Performance™ is here! Take control of your review process. Learn more
Performance™ is here!
This Security Statement applies to the products, services, websites and apps offered by Ironflow Technologies Inc., which are branded as “PurelyHR”, except where otherwise noted. We refer to those products, services, websites and apps collectively as the “Services” in this Statement. This Security Statement also forms part of the user agreements for PurelyHR customers.
PurelyHR’s information systems and infrastructure are hosted within secured, world-class, SOC 2 accredited data centers. Physical security controls at our data centers include 24x7 monitoring, cameras, visitor logs and entry requirements.
PurelyHR is compliant with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and can therefore accept or process credit card information securely in accordance with these standards. PurelyHR re-certifies this compliance annually.
Access to PurelyHR’s technology resources is only permitted through secure connectivity (e.g., VPN, SSH) and requires multi-factor authentication. Our production password policy requires complexity, expiration, and lockout and disallows reuse. PurelyHR grants access on an as-needed basis, reviews permissions quarterly, and revokes access within 12 hours of employee termination.
PurelyHR maintains and regularly reviews and updates its information security policies on an annual basis.
PurelyHR conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, PurelyHR communicates its information security policies to all personnel, and requires new employees to sign employment agreements.
PurelyHR maintains a documented vulnerability management program which includes periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned using trusted third party vendors. Critical patches are applied to servers on a priority basis and as appropriate for all other patches.
We encrypt your data in transit using secure TLS cryptographic protocols. We also pseudo-anonymise all personal data at rest.
Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten.
Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
PurelyHR maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company-issued devices are equipped with up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.
PurelyHR maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are reviewed regularly.
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if PurelyHR learns of a security breach, we will notify affected users without undue delay so that they can take appropriate protective steps. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
PurelyHR’s databases are backed up on a rotating basis of full and incremental backups and verified regularly. Backups are stored within the production environment to preserve their confidentiality and integrity and are tested regularly to ensure availability.
Keeping your data secure also requires that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems.