PayrollHero Security

We value our customers' security and work hard to ensure that our platform and procedures are focused on the security of our clients' data. A PayrollHero account contains all employee information and confidential material. For that reason, we take security, encryption, and system permissions very seriously.

Below is a complete guide to our security processes for your reference.

User Security

  • Mutual Non-Disclosure Agreement

At the onset of our business relationship, we sign a mutual non-disclosure agreement as part of our commitment to your company's confidentiality.

  • Password Strength Policy

We enforce a Password Strength Policy so that every PayrollHero user logs in with a sufficiently strong password.

We require all passwords to use the following:

– One lowercase letter
– One uppercase letter
– One number
– 8 characters in total for password length

  • Two Factor Authentication Log In

As an added layer of security for users, we have implemented a Two Factor Authentication (2FA) log-in, which makes logging in safer and more secure.

With 2FA, users are effectively prevented from sharing passwords, giving each user complete ownership of and responsibility for his or her personal account.

Every time a user logs in, they generate a time-based one-time password to complete the login. This password is different every time you log in, and only you, the user, can see the generated password.

To enable 2FA, you would need a device, usually a smartphone, and an app to generate these one-time use passwords. Here are some of our recommended apps:

Click here for a complete guide on how to set up Two Factor Authentication for your PayrollHero account.

Platform Security

  • Encryption at Rest

All data within PayrollHero is encrypted in transit and at rest, meaning that it is not only encrypted when moving from application to application but it is also encrypted when idle.

  • HTTPS

All communication in and out of the PayrollHero platform is done through HTTPS. “Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet”.

For both security and non-security incidents, we employ an urgent and critical incident process that assigns a priority level to the team's response. An incident commander is appointed for every such incident and is responsible for involving the necessary resources.

Architecture

The PayrollHero System is designed to expose only customer-facing services. All other access requires an encrypted administrator connection.

  • Only vetted senior staff members have access to production data.
  • All access to the system is encrypted.
  • All access to the system requires either an encrypted VPN connection or two-factor authentication.
  • All access to production data is logged.
  • All systems are isolated from each other, regularly replaced, and security patches are applied as soon as they are available.

Customer data is stored in a multi-tenant environment, so data from different customers does reside in the same databases. Extreme care is taken to ensure that one customer's data is never mixed with another's.

The PayrollHero system is designed to deal with server failures. We perform offsite backups, and frequent onsite backups. We also have an offline mode for the clock in/out feature.

If you want to learn how to use TeamClock while offline, click here for a quick tutorial.

Servers

In an effort to ensure that all your data is kept secure, we use only one of the best-known names in server and cloud computing: Amazon.

Technically speaking, we secure our data with the following services.

PayrollHero uses the following AWS services, which are ISO 27001 and PCI DSS Level 1 certified:

  • Amazon Web Services Elastic Compute Cloud (EC2)
  • Amazon Web Services Simple Storage Service (S3)
  • Amazon Web Services Relational Database Service (RDS)
  • Amazon Web Services Elastic Load Balancing (ELB)
  • Amazon Web Services Identity and Access Management (IAM)
  • Amazon Web Services Elastic Block Storage (EBS)

PayrollHero will use commercially reasonable efforts to make the PayrollHero platform available with a monthly uptime percentage of at least 99%, in each case during any monthly billing cycle (the “Service Commitment”). In the event PayrollHero does not meet the Service Commitment, You will be eligible to receive a Service Credit as described below.

Service Level Agreement

Service Credits are calculated as a percentage of the total charges paid by you (excluding one-time payments such as upfront payments) for the monthly billing cycle in which the platform was unavailable.

  • If the monthly uptime percentage drops below: 99%
  • Service Credit Percentage: 20%
  • Service Credits are applied to Your next month's invoice.
  • To receive a Service Credit, You must submit a claim by opening a support case (support@payrollhero.com).

To be eligible, the credit request must be received by us by the end of the second billing cycle after which the incident occurred and must include:

  • the words “SLA Credit Request” in the subject line;
  • the dates and times of each unavailability incident in respect of which You are claiming;
  • the affected PayrollHero account;
  • Your request logs that document the errors and corroborate Your claimed outage (any confidential or sensitive information in these logs should be removed or replaced with asterisks).

Our most up-to-date Terms of Service.

If you have any other questions about our confidentiality, data security, or encryption, please feel free to contact us at support@payrollhero.com.

New Security Feature: Password Strength Policy

As we continue to enhance security across PayrollHero, we have added a mechanism that enforces a password policy on users' passwords. Users are now required to use at least the following in their password:

  • one lowercase letter
  • one uppercase letter
  • one number
  • 8 characters in total for the password length

We hope this will discourage simple passwords and help secure everyone's data.

This change will be effective November 3, 2014 and will affect all new user creations and password changes.

We also added Two Factor Authentication a few weeks ago. Read more here.

New Security Feature: 2 Factor Authentication

We recently added another layer of authentication that lets users use a time-based one-time password when logging in. This password is different every time you log in and is something that only you possess.

This added level of security is free for all users and available on all accounts now. What is 2 Factor Authentication? Here is what Wikipedia has to say:

“Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. It has been adopted as Internet Engineering Task Force standard RFC 6238,[1] is the cornerstone of Initiative For Open Authentication (OATH) and is used in a number of two factor authentication systems.

TOTP is an example of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.

In a typical two-factor authentication application, user authentication proceeds as follows: a user will enter username and password into a website or other server, generate a one-time password for the server using TOTP running locally on a smartphone or other device, and type that password into the server as well. The server will then also run TOTP to verify the entered one-time password. For this to work, the clocks of the user’s device and the server need to be roughly synchronized (the server will typically accept one-time passwords generated from timestamps that differ by ±1 from the client’s timestamp). A single secret key, to be used for all subsequent authentication sessions, must have been shared between the server and the user’s device over a secure channel ahead of time. If some more steps are carried out, the user can also authenticate the server using TOTP.” *Wikipedia


More details are in our release notes; watch for the knowledge base article for a more detailed how-to.