Security Overview

As a business we take security and operational reliability seriously. Our organisation has completed the UK Government backed Cyber Essentials certification – certificate number 945de80a-96d8-418e-946b-23099ead58ab. All customer data is held within UK data centers.

Pandemic Response

We incorporate pandemic response policies and procedures into our disaster recovery planning to prepare to respond rapidly to infectious disease outbreak threats. Mitigation strategies include alternative staffing models to transfer critical processes to alternative resources, and activation of a crisis management plan to support critical business operations.

Protecting your billing information

All card transactions are processed by “Stripe”, a Level 1 PCI Service Provider. No card data is ever transmitted to or stored by PolarHR.

Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

Protecting your data

All customer data is stored securely and redundantly across multiple geographically dispersed locations. Data is encrypted at rest using industry standard AES-256 encryption and backed up continuously using modern techniques to remove points of failure.

Whenever any data is transmitted to us, it is always encrypted and sent using HTTPS and 2048-Bit encryption. This data is only decrypted within our secure firewalled networks.

System Redundancy

Our data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Data centers are equipped with a back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.

Data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Physical Security

Physical systems access is granted only to approved engineers. All employees who need data center access must first apply for access and provide a valid business justification.

These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound.

Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Risk Management

We conduct regular threat and vulnerability reviews of data centers. Ongoing assessment and mitigation of potential vulnerabilities is performed through data center risk assessment activities.

Surveillance & Detection

Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). Images are retained according to legal and compliance requirements.

Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit. These devices will sound alarms if the door is forced open without authentication or held open. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to a 24/7 Security Operations Centers for immediate logging, analysis, and response.

If you have any questions about security, you can contact us:

Last updated April 2022