Security and Trust
Personio Trust Center
Data protection and information security are at the core of Personio’s products and services. Protecting your data and earning your trust is pivotal for us.
It is with our customers in mind that we implement a comprehensive security program and a wide array of controls, policies and third party assurance, including ISO 27001 certification, to keep your most sensitive data safe and sound. It also means that we continually work on enforcing these measures, keeping us in line with the latest industry standards, European data processing regulations, and global security threats.
Personio's Trust Center provides you with all the latest information on the security, reliability, privacy, and compliance of our products and services.
1. Product Security
Personio has a series of checks and balances implemented at every point of our product’s journey, which we collectively call our Secure Software Development Lifecycle or SSDLC. Our SSDLC helps us discover security vulnerabilities both proactively and retroactively, and of course drive them to resolution.
1.1 Secure Software Development Lifecycle (SSDLC)
Personio’s SSDLC follows security industry best practices to implement a series of checks across any services, software components, code and libraries used at Personio.
Some of the SSDLC checks include:
4- to 6-eye reviews of production changes
Software Composition Analysis (SCA)
Static Application Security Testing (SAST)
Formal reviews by Security Engineers
1.2 Recurring Security Testing
In addition to our own internal vulnerability scans, we regularly engage with external security service providers to perform penetration tests, examining our systems and applications for errors and weak spots.
As the security of our systems and our application, as well as the detection of attacks, are of utmost importance to us, we rely on Cobalt, an award-winning IT-security service provider, to perform external penetration tests and security assessments of our products.
1.3 Secure by Design
Access Controls
All Personio customer accounts are created with industry best practices in mind. There are no default user accounts, and no setup steps are required to consider the instance “secure” out of the box.
That said, we provide Personio administrators with the controls they need to align Personio settings with their organization's security policies and compliance needs.
Whether it's setting up Single Sign On (SSO) authentication to integrate with your Identity Provider, enabling 2-Factor Authentication (2FA / MFA), setting a Password Policy or defining Role-based Access Control and Permissions (RBAC) for your employees, we've got you covered.
Audit Log
To ensure our customers are able to stay on top of any and all activity on the application, Personio has logging enabled by default, which is accessible through the Audit Logging feature. The Audit Log displays events for personal information, payroll, access rights, and more. We're continuing to add events to improve the Audit Log. For more information, please visit the Audit Log page in our Help Center.
1.4 Bug Bounty Program
At Personio we take the security of our platform and customer data very seriously. Therefore, we would like to reward those who help us improve our overall security posture by identifying vulnerabilities in our product.
Our Security Team knows that a solid Bug Bounty Program helps build customer trust in our platform and holds our platform to the highest of standards, so we have partnered with Intigriti to host and operate our Bug Bounty Program.
In order to participate, head to our Bug Bounty program page.
From there, you may review our bounty terms and scope, and safely share findings with the team.
2. Compliance
At its core, Personio processes and manages sensitive information. This includes employee salary data, absence reports, personal documents and internal requests, just to name a few. Personio has been creating its product with data security top of mind, using multiple programs to develop a series of robust security controls.
Controls are designed and implemented at Personio with industry best practice and international standards top of mind. Personio is ISO 27001 certified and compliance is validated by an independent third-party audit firm on an annual basis. Personio also works closely with key decision-makers and committees from across the Data Protection and IT Security industries, holding memberships with the Society for Data Protection and Data Security e.V., the Alliance for Cyber Security and Bitkom e.V.
2.1 GDPR
Personio complies with the essential requirements of the EU GDPR, ensuring data protection is by-design and always-on across Personio’s application, infrastructure, and organisation.
Privacy and Data Protection
Personio employs the services of Bitkom Servicegesellschaft mbH as our Data Protection Officers. Bitkom, one of the leading consultancies in Germany for the digital economy, regularly audits Personio’s compliance with data privacy requirements.
Click here for the Reference Letter (DE 🇩🇪) of Bitkom’s appointment as Data Protection Officer
Click here to see Bitkom’s Audit Report (DE 🇩🇪) of Personio’s Privacy Policy
Data Subject Rights
Personio supports our customers in respecting the rights of data subjects – namely the right to request erasure of personal details, and the rights of access and data portability. We allow Personio customers to delete applicants’ data either automatically or on demand, and provide the option to export, block access to or securely delete employee data.
With Personio’s self-service approach, employees are given direct access to their own digital personnel file at all times. In addition, employees can back up or export their own data from the staff list in a machine-readable format, as well as download any documents that they've personally added.
Beyond that, we make sure that the application, the underlying infrastructure, and our organisational structure are robustly equipped to meet the requirements of the EU GDPR.
2.2 Data Subprocessors
Your Personio account provides you with a list of all third-party subprocessors which process personal data. This list includes the subprocessors, as well as categories of data processed and the location in which data is processed. Note that each Personio account may have a different list, depending on which integrations are enabled. Refer to our Help Center for more information on accessing the list of your subprocessors.
You can also refer to Personio’s general Privacy Policy for a list of 3rd party processors which Personio uses:
Privacy Policy | Personio (EN 🇬🇧)
Datenschutzerklärung | Personio (DE 🇩🇪)
2.3 Contractual Commitments
Technical and Organisational Measures (TOMs)
Personio has published a set of Technical and Organisational Measures or TOMs, which lay out the binding commitments made to customers in regards to the security of their data. See our Help Center for more information on downloading our TOMs.
Data Processing Agreement
Personio maintains a Data Processing Agreement or DPA in relation to customer data which defines the categories of data processed, its retention, and deletion. See our Help Center for more information on downloading your DPA.
2.4 ISO/IEC 27001
Personio is ISO/IEC 27001:2013 certified and independent compliance audits are carried out on an annual basis.
Personio’s ISMS encompasses business activities relating to the provision, operation, maintenance and management of the Personio SaaS HR Platform and defines requirements for all Personio personnel (employees, contractors, freelancers), third party suppliers and systems that create, maintain, store, access, process or transmit information within:
Personio’s product and development department (PTech), and
limited to the main product development locations Munich (HQ), Madrid and Dublin.
Please click here to see our certificate.
3. Security Policies
Personio actively maintains a collection of data security and privacy policies, which help drive every step we take, keeping our customers first and foremost in our minds. We live and breathe these policies, so our customers can rest assured that their most sensitive data is in safe hands here at Personio.
These policies are shared with each and every staff member who joins Personio, as open and transparent communication is part of our Personio Code, driving who we are as a company and how we work together. We also take steps to regularly refresh our policies and share those updates across Personio. We work day in and day out to safely enable new ways of working, such as PersonioFlex, while remaining in line with industry standards and best practices, and to confront an ever-evolving threat landscape.
All policies here are owned by the Security Team, and stakeholders in the IT, Legal, and Engineering departments are informed, to ensure alignment across the business. These policies collectively ensure Personio holds itself to the highest standards, namely the EU’s General Data Protection Regulation or GDPR, as well as compliance with ISO 27001 certification.
| Policy | Information |
|---|---|
| Information Security Policy | Personio’s Information Security Policy establishes high-level principles that define the organisation's commitment to information security. These principles serve as a foundation for implementing and managing an effective Information Security Management System (ISMS). It outlines Personio’s roles and responsibilities, information security objectives, control measures, and data protection practices in place at Personio. It is reviewed by the Executive Management Team on a regular basis, and ensures compliance with best industry practices. |
| Data Protection Policy | Data Protection is at the core of our company’s DNA. All staff are trained on our policies during onboarding. The Data Protection Policy includes several components which direct staff on how to safely handle and process sensitive data. |
| Access Control Policy | Personio’s Access Control Policy ensures that access to information and systems is granted based on business needs and aligned with organizational objectives and security requirements. It encompasses user access management by overseeing user lifecycle processes (registration, modification, and revocation of access rights) and conducting regular reviews to minimize unauthorized access and data breaches. Users are responsible for protecting their credentials, managing passwords, reporting security incidents, and adhering to the policy. The policy also includes technical controls for systems and applications, utilizing authentication mechanisms including MFA, access control lists, and session management to restrict access to authorized users only. |
| Acceptable Use Policy | As part of our Information Security Management System (ISMS), the Acceptable Use Policy guides Personio staff on how to safely and securely use our systems, networks, and devices in compliance with best industry practices. |
| Physical Security Policy | Our Physical Security Policy focuses on protecting physical access to information and systems by establishing secure areas with controlled access to prevent unauthorized entry. This involves implementing access control systems, CCTV, on-site surveillance, and physical barriers to safeguard sensitive areas. Additionally, the policy addresses equipment security by ensuring that equipment is secured in fixed locations, protected during transportation, and maintained under proper environmental conditions to prevent theft, damage, and unauthorized access. |
| Incident Management Policy | Effective incident management helps organisations respond to and recover from security incidents. Personio’s Incident Management Policy involves establishing incident response procedures, defining roles and responsibilities, and implementing measures to prevent and mitigate the impact of incidents. It also includes reviewing incidents to identify lessons learned and improve security practices. In case of a data breach, Personio will immediately notify and support the Data Controller in accordance with our GDPR obligations and defined Technical and Organizational Measures (TOMs). See our Help Center for more information on downloading our TOMs. |
4. Infrastructure Security
Like any modern SaaS app, Personio runs in the cloud. We know that Personio also hosts your business’s most sensitive data. As such, the team develops and enforces a Cloud Security Standard and implements a suite of controls across our infrastructure, ensuring those standards are enforced at all times and keeping your data secure.
4.1 Perimeter Security
Personio's Security Team implements a diverse stack of Intrusion Detection technologies and methods to safeguard all our infrastructure, including our customers' data. We base our Intrusion Detection and Prevention capabilities on a combination of Web Application Firewalls, Cloud Threat Detection platforms, Endpoint Protection agents, and custom monitoring tools deployed across our infrastructure and server fleet. These tools are operated and monitored by the Security Engineering team, which uses both automated and manual analysis of event data to provide end-to-end monitoring of all Personio infrastructure.
4.2 Data Encryption
Encryption in Transit
All data that is transferred via insecure networks is encrypted during the transfer using Transport Layer Security (TLS) with strong cipher suites. We also use methods such as HTTP Strict Transport Security (HSTS) to further ensure that the integrity of encrypted channels is maintained. You may use freely available tools like Qualys' SSL Labs and Security Headers to verify the TLS ciphers and algorithms offered by Personio sites and services.
Encryption at Rest
All Personio customer data is encrypted at rest using AWS KMS encryption for S3 storage, production databases, and database backups. The encryption algorithm used is AES-256. All passwords are specifically encrypted using strong encryption algorithms and methods such as salting to further protect against offline attacks.
4.3 Tenant Isolation
Personio ensures the separate processing and storage of data from different clients via a logical client separation based on a multi-tenancy architecture. The assignment and identification of the data takes place via the assignment of a unique identifier for each client (e.g. customer number or "Company ID").
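The paragraph above describes logical tenant separation keyed on a unique client identifier. The following is an added example, not Personio's code, of one way to make that rule unavoidable in application code: a repository object is bound to the tenant id taken from the authenticated session, and every SQL statement it issues carries that id, so a record id on its own can never reach another client's row. The table, the `company_id` column name and the rows are constructed for the example; it uses SQLite in memory so it runs offline.

```python
"""Tenant-scoped data access: every query is bound to one company id.

Added example (not Personio's code); schema and rows are constructed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows for two tenants (100 and 200)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        " id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,"
        " name TEXT NOT NULL, salary INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?)",
        [(1, 100, "Alice", 50000), (2, 100, "Bob", 52000), (3, 200, "Carol", 61000)],
    )
    return conn


def lookup_by_id_only(conn: sqlite3.Connection, employee_id: int):
    """The anti-pattern: id alone selects the row, whatever tenant owns it."""
    row = conn.execute("SELECT name FROM employees WHERE id = ?", (employee_id,)).fetchone()
    return None if row is None else row[0]


class TenantRepository:
    """All reads and writes are bound to the tenant fixed at construction.

    The company id comes from the authenticated session, never from request
    parameters, so a caller cannot substitute another tenant's id.
    """

    def __init__(self, conn: sqlite3.Connection, company_id: int):
        self.conn = conn
        self.company_id = company_id

    def get_employee(self, employee_id: int):
        # The tenant predicate is part of the statement, not left to the caller.
        row = self.conn.execute(
            "SELECT id, name, salary FROM employees WHERE id = ? AND company_id = ?",
            (employee_id, self.company_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "name": row[1], "salary": row[2]}

    def list_employees(self) -> list:
        rows = self.conn.execute(
            "SELECT name FROM employees WHERE company_id = ? ORDER BY id", (self.company_id,)
        ).fetchall()
        return [r[0] for r in rows]

    def update_salary(self, employee_id: int, salary: int) -> int:
        """Return the number of rows changed: 0 when the row is not this tenant's."""
        cur = self.conn.execute(
            "UPDATE employees SET salary = ? WHERE id = ? AND company_id = ?",
            (salary, employee_id, self.company_id),
        )
        return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    tenant_100 = TenantRepository(db, 100)
    print(lookup_by_id_only(db, 3))        # Carol: unscoped lookup crosses tenants
    print(tenant_100.get_employee(3))      # None: scoped lookup does not
    print(tenant_100.update_salary(3, 1))  # 0 rows changed
```

Returning `None` or a zero row count, rather than a distinct "belongs to another tenant" error, also avoids confirming to a caller that a given id exists at all.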
4.4 Disaster Recovery
Personio has documented Disaster Recovery Plans or DRP in place, to ensure your data is always available, even following the most severe of outages. You may refer to our Technical and Organizational Measures (TOMs) for more information about our DRP.
Further Reading
You can also gain insights into how our systems are deployed to safeguard your data with our AWS Data Security Brochure:
5. Getting in Touch
5.1 Product Security Questions
If you are an existing Personio customer, or simply giving Personio a try, we are here for all your security-related questions and concerns. Personio’s Security Team knows the drill and we are prepared to help answer any questions your IT, Security, and Privacy teams might have about our products.
In order to request more information, Personio customers can raise a request using Personio Support Q&A, including the details of how we can assist.
If you are in the process of becoming a new Personio Customer and you are in contact with a sales person already, please reach out to them directly. We’ll be happy to support.
If you haven’t been in contact with our Sales Team yet, you may reach out to our Personio pre-sales team (sales@personio.com) to get in touch with us.
5.2 Security Incidents
To report a suspected or confirmed Security Incident regarding a Personio account, please use Support Q&A with a summary of what’s occurred.
Please include as much detail as you can, so our team can dive right in to start investigating. Our Security Team loves the details – dates and times, user IDs, URLs, and screenshots are all really helpful to us.
Our Customer Experience team will work with us to resolve the matter for you swiftly.
5.3 Security Vulnerabilities
Our Security Team knows that a solid Bug Bounty Program helps build customer trust in our platform and holds our platform to the highest of standards, so we have partnered with Intigriti to create our Bug Bounty Program.
In order to participate, head to our Bug Bounty program page.
From there, you may review our bounty terms and scope, and safely share findings with the team.