Data security & GDPR
Security Assessment
All your data is stored using Google Cloud, one of the world’s leading cloud-based services. The Google servers we use are located within the EU/EEA, more precisely in Belgium.
Yes. Your data is physically secured by trained staff around the clock and encrypted both at rest and in transit (see Google Cloud whitepaper on security). Sensitive data is encrypted, using an individual per-customer AES 256 based encryption key.
Yes. Your data is transferred with high-grade TLS 1.2 (https) technology. In addition, we limit the duration of sessions and automatically log you out after a certain time.
1) You and your staff will have access to the data, using a password and per data access credentials that you will provide them. You can control who can see, add, edit, upload/download any information based on user role credentials.
2) A small number of authorised Alexis personnel, as defined in our security policy, can gain access to your data. Any team member doing so will be performing specific (audited) tasks on your request via our support desk. Access to all sensitive data requires two-factor authentication by these personnel.
3) In a few cases, based on your consent, data will be provided, per your request, to 3rd party service providers for specific business purposes (e.g. integrating to one of our integration partners).
Yes. To protect your data we work according to best practices on the legal framework of the European General Data Protection Regulation (EU GDPR) in addition to following standards and guidelines such as ISO/IEC 27001 and the principles of basic IT protection. You can find more information about our Data Processing Agreement here.
We keep an audit log of all activity on system data, allowing you, based on your user role credential rights, to see a log of all changes that have ever been made.
Each piece of data stored is associated with a tenant ID. All access to data is enforced to use a tenant ID key. Data is logically divided. If the information is stored on disk, every client has its own folder. If data is stored in a database, access to the data is strictly enforced to use the tenant identifier, so there is no leakage between clients. Sensitive data is encrypted using a unique encryption key per tenant.
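The sketch below is an added illustration of the tenant-scoping pattern described above, not Alexis code: a store handle bound to one tenant adds the tenant filter to every query and refuses file paths that resolve outside that tenant's folder. The `TenantStore` class, the `employees` table, the `/srv/data` root and the tenant names are all hypothetical.

```python
import sqlite3
from pathlib import Path


class TenantStore:
    """Hypothetical handle bound to one tenant; callers never pass a tenant ID."""

    def __init__(self, db, root, tenant_id):
        if not tenant_id.isalnum():
            raise ValueError("tenant id must be alphanumeric")
        self._db, self._tenant = db, tenant_id
        self._dir = (Path(root) / tenant_id).resolve()

    def add_employee(self, name):
        self._db.execute(
            "INSERT INTO employees (tenant_id, name) VALUES (?, ?)",
            (self._tenant, name))

    def employees(self):
        # The tenant filter is applied here, never left to the caller.
        rows = self._db.execute(
            "SELECT name FROM employees WHERE tenant_id = ? ORDER BY name",
            (self._tenant,))
        return [r[0] for r in rows]

    def file_path(self, filename):
        # Resolve first, then confirm the result is still inside the tenant folder.
        path = (self._dir / filename).resolve()
        if not path.is_relative_to(self._dir):
            raise PermissionError("path leaves tenant folder")
        return path


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (tenant_id TEXT NOT NULL, name TEXT NOT NULL)")
    a = TenantStore(db, "/srv/data", "tenantA")  # constructed sample tenants
    b = TenantStore(db, "/srv/data", "tenantB")
    a.add_employee("Ada")
    a.add_employee("Alan")
    b.add_employee("Grace")
    try:
        a.file_path("../tenantB/payroll.csv")
        escaped = True
    except PermissionError:
        escaped = False
    return a.employees(), b.employees(), escaped
```

Binding the tenant at construction means a missing `WHERE tenant_id = ?` cannot be introduced at a call site, which is the usual way cross-tenant leaks appear in shared tables.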
We maintain a Security Policy that defines the security tasks that we should perform periodically. Our site and API undergo independent, ongoing third-party penetration testing, security scans, threat detection and black box assessment.
In some cases, we transfer your personal data outside the European Union or the European Economic Area in accordance with data protection legislation. In all situations, we transfer your personal data outside the EU/EEA only based on one of the lawful grounds mentioned below:
• The EU Commission has decided that the recipient country in question ensures an adequate level of protection;
• We have established appropriate safeguards for the transfer of personal data by using the standard data protection clauses approved by the Commission. You shall then have the right to obtain a copy of such by contacting us; or
• You have given your explicit consent for the transfer of your personal data or another lawful basis for the transfer of your personal data outside the EU or EEA exists. For a list of sub-processors and their residence see our DPA.
Data privacy and security are the foundation of our business - Alexis is built to process and protect your data. Find more information here: https://alexishr.com/privacy-policy
You can see our entire policy and list of Cookies used here: https://alexishr.com/cookie-policy
The General Data Protection Regulation contains rules on when and how the transfer of personal data to countries outside the EU/EEA ("third countries") is permitted. The transfer of personal data from the EU/EEA to the USA has previously been possible through, among other things, Privacy Shield, a framework for certification of a sufficiently high level of protection for personal data processing at American companies. The European Court of Justice has ruled in the so-called Schrems II judgment (Case C311-18) that the Privacy Shield agreement between the EU and the USA does not provide sufficient protection for personal data when they are transferred to the USA. The ruling means that European companies are no longer allowed to transfer personal data to US subcontractors with the support of the Privacy Shield. Alexis processes its customers' personal data mainly in the EU/EEA, but we use a few systems and services linked to individual subcontractors that result in personal data being transferred to the USA. Since the verdict, we have worked continuously to deal with its legal consequences. Among other things, we are investigating the possibilities of replacing our American subcontractors with corresponding subcontractors within the EU. Any changes to European subcontractors will take place in accordance with current personal data assistant agreements. For a list of sub-processors and their residence see our DPA.
You are the owner and controller of your data within the meaning of art. 24 EU GDPR, meaning that you are responsible for respecting the rights of data subjects as defined in chapter 3 of EU GDPR. We are the order processor and in this capacity process your data exclusively at your instruction and for the purposes laid down in the data processing agreement (received and signed upon registration).
Our goal is that you can always access your AlexisHR account. There are times when the AlexisHR service will be unavailable due to planned maintenance or due to a component failure. In such cases, AlexisHR staff are paged as soon as the failure is detected and work to make sure the service is back up in the shortest possible time. You can see and follow our service statuses at status.alexishr.com. There you can also see and follow our current uptime, broken down per service.
If we find issues that might affect your ability to use the AlexisHR service, we will post them immediately on the Status site (https://status.alexishr.com). Updates to current issues will also be posted on the same site. We have also built notifications within your AlexisHR page that will notify you of functionality that may be experiencing issues at that time. Look out for a banner that will explain the affected service. You can always report any issues you might have with the service at: support (at) alexishr (dot) com