Security and Trust
Personio Trust Center
Data protection and information security are at the core of Personio’s products and services. Protecting your data and earning your trust is pivotal for us.
It is with our customers in mind that we implement a comprehensive security program and a wide array of controls, policies and third party assurance, including ISO 27001 certification, to keep your most sensitive data safe and sound. It also means that we continually work on enforcing these measures, keeping us in line with the latest industry standards, European data processing regulations, and global security threats.
Personio's Trust Center provides you with all the latest information on the security, reliability, privacy, and compliance of our products and services.
1. Product Security
Personio has a series of checks and balances implemented along every point of our product’s journey, which we collectively call our Secure Software Development Lifecycle or SSDLC. Our SSDLC helps both proactively and retroactively discover security vulnerabilities, and of course drive them to resolution.
1.1 Secure Software Development Lifecycle (SSDLC)
Personio’s SSDLC follows security industry best practices to implement a series of checks across any services, software components, code and libraries used at Personio.
Some of the SSDLC checks include:
4- to 6-eye reviews of production changes
Software Composition Analysis (SCA)
Static Application Security Testing (SAST)
Formal reviews by Security Engineers
1.2. Recurring Security Testing
In addition to our own internal vulnerability scans, we regularly engage with external security service providers to perform penetration tests, examining our systems and applications for errors and weak spots.
As the security of our systems and our application, as well as the detection of attacks, are of utmost importance to us, we rely on Cobalt, an award-winning IT-security service provider, to perform external penetration tests and security assessments of our products.
1.3 Secure by Design
All Personio customer accounts are created with industry best practices in mind. There are no default user accounts or setup steps to take to consider the instance “secure” out-of-the-box.
That said, we provide Personio administrators with the controls they need to align Personio settings and with their organization's security policies and compliance needs.
Whether it's setting up Single Sign On (SSO) authentication to integrate with your Identity Provider, enabling 2-Factor Authentication (2FA / MFA), setting a Password Policy or defining Role-based Access Control and Permissions (RBAC) for your employees, we've got you covered.
1.4 Bug Bounty Program
At Personio we take the security of our platform and customer data very seriously. Therefore, we would like to reward those who help us improve our overall security posture by identifying vulnerabilities in our product.
Our Security Team knows that a solid Bug Bounty Program helps build customer trust in our platform and hold our platform up to the highest of standards, so we have partnered with Intigriti to host and operate our Bug Bounty Program.
In order to participate, head to our Bug Bounty program page.
From there, you may review our bounty terms and scope, and safely share findings with the team.
2. Compliance
At its core, Personio processes and manages sensitive information. This includes employee salary data, absence reports, personal documents and internal requests, just to name a few. Personio has been creating its product with data security top of mind, using multiple programs to develop a series of robust security controls.
Controls are designed and implemented at Personio with industry best practice and international standards at top of mind. Personio is ISO 27001 certified and compliance is validated by an independent third-party audit firm on an annual basis. Personio also works closely with key decision-makers and committees from across the Data Protection and IT Security industries, holding memberships with the Society for Data Protection and Data Security eV, the Alliance for Cyber Security and Bitkom eV.
2.1 GDPR
Personio complies with the essential requirements of the EU GDPR, ensuring data protection is by-design and always-on across Personio’s application, infrastructure, and organisation.
Privacy and Data Protection
Personio employs the services of Bitkom Servicegesellschaft mbH as our Data Protection Officers. Bitkom, one of the leading consultancies in Germany for the digital economy, regularly audits Personio’s compliance with data privacy requirements.
Click here for the Reference Letter (DE 🇩🇪) of Bitkom’s appointment as Data Protection Officer
Click here to see Bitkom’s Audit Report (DE 🇩🇪) of Personio’s Privacy Policy
Data Subject Rights
Personio supports our customers in respecting the rights of data subjects – namely the right to request erasure of personal details, the rights of access and data portability. We allow Personio customers to delete applicants’ data either automatically or on-demand, as well as an option to export, block access to or securely delete employee data.
With Personio’s self-service approach, employees are given direct access to their own digital personnel file at all times. In addition, employees can backup or export their own data from the staff list in a machine-readable format as well as download any documents that they've personally added.
Nevertheless, we make sure that the application, the underlying infrastructure, and our organisational structure are robustly equipped to meet the requirements of the EU GDPR.
2.2 Data Subprocessors
Your Personio account provides you with a list of all third-party subprocessors which process personal data. This list includes the subprocessors, as well as categories of data processed and the location in which data is processed. Note that each Personio account may have a different list, depending on which integrations are enabled. Refer to our Help Center for more information on accessing the list of your subprocessors.
You can also refer to Personio’s general Privacy Policy for a list of 3rd party processors which Personio uses:
Privacy Policy | Personio (EN 🇬🇧)
Datenschutzerklärung | Personio (DE 🇩🇪)
2.3 Contractual Commitments
Technical and Organisational Measures (TOMs)
Personio has published a set of Technical and Organisational Measures or TOMs, which lay out the binding commitments made to customers in regards to the security of their data. See our Help Center for more information on downloading our TOMs.
Data Processing Agreement
Personio maintains a Data Processing Agreement or DPA in relation to customer data which defines the categories of data processed, its retention, and deletion. See our Help Center for more information on downloading your DPA.
2.4 ISO/IEC 27001
Personio is ISO/IEC 27001:2013 certified and independent compliance audits are carried out on an annual basis.
Personio’s ISMS encompasses business activities relating to the provision, operation, maintenance and management of the Personio SaaS HR Platform and defines requirements for all Personio personnel (employees, contractors, freelancers), third party suppliers and systems that create, maintain, store, access, process or transmit information within:
Personio’s product and development department (PTech), and
Limited to the main product development locations Munich (HQ), Madrid and Dublin.
