Security protocol

We take the protection of your data seriously. And we do everything we can to protect it.

Access Control

Do you offer or support SAML/SSO capabilities for authentication?

• We do provide SSO only for Google Workspace and Microsoft Active Directory

What types of multifactor authentication are supported?

• We do not currently support multiparty authentication at the time but have it in the development pipeline.

How are customer data or processes protected from unauthorized access?

• Customer data are stored at encrypted servers where there is no access from the outside world. We are using VPC (Virtual Private Cloud) where only parts of the application that are in the same network (VPC) have access to them.

What measures do you have in place to prevent unauthorized viewing of information?

• We are using JWT token (with 1-minute expiration) for authentication & authorization purposes. We are using RBAC (Role Based Access Control) in order to be able to provide customers with granularity of authorization

Who at your company can see customer data?

• Only the customer support Admins under direct and personal request granted by customer her /himself

Do you use a multi-tenant server model?

• Yes

What measures do you have to isolate individual tenant systems and data?

• Everything is mapped on an entity called “Company” and every data is associated with it via Foreign keys.

Data protection

What does your data security protocol look like? (Data security protocols, defined as “the software and behavioral rules that guide how employees handle and access data”, provide clear guidelines that demonstrate an organization’s approach to data security. This might include things like SSL certificates, virtual private networks (VPNs), multi-factor authentication (MFA), and more.)

• Customer data are stored at encrypted servers where there is no access from the outside world. We are using VPC (Virtual Private Cloud) where only parts of the application that are in the same network (VPC) have access to them.
• We are using SSL connection for all components of our application

Is your platform externally audited?

• Yes, ISO 27001 Audited at June 2023

Do you work with other third parties to deliver your SaaS solution? If so (and if they have access to your data) then what do their security protocols look like?

• Amazon - Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, cloud infrastructure service provider. The data centres are located in Frankfurt am Main, Federal Republic of Germany.
• HubSpot Ireland Ltd, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Co. Dublin, Ireland(VAT: IE9849471F), Hubspot service for sending mass messages, notifications and customer support (https://legal.hubspot.com/privacy-policy).
• Userflow, Inc. 548 Market St PMB 69598, San Francisco, California 94104-5401, United States, služba UserFlow for sending mass communications, notifications and customer support services (https://userflow.com/policies/privacy, https://userflow.com/policies/userflow-gdpr-dpa.pdf).

1. Smartlook.com, s.r.o. Šumavská 524/31, Brno, CZ 60200, Czech Republic, Reg. no.: 09508830, VAT ID: CZ09508830, Smartlook for analysing user behaviour in the application. (https://help.smartlook.com/en/articles/3244452-privacy-policy)
2. Stripe Technology Europe, Ltd., 25/28 North Wall Quay, Dublin 1, D01H104, ID: 0599050 Služba Stripe for payment gateway services. ( https://stripe.com/en-cz/privacy)
3. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irsko (Registrační číslo: 368047 / DIČ: IE6388047V) - statistics services Google Analytics a Google Tag Manager. (https://policies.google.com/privacy/partners?hl=en).

Do You Store Credit Card Information On Your Server?

• We do not store credit card information on our server. We use Stripe as a payment processor.

What happens in the event of data corruption?

• We restore them from the daily backup automatically (daily backup has isolated storage outside the application itself)

Who Owns This Data if We Stop Using You as a Vendor

• The customer owns the data

What actions do you do to destroy data after it is released by a customer?

• We delete them permanently

When was your last third-party pentest done?

• each month by the 1. day

Disaster recovery

What is/are your disaster recovery plans?

• We have automated recovery plan in comply with https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/plan-for-disaster-recovery-dr.html

Do you perform routine disaster recovery tests?

• Yes

How often are incremental backups made?

• Every 24 hours

How many copies of data do you store and where are they stored?

• We use Amazon Web Services for backups. They are replicating back-ups to be able to achieve 100% recovery rates (https://aws.amazon.com/rds/?p=ft&c=db&z=3)

How far back do the backup copies go?

• 1 month

Have You Ever Had a Security Breach?

• No

How often and how do you test your backup and recovery infrastructure?

• Once half a year

What are your methods for backing up our data? What are offerings to back up data?

• We are backing up recurrently on daily bases all data from our databases & storage. We are using automated back-ups from https://aws.amazon.com/rds/?p=ft&c=db&z=3 to do so

Incident Response

Do you have an incident response plan?

• We have automated recovery plan in comply with https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/plan-for-disaster-recovery-dr.html

Do you include customers in the incident response process?

• Yes

Do you provide reports of attempted or successful breaches of systems, impacts, and actions taken?

• If requested by the customer

Which tasks and incidents remain under the responsibility of the customer?

• If the incident of losing data is caused by the customer itself, it’s the responsibility of the customer. All application is covered by an Audit-Login, which stores details such as:
  • IP address of the executor (person who executes an action)
  • Action name
  • Unique identifier of logged-in person (email)
  • Timestamp of an action
  • Which version of the application has been deployed at the time of the action
  • Which data has been changed and eventually even the diff, what’s been changed to what

Physical Security

How do you assess your employees’ security understanding?

• We don’t have physical servers

Where is your data center, and what physical security measures are in place?

• We use datacenters located in Frankfurt provided by Amazon Web Services. We don’t have access to them

What countries is data stored in - both on your infrastructure and for backups?

• Frankfurt datacenters provided by Amazon Web Services

Regulatory Compliance

Do you comply or plan to comply with privacy regulations (e.g. Privacy Shield, GDPR)?

YES, fully comply.

GDPR

How do you collect personal data?

The subject collecting personal data is the customer (company), which collects and processes personal date of their respective employees.

Why do you collect personal data?

Personal data that are collected by subjects specified above are collected for the sole purpose of managing Human Resources agenda of the employer (company).

What are you using personal data for?

Collected personal data enables employers to plan vacations, schedule shifts, distribute internal documents and process other internal agendas.

How long will you keep the personal data?

As the owner of the data is the employer, the data will be kept in the application storage as long as the customer keeps them. In case of the customer stopping using the application, all data will be erased within 1 month after expiration of the commercial licence.

Do I have any rights?

All users, whose personal data is collected, are guaranteed all the right based on the GDPR regulation, specifically the right to observe, update, and forget.