Security

We take care of your data
like our own!

At PeopleStrong, our top priority is keeping our customers’ data secure. We implement stringent security controls at the organizational, architectural, and operational levels to ensure that your data, applications, and infrastructure remain safe.

Architectural Security

Processing Relationship

Our customers serve as the data controller while PeopleStrong is the data processor. This means that customers have full control of the data entered into services, as well as all setup and configurations. Because customers control the data—and we only process it—they don’t have to rely on us to perform day-to-day tasks such as:

  • Assigning security authorization and manipulating roles
  • Creating new reports
  • Configuring business process flows, alerts, rules, and more
  • Creating new integrations
  • Changing or creating new organizational structures
  • Monitoring all business transactions
  • Looking at all historical data and configuration changes

Data Encryption

PeopleStrong encrypts every attribute of customer data before it’s persisted in a database. We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits and a unique encryption key for each customer.
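As an added illustration of the per-customer AES-256 model described above (example code written for this page, not PeopleStrong's implementation; the customer IDs, attribute name and in-memory key generation are constructed for the demo): each tenant gets its own 256-bit key, and every attribute value is sealed with AES-GCM with the customer ID and attribute name bound as associated data, so a stored ciphertext cannot be decrypted under another customer's key or quietly moved to another column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CustomerKey holds one AES-256 key per customer (tenant). A real deployment
// would fetch it from a KMS; this demo generates it in memory (constructed).
type CustomerKey struct {
	ID   string
	aead cipher.AEAD
}

func NewCustomerKey(id string) (*CustomerKey, error) {
	raw := make([]byte, 32) // 256-bit key
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CustomerKey{ID: id, aead: aead}, nil
}

// EncryptAttribute seals one attribute value with a fresh random nonce. The customer
// ID and attribute name are bound as AAD, so the value only opens in that context.
func (k *CustomerKey) EncryptAttribute(attr string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(k.ID + "|" + attr)
	return k.aead.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

func (k *CustomerKey) DecryptAttribute(attr string, stored []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(stored) < ns+k.aead.Overhead() { // guard before slicing off the nonce
		return nil, errors.New("stored value too short")
	}
	return k.aead.Open(nil, stored[:ns], stored[ns:], []byte(k.ID+"|"+attr))
}
```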

Transport Layer Security (TLS) protects user access over the internet, securing network traffic against passive eavesdropping, active tampering, and message forgery. File-based integrations can be encrypted with PGP or with a public/private key pair generated by PeopleStrong, using a customer-generated certificate. WS-Security is also supported for web services integrations with PeopleStrong’s API.

Logical Security

A dedicated Identity Provider (Alt IDP) supports multiple types of authentication providers, including LDAP, OpenID Connect based single sign-on in Alt applications, and SAML for third-party single sign-on integrations.

Single-Sign-On Support

Alt IDP provides a seamless single-sign-on experience between the customer’s internal applications and PeopleStrong by integrating with the customer’s authentication systems (Okta, ADFS, Office 365, Google, etc.) over both OAuth 2.0/OpenID Connect and SAML. Users simply log in to their company’s internal web portal with their own authentication system/IDP; a link to the PeopleStrong apps presented there gives them access without having to log in again.

Step-Up Authentication

If someone leaves a console open, or multiple users access PeopleStrong applications from the same device, organizations that use SAML as their authentication type can protect critical items against unauthorized access by marking them as critical. Users must then complete a second authentication factor before they can access those items.

PeopleStrong Native Login

For customers who wish to use our native login, PeopleStrong stores only a secure hash of each password, never the password itself. Unsuccessful login attempts are recorded along with successful login/logout activity for audit purposes. Inactive user sessions are automatically timed out after a customer-configurable period. Customer-configurable password rules include length, complexity, expiration, and forgotten-password challenge questions.

Infrastructure Security

PeopleStrong applications are hosted in the public cloud of leading cloud computing platforms, which are designed to protect mission-critical computer systems with fully redundant subsystems and compartmentalized security zones. Our application hosting data centres adhere to the strictest security measures, encompassing Cloud Security Alliance Controls, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2 and SOC 3.

All access to the data centres is highly restricted and stringently regulated by the Cloud Service Provider.

Network Security

PeopleStrong has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of our environment. We have also implemented proactive security procedures, such as perimeter defence, network intrusion prevention systems (IPS), intrusion detection systems (IDS), Distributed Denial of Service (DDoS) protection, application filtering, etc.

We also maintain a Network Operation Centre and a Security Operations Centre for identifying, investigating, prioritizing, escalating and resolving issues.

Application Security

PeopleStrong has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of PeopleStrong applications.

This program includes an in-depth security risk assessment and review of PeopleStrong Alt features, together with automated static and dynamic source code analysis that integrates enterprise security into the development lifecycle. Automated binary analysis and VA/PT at quarterly intervals add a further level of application security. The development process is further strengthened by application security training for developers and penetration testing of the application.

Organizational Security

Security begins on day one at PeopleStrong. All users receive security and compliance training the moment they are onboarded on the system. Though the extent of involvement may vary by role, security is everybody’s responsibility at PeopleStrong.

Application

In collaboration with a leading security vendor, we perform an application-level security vulnerability assessment of our web and mobile applications before each major release. The firm performs testing procedures to identify standard and advanced web application security vulnerabilities, including, but not limited to, the following:

  • Security weaknesses linked with Flash, AJAX, Flex and ActionScript
  • Cross-site request forgery (CSRF)
  • Improper input handling (such as cross-site scripting, SQL injection, XML injection, and cross-site flashing)
  • XML and SOAP attacks
  • Weak session management
  • Data validation flaws and data model constraint inconsistencies
  • Insufficient authentication or authorization
  • HTTP response splitting
  • Misuse of SSL/TLS
  • Use of unsafe HTTP methods
  • Misuse of cryptography

Network

External vulnerability scanning tools scan all internet-facing assets, including firewalls, routers, and web servers, for potential weaknesses that could allow unauthorized access to the network. In addition, an authenticated internal network and system vulnerability assessment is performed to identify potential weaknesses and inconsistencies with general system security policies.