This article explains how Personio protects your data and where to find security and compliance documentation. It also covers the product settings available to help you meet your data protection obligations and data privacy considerations for specific Personio features. Personio is fully compliant with the EU General Data Protection Regulation (GDPR).
Personio Trust Center
Personio publishes all security and compliance documentation in the Personio Trust Center.
How to access the Trust Center
- Go to trust.personio.com and click Request Access.
- Fill out your details and submit your request.
- Once you receive access, sign in at trust.personio.com.
What's in the Trust Center
The Trust Center contains all legal, security, and compliance documentation for Personio, including:
- General Terms and Conditions (GTC) (including contractual notice periods and cancellation information)
- Privacy policy (for more details about how we use your data)
- Data Processing Agreement (DPA)
- Technical and Organizational Measures (TOM)
- Data Protection Officer (DPO) information
- Subprocessor list (also referred to as subcontractors)
- Security certifications and audit reports
- Data storage and security information (including encryption, hosting, backups, and access controls)
- Security and data protection policies
- GDPR compliance templates (including Data Protection Impact Assessment (DPIA) and list of processing activities)
Personio settings for data protection
Personio provides a set of product controls to help you meet your data protection obligations. We recommend reviewing and configuring these settings for your organization.
Restrict Personio Support access to your account
In compliance with GDPR, Personio employees cannot access your account by default. When access is necessary, for example, to support account setup or resolve service requests, Personio limits it to a small number of teams on an ad-hoc basis. Personio logs all access.
Account Owners can grant Personio Support access to allow our team to log in to your account and troubleshoot directly. Account Owners can revoke access at any time.
Secure your Personio account
You can take additional steps to further secure your account:
- Define employee roles according to the principle of least privilege, granting each role only the access it needs.
- Enable single sign-on (SSO) authentication.
- Enable two-factor authentication (2FA).
- Set up regular password changes for your employees.
- Use the security token feature, which alerts users to unusual session activity. Personio turns on this feature by default.
Manage email notifications
You can control whether Personio sends system email notifications to users in your account. When enabled, users can choose which notifications to receive. If you turn off this option, Personio doesn't send system email notifications to any user.
Opt in or out of subcontractors
You can opt in or out of specific subcontractors (also referred to as subprocessors) in the Data Protection Information tab. To access the Data Protection Information tab, follow these steps:
- Go to Settings.
- In the Account section, click Subscription & billing.
- Click the Data protection information tab.
Opting out of a subcontractor turns off the feature in your account that depends on it.
Data retention management for documents
If your organization stores documents in Personio, you can set rules for when documents must be reviewed for deletion. These policies can help you manage sensitive HR data and support compliance with GDPR and other requirements. To access your data retention policies, follow these steps:
- Go to Settings.
- In the Data management section, click Data retention.
Find out more about data retention policies.
Data privacy in Personio features
Some Personio features have specific data privacy considerations. See the following articles: