Payslip Product Sheet - Data Security, Privacy & Compliance

Data Security, Privacy & Compliance

Stay secure with Payslip

Payslip’s platform delivers complete security, compliance, and governance for your global payroll.

Payslip is committed to the absolute information security, protection, and privacy of the data in our platform.

❖ CONFIDENTIALITY

❖ INTEGRITY

❖ AVAILABILITY

The Payslip platform has the most rigorous levels of security and auditing built into every layer of its technology, and we revisit our information security and data protection policies and practices routinely to ensure they adhere to the highest and most up-to-the-minute standards.

Payslip enables our clients to operate in a secure environment with all communication occurring within the platform and its integrations.

Choose our secure multi-tenant environment, or upgrade to a Virtual Private Cloud (VPC). Payslip’s workflows, integrations, and hyper-automation deliver a comprehensive global payroll management process, while providing full compliance with information security and privacy standards, together with a secure gateway, zero trust data store, and governance engine that you can trust.

© 2022 Payslip LTD. All other trademarks and copyrights are the property of their respective owners. All rights reserved.

2022 Payslip Data Security, Privacy & Compliance

Accreditation and Certification

Payslip has achieved accredited certification with the following globally recognized standards for security and data protection.

ISO27001

ISO/IEC 27001:2013 (also known as ISO27001) is the international standard that sets out best practice for an ISMS (information security management system).

ISO27701

ISO/IEC 27701:2019 (also known as ISO27701) is an extension to ISO/IEC 27001 for privacy information management.

Type 1 SOC 1

System and Organization Controls (SOC) is a suite of accreditations from the AICPA. SOC 1 assesses an organization's ICFR (internal control over financial reporting).

Type 2 SOC 1 and SOC 2 certifications are on our roadmap.

GDPR

Our ISO certification includes full GDPR compliance.

Internal policy and procedure

Payslip has documented over 20 policy and procedural plans to define our security measures. These are reviewed annually. Regular information security and privacy training is mandatory for all Payslip employees.

Data Residency

Data is stored in AWS Ireland and is fully compliant under GDPR.

Data security

Payslip uses a wide range of technologies and practices to defend personal data from unauthorized access, malicious attacks, and exploitation. The Payslip platform is designed to protect and preserve data integrity, ensuring that data is accurate and reliable.

Physical security

Payslip uses highly secure AWS data centers to host its SaaS platform. Payslip enforces strict physical security at all of its premises via CCTV, entry and exit controls, and tracking measures.

Access Control

The Payslip platform uses a Zero Trust approach to ensure the privacy and security of data. We operate on the Principle of Least Privilege (POLP) and Role-Based Access Control (RBAC) to restrict user access to the bare minimum. Payslip tracks all access and activity for security and audit purposes. Access is recertified on a quarterly basis.

Authentication

Payslip supports Single Sign-On (SSO) with Security Assertion Markup Language (SAML), an open standard widely used for authentication. We operate Two-Factor Authentication (2FA) across a number of channels, including email, SMS, and authenticator app. Passwords are hashed and salted to ensure the highest level of protection. To ensure users create strong passwords, we impose password rules for employees and users of the platform. Accounts are locked after 5 failed login attempts.

Smart Data Governance

Payslip’s support for role-based access enables you to restrict what your users can see and the actions they can perform. Build and enforce your own fine-grained data access control using Payslip’s powerful but intuitive policy expression language.

Data Encryption

All data on Payslip is obfuscated and encrypted using the strongest and most robust encryption standards.

❖ Data at rest: Payslip uses the Advanced Encryption Standard (AES) with a key size of 256 bits to encrypt all data before it is stored in our database. AES-256 is a highly secure cipher and is a US Federal Government standard.

❖ Data in transit: Network traffic to and from the Payslip platform across the public internet is protected by Transport Layer Security (TLS). TLS defends against data tampering and eavesdropping. All AWS services are protected by AWS Key Management Service (AWS KMS).

Advanced Data Control

As a global payroll platform, Payslip is designed to be audit-ready, providing a comprehensive set of reports on activity. It’s easy to manage data residency, access, and policy enforcement, with auditable logs and provenance.

Activity monitoring and testing

Payslip uses a dedicated Security Information and Event Management (SIEM) service to identify potential security threats, for example unusual login patterns, before they can take effect. The SIEM system is always running. We perform bi-weekly vulnerability scans and annual penetration tests. We use a Data Loss Prevention (DLP) tool, which issues alerts to help us protect PII data.

Availability

The Payslip platform is highly available. Our Business Continuity policy and plan ensure minimal disruption to your business in the event of a disaster. The Payslip platform is subject to regular recovery testing. Payslip data is backed up continuously. The backups are archived in a secure vault and cannot be edited in any way. Payslip’s RPO is zero data loss. Our tests have proved that our data center, including the database, can be recovered and made available in minutes.

Workflow-Aware Architecture

Payslip helps our partners manage and protect personal data without sacrificing usability. You can safely use, share, and analyze data within the platform without ever compromising privacy. Data is communicated only via a secure SFTP channel, and once it leaves this channel, it is stored immediately in secure AWS S3 buckets or in Payslip’s secure document repository.

Zero Touch

Payslip’s Zero Touch approach protects data on our platform. Manual intervention by users is replaced by automation and integrations that perform ingestion and validation of data. The platform includes a set of robust APIs that enable processing of all update and deletion requests without any manual intervention. HCM system integrations and bulk update of data via Secure File Transfer Protocol (SFTP) reduce manual intervention by enabling bulk update of employee data, creation of new employees, update of leavers, and processing of payroll updates.


Data Privacy

Data privacy is the proper handling, processing, storage, and usage of personally identifiable information (PII). Payslip is committed to the absolute protection and privacy of PII data.

Data isolation

As a multi-tenant SaaS platform, Payslip has a responsibility to ensure no tenant can ever access data belonging to another tenant. To isolate tenant data, every tenant on Payslip is on a completely separate schema. All tenant data is encrypted using a dedicated customer-specific key.

Data Retention

Payslip will retain Client data as per the terms agreed in the MSA. The data retention period depends solely on the legal requirements of the relevant countries, and Payslip takes instructions from the Client and the Client’s ICPs as its in-country experts. Client data is not stored outside of the Payslip platform. All files transferred via the secure SFTP channel are deleted immediately after transfer.

GDPR

Our ISO certification includes full GDPR compliance.

Payslip and Data Protection

We have designed Payslip from the start to be a Global Payroll control platform, so we are very cognizant that you will be hosting your employees’ or data subjects’ PII data on our platform.

We have designed it with:

❖ the best industry standards for information security and data protection

❖ built-in controls within and around the platform to secure your data


Please contact us at sales@payslip.com for further information


payslip.com
