The protection of your data is crucial to us and represents a key component of the products and services provided by Personio. We observe data protection requirements as a matter of course, particularly those of the EU General Data Protection Regulation (GDPR).
Tip:
To learn more about data protection at Personio, visit the Personio Trust Center. If you have questions about data protection at Personio, contact datenschutz@personio.de.
What are the requirements of the EU GDPR?
The GDPR came into force as national law on 25 May 2018. It aims to strengthen data protection law throughout Europe. It also aims to create a uniform legal framework across the EU. As an organization and in terms of our software, Personio is fully compliant with the GDPR. This means that your personal data is protected. We have introduced technical and organizational procedures to ensure our data processing security.
Where is my data stored?
Personio uses Amazon Web Services (AWS) as a hosting provider. We store all our customer data on ISO/IEC 27001-certified servers in Frankfurt. The data doesn't leave the EU. The servers thus fulfill our strict requirements for the physical security of your data. Our Data Protection Officer and the state Data Protection Authority have confirmed that the use of AWS in Germany complies with data protection regulations.
How is my data stored?
Your Personio data remains secure both during transit and at rest. Learn more about Personio's data storage policies.
Who can access my data?
We store all data in encrypted form, and we generate the master keys. This ensures that neither AWS nor any other third parties have access to your data. The master keys are secured and not freely accessible.
At Personio, only our Product Managers, Customer Success Team employees (customer system side), and our Infrastructure Team (server side) have access on an ad-hoc basis. This is necessary to assist with the initial setup of your account and to deal with service requests. The allocation of access rights and access to customer systems is always logged. The customer determines whether to give our support staff access to a Personio account. Learn more about support access.
Where can I find out about Personio's data security policies?
Learn more about our data security policies in the Personio Trust Center.
How can I harden or secure a Personio instance?
We create new Personio instances using industry best practices. There's no need to adjust the default settings for security. You can take steps to further harden your instance, as required by your organization’s security policies:
- Define employee roles according to the principle of least privilege.
- Enable single sign-on (SSO).
- Enable two-factor authentication (2FA).
- Set a strong password policy.
Additionally, the security token feature alerts users to unusual session activity. This feature is always on and cannot be disabled.
How does Personio show the application is compliant with the GDPR?
We have implemented several measures to comply with the GDPR obligations. This includes privacy-friendly default settings and organizational rules. We also have regular external audits by Bitkom Consult to ensure GDPR compliance. They have concluded that our software meets the requirements for the development and operation of HR software within the GDPR framework.
The same applies to our data protection management when processing personal data on behalf of our customers.
We are committed to continuous improvement. We frequently review our measures to ensure they align with the latest technical standards. Visit our security policies for more information.
Has Personio appointed a data protection officer?
Personio employs the services of Bitkom Servicegesellschaft mbH as our Data Protection Officers. Bitkom is a leading digital economy consultancy in Germany. They audit Personio’s compliance with data privacy requirements.
How does Personio support me as a customer with our data protection impact assessment?
We support our customers by providing relevant information for data protection. This includes the Data Processing Agreement (DPA) with service descriptions and our Technical and Organizational Measures (TOM). As the controller, you can use these in line with Article 35 of the EU GDPR to carry out the Data Protection Impact Assessment (DPIA). You can find the TOM and DPA in the Data Protection Information section of your account.
Where can I find the technical and organizational measures (TOM)?
We keep this information in our Personio Software as a single source of truth to meet our information duties. You can access the TOM in the Data Protection Information section of your account.