Security Centre

At HRLocker we know the importance of your company data; that is why we take this responsibility very seriously. We are committed to providing our customers with the most up-to-date security and privacy protections.

HRLocker recognises that through the day-to-day operation of its business, we have an impact on our internal and external environment. Also, we ensure that due consideration is given to the potential impact that Information Security aspects may have on the operation of our core processes. As a result, HRLocker has established this Information Security Policy Statement, to communicate awareness and understanding of Information Security aspects throughout the business.

Information Security Leadership at HRLocker has appointed Phil Byrne of Mentor Consulting to develop and implement company initiatives to help us achieve our Information Security goals. Their role will also involve communicating HRLocker policies to all interested parties through the delivery of internal presentations and promoting awareness externally as appropriate. Information Security aspects are considered at our weekly management meetings.

While HRLocker ensures that all personnel consider process-related Information Security impacts, we have also identified the following aspects for attention:

1) HRLocker ensures that we meet relevant regulatory requirements and minimise any adverse Information Security effects caused by our activities,

2) That we raise awareness, provide knowledge and support to employees on Information Security management,

3) Give training on the importance of protecting business and customer information throughout our business,

4) Promote awareness of Information Security objectives,

5) Regularly review our Information Security practices and policy in accordance with the principles of ISO 27001, to which we are certified,

6) Establish performance objectives, targets and management programmes to achieve these.

Risk assessments are carried out with the overall objective of managing the Confidentiality, Integrity and Availability of company information and systems.

HRLocker has implemented an Internal Audit Programme to ensure that the ongoing suitability, conformity and continual improvement of the management system is assured. The management system has the full support of all interested parties. All operational and support processes are within the scope of the management system. All personnel participate in regular internal audits of the processes in which they are involved. The resulting document is audited externally as part of our certification for ISO 27001.

Information Security Policy (ISO 27001)

It is the policy of HRLocker to provide products and services that always meet and, where possible, exceed our business objectives and customer requirements, based on the following precepts:

1) The requirements of our customers are collected effectively to ensure that HRLocker is capable of achieving customer expectations,

2) The requirements of all interested parties are clearly understood so that our products and services can be delivered in a timely and professional manner,

3) All processes employed by HRLocker to deliver our products and services are determined, resourced appropriately, documented, monitored and measured to ensure conformance to customer requirements, business objectives, and any applicable industry regulations and legislation,

4) All HRLocker employees are competent for their area of work through academic achievement, training and experience, where appropriate,

5) Effective mechanisms are in place to monitor and measure customer satisfaction so that HRLocker achieves its commitment to continual improvement.

To provide for this policy, HRLocker has established a management system in compliance with our certification to the ISO 9001 Standard. The management system is an integral part of our process management and the organization is dedicated to its continual improvement by:

6) Providing clear focus on priorities by establishing business and quality objectives, which are reviewed periodically through the management review process,

7) Making available the necessary resources to ensure that the management system remains effective in achieving business and quality objectives, conforming to the requirements of our ISO 9001 Standard certification,

8) Top management’s participation in the monitoring and measurement of the performance of the management system is focused on providing an effective framework for acting on opportunities for continual improvement.

HRLocker has implemented an Internal Audit Programme to ensure that the ongoing suitability, conformity and continual improvement of the management system is assured. The management system has the full support of all interested parties. All operational and support processes are within the scope of the management system. All personnel participate in regular internal audits of the processes in which they are involved. The resulting document is audited externally as part of our certification for ISO 27001.

Quality Policy Statement

HRLocker has implemented this policy statement to provide guidance to all interested parties on our approach to managing personal information throughout our organization, with full consideration for our obligation toward relevant data protection legislation, including EU-GDPR.

The company management system has been developed to include appropriate measures determined by the ISO 27001 Standard, to which we are certified.

Where appropriate, HRLocker has determined specific mechanisms to control how personal data is managed throughout operational and support processes, based on the following precepts with consideration for Article 5 of the GDPR directive (Principles relating to the processing of personal data):

1) Personal information is only gathered for the legitimate purposes of our business, including where necessary, legal and regulatory purposes.

2) Only the minimum amount of information necessary for effective operations is processed.

3) HRLocker ensures that we only process relevant and adequate personal information throughout operations.

4) Personal information is processed in a fair and lawful manner.

5) HRLocker maintains an inventory of categories of personal information processed by the organisation.

6) All personal information is kept accurate and up-to-date.

7) Personal information is only retained for as long as is necessary for legal or regulatory reasons or for legitimate organisational purposes and HRLocker then ensures its timely and appropriate disposal.

8) In all circumstances, the rights of natural persons to their personal information are respected.

9) Adequate resources are allocated to ensuring that all personal information is processed and stored by HRLocker in a secure operational environment.

10) The transfer of personal information outside our national boundary is only done in circumstances where it can be adequately protected.

11) Where we provide our goods and services to EU citizens across national boundaries, HRLocker ensures that appropriate regulatory aspects are addressed.

12) HRLocker does not currently carry out any operations where the application of the various exemptions allowable by data protection legislation is required.

13) We have developed our management system to provide for the formal management of personal information, which provides for all measures documented herein.

14) HRLocker has identified internal and external interested parties and the degree to which they are involved in the governance of the organisation’s management system relevant to personal information.

15) Top management has appointed management representatives with specific responsibility and accountability for personal information within the management system.

16) Appropriate records of processing of personal information are maintained throughout operations.

HRLocker has implemented an Internal Audit Programme to ensure that the ongoing suitability, conformity and continual improvement of the management system is assured. The management system complies with ISO 27001 and is subject to regular external audits in order to maintain our certification to this standard. The management system has the full support of all interested parties. All operational and support processes are within the scope of this management system. All personnel have been provided with a copy of this document.

Data Protection Policy Statement

Some of the most topical questions we are asked at the moment are, understandably, regarding HR and GDPR (General Data Protection Regulation).

First of all, it’s important to clarify that no HR or recruitment software solution will ensure you’re instantly Compliant on how you handle employee data – or manage consent. Outside of the integrity of the supplier and their security standards and data storage locations, it is your policies, not your system that will ensure Compliance. But, dependent on their infrastructure, many HR systems will assist you greatly in meeting requirements in line with the right policies being defined. HR professionals are obviously concerned about the impact the GDPR will have on People Management and Talent Acquisition. There are plenty of checklists online, official guidelines (UK and Ireland) and infinite pages of advice or legal notes.

So, how will HRLocker help you meet your obligations?

  • EU Data Centres: HRLocker – and HIRELocker, our Applicant Tracking System – are only hosted within the data centres located in the European Union.
  • HRLocker uses the Microsoft Azure platform to securely store your data in Europe (Multiple Data Centre locations for extra backup and redundancy). We are happy to supply further documentation on our Information Security (IS) infrastructure and standards.
  • Wider Information Security Standards: HRLocker is in the process of preparing for an audit of the latest, enhanced ISO 27001 standard. This ensures the highest possible levels of wider data security that both includes and goes beyond the GDPR specifications.
  • Tools for the job: HRLocker does not make you Compliant – but it is an ideal instrument to help you ensure diligence and manage data appropriately.
  • HRLocker Privacy Policy
  • HRLocker Terms and Conditions Inc. Data Agreement and Policy Information

Some extra points to consider:

Think beyond GDPR

You should check in your region about extra legislative requirements on data retention. This might include data retention laws on what information you’re obliged to keep on terminated employees for wider legal reasons that might otherwise contrast or supersede ‘general’ GDPR commitments that might be more appropriate to marketing or less specific business issues. For example, with HR software systems that have a strong element of employee self-service in how they manage their personal contact details and similar data – is it reasonable to keep next-of-kin records following a team member’s exit from the organisation?

Perhaps it could be if there is a life insurance policy or pension attached to a deceased team member that can benefit their partner or spouse. Another example is construction workers. In some jurisdictions, former workers’ records must be held indefinitely, in case they were ever in contact with asbestos. So such an organisation needs to retain their records but likely does not have a need to retain its receptionist’s data. Again, this is you meeting your relevant policies and obligations to be widely Compliant, not the system. The system just enables this customisation to your specific case. HRLocker allows you to trim down information retained to just tangible or legal reasons – and demonstrate that in ‘one bucket’.

Setting your policies

Ultimately it is your policies meeting regulations that will make you Compliant. Let’s take recruitment and retention of data for CVs you receive as an example. How long should you keep applicant details following a job application? What is a realistic and justifiable period to retain this information in line with your recruitment pipeline’s lifecycle? Only you can define this, not the system.

Do you inform applicants what your policies are – and why? (E.g., you might state in an automated response to applicants that you like to keep CVs for future or alternative opportunities you may have – and request their consent.) HIRELocker is secure and will satisfy auditors relating to security standards. But you will only be GDPR Compliant if you have the right policy – for appropriate reason and purpose – on how long you store the data. (If you are concerned about policy setting and Best Practices, please note that HRLocker offers First-Call HR Support on Professional price plans upwards. We are happy to assist you with setting up processes and are always interested to hear your business case.)

The HRLocker system is fit for purpose, but you have to define the policy template for retention periods – and why they are set to whatever period you agree and declare. So, if you have a request to delete data, it’s easy to manage and demonstrate diligent handling and purging of data with a cloud solution like HIRELocker or HRLocker. If you have disparate records in multiple systems and/or cannot refer to a supplier’s Information Security Standards, then you are leaving yourself – and your data subjects’ personal details – subject to vulnerability.

How HRLocker handles data

During a customer’s lifetime as an HRLocker client, HRLocker will act responsibly as both a data controller and processor. HRLocker will never delete the client’s data – until an account is terminated – and then all data is deleted permanently from the system (although we will retain information such as that customer account’s financials to meet our own record-keeping duties). Therefore it’s your responsibility to manage the data held within the system, and to remove it and manage it responsibly once you have extracted it.

In summary

HRLocker will not make you Compliant. Only you can do that by setting the appropriate policies. But HRLocker gives you all the tools to manage data responsibly and demonstrate your levels of accountability and our integrity as a supplier. All data is stored in the EU.

Microsoft Azure has the most comprehensive compliance coverage of any cloud provider.

1) More certificates than any other cloud provider.

2) Industry leader for customer advocacy and privacy protection.

3) Unique data residency guarantees.

Data is stored, per the customer’s request, in the EU or the UK: in Microsoft Azure cloud data centres in the Republic of Ireland or in the UK.

Yes, of course. Firstly, Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes; we also conduct our own penetration testing in sync with this.

General Data Protection Regulation (GDPR) is the most significant change to European Union (EU) privacy law in two decades. 

This replaced the Data Protection Directive (DPD) that came into force in 1995 when web technology was in its infancy, before the arrival of cloud services and the proliferation of mobile devices.

In the UK the 1998 Data Protection Act (DPA) is in similar need of replacement as technology has evolved.

Many aspects of the DPD (and DPA) are now obsolete so new legislation is being passed to protect EU citizens and their data from being exploited.

GDPR requires organisations to respect and protect personal data – no matter where it is sent, processed or stored.

It imposes new rules on companies, non-profits, government agencies and other organisations that offer goods and services to people in the EU.

This is an important step forward for individual privacy rights by giving EU residents greater control over their personal data and removing ambiguity about the definition of personal data.

GDPR will impact all organisations and each industry will face its own unique challenges with regards to data protection.

The costs of non-compliance are significant in terms of reputation damage and financial penalties that could be as much as 4% of annual turnover or €20m.

While there is currently uncertainty surrounding some of the detail and the implications of GDPR, this much we do know:

GDPR was first adopted in May 2016 with a 2 year transition period to give organisations time to bring themselves into compliance.

This applies to all organisations handling the data of EU citizens and GDPR regulation will apply from 25 May 2018.

Given the ramifications of this directive, organisations are urged to begin reviewing their privacy and data management practices now.

Controlling who has access to personal data has always been crucial and is now even more of a priority in the context of GDPR compliance.

HRLocker controls include granting users access permissions, making it easy to control who has access to information.

HRLocker prevents unauthorised access by controlling permissions and by making privileges easy to revoke.

Using HRLocker is a significant step towards being GDPR compliant. Each organisation is responsible for managing its own data, but more will depend on the capability of organisations to manage their own information and which systems they use to do this.

Being ISO 27001 certified means HRLocker has established and adheres to internationally recognised standards for implementing, maintaining, and continuously improving an information security management system, ensuring the confidentiality, integrity, and availability of sensitive data.

HRLocker ISO 27001 (NSAI)
HRLocker ISO 27001 (IQNET)

Being ISO 9001 certified signifies that HRLocker follows globally accepted standards for establishing and upholding a quality management system, focusing on consistent processes, continuous improvement, and meeting customer expectations to deliver high-quality products or services.

