Security and Privacy at ZenHR

At ZenHR, security and privacy are core principles that guide everything we do. To assist our customers in enhancing their security and compliance practices, we must first ensure the utmost security for our systems and processes.

Our Security Policy

ZenHR's Security and Privacy teams formulate policies and implement controls. They continuously assess compliance with these controls and provide evidence of our robust security and compliance practices to third-party auditors. This proactive approach showcases our dedication to safeguarding data and maintaining the trust of our valued clients.

The basis of our policies stems from the following foundational principles:

01. Our access control approach entails restricting access solely to individuals with a verifiable business necessity, adhering to the principle of least privilege when granting permissions.

02. Security controls must be applied and layered following the defense-in-depth principle.

03. Consistent application of security controls is essential across all areas of the enterprise.

04. Controls should undergo an iterative implementation process to achieve better effectiveness and reduce friction across the organization.

Security and compliance are non-negotiables at ZenHR

We actively apply SOC 2 Type II controls, a widely recognized data security and privacy standard, to demonstrate our dedication to safeguarding our clients' assets and data. This is a testament to our ongoing efforts to maintain the highest protection and trust for our valued customers.

Secure Data Management

Data Privacy

All customer data, including S3 buckets, is encrypted at rest. For enhanced security, sensitive collections and tables utilize row-level encryption. This ensures that data is encrypted even before it reaches the database, rendering physical access or logical database access insufficient to read the most sensitive information.

Data on the Move

ZenHR ensures data security in transit by employing TLS 1.1 or higher whenever data is transmitted across potentially insecure networks. Additionally, we implement advanced features like HSTS (HTTP Strict Transport Security) to further enhance data security while it is in transit. AWS manages server TLS keys and certificates deployed through Application Load Balancers for robust protection.

Product Security Protocols

At ZenHR, we prioritize the security of our products and cloud infrastructure by conducting rigorous penetration tests on an annual basis, leveraging the expertise of top professionals in the field. These tests involve comprehensive assessments across all aspects of the ZenHR product and cloud infrastructure. To ensure thorough evaluation and coverage, we provide the testing team with full access to our source code. We maintain a strong focus on security without relying on external vendor names. This approach allows us to continually enhance the protection of our systems and data, providing our clients with the highest level of security and trust. Please rest assured that our dedication to security remains unwavering as we continually strive to safeguard our systems and customer information at ZenHR.

Enterprise Security Measures

Safeguarding Endpoints

ZenHR takes a proactive stance on endpoint protection. Our corporate devices are centrally managed and fortified with mobile device management software alongside robust anti-malware measures. Our vigilant watch extends around the clock, all year round, ensuring that endpoint security alerts receive constant attention. To enhance security, we utilize MDM software to uphold secure configurations for endpoints, including features like disk encryption, screen lock parameters, and consistent software updates.

Nurturing a Security-Conscious Workforce

At ZenHR, security education is paramount. We empower our employees with robust security training upon onboarding. Every new team member participates in a mandatory live onboarding session that delves into fundamental security principles. Additionally, our new engineers receive a compulsory live onboarding session focusing on secure coding best practices.

Empowering Through Threat Insights

ZenHR’s vigilant security team regularly imparts crucial threat briefings, ensuring that employees are well-informed about vital security updates that demand heightened attention or swift action.

Granular Access Control

Granting application access aligns with employee roles at ZenHR, with automatic de-provisioning upon termination. Additional access is meticulously governed, subject to approval based on the policies established for each application.

Need to report a security issue?

Please email: security@zenhr.com