Please click here to see our certificate.
3. Security Policies
Personio actively maintains a collection of data security and privacy policies, which help drive every step we take, keeping our customers first and foremost in our minds. We live and breath these policies, so our customers can rest assured that their most sensitive data is trusted here at Personio.
These policies are shared with each and every staff member who joins Personio, as open and transparent communication are part of our Personio Code, driving who we are as a company and how we work together. We also take steps to regularly refresh our policies and share those updates across Personio. We work day in and day out to safely enable new ways of working such as PersonioFlex, remain in line with industry standards and best practices, and to confront an ever-evolving threat landscape.
All policies here are owned by the Security Team and reviewed by stakeholders in IT, Legal, and Engineering departments to ensure alignment across the business. These policies collectively ensure Personio’s hold themselves to the highest standards, namely the EU’s General Data Protection Regulation or GDPR.
Policy | Information |
---|---|
Data Protection Policy | Personio’s Data Protection Policy is at the core of our company DNA. All staff are trained on our policies during onboarding. This policy includes several components which help staff know how to safely handle and process sensitive data. |
Acceptable Use Policy | As part of our Data Protection Policy, Personio guides its staff on how to safely and securely use our systems, networks, and devices. |
Bring Your Own Device (BYOD) Policy | As part of the Data Protection Policy, Personio employees may use their own devices in certain situations, but all customer-facing operations are conducted with Personio-managed devices. All devices and accesses are tracked, regardless of type, as part of a “zero trust” approach to protecting our customer data. |
Remote Work Policy | We have specific guidelines on how to safely work at home or while traveling, as part of PersonioFlex. This enables our colleagues to safely do their best work – whether or not they are in a Personio office – without sacrificing any of our security or privacy controls. |
Incident Response Plan | Personio has a well-oiled Incident Response plan which informs how our company responds to unexpected events of all shapes and sizes. It is of the utmost importance for us to respond swiftly and thoroughly, especially where customer data may be concerned. Our Security Incident Response Plan kicks in when customer data has been or may be compromised. The Security Team provides our investigative expertise and additional oversight to the Incident Response team, to ensure Industry Best Practices are always followed and all regulatory obligations are met. In case of a data breach, Personio will immediately notify and support the Data Controller in accordance with our GDPR obligations and defined Technical and Organizational Measures (TOMs). |
4. Infrastructure Security
Like any modern SaaS app, Personio runs in the cloud. We know that Personio also hosts your business’s most sensitive data. As such, the team develops and enforces a Cloud Security Standard and implements a suite of controls across our infrastructure, ensuring those standards are enforced at all times and keeping your data secure.
4.1 Perimeter Security
Personio's Security Team implements a diverse stack of Intrusion Detection technologies and methods to safeguard all our infrastructure, including our customers' data. We base our Intrusion Detection and Prevention capabilities on a combination of Web Application Firewalls, Cloud Threat Detection platforms, Endpoint Protection agents, and custom monitoring tools deployed across our infrastructure and server fleet. These tools are operated and monitored by the Security Engineering team, which uses both automated and manual analysis of event data to provide end-to-end monitoring of all Personio infrastructure.
4.2 Data Encryption
Encryption in Transit
All data that is transferred via insecure networks is encrypted during the transfer using Transport Layer Security (TLS) with strong cipher suites. We also use methods such as HTTP Strict Transport Security (HSTS) to further ensure the integrity of encrypted channels are maintained. You may use freely available tools like Qualys' SSL Labs and Security Headers to verify the TLS ciphers and algorithms offered by Personio sites and services.
Encryption at Rest
All Personio customer data is encrypted at rest using AWS KMS encryption for S3 storage, production databases, and database backups. The encryption algorithm used is AES 256. All passwords are specifically encrypted using strong encryption algorithms and methods such as salting to further protect against offline attacks.
4.3 Tenant Isolation
Personio ensures the separate processing and storage of data from different clients via a logical client separation based on a multi-tenancy architecture. The assignment and identification of the data takes place via the assignment of a unique identifier for each client (e.g. customer number or "Company ID").
4.4 Disaster Recovery
Personio has documented Disaster Recovery Plans or DRP in place, to ensure your data is always available, even following the most severe of outages. You may refer to our Technical and Organizational Measures (TOMs) for more information about our DRP.
Further Reading
You can also gain insights into how our systems are deployed to safeguard your data with our AWS Data Security Brochure:
5. Getting in Touch
5.1 Product Security Questions
If you are an existing Personio customer, or simply giving Personio a try, we are here for all your security-related questions and concerns. Personio’s Security Team knows the drill and we are prepared to help answer any questions your IT, Security, and Privacy teams might have about our products.
In order to request more information, Personio customers can raise a request using Personio Support Q&A, including the details of how we can assist.
If you are in the process of becoming a new Personio Customer and you are in contact with a sales person already, please reach out to them directly. We’ll be happy to support.
If you haven’t been in contact with our Sales Team yet, you may reach out to our Personio pre-sales team (sales@personio.com) to get in touch with us.
5.2 Security Incidents
To report a suspected or confirmed Security Incident regarding a Personio account, please use Support Q&A with a summary of what’s occurred.
Please include as much detail as you can, so our team can dive right in to start investigating. Our Security Team loves the details – dates and times, user IDs, URLs, and screenshots are all really helpful to us.
Our Customer Experience team will work with us to resolve the matter for you swiftly.
5.3 Security Vulnerabilities
Our Security Team knows that a solid Bug Bounty Program helps build customer trust in our platform and hold our platform up to the highest of standards, so we have partnered with Intigriti to create our Bug Bounty Program.
In order to participate, head to our Bug Bounty program page.
From there, you may review our bounty terms and scope, and safely share findings with the team.