The security of your data is our top priority. HR Acuity's servers are hosted in geographically distributed Tier IV Microsoft Azure data centers that comply with SSAE-16 and ISO 27001 standards.
Security processes are an integral part of our application development cycle ensuring the safety of your data. In addition to our own internal processes, HR Acuity retains third-party security experts to perform detailed penetration tests on a regular basis.
All customer data stored in HR Acuity is encrypted at rest using Transparent Data Encryption (TDE). In addition, any communications with HR Acuity servers over public networks are secured via industry best-practice HTTPS and Transport Layer Security (TLS).
Role- and user-based permissions ensure that access to case information is available when needed while still maintaining the confidentiality required for sensitive data. Configurable criteria ensure your company remains in compliance with GDPR regulations.
HR Acuity partners with Microsoft Azure to provide our data hosting infrastructure at its Tier IV SSAE-16 and ISO 27001 compliant facilities. Data center facilities are powered by redundant power, each with UPS and backup generators.
The Microsoft data center facilities feature a secured perimeter with multilevel security zones, 24/7 manned security, video surveillance, multifactor identification with biometric access control, physical locks, and security breach alarms.
HR Acuity currently leverages Microsoft Azure data centers in the United States.
Control over our software development process is key to producing quality software, and security is a critical subset of that quality. That is why all development follows the HR Acuity Secure Software Development Lifecycle (S-SDLC), which was designed and adopted to ensure that the software HR Acuity produces meets compliance requirements and is free, to the greatest extent possible, of software security defects that may expose sensitive data.
Our system engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and HR Acuity security controls.
QA engineers review and test our code base. Test cases that identify security vulnerabilities in code must pass before the HR Acuity application is deployed to production servers.
Testing and UAT environments are separated physically and logically from the production environment. No actual client data is used in the development or test environments.
HR Acuity's S-SDLC uses an Agile/Scrum process for managing system development activity and has implemented change management and version control software to ensure that all system development changes are sourced from authorized requesters, validated, and prioritized based on business, technical, and security impact. In addition, all changes deployed are tracked for revision control.
Our network is protected by redundant firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and network intrusion detection and/or prevention technologies (IDS/IPS) that monitor and/or block malicious traffic and network attacks.
Our network security architecture consists of multiple security zones. DMZs separate the internet from our internal network and, internally, separate the different zones of trust from one another.
At appropriate stages in the life cycle, vulnerability scans are performed to identify noncompliance or potential vulnerabilities. At higher-level milestones (at least annually, or with any major release, whichever comes first), penetration tests are performed at the application level by a qualified third-party information security expert using both automated and manual testing techniques.
Access to the HR Acuity database is restricted on an explicit need-to-know basis, follows the principle of least privilege, and is frequently audited and monitored. In addition, employees with such access privileges are required to use multi-factor authentication.
Our globally distributed security team is on call 24/7 to respond to security alerts and events. Employees are trained on the security incident response process, including communication channels and escalation paths, so that system alerts are handled consistently.
Communications between users and HR Acuity over public networks are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS).
All client data stored in HR Acuity is encrypted at rest using Transparent Data Encryption (TDE)/AD.
HR Acuity has put in place network redundancies to eliminate single points of failure. Client data is actively replicated across primary and secondary DR systems and facilities.
Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster.
Users can sign in to the HR Acuity application using authenticated credentials or SSO login. User provisioning and permissioning are managed by our clients.
Single sign-on (SSO) allows you to authenticate users in HR Acuity without requiring them to enter additional login credentials. We partner with Ping One to enable SSO login for our clients via Security Assertion Markup Language (SAML).
HR Acuity provides clients the option to define their password change frequency and password reuse policy. Password length and password strength requirements are defined based upon industry best practices. In addition, all password reset links are time-based and expire after a single use or after a fixed period, whichever comes first.
HR Acuity user credentials are stored in the database using the bcrypt password-hashing algorithm.
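The two controls described above, a slow salted password hash for stored credentials and reset links that die after one use or a fixed lifetime, are illustrated below with an added example. This is not HR Acuity's code; the class and function names, the 15-minute lifetime, and the in-memory token table are constructed for illustration. Because bcrypt is not in the Python standard library, `hashlib.scrypt` (another memory-hard password hash) stands in for it here; a production system using bcrypt would swap the two hashing functions and keep the rest unchanged.

```python
"""Salted password hashing plus one-time, time-limited reset tokens.

Added illustration, not HR Acuity's code. bcrypt is not in the standard
library, so hashlib.scrypt stands in for it. PasswordStore, ResetTokens
and RESET_TTL_SECONDS are names and values constructed for this example.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost parameters (16 MiB of memory)
SALT_LEN = 16
RESET_TTL_SECONDS = 15 * 60                    # constructed policy: links live 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest. A fresh random salt is drawn per password so two
    users with the same password get different stored values."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, digest)


class ResetTokens:
    """Issues password-reset tokens that expire after one use or after
    RESET_TTL_SECONDS. Only a SHA-256 of each token is kept server-side,
    so a leaked token table cannot be replayed as working links."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable for testing
        self._pending: Dict[str, Tuple[str, float]] = {}   # token_hash -> (user, issued_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        """Return the secret token to embed in the reset link sent to the user."""
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = (user, self._clock())
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user the token belongs to, or None if it is unknown,
        already used, or older than RESET_TTL_SECONDS. The pop() makes the
        token single-use whether or not the time check passes."""
        record = self._pending.pop(self._fingerprint(token), None)
        if record is None:
            return None
        user, issued_at = record
        if self._clock() - issued_at > RESET_TTL_SECONDS:
            return None
        return user


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", stored))
    tokens = ResetTokens()
    link = tokens.issue("alice@example.com")       # constructed sample user
    print("first redeem:", tokens.redeem(link))    # the user
    print("second redeem:", tokens.redeem(link))   # None: single use
```

Two design points worth noting: the server never stores the reset token itself, only its hash, so a database read does not hand out live links; and the token is removed from the table before the expiry check, so an expired token cannot be retried and a used token cannot be replayed inside its lifetime.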
Authorized HR Acuity Users are provided with multi-level permissions based upon user and role credentials. The flexible role-based authorization process is governed by each client to ensure data is secure and only made available to those who require access to it.