EmployeeConnect | Trust Center
EmployeeConnect Trust Centre
Our Trust Centre sets out how we protect your information: how we handle your data, the security controls we use to defend it, and how we meet the legal and industry-specific regulations and ISO standards that apply to HR technology. We recognise that the confidentiality, integrity, and availability of your data are essential. Our commitment to ISO standards reflects a systematic approach to information security management. The Trust Centre is more than a repository of documents; it is how we earn and retain your trust in our solutions. We invite you to explore this page to understand how we secure your data and support your HR operations.
Certifications

Compliance

ISO 27001

Resources

PenTest Report

Acceptable Use Policy

Security Incident Policy

BYOD Policy

Encryption and Key Management Policy

Remote Work Policy

Risk Assessment and Treatment Policy

Information Security Policy

Physical Security Policy

Monitoring

Continuously monitored by Secureframe
FAQs

EmployeeConnect's approach to data storage is region-specific, ensuring compliance with local data residency and sovereignty laws. For our Australian clients, all data is securely stored within Azure's Australia regions, aligning with the Australian Privacy Principles (APPs) and the Privacy Act 1988 (Cth). This commitment to regional compliance is mirrored for our clients in Hong Kong, where their data is stored in Azure's Hong Kong regions, adhering to the respective local data protection regulations. By utilizing Azure data centers located in these specific regions, we guarantee that our data storage practices meet the highest standards of legal and regulatory compliance, providing our clients with the assurance that their personal information is managed with utmost care and security.
EmployeeConnect conducts a rigorous data backup routine, which includes hourly backups that are retained for 14 days, ensuring near real-time data recovery capabilities. Additionally, we perform weekly backups, which are kept for a duration of 6 weeks, and monthly backups that are maintained for 6 months. For long-term data retention and historical reference, we archive 6-month snapshots of SQL databases, preserving these records for up to 2 years. This multi-tiered backup strategy is designed to provide comprehensive data protection and quick restoration in various scenarios, from recent data loss to more significant historical data recovery needs.
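The tiered schedule above is easy to misread as "hourly recovery points for two years"; what it actually guarantees is a recovery point that gets coarser with age. The following Python script is an added example and not EmployeeConnect's own tooling. Its bucket boundaries (calendar hour, ISO week, calendar month, calendar half-year) and its 183-day and 731-day approximations of six months and two years are assumptions; the snapshot history it runs on is constructed. It applies the stated retention windows to that history and reports what is kept, what is pruned, and the worst-case gap between retained recovery points.

```python
"""Snapshot retention planner for a tiered hourly/weekly/monthly/half-yearly schedule.

Added example (not EmployeeConnect's own tooling). Bucket keys and the
183-day / 731-day window lengths are this example's assumptions.
"""
from datetime import datetime, timedelta


def _hour_key(ts):
    return (ts.year, ts.month, ts.day, ts.hour)


def _week_key(ts):
    year, week, _ = ts.isocalendar()
    return (year, week)


def _month_key(ts):
    return (ts.year, ts.month)


def _half_year_key(ts):
    return (ts.year, 1 if ts.month <= 6 else 2)


# (tier name, bucket key, how far back the tier reaches). Within each window the
# newest snapshot in every bucket is kept; one snapshot may be kept by several tiers.
TIERS = (
    ("hourly", _hour_key, timedelta(days=14)),
    ("weekly", _week_key, timedelta(weeks=6)),
    ("monthly", _month_key, timedelta(days=183)),         # assumption: 6 months ~ 183 days
    ("half-yearly", _half_year_key, timedelta(days=731)), # assumption: 2 years ~ 731 days
)


def select_retained(snapshots, now):
    """Map each retained snapshot timestamp to the set of tier names that keep it."""
    retained = {}
    for name, key_fn, window in TIERS:
        cutoff = now - window
        newest = {}
        for ts in snapshots:
            if ts > now or ts < cutoff:
                continue
            key = key_fn(ts)
            if key not in newest or ts > newest[key]:
                newest[key] = ts
        for ts in newest.values():
            retained.setdefault(ts, set()).add(name)
    return retained


def prune_plan(snapshots, now):
    """Return (keep, delete), each sorted oldest first; future-dated entries are ignored."""
    retained = select_retained(snapshots, now)
    keep = sorted(ts for ts in snapshots if ts in retained)
    delete = sorted(ts for ts in snapshots if ts <= now and ts not in retained)
    return keep, delete


def largest_gap(points, start, end):
    """Worst-case data loss: the largest gap between consecutive points in [start, end]."""
    pts = sorted(ts for ts in points if start <= ts <= end)
    if len(pts) < 2:
        return None
    return max(b - a for a, b in zip(pts, pts[1:]))


def hourly_snapshots(now, days):
    """Constructed input: one snapshot on every hour for the given number of days up to now."""
    return [now - timedelta(hours=h) for h in range(days * 24 + 1)]


def demo(now=datetime(2024, 3, 31, 12, 0), days=800):
    """Run the planner over a constructed hourly history and summarise the outcome."""
    snaps = hourly_snapshots(now, days)
    retained = select_retained(snaps, now)
    keep, delete = prune_plan(snaps, now)
    gap = largest_gap(keep, now - timedelta(weeks=6), now)
    return {
        "total": len(snaps),
        "kept": len(keep),
        "recent_kept": sum(1 for ts in keep if ts >= now - timedelta(days=14)),
        "oldest_kept": keep[0].isoformat(),
        "oldest_pruned": delete[0].isoformat(),
        "gap_6w_hours": gap / timedelta(hours=1),
        "tiers": {ts.isoformat(): sorted(t) for ts, t in retained.items()},
    }


if __name__ == "__main__":
    result = demo()
    print(f"{result['total']} snapshots -> keep {result['kept']}")
    print("oldest recovery point:", result["oldest_kept"])
    print("largest gap inside the 6-week window (hours):", result["gap_6w_hours"])
```

Two things the schedule alone does not make obvious fall out of running this: a snapshot taken 20 days ago survives only if it is the newest one in its ISO week, so the worst-case gap inside the six-week window is a full seven days; and the oldest retained point is a half-year boundary, not the two-year cutoff itself. Checking these against what the restore tests (below, under Availability) actually exercise is the question a reviewer should ask.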
We understand the importance of data sovereignty, particularly for our customers who operate under strict regulatory requirements regarding where their data is processed and stored. By keeping Australian customers' data within the Australian jurisdiction, we provide the assurance that their data is subject to Australian law and standards and is not transferred internationally without compliance with legal requirements. Our data management policies are designed to respect and align with the data protection laws applicable in the regions we operate. This includes adherence to the Notifiable Data Breaches (NDB) scheme, which requires us to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about any data breach that is likely to result in serious harm. In addition to complying with local data protection laws, we conduct regular audits and reviews of our data handling practices to ensure ongoing compliance with data residency requirements. Our team is dedicated to upholding the highest standards of data security and privacy for our customers. For further details on our data management practices or to inquire about specific data protection requirements, please contact our support team.
EmployeeConnect rigorously protects customer data, utilizing Azure's secure data centers in Australia to adhere to strict data residency and sovereignty requirements. Our data security strategy includes robust encryption for data at rest and in transit, and we enforce stringent access controls in alignment with the Essential Eight Maturity Model, ensuring that only authorized personnel can access sensitive information. This approach is further enhanced by incorporating OWASP Top 10 security risks into our application development and maintenance processes, which helps us proactively address common web application security vulnerabilities. Our commitment to data security is reinforced by compliance with international standards such as ISO 27001 and SOC 2 Type II, and we conduct regular independent audits, including reviews for patch application effectiveness as recommended in the Essential Eight. Proactive incident response planning is a critical part of our strategy to quickly and effectively manage data breaches. We foster a culture of security awareness within our team, which includes training aligned with the 'User Application Hardening' aspect of the Essential Eight and OWASP guidelines. Privacy by design principles are integrated into every stage of our product development, ensuring that customer privacy is a foundational component. We practice data minimization and provide our customers with robust tools for data management, reflecting our commitment to maintaining strong data governance and control.
EmployeeConnect has a robust incident response plan for handling security breaches, which is activated immediately upon detection of a potential incident. Our system employs advanced monitoring tools to swiftly identify unusual activities. Once a breach is detected, the first step is containment, where affected systems may be isolated to prevent further damage. Following containment, a thorough investigation is conducted to assess the scope and impact of the breach. This involves collecting and analyzing data to understand the breach's nature and origin. After understanding the incident, remediation actions are taken to fix vulnerabilities and prevent future occurrences. Throughout this process, we maintain transparent communication with all stakeholders, including customers and regulatory authorities, as required by law. Post-incident, a detailed analysis is performed to refine our security measures and response strategies. Employee training is continuously updated to include learnings from the incident, ensuring enhanced preparedness for future scenarios. This comprehensive approach ensures that EmployeeConnect not only addresses the immediate concerns of a security breach but also strengthens its overall security posture against future threats.
EmployeeConnect manages access control to customer data by implementing stringent user authentication measures, including multi-factor authentication (MFA), to verify the identity of users accessing the system. We rigorously apply the principle of least privilege, ensuring that employees and users are granted only the minimum levels of access necessary for their role-specific tasks.
We offer Single Sign-On (SSO) to streamline user authentication and enhance security. We primarily recommend Azure Active Directory (Azure AD, now Microsoft Entra ID) for SSO integration, leveraging its security features and its integration with our systems. We also support Okta, a widely used identity provider, giving our clients the flexibility to choose the SSO solution that best fits their organisational requirements and existing IT infrastructure.

Subprocessors

Subprocessor (purpose): vendor location; attestations. The location is the subprocessor's home country, not the Azure region in which customer data is hosted; hosting regions are described in the FAQ above.

Azure: USA; ISO 27001, SOC 2, GDPR
Office 365: USA; ISO 27001, SOC 2, GDPR
KeyPay: AU; ISO 27001, GDPR
Slack (Communication): USA; ISO 27001, SOC 2, GDPR
Zoho Projects (Project Management): AUS; ISO 27001, ISO 9001, SOC 1, SOC 2, GDPR
Trello (Product Roadmap): USA; ISO 27001, SOC 2, GDPR
ActiveCampaign (CRM/Marketing): USA; ISO 27001, SOC 2, GDPR
Google Analytics (Analytics): USA; ISO 27001, SOC 2, GDPR
SentinelOne (Security): USA; SOC 2, FedRAMP, AU IRAP

Trust Centre - Security Updates
Security Updates

ISO 27001 Certification Due Q1 2024

EmployeeConnect is targeting ISO 27001 certification in the first quarter of 2024. ISO/IEC 27001 certification is an independent audit of an organisation's information security management system (ISMS): the scope, risk assessment, control set and management review behind the policies listed on this page, rather than a training course or an individual credential. Achieving it is a significant milestone in the company's commitment to protecting customer data, and the controls under Monitoring below are the evidence an auditor will test.


Our priority is to ensure the online security of our systems and we take every possible precaution to protect them. Despite our diligence, there are times where a possible vulnerability may exist. If you believe you have discovered a vulnerability in any of our systems, you can report it to us here.

Monitoring

Communications

Privacy Policy
A Privacy Policy is made available to both external users and internal personnel. This policy details the company's privacy commitments.
Description of Services
Descriptions of the company's services and systems are available to both internal personnel and external users.
Confidential Reporting Channel
A confidential reporting channel is made available to internal personnel and external parties to report security and other identified concerns.
Communication of Security Commitments
Security commitments and expectations are communicated to both internal personnel and external users via the company's website.
Terms of Service
Terms of Service or the equivalent are published or shared with external users.

Physical Security

Physical Security Policy
A Physical Security Policy that details physical security requirements for the company facilities is in place.

Incident Response

Incident Response Plan Testing
The Incident Response Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Incident Response Plan based on the test results.
Incident Response Plan
An Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning and tracking confirmed incidents through to resolution.
Lessons Learned
After any identified security incident has been resolved, management provides a "Lessons Learned" document to the team in order to continually improve security and operations.
Tracking a Security Incident
Identified incidents are documented, tracked, and analyzed according to the Incident Response Plan.

Network Security

Automated Alerting for Security Events
Alerting software is used to notify impacted teams of potential security events.
Restricted Port Configurations
Configurations ensure available networking ports, protocols, services, and environments are restricted as necessary, including firewalls.
Network Security Policy
A Network Security Policy identifies the requirements for protecting information and systems within and across networks.

Availability

Testing the Business Continuity and Disaster Recovery Plan
The Business Continuity and Disaster Recovery Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Business Continuity and Disaster Recovery Plan based on the test results.
Business Continuity and Disaster Recovery Policy
Business Continuity and Disaster Recovery Policy governs required processes for restoring the service or supporting infrastructure after suffering a disaster or disruption.
Backup Restoration Testing
Backed-up data is restored to a non-production environment at least annually to validate the integrity of backups.
High Availability Configuration
The system is configured for high availability to support continuous availability, when applicable.

Confidentiality

Data Retention and Disposal Policy
A Data Retention and Disposal Policy specifies how customer data is to be retained and disposed of based on compliance requirements and contractual obligations.
Retention of Customer Data
Procedures are in place to retain customer data based on agreed-upon customer requirements or in line with information security policies.
Disposal of Customer Data
Upon customer request, the company removes data that is no longer needed from databases and other file stores in accordance with agreed-upon customer requirements.
Access to Customer Data is Restricted
Access to, erasure of, or destruction of customer data is restricted to personnel that need access based on the principle of least privilege.
Data Classification Policy
A Data Classification Policy details the security and handling protocols for sensitive data.

Access Security

Encryption and Key Management Policy
An Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
Least Privilege in Use
Users are provisioned access to systems based on principle of least privilege.
Administrative Access is Restricted
Administrative access to production infrastructure is restricted based on the principle of least privilege.
Encryption-in-Transit
Service data transmitted over the internet is encrypted-in-transit.
Access Control and Termination Policy
An Access Control and Termination Policy governs authentication and access to applicable systems, data, and networks.
Asset Inventory
A list of system assets, components, and their respective owners is maintained and reviewed at least annually.
Removal of Access
Upon termination or when internal personnel no longer require access, system access is removed, as applicable.
Encryption-at-Rest
Service data is encrypted-at-rest.
Unique Access IDs
Personnel are assigned unique IDs to access sensitive systems, networks, and information.

Organizational Management

Disciplinary Action
Personnel who violate information security policies are subject to disciplinary action and such disciplinary action is clearly documented in one or more policies.
Acceptable Use Policy
An Acceptable Use Policy defines standards for appropriate and secure use of company hardware and electronic systems including storage media, communication tools and internet access.
Code of Conduct
A Code of Conduct outlines ethical expectations, behavior standards, and ramifications of noncompliance.
Roles and Responsibilities
Information security roles and responsibilities are outlined for personnel responsible for the security, availability, and confidentiality of the system.
Internal Control Monitoring
A continuous monitoring solution monitors internal controls used in the achievement of service commitments and system requirements.
Security Awareness Training
Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.
Information Security Policy
An Information Security Policy establishes the security requirements for maintaining the security, confidentiality, integrity, and availability of applications, systems, infrastructure, and data.
Internal Control Policy
An Internal Control Policy identifies how a system of controls should be maintained to safeguard assets, promote operational efficiency, and encourage adherence to prescribed managerial policies.
Personnel Acknowledge Security Policies
Internal personnel review and accept applicable information security policies at least annually.
Performance Review Policy
A Performance Review Policy provides personnel context and transparency into their performance and career development processes.
Information Security Program Review
Management is responsible for the design, implementation, and management of the organization’s security policies and procedures. The policies and procedures are reviewed by management at least annually.
Performance Reviews
Internal personnel are evaluated via a formal performance review at least annually.
Organizational Chart
Management maintains a formal organizational chart to clearly identify positions of authority and the lines of communication, and publishes the organizational chart to internal personnel.
Cybersecurity Insurance
Cybersecurity insurance has been procured to help minimize the financial impact of cybersecurity loss events.

Change Management

Secure Development Policy
A Secure Development Policy defines the requirements for secure software and system development and maintenance.
Change Management Policy
A Change Management Policy governs the documenting, tracking, testing, and approving of system, network, security, and infrastructure changes.
Configuration and Asset Management Policy
A Configuration and Asset Management Policy governs configurations for new sensitive systems.
Segregation of Environments
Development, staging, and production environments are segregated.
Approval for System Changes
System changes are approved by at least 1 independent person prior to deployment into production.
Production Data Use is Restricted
Production data is not used in the development and testing environments, unless required for debugging customer issues.

Vulnerability Management

Vulnerability and Patch Management Policy
A Vulnerability Management and Patch Management Policy outlines the processes to efficiently respond to identified vulnerabilities.
Vulnerability Scanning
Vulnerability scanning is performed on production infrastructure systems, and identified deficiencies are remediated on a timely basis.
Third-Party Penetration Test
A 3rd party is engaged to conduct a network and application penetration test of the production environment at least annually. Critical and high-risk findings are tracked through resolution.

Risk Assessment

Risk Assessment and Treatment Policy
A Risk Assessment and Treatment Policy governs the process for conducting risk assessments to account for threats, vulnerabilities, likelihood, and impact with respect to assets, team members, customers, vendors, suppliers, and partners. Risk tolerance and strategies are also defined in the policy.
Risk Register
A risk register is maintained, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
Risk Assessment
Formal risk assessments are performed, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats.
Vendor Risk Management Policy
A Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle.
Vendor Due Diligence Review
Vendor SOC 2 reports (or equivalent) are collected and reviewed on at least an annual basis.