Data Protection and IT Security at Personio

Please send an email to security@personio.de

Suggested information to provide (where applicable):

• URL where the issue was detected:
• Your company name and the user name affected:
• Type of affected data:
• Mobile device / operating system information:
• Information on how issue can be reproduced:

In data protection matters, we rely on Bitkom Servicegesellschaft mbH, one of the leading consultancy companies in Germany for any issues related to the digital economy, and use their services as in-house data protection officers:

Bitkom Servicegesellschaft mbH, Albrechtstrasse 10, D-10117 Berlin.

For any questions regarding data protection at Personio, please contact privacy@personio.com

For one thing, all Personio employees are bound to data secrecy and data protection in general and are made aware of the consequences of any breach.
For another thing, we run training and awareness programs regarding the handling of personal details, as well as data protection, on a regular basis. These programs also include new legislation such as the European General Data Protection Regulation (EU GDPR).

Personio’s organizational structure is informed by the requirements of ISO/IEC 27001. We strive for continued improvement of the processes and structures ensuring data protection and information security. In addition to appointing a data protection officer and training staff on a regular basis, Personio employs an internal IT security officer in order to ensure that security has the highest priority in all processing and internal processes.
Furthermore, Personio closely cooperates with major decision-makers and bodies in the field of data protection and IT security and is a member, among others, of the German Association for Data Protection and Data Security (GDD), the Alliance for Cyber-security and Bitkom e.V.

In the unlikely event of a data breach at Personio, if personal data of a customer is affected and the breach is likely to entail a risk to the rights and the freedom of the customer’s staff, Personio will immediately notify the customer concerned, so as to enable them to fulfill their legal obligation to inform the regulatory authority and the individuals concerned.

Yes, data protection is an integral element of our product strategy. Therefore, even at the development stage of our features we carefully respect principles such as data economy and use state-of-the-art measures to ensure an adequate level of protection. In addition, when preparing for the EU GDPR, we reviewed the default settings of the entire application and adapted them to provide the highest-possible level of data protection while still ensuring user friendliness. Furthermore, the settings are generally all adaptable to the customer’s individual needs. In order to continuously ensure this, we also defined a process for feeding legal requirements into the product development process on an ongoing basis and reviewing the application accordingly at set intervals.

We generally assume that we are compliant with the essential requirements of the EU GDPR already today. This includes, in addition to the stipulations of art. 25 of EU GDPR re data protection by design and by default, supporting the customer in respecting the rights of data subjects such as the right to obtain erasure of personal details as well as the rights of access and data portability (chapter 3 of EU GDPR). This enables the customer to delete applicants’ data either automatically or manually as well as to either block or completely and securely delete employees’ data. Furthermore, due to Personio’s self-service approach, employees are given direct access to their own digital personnel file at all times. In addition, employees can export their own data from the staff list in a machine-readable format as well as download any documents that they personally added. Nevertheless, we make sure that the application, the underlying infrastructure and our organizational structure are suitably equipped at various levels to meet the requirements of the EU GDPR.

Personio uses the services of Amazon Web Services (AWS) in Frankfurt (https://aws.amazon.com/compliance/gdpr-center) for hosting its software. The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers’ data.

As a general rule, neither staff at the data centers nor at AWS employees have access to your data. As far as Personio is concerned, only our DevOps Team (in charge of servers) and our Product Team as well as the Customer Success Team (in charge of customers’ systems) will access data as and when necessary. This will be necessary to assist with the initial creation of an account as well as the processing of service enquiries. Access rights are granted on a need-to-know basis and documented. In addition, access to customers’ systems is logged.

On the server side, Personio uses a host-based intrusion detection system to monitor parameters such as suspicious log entries, signatures of known rootkits and trojans, anomalies in the Device File System or classic brute force attacks. These parameters are scanned for anomalies on a regular basis. In case an anomaly is detected, the operations and development staff in charge are notified immediately so that they can take counteraction. In addition, on the application side, all essential activities (in particular change, delete and update operations) are logged to be able to prove upon request unauthorized access and changes to data.

Access is granted purely via personalized user accounts, each of which is clearly assigned to an individual. Registration is with a user name and password, with the latter having to be modified during initial login in accordance with the secure-password guideline implemented in the application. In addition, we advise our customers to use two-factor authentication to achieve a higher level of protection.

Access rights are generally designed to fulfill the requirements of art. 24 of EU GDPR regarding data protection by default. This means that all employees with newly created user accounts have by default no rights beyond editing their own profile. You as the customer, however, can manage the granting of access rights according to your individual authorization protocol.

Personio has implemented a backup concept for customer data and documents stored on its data centers according to the state of the art in order to guarantee adequate availability. The backups of the database systems are stored exclusively in encrypted form. This means that it is not necessary for the customer to carry out own backups. Regular restore tests are carried out to ensure that the backups have been stored properly and can be restored if necessary.

In the unlikely event of a total failure of the system, the redundant structure of the data centers (productive and backup data) ensures that your data is not lost. In this case, we will ensure fastest-possible recovery in accordance with our disaster recovery concept.

For one thing, we run audits of our procedures and our product at regular intervals, generally once a year, in keeping with the legal data protection requirements. The results of these audits are then used to take specific action to further develop our documentation, processes, structures and/ or functionalities, as well as our technical and organizational processes.

For another thing, we perform internal vulnerability scans at regular intervals to test our application and infrastructure. In addition, we hire an external service provider on a regular basis to perform penetration tests to examine our systems and applications for errors and weak spots. As the security of our systems and our application as well as the detection of attacks is of utmost importance to us, we rely on secuvera GmbH, an IT-security service provider that is certified by the Federal Office for Information Security (BSI).