personio employees undertake to adhere to the relevant guidelines, the adherence of which is monitored to the extent permissible and necessary.

f) Reliability of staff (as per 7 ISO/IEC 27002:2017)

Personio implements measures before, during and after hiring to ensure the reliability of its employees. This usually includes:

  • Verification and confirmation of the stated academic and professional qualifications

  • Contractual agreements defining responsibilities and rules of conduct

  • Implementation of training, awareness-raising and controlling measures

  • Raising awareness and sanctioning procedures in the event of data protection violations

  • Implementation of a documented off-boarding process (e.g. taking back keys, revoking access rights, ensuring sufficient documentation, surrendering and passing on data, information and knowledge, etc.) upon termination of employment

1.2 Encryption and pseudonymisation of personal data

It is ensured that personal data is only stored in the system in a manner that prevents third parties from identifying the data subject.

a) Key management (as per 10.1.2 ISO/IEC 27002:2017)

Personio implements a policy on the use of cryptographic methods that governs the use, protection and lifespan of keys as well as the use of state-of-the-art encryption methods. The master key is generated under the responsibility of the infrastructure-as-a-service provider, so that neither Personio nor anyone other than responsible AWS staff has access to the key material, which greatly reduces the risk of leakage.

Access to key management is logged and automated and, in the event of specific suspicion, checked for irregularities by authorised Personio staff. The corresponding keys are automatically changed once a year. In addition, the keys are strictly separated by environment (e.g. production encryption keys cannot be used by the staging environment to encrypt or decrypt data).

b) Database and storage encryption

All customer data is encrypted at rest in accordance with current industry standards. Only the systems intended to process the data may use the encryption keys, in line with the principle of least privilege. Backups are only stored in encrypted form.

c) Data transmission via encrypted data networks or tunnel connections (data in transit)

All personal data transmitted by the Personio application to a customer or other platforms via an insecure or public network is transmitted exclusively in encrypted form. This applies in particular to access to the customer and administration system. Personio ensures that a state-of-the-art encryption method is used, subject to the encryption algorithms supported on the customer’s side (currently HTTPS connections, i.e. Transport Layer Security [TLS]; with regard to ‘backward compatibility’, the customer is responsible for using state-of-the-art devices/browsers).

Administrative access to Personio’s server systems and the transmission of backups only takes place via encrypted connections (e.g. Secure Shell (SSH) or Virtual Private Network (VPN)). A VPN connection is used to access customer systems in the context of working from home and teleworking. Only VPN servers that are under the direct control of Personio are used. The use of public VPN providers is not permitted.

d) Encryption of mobile storage media

Mobile storage media on which Personio data is used or processed are only used in encrypted form. This applies in particular to USB sticks, external hard drives, etc. The use of private mobile storage media to store customer data is not permitted in any case.

e) Encryption of storage devices on laptops

All employee laptops are equipped with modern hard drive encryption.

f) Encrypted sharing of information and files

The exchange of information and files between the customer and Personio always takes place directly, in encrypted form, via the Personio application (see c). If personal data or confidential information pertaining to the customer has to be transferred to servers to which it cannot be sent via TLS-encrypted HTTPS uploads, it shall be transferred using Secure File Transfer Protocol (SFTP) or another state-of-the-art encrypted mechanism. The customer is responsible for requesting or providing such secure data transport as required.

g) Email encryption

In principle, all emails sent by Personio employees or within the Personio application are encrypted with TLS. Exceptions may be made if the receiving mail server does not support TLS. The customer must ensure that the mail server used for the order supports TLS encryption. On request, Personio offers the option of sending content in encrypted form (e.g. S/MIME).

1.3 Physical access control

Access by unauthorised persons to the IT system and processing facilities with which the processing is carried out is prohibited.

a) Electronic door locks

The entrance doors to Personio’s offices are always locked and electronically secured. The doors are opened with a personal electronic key.

b) Controlled key distribution

Keys are issued to Personio employees centrally and their distribution is documented. These electronic keys can be deactivated centrally by management or HR.

c) Supervision and accompaniment of strangers

Individuals who do not work for Personio, such as external service providers or other third parties, may only enter the offices with prior permission and accompanied by a Personio employee. A list of visitors is kept up to date.

d) Securing rooms with an increased need for protection

Rooms or cabinets requiring increased protection, such as router rooms, HR offices, cabinets with contract documents, etc., are always locked after use. Access to these premises is granted only to authorised staff. In the non-technical areas, the increased need for protection is determined by a representative from management or jointly by the office IT and the IT security and legal team.

e) Closed doors and windows

Personio ensures that all windows and doors are closed or locked outside of office hours.

f) Physical and environmental security of server systems in data centres

Personio only uses server systems from data centre operators that are certified in accordance with ISO/IEC 27001 and therefore implement appropriate technical and organisational measures for physical and environmental security, such as:

  • The data centre and the systems used there are housed in inconspicuous buildings that are not immediately recognisable as a data centre from the outside.

  • The data centre itself is protected by physical security measures against unauthorised access both from the outside (e.g. fences, walls) and inside the buildings.

  • Access to the data centre is managed by electronic access controls and secured by alarm systems that trigger an alarm when the door is opened or kept open.

  • Access authorisation is issued by an authorised person and revoked within 24 hours of deactivation of an employee or supplier record.

  • All visitors must identify themselves and register and are always accompanied by authorised personnel.

  • Access to these sensitive areas is additionally monitored via video surveillance.

  • Trained security staff monitor the data centre and its immediate surroundings 24 hours a day, seven days a week.

g) Deployment of security staff

An external security service is deployed to secure the premises of the company’s headquarters in Munich. This ensures that no unauthorised persons are on Personio’s premises after the end of regular working hours and that all windows and doors are locked.

1.4 Authorisation check

The use and processing of data protected under data protection law by unauthorised persons is prevented.

a) Use of authentication methods

Personal data is always accessed via encrypted protocols: SSH, SSL/TLS, HTTPS or similar protocols.

i) Authentication procedure for IT system/laptop

  • Authentication with username and password is the minimum security requirement.

  • Depending on the capabilities of the laptop, alternative and secure authentication methods can be activated.

ii) Authentication procedure for customer system

(Customer system = access for administrators and users of the customer)

  • Authentication with an email address

  • Self-selected password (eight characters, numbers, letters and special characters; storage via bcrypt hash, compliance is technically enforced)

  • Password reset via a reset link sent by email

  • Account blocked after five failed login attempts

  • Two-factor authentication possible and recommended

  • In addition, the customer can control authentication and password security by integrating OAuth2

iii) Authentication procedure for admin system

(Admin system = access to customer systems via a user interface for customer service and product development by Personio, if approved by the customer for support purposes)

  • Authentication with email address

  • Two-factor authentication forced:

    • Self-selected password (eight characters, numbers, letters and special characters; storage via bcrypt hash, compliance is technically enforced, a password change is mandated by the team leader every three months)

    • Token generator for authentication

  • Blocking of the admin account after five failed login attempts

iv) Authentication with server/database system

(Server/database system = access to the stored data by the supplier’s product development department)

  • Administrative access via VPN, SSH or AWS API

  • Authentication with SSO (forced MFA)
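As an added illustration of the login rules in ii) and iii) (password composition enforced at registration, salted password hashing, account blocked after five failed attempts) and of the per-attempt log fields under 1.5 f), the following Python model is not Personio’s code: it assumes a constructed in-memory account store and substitutes the standard library’s PBKDF2-HMAC for bcrypt so that it runs without third-party packages.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone

MIN_LENGTH = 8            # eight characters, numbers, letters and special characters
MAX_FAILED_ATTEMPTS = 5   # account blocked after five failed login attempts
PBKDF2_ROUNDS = 100_000   # work factor; PBKDF2 stands in for bcrypt in this example


def password_policy_violations(password: str) -> list:
    """Return the composition rules the password violates (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if not re.search(r"[A-Za-z]", password):
        violations.append("letter")
    if not re.search(r"[0-9]", password):
        violations.append("digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("special")
    return violations


def hash_password(password: str, salt: bytes) -> bytes:
    # The measure names bcrypt; PBKDF2-HMAC-SHA256 from the standard library is
    # used here only so the example runs without third-party packages.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    """Constructed in-memory account store with the controls from ii) and iii)."""

    def __init__(self):
        self.accounts = {}
        self.auth_log = []   # one entry per attempt: timestamp, user ID, IP, result

    def register(self, email: str, password: str) -> Account:
        violations = password_policy_violations(password)
        if violations:
            # compliance is technically enforced: non-compliant passwords are rejected
            raise ValueError("password policy violated: " + ", ".join(violations))
        salt = os.urandom(16)                      # per-account random salt
        account = Account(email, salt, hash_password(password, salt))
        self.accounts[email] = account
        return account

    def _record(self, email: str, ip: str, result: str) -> str:
        self.auth_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user_id": email,
            "ip": ip,
            "result": result,
        })
        return result

    def login(self, email: str, password: str, ip: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked' and log the attempt."""
        account = self.accounts.get(email)
        if account is None:
            # Same answer as for a wrong password, so the response does not
            # reveal whether the address is registered.
            return self._record(email, ip, "bad_credentials")
        if account.locked:
            return self._record(email, ip, "locked")
        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):
            account.failed_attempts = 0            # successful login resets the counter
            return self._record(email, ip, "ok")
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True                  # the fifth failure blocks the account
            return self._record(email, ip, "locked")
        return self._record(email, ip, "bad_credentials")
```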

b) Determination of persons authorised to support and issue instructions 

The customer can use the system settings to determine who is authorised to issue instructions. Individuals authorised to support and issue instructions are assigned using the contact details provided by Personio (e.g. name, email address, telephone number, user ID). Personio’s customer service team is obliged to accept instructions from, and to provide or review information for, only the persons named. For telephone enquiries, the personal telephone PIN stored in Personio must be verified in advance.

c) Use of secure passwords

When assigning and regularly updating secure passwords, the requirements of BSI IT baseline protection or other equivalent, recognised security standards for the Personio account as well as for laptops, computers or other mobile devices must be taken into account (i.e. special characters, minimum length, regular password changes). Personio users are required to take similar measures, including automatic locking in the event of inactivity. The customer is responsible for this.

d) Prohibition of sharing passwords and use of shared accounts

Both Personio users and employees are prohibited from sharing passwords for the use of Personio and using shared accounts for access to customer and administrative systems (i.e. the exclusive use of personal and individual user logins when logging in to the system).

e) Automatic lockout in the event of inactivity

Personio employees are advised to lock their laptops at all times when they are not in use. In addition, an automatic screen lock after three minutes of inactivity is set up. Unlocking requires the authentication procedure described under ‘Authentication procedure for IT system/laptop’.

f) Use of antivirus software

Personio employee laptops and all other company IT systems are equipped with state-of-the-art and up-to-date antivirus software. In principle, computers may not be operated without resident virus protection unless other equivalent security measures have been taken in accordance with the state of the art or there is no risk. Preset security settings must not be deactivated or circumvented.

g) Clean desk policy

Personio employees are instructed not to print out or store personal data of customers, not to leave work materials lying around uncovered and to store them properly. Documents containing personal data must either be stored in lockable cupboards or drawers after use or disposed of in accordance with data protection regulations.

h) Public wireless networks and connection to company network

Public wireless networks are only used over a VPN connection provided by Personio.

1.5 Access control

It shall be ensured that persons authorised to use an automated processing system only have access to the personal data for which they have access authorisation.

a) Role and authorisation concept

i) Role and authorisation concept in the customer system

The contracting entity’s administrators can individually configure a multilevel role concept for assigning rights, differentiating between viewing, suggestion and editing rights for each function or area within Personio for individual users.

ii) Role and authorisation concept in the admin system

Access to the admin system is generally limited to trained employees in customer service and product development. Employees from the sales and finance team only have access via the admin system to customer systems during the free trial phase or to corresponding billing data and are therefore unable to view customer data.

iii) Role and authorisation concept for server/database systems

Access to the server/database system is generally restricted to a limited number of trained employees in product development and infrastructure.

b) Contracting entity’s control of access authorisation for Personio to customer systems

The contracting entity can use the system settings in the customer’s system to decide whether Personio can access the customer’s system. Access authorisation is deactivated by default and can be activated or deactivated at any time by authorised employees of the contracting entity.

c) Assignment of access rights

At Personio, access rights are generally assigned according to the need-to-know principle. This means that access is only given to people who clearly need it and for as long as they need it. The applicant must provide a conclusive justification for the need when submitting the application. The authorisation concept is role-based. In principle, each employee is assigned a specific role. Authorisations deviating from this role must be justified. Access rights are documented centrally and withdrawn by the administrator immediately after the need for access has expired. Access is limited to the minimum necessary privileges. Access to the admin system or server/database system is approved by the management, the management of the infrastructure department or the information security manager and is generally carried out according to the dual-control principle. The administrators and/or the information security manager regularly check whether granted permissions are still required. Superiors are also obliged to apply to IT Administration for a corresponding correction of authorisations if employees change their duties. In the event of employees leaving the company, HR managers immediately inform the administrators or HR of upcoming changes so that the corresponding authorisations can be revoked. If possible, entitlements are revoked within 24 hours of the departure of an employee.

d) Host-based intrusion detection system (IDS)

Personio uses an Intrusion Detection System (IDS). As a minimum, it monitors parameters such as suspicious log entries, signatures of known rootkits and Trojans, anomalies in the device file system and brute-force attacks. All parameters except file system changes are evaluated in real time. File systems are checked at least once a day. In the event of any anomalies, the responsible employees (Operations and Product Development) are notified immediately by email.

e) Network security

Personio’s servers and databases are only used in private subnets without public IPs, which ensures that no services are directly accessible from the internet. Publicly available services are routed via load balancers or bastion hosts, which allow only the protocols and ports required for the respective service. Public resources such as images, JavaScript or CSS files can be deployed via a CDN such as AWS CloudFront. In addition, a web firewall is used to protect against common web exploits and bots that may impair availability or jeopardise security.

f) Logging of processes relating to logging in and logging out

All attempted and successful accesses to administration systems, infrastructure and customer systems are logged. The log entries contain at least: timestamp, user ID, IP address and authentication result. The logs are currently stored for up to one year and made available on request.

1.6 Separability

It is ensured that personal data collected for different purposes can be processed separately and separated from other data and systems in such a way as to prevent unplanned use of such data for other purposes.

a) Separation of development, test and operating environments (as per 12.1.4 ISO/IEC 27002:2017)

Data from the operating environment may only be transferred to test or development environments if it has been completely anonymised prior to transfer. The transmission of the anonymised data must be encrypted or take place via a trustworthy network. Software to be transferred to the operating environment must first be tested in an identical test environment (staging). Programs for error analysis or for creating/compiling software may only be used in the operating environment if this is unavoidable. This is particularly the case when error situations depend on data that would be falsified due to the requirements for anonymisation when transferring to test environments.

b) Separation in networks (as per 13.1.3 ISO/IEC 27002:2017)

Personio separates its networks by tasks. The following networks are permanently used for this purpose: operating environment (production), test environment (staging), office IT employees, office IT guests. In addition to these networks, additional separate networks are created if necessary (e.g. for restore tests and penetration tests). Networks are separated, depending on technical possibilities, either physically or via virtual networks.

c) Client separation on the software side

Personio ensures that data from different contracting entities is processed and stored separately by means of a logical client separation on the basis of a multi-tenancy architecture. Data is allocated and identified by assigning a unique identifier for each contracting entity (e.g. customer number/company ID). The architecture is safeguarded by implementing integration tests, which ensure that no database queries are carried out without query and assignment to this identifier and that the risk of circumventing customer separation due to programming errors is minimised. Regular security audits and binding code reviews (four- to six-eye principle) also safeguard the architecture.
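As an added example (not Personio’s implementation) of the logical client separation described above, the following Python code assumes a constructed SQLite schema in which every table holding customer data carries a `company_id` column, and a connection wrapper that refuses to run any statement on such a table that does not bind the tenant identifier. The same check can be run in integration tests over the application’s statements.

```python
import re
import sqlite3

# Tables that hold customer data; every row carries the tenant's company_id
# (constructed schema for this example).
TENANT_TABLES = ("employees", "documents")
TENANT_PREDICATE = re.compile(r"\bcompany_id\s*=\s*:company_id\b")


class MissingTenantFilter(Exception):
    """Raised when a statement touches tenant data without binding company_id."""


def assert_tenant_scoped(sql: str) -> None:
    """Reject any statement on a tenant table that lacks the company_id predicate."""
    lowered = sql.lower()
    touches_tenant_data = any(re.search(rf"\b{table}\b", lowered) for table in TENANT_TABLES)
    if touches_tenant_data and not TENANT_PREDICATE.search(lowered):
        raise MissingTenantFilter(sql)


class TenantConnection:
    """Connection wrapper: checks every statement, then binds the tenant id."""

    def __init__(self, conn: sqlite3.Connection, company_id: int):
        self.conn = conn
        self.company_id = company_id

    def execute(self, sql: str, params: dict = None) -> sqlite3.Cursor:
        assert_tenant_scoped(sql)
        # The tenant id comes from the authenticated context, never from the caller's params.
        bound = {"company_id": self.company_id, **(params or {})}
        return self.conn.execute(sql, bound)


class EmployeeRepository:
    def __init__(self, tenant_conn: TenantConnection):
        self.tc = tenant_conn

    def list_names(self) -> list:
        rows = self.tc.execute(
            "SELECT name FROM employees WHERE company_id = :company_id ORDER BY id"
        )
        return [row[0] for row in rows]

    def get_name(self, employee_id: int):
        # Looking up by primary key alone would let one tenant read another's
        # record, so the tenant predicate is part of every query.
        row = self.tc.execute(
            "SELECT name FROM employees WHERE company_id = :company_id AND id = :id",
            {"id": employee_id},
        ).fetchone()
        return row[0] if row else None


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE employees (
            id INTEGER PRIMARY KEY,
            company_id INTEGER NOT NULL REFERENCES companies(id),
            name TEXT NOT NULL
        );
        CREATE TABLE documents (
            id INTEGER PRIMARY KEY,
            company_id INTEGER NOT NULL REFERENCES companies(id),
            title TEXT NOT NULL
        );
        INSERT INTO companies VALUES (1, 'Tenant A'), (2, 'Tenant B');
        INSERT INTO employees VALUES (1, 1, 'Alice'), (2, 1, 'Bob'), (3, 2, 'Carol');
        INSERT INTO documents VALUES (1, 2, 'Contract');
    """)
    return conn


def statement_is_rejected(conn: sqlite3.Connection, company_id: int,
                          sql: str, params: dict = None) -> bool:
    """True if the wrapper refuses to run the statement (used by integration tests)."""
    try:
        TenantConnection(conn, company_id).execute(sql, params)
    except MissingTenantFilter:
        return True
    return False
```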

2. Measures to safeguard integrity

Integrity means ensuring the correctness/authenticity of the data and the proper functioning of the systems.

2.1 Transmission control

It is ensured that the confidentiality and integrity of private data are protected during the transmission and transport of the storage media.

a) Transport encryption (data in transit)

See ‘Encryption and pseudonymisation of personal data’; data integrity during transport is ensured by calculating checksums.

b) Prohibition of disclosure to unauthorised third parties

Personal data on behalf of the contracting entity may only be passed on to the extent of the instructions and insofar as this is necessary for the performance of the contractual services for the contracting entity. In particular, the transfer of personal data from the contract to unauthorised third parties (e.g. by storing it in another cloud storage) is not permitted.

2.2 Input control

The aim is to ensure that it is possible to subsequently check and determine which personal data has been entered into or changed in automated processing systems, at what time and by whom.

Logging of system activities in admin and customer systems as well as evaluation

All key system activities are logged. The log entries shall contain at least: timestamp, user ID, access role, IP address, system component or function, activities performed. Activities logged include all input, modification and deletion actions related to data, users, permissions or system settings. The logs are currently stored for up to one year and made available on request.

3. Measures to ensure availability

The availability of services, functions of an IT system, IT applications or IT networks as well as information is given if they can be used for the intended purpose by the users at any time.

3.1 Availability control

It is ensured that personal data is protected against accidental destruction or loss.

a) Data backup procedures/backups

Personio implements a state-of-the-art backup concept for the database with the customer’s data stored on it as well as the storage medium with the corresponding stored documents in order to ensure sufficient availability.

b) Geo-redundancy with respect to the server infrastructure of productive data and backups

In order to ensure geo-redundancy in the event of an unforeseen event, such as a natural disaster, Personio ensures that appropriate spatial separation requirements are met with regard to the server infrastructure of the productive data and backups. This can be ensured by using different data centres at a sufficient distance or data centres with different availability zones. The backup system is designed so that backups are replicated across several AWS EU regions, so the data is not endangered even in the unlikely event of a failure of an AWS region.

c) Capacity management

Capacity management is in place with monitoring and automatic scaling in case of capacity bottlenecks.

d) Warning systems to monitor the availability and condition of server systems

A warning system is in place to monitor the availability and status of the server systems. In the event of outages, the infrastructure department is automatically notified to take immediate action to resolve the problem. An on-call service is in place to ensure availability of critical components outside business hours.

e) IT incident response management (as per 16 ISO/IEC 27002:2017)

Concepts and documented procedures are in place for dealing with malfunctions and security-relevant incidents. This includes, in particular, planning and preparing responses to incidents, procedures for monitoring, identifying and analysing security-relevant incidents, and defining appropriate responsibilities and reporting channels in the event of a personal data breach within the framework of statutory requirements.

f) Further measures to ensure availability in the data centres

An automatic fire detection and firefighting system is installed in the data centre. The fire alarm system uses smoke sensors throughout the data centre environment, in the mechanical and electrical areas of the infrastructure, in the cooling rooms and in the rooms where the generators are located.

All power supply systems are designed to be redundant. In the event of a power failure, an uninterruptible power supply (UPS) ensures that critical areas of the system continue to be supplied with power. The data centre also has generators that can supply the entire system with emergency power. The data centre is air-conditioned and temperature-controlled. Preventive maintenance is carried out to ensure continuous operation.

3.2 Restorability

It is ensured that systems can be reliably recovered in the event of a physical or technical failure.

Disaster recovery concept

There is a concept for dealing with emergencies/disasters and a corresponding contingency plan. Personio ensures the recovery of all systems based on data backups, usually within 24 hours (recovery time objective – RTO). The recovery point objective (RPO) is set at 24 hours.

4. Monitoring and evaluation measures

Description of the procedures for regularly reviewing, assessing and evaluating the effectiveness of technical and organisational measures.

a) Data Protection and Information Security Team

A Data Protection and Information Security Team (DST) has been established to plan, implement, evaluate and adapt measures in the area of data protection and data security.

b) Risk management

As part of Personio’s data protection and information security management system, there is a process for analysing, evaluating and assigning risks, for deriving measures based on these risks, and for regularly evaluating the effectiveness of these measures.

c) Independent review of information security (as per 18.2.1 ISO/IEC 27002:2017)

i) Conducting audits

Internal audits on data protection and information security are carried out on a regular basis, whereby the auditor’s independence (e.g. from another area or externally) is ensured. The audits are carried out on the basis of common inspection criteria/schemes (in particular, statutory requirements of the GDPR, security standards, etc.) and, in particular, check the completeness and correctness of policies and concepts as well as the documentation and adherence to corresponding processes.

ii) Verification of compliance with security policies and standards (as per 18.2.2 ISO/IEC 27002:2017)

Compliance with applicable security policies, standards and other security requirements is regularly monitored when processing personal data. As far as possible, this is done randomly and unexpectedly.

iii) Verification of compliance with technical specifications (as per 18.2.3 ISO/IEC 27002:2017)

The IT security manager or other qualified members of staff routinely perform automated and manual vulnerability scans to verify the security of applications and infrastructure and of ongoing product development. If necessary, detailed penetration tests are carried out by an external service provider in order to examine applications and infrastructure specifically for vulnerabilities.

iv) Procedures for continuously improving the data protection and information security management system

The data protection and information security processes also include a regular review and evaluation of the technical and organisational measures taken. There is also an improvement and suggestion system in which employees can participate. In this way, Personio continuously improves the processes involved in handling personal data.

d) Contract monitoring

It is ensured that personal data processed on behalf of the customer can only be processed in accordance with the customer’s instructions.

i) Data processing

Personio employees are instructed to use the contracting entity’s personal data only on documented instructions within the scope of the Data Processing Agreement and the User Agreement. Pursuant to the Data Processing Agreement, Personio shall receive instructions from the contracting entity both in writing and in electronic formats offered by the supplier. Verbal instructions are only permissible in urgent cases and must be confirmed by the contracting entity without delay in writing or in an electronic format offered by Personio.

ii) Careful selection of suppliers

In the event of outsourcing, suppliers/third parties are engaged on the basis of a careful selection process in cooperation with the Information Security Officer, the Data Protection Officer and the Legal Department in accordance with defined criteria, particularly regarding data protection and IT security, and in particular:

  • Verification of documentation and compliance with technical and organisational measures pursuant to Article 32 of the GDPR

  • Depending on the level of protection and scope of personal data, only ISO/IEC 27001-certified companies are commissioned (in all cases, this applies to data centres)

To prevent risks, the process also performs a risk assessment for the respective suppliers if the third party regularly works with personal data.

iii) Data processing pursuant to Article 28 of the GDPR

A subcontractor shall only be engaged in accordance with the Data Processing Agreement between Personio and the customer, the statutory provisions and upon conclusion of a corresponding Data Processing Agreement between Personio and the subcontractor pursuant to Article 28 of the GDPR. This agreement shall, as far as possible, take into account at least the following aspects:

  • Agreement on effective control rights (corresponding to the rights of the contracting entity, possibly including on-the-spot checks)

  • Agreement on corresponding control and information rights when engaging further subcontractors

  • Agreement on contractual penalties for violations, if necessary and possible

  • Exclusive processing according to documented instructions

  • Exclusion of impermissible processing steps

  • Prohibition of making copies of personal data (except backup copies)

  • Obligation of the employees of the subcontractor to maintain confidentiality

  • Participation in safeguarding the rights of data subjects

  • Appointment of a data protection officer if required by law

  • Duty to provide information in the event of reportable breaches of the protection of personal data pursuant to Article 33 and Article 34 of the GDPR, in the event of operational disruptions and other irregularities in the handling of personal data

  • Ensuring deletion/destruction of data after completion of the order

iv) Carrying out regular checks/requesting evidence

Personio shall verify or obtain evidence of compliance with the technical and organisational measures of its subcontractors prior to the start of the assignment and regularly thereafter.

 

Version 09-2022