HRLocker ISO 9001 (NSAI)
HRLocker ISO 9001 (IQNET)

To ensure no inconsistent or additional terms are imposed on us beyond that reflected in our standard DPA and model clauses, we cannot agree to sign customers’ DPAs.

As a small team, we also can’t make individual changes to our DPA since we don’t have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back-and-forth discussion that would be cost-prohibitive for our team.

We must ensure that we are properly flowing down our obligations to our subprocessors and so compliance must be a tightly managed routine, which we are unable to deviate from.

Please download our DPA below.
Data Protection Agreement

A Service Level Agreement (SLA) is a formal agreement that outlines the specific expectations, responsibilities, and performance metrics between a service provider and their customer, ensuring clear communication and accountability for the quality and delivery of services.

Please download our SLA below.

Service Level Agreement

At HRLocker, we work with trusted partners to provide secure and efficient services to our customers. Below is a list of subprocessors who may process customer data on our behalf:

1. Microsoft Azure

  • Purpose: Hosting and storage of HRLocker’s platform and customer data.
  • Data Location: EU-based data centres.

2. HubSpot

  • Purpose: CRM and marketing automation to manage customer relationships and communications.
  • Data Location: EU or US, depending on customer configuration (HRLocker uses EU hosting).

3. Lead Forensics

  • Purpose: Website analytics to track visitor behaviour and provide insights into potential customer interactions.
  • Data Location: Processes IP addresses and behavioural data, with GDPR-compliant safeguards.

At HRLocker, protecting your data is our priority. We are committed to maintaining the highest standards of data protection and information security. Our practices are designed to comply with the General Data Protection Regulation (GDPR) and align with ISO 27001 standards. Below is an overview of the Technical and Organisational Measures (TOMs) we implement to safeguard personal and business data.

1. Access Control

  • Role-based access controls ensure only authorised personnel can access systems and data.
  • Multi-factor authentication (MFA) adds an extra layer of protection.
  • Access rights are regularly reviewed and monitored.

2. Data Encryption

  • All sensitive data is encrypted at rest and in transit using industry-standard methods.
  • Backups are securely stored in EU-based data centres.

3. Network and Systems Security

  • Firewalls and intrusion detection systems are in place to protect our network.
  • Anti-malware tools are deployed and updated regularly.
  • Regular vulnerability scans and system updates are conducted.

4. Data Minimisation and Retention

  • We only collect data that is necessary for specific business purposes.
  • Data is securely deleted after it is no longer required, in line with retention policies.

5. Physical Security

  • Restricted access to secure locations such as server rooms and offices.
  • Surveillance systems monitor access to physical premises.

6. Data Breach Response

  • Incident response plans are in place to detect, contain, and mitigate breaches.
  • Breaches are escalated internally to the Incident Response Team, which assesses the impact and implements corrective actions.
  • Affected parties and regulators are notified within 72 hours, as required by GDPR.

7. Data Breach Communication

  • Notifications to affected parties include:
    • Nature of the breach.
    • Types of data affected.
    • Mitigation steps taken.
    • Contact details for further inquiries.
  • Notifications are sent via email or phone, depending on the urgency and impact of the breach.

8. Employee Awareness and Training

  • Employees receive regular training on GDPR, data privacy, and security best practices.
  • Confidentiality agreements are signed by all staff.

9. Subprocessor Management

  • We use trusted partners like Microsoft Azure (EU data centres) and HubSpot, ensuring their compliance with GDPR.
  • Subprocessor practices are regularly audited.

10. Monitoring and Audit

  • Continuous monitoring of systems and activity logs ensures proactive risk management.
  • Internal and external audits are conducted in line with ISO 27001 standards.

11. Data Protection Impact Assessments (DPIAs)

  • DPIAs are conducted for high-risk processing activities to identify and mitigate risks.

12. Business Continuity and Disaster Recovery

  • Comprehensive backup and disaster recovery plans are tested regularly.
  • Systems include redundancy and failover mechanisms to ensure availability.

Commitment to Data Protection

HRLocker ensures all subprocessors comply with GDPR and other relevant data protection laws. We continuously review our partnerships to maintain the highest standards of security and privacy. These measures are continuously reviewed and improved to adapt to evolving security challenges and regulations.

For more information, please contact our Data Protection Officer at support@hrlocker.com.

Download our Data Protection Impact Assessment Below

Data Protection Impact Assessment

Ensuring Operational Resilience
HRLocker has implemented comprehensive business continuity and disaster recovery measures to ensure uninterrupted service and data protection.

Key highlights:

  • Data Backups:
    • Incremental backups occur every 15 minutes to capture changes in real time.
    • Full backups are conducted daily and stored securely in ISO 27001-certified Microsoft Azure EU data centres.
    • Backup retention policies comply with GDPR, with data retained for 30 days for disaster recovery purposes.
  • Redundancy Systems:
    • Geographically distributed servers within the EU ensure high availability and eliminate single points of failure.
  • Disaster Recovery Testing:
    • Recovery procedures are tested periodically to validate recovery time objectives (RTOs) and recovery point objectives (RPOs).
  • Client Notification:
    • In the event of a major disruption, HRLocker promptly informs clients through email and platform updates, including estimated resolution times.

Protecting Data with Advanced Encryption
HRLocker employs robust encryption to safeguard client data:

  • Data in Transit: Encrypted using HTTPS with TLS 1.2/1.3 protocols, preventing interception during transmission.
  • Data at Rest: Protected with AES-256 encryption, a widely recognized standard for safeguarding stored data.
  • Encryption Key Management: Encryption keys are securely managed, stored, and rotated in compliance with industry best practices.

Proactively Identifying and Mitigating Risks
HRLocker regularly conducts penetration testing to identify and remediate potential vulnerabilities:

  • Frequency: Annual penetration tests and additional tests following significant system updates.
  • Scope: Includes application layers, APIs, and infrastructure.
  • Remediation: Vulnerabilities are assessed, prioritized, and resolved promptly.

Empowering Clients with Security Controls
HRLocker’s platform provides tools for clients to manage security and compliance effectively:

  • Role-Based Access Control (RBAC): Granular permissions ensure users access only the data they are authorized to view.
  • Audit Trails: Comprehensive logs track user activity and changes to data, supporting accountability and transparency.
  • Session Management: Automatic session timeouts enhance access security.

These tools allow clients to align the use of HRLocker with their internal security and compliance requirements.

Data Stored Exclusively in the EU
HRLocker processes and stores all client data within the EU, ensuring compliance with GDPR data residency requirements.

  • No Transfers Outside the EU: All data is securely hosted in ISO 27001-certified Microsoft Azure EU data centres.
  • Vendor Compliance: HRLocker works only with GDPR-compliant third-party vendors, such as Microsoft Azure.

Building a Culture of Security and Quality
HRLocker prioritizes continuous training to ensure employees uphold security and quality standards:

  • Annual Training: Covers GDPR principles, ISO 27001 requirements, and secure data handling practices.
  • Role-Specific Training: Technical teams receive specialized training on incident response, secure coding, and encryption protocols.
  • Simulated Threat Testing: Regular phishing simulations test and improve staff awareness of evolving security risks.

Proven Commitment to Security and Quality
HRLocker is certified under:

  • ISO 27001: Demonstrating adherence to global standards for information security management.
  • ISO 9001: Ensuring consistent delivery of high-quality services.

Certifications are regularly audited by accredited external assessors to maintain compliance and drive continuous improvement.

Rapid Detection and Resolution
HRLocker’s Incident Response Plan (IRP) is designed to minimize the impact of security incidents on clients.

Key highlights:

  • 24/7 Monitoring: Automated systems track activity and detect potential threats in real time.
  • Incident Escalation: Incidents are triaged based on severity and escalated to a dedicated response team for immediate resolution.
  • Breach Notification:
    • HRLocker notifies affected clients within 72 hours of detecting a personal data breach, as required by GDPR.
    • Notifications include details about the breach, data affected, actions taken, and client recommendations.
  • Post-Incident Review: Following resolution, HRLocker conducts a root cause analysis to prevent recurrence and integrates lessons learned into security practices.

Ensuring Security and Quality Through Regular Reviews
HRLocker undergoes regular internal and external audits to ensure compliance with ISO 27001 and ISO 9001:

  • Internal Audits: Conducted quarterly to evaluate adherence to internal controls and policies.
  • External Audits: Annual reviews by external auditors validate compliance with ISO standards and drive improvements.

Empowering Clients with Confidence
HRLocker believes in transparency and provides clients with:

  • Comprehensive Documentation: Access to security policies, terms of service, and data processing agreements.
  • Knowledge Sharing: Educational resources and updates on security best practices.
  • Dedicated Support: A security team available to address client concerns and provide guidance.