ūüéČ Celebrating 10 Years of PayrollHero: Your Data’s Security is Our Top Priority! ūüõ°

Exciting news ‚Äď PayrollHero just hit the big 10! ūüéČūü•≥ We’ve been on this journey together, and we want to take a moment to celebrate and reassure you about your data’s security.

ūüĒź A Decade Strong – Zero Security Breaches:

Guess what? We’ve had your back for 10 years, and not a single security breach! Your data is as safe as ever.

ūüí™ We’re Always Improving:

We’ve been investing in top-notch tech, regular security checks, and staying ahead of the game to keep your info locked down. We take security seriously, and we’re not slowing down.

ūüôŹ Thanks for Trusting Us:

Big shoutout to you ‚Äď our awesome community! Whether you’re a long-timer or a newbie, your trust keeps us going. We couldn’t have hit this milestone without you.

ūüöÄ What’s Next? Share Your PayrollHero Story:

We want to hear from YOU! Drop a comment and tell us about your PayrollHero journey. What features do you love? How has it helped you? We’re all ears.

Here’s to a decade of success, and many more to come!

PayrollHero Security

securityWe value our customer’s security and work hard to ensure that our platform and procedures are focused on security of our clients data.¬†A PayrollHero account contains all employee information and confidential material. For that reason, we take security, encryption, and system permissions very seriously.

Below we have listed a complete guide of our security processes for your reference.

User Security

  • Mutual Non-Disclosure Agreement

At the onset of our business relationship, we sign a mutual non-disclosure agreement as part of our commitment to your company confidentiality.

  • Password Strength Policy

We have a Password Strength Policy which ensures that a PayrollHero user will be able to log in with high security measures.

We require all passwords to use the following:

– One lowercase letter
– One uppercase letter
– One number
– 8 characters in total for password length

  • Two Factor Authentication Log In

As an added layer of security for users, we have implemented a Two Factor Authentication (2FA) log-in, which makes logging in more safe and secure.

With 2FA, users are blocked from sharing passwords Рgiving the user complete ownership and responsibility for his or her personal account.

Every time a user logs in, they get a time-based, one-time password to authenticate the log in process. This password changes every time you log in, and only you, the user, will be able to know this generated password.

To enable 2FA, you would need a device, usually a smartphone, and an app to generate these one-time use passwords. Here are some of our recommended apps:

Click here for a complete guide on how to set up Two Factor Authentication for your PayrollHero account.

Platform Security

  • Encryption at Rest

All data within PayrollHero is encrypted in transit and at rest, meaning that it is not only encrypted when moving from application to application but it is also encrypted when idle.

  • HTTPS

All communication in and out of the PayrollHero platform is done through HTTPS. “Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet”.

** For both security and non-security incidents, we have employ an urgent and critical process that brings a certain priority level to the team. There is an incident commander appointed during any of these incidents and is responsible for involving the necessary resources. 

Architecture

The PayrollHero System is designed to only expose access to customer facing services. All other access requires an encrypted administrator connection.

  • Only vetted senior staff members have access to production data.
  • All access requires encrypted access to the system.
  • All access to the system requires either an encrypted VPN connection or two factor authentication to access anything.
  • All access to production data is logged.
  • All systems are isolated from each other, regularly replaced, and security patches are applied as soon as they are available.

Customer data is stored on a multi-tenant environment, as such it does exist within the same databases. Extreme care is taken to never allow customer data to get mixed up.

The PayrollHero system is designed to deal with server failures. We perform offsite backups, and frequent onsite backups. We also have an offline mode for the clock in/out feature.

If you want to learn how to use TeamClock while offline, click here for a quick tutorial.

Servers

In an effort to ensure that all your data is kept secure, we only use one of the best names in server and cloud computing – Amazon.

Technically speaking, we secure our data with the following services.

PayrollHero utilizes AWS Services that are ISO 27001 and PCI DSS L1 Certified:

  • Amazon Web Services Elastic Compute Cloud (EC2)
  • Amazon Web Services Simple Storage Service (S3)
  • Amazon Web Services Relational Database Service (RDS)
  • Amazon Web Services Elastic Load Balancing (ELB)
  • Amazon Web Services Identity and Access Management (IAM)
  • Amazon Web Services Elastic Block Storage (EBS)

PayrollHero will use commercially reasonable efforts to make the PayrollHero platform available with a monthly uptime percentage of at least 99%, in each case during any monthly billing cycle (the ‚ÄúService Commitment‚ÄĚ). In the event PayrollHero does not meet the Service Commitment, You will be eligible to receive a Service Credit as described below.

Service Level Agreement

Service Credits are calculated as a percentage of the total charges paid by you (excluding one-time payments such as upfront payments) for the monthly billing cycle in which the platform was unavailable.

  • If the monthly uptime percentage drops below: 99%
  • Service Credit Percentage: 20%
  • Service Credits are applied to Your next months invoice.
  • To receive a Service Credit, You must submit a claim by opening a support case (support@payrollhero.com).

To be eligible, the credit request must be received by us by the end of the second billing cycle after which the incident occurred and must include:

  • the words ‚ÄúSLA Credit Request‚ÄĚ in the subject line;
  • the dates and times of each unavailability incident in respect of which You are claiming;
  • the affected PayrollHero account;
  • and your request logs that document the errors and corroborate Your claimed outage (any confidential or sensitive information in these logs should be removed or replaced with asterisks).

Our most up to date Terms of Service.

If you have any other questions about our confidentiality, data security, or encryption, please feel free to contact us at support@payrollhero.com.

Android Users Read This

As you may have heard, Android phones have a new¬†vulnerability – and it’s pretty bad. It has been covered on most major tech blogs and media outlets.

From NPR:

Android is the most popular mobile operating system on Earth: About 80 percent of smartphones run on it. And, according to mobile security experts at the firm Zimperium, there’s a gaping hole in the software ‚ÄĒ one that would let hackers break into someone’s phone and take over, just by knowing the phone’s number.

In this attack, the target would not need to goof up ‚ÄĒ open an attachment or download a file that’s corrupt. The malicious code would take over instantly, the moment you receive a text message‚Ķ

Here’s how the attack would work: The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it’s received by the phone, Drake says, “it does its initial processing, which triggers the vulnerability.”

Google has already issued a patch for this vulnerability.

BUT,¬†most Android patches don’t make it to existing smartphone owners. They first have to be dealt with by the¬†manufacturers of the phones (of which there are many) and then by telco themselves. Both of which don’t happen super fast – which results in million’s of Android devices being vulnerable to this issue.

At PayrollHero, we push Apple as our prefer platform for clients to use for clocking in and out. We support Android, but most of our new features come out for iOS first. Plus, there are so many added benefits that Apple brings, security being one of them, but other built in features like Guided Access.

Apple does not have this same problem as Android as Apple has controlled the relationship with the telcos and has the ability to push updates to iOS phones themselves. No need for the telco to get involved and Apple makes the hardware, so no manufacturers to deal with.

Apple vs Android

Going Open Source with our Singapore Payroll Gems

At PayrollHero we are proud of our work and want to share it with the business community of Singapore.  Over the coming months we intend to release the payroll aspects of our code for free to the public.

That’s right, we are going open source with our Singapore payroll code! ¬†Any developer or interested party will be able to scrutinize the code responsible for Singapore Payroll calculations like CPF. ¬†PayrollHero‚Äôs payroll transparency will allow anyone the opportunity to use our code . It will engage the software community to provide the best possible product to all our clients – this will result with furthering our mission to bring Payroll Accuracy for Singapore Employees.

We write our software using a language called Ruby on the Ruby on Rails Framework (we flew DHH to Whistler in 2004). The Ruby community is a passionate collection of developers who have helped us create the HR Platform we have today. This is our opportunity to give back to the community who helped us get to where we are today.

Not a developer but you are interested in learning more about the quality of our code at PayrollHero? ¬†We use a program called code climate that systematically grades every line of code that we write. ¬†It helps us to write the best code possible and gives a neutral and outside indication of it’s quality using a GPA system. ¬†We don’t release anything less than a 4.0 GPA!

code climate singapore payrollSecurity important to you? Our code also receives a Security Scan performed every few hours for potential vulnerabilities. When anything is found we immediately act on the alert.

Here are the links you need for our Singapore Payroll CPF Gem:

Source Code: https://github.com/payrollhero/singapore_cpf_calculator
Gem: https://rubygems.org/gems/singapore_cpf_calculator
Code Climate Score: https://codeclimate.com/github/payrollhero/singapore_cpf_calculator

Singapore Payroll Software by PayrollHeroWant to learn more about PayrollHero Singapore? Head over to singapore.payrollhero.com to find out more about our Charter Client Program.

New Security Feature: Password Strength Policy

As we continue to¬†enhancing security across PayrollHero, we have created a new system¬†that¬†enforces a password policy on user’s password. Users¬†are now required to use at least the following in their password:

  • one lowercase letter
  • one uppercase letter
  • one number
  • 8 characters in total for the password length

We’re hoping this will help to avoid using simple passwords and secure everyone’s data.

This change will be effective November 3, 2014 and will affect all new user creations and password changes.

We also added Two Factor Authentication a few weeks ago. Read more here.

New Security Feature: 2 Factor Authentication

We recently added another layer of authentication that enables users to use time-based one-time password when authenticating/logging in. This password will be different every time you log in and would only be something that you and only you possess.

This added level of security is free for all users and available on all accounts now. What is 2 Factor Authentication? Here is what Wikipedia has to say:

“Time-based One-time Password Algorithm¬†(TOTP) is an algorithm that computes a¬†one-time password¬†from a¬†shared secret key¬†and the current time. It has been adopted as¬†Internet Engineering Task Force¬†standard¬†RFC 6238,[1]¬†is the cornerstone of¬†Initiative For Open Authentication¬†(OATH) and is used in a number of¬†two factor authentication¬†systems.

TOTP is an example of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.

In a typical two-factor authentication application, user authentication proceeds as follows: a user will enter username and password into a website or other server, generate a one-time password for the server using TOTP running locally on a smartphone or other device, and type that password into the server as well. The server will then also run TOTP to verify the entered one-time password. For this to work, the clocks of the user’s device and the server need to be roughly synchronized (the server will typically accept one-time passwords generated from timestamps that differ by ¬Ī1 from the client’s timestamp). A single secret key, to be used for all subsequent authentication sessions, must have been shared between the server and the user’s device over a secure channel ahead of time. If some more steps are carried out, the user can also authenticate the server using TOTP.” *Wikipedia

Screen Shot 2014-09-09 at 8.10.31 PM

Screen Shot 2014-09-09 at 8.20.00 PM

More details here in our release notes and watch for the knowledge base article for a more detailed how to article.