Which cloud platform is Paycircle hosted on
We use Microsoft Azure - chosen for its limitless scalability, regulatory compliance and focus on security whilst offering a unified delivery plan and built-in Disaster Recovery capability.
Are the servers in the UK?
Our critical services are based in the UK, with some others elsewhere in Western Europe.
What advantages does putting our operation in the cloud give us?
By properly embracing cloud technology, Paycircle brings better security, countless processing efficiencies, more powerful automation and efficient and effective collaboration.
What security measures do you have in place for people logging into Paycircle?
2FA (two-factor authentication) is a security process in which users provide two different authentication factors to verify themselves. This process protects both the individual user and your data stored in the Paycircle system.
Can a bureau restrict team members from logging in from outside of a bureau’s offices?
We use IP whitelisting functionality for limiting and controlling access to users in trusted locations only. You control the IP addresses that define your extended network from where users are allowed to log in.
How is access managed for people joining or leaving a bureau?
Bureaus can manage their own administrators and permissions for administrators for anyone joining or leaving their bureau team.
How do you protect permissions and privilege access rights?
Only authorised users with the correct privileges can adjust the access rights and permissions of other users.
How will data be transferred between your network and our bureau’s network?
Communication takes place over an HTTPS (TLS) connection, credentials are checked and validated for every service requested.
How is data secured in transit and at rest?
Transport Layer Security (TLS mentioned above) ensures data in transit is protected from interception between your client and our servers. Any data we store (data at rest) has all the protections afforded by the Azure platform including multiple firewalls and limiting connections to only authorised services hosted within the Azure infrastructure.
How will our bureau’s data be separated from other bureau’s data?
Our relational database design ensures that each client has an unique identifier that is used to logically separate the data.
How is the separation of traffic for multi-clients handled?
The traffic contains an encrypted token which is used to authenticate and authorise all requests made to the platform.
Which security company do you use to vet the overall security of the applications, networks and physical location that store, process or transmit our data?
We make use of the Microsoft Azure platform. For full details relating to the security of Azure visit https://azure.microsoft.com/en-gb/overview/trusted-cloud/
What mitigation is in place for a DoS/DDoS, Ransomware and Phishing attacks?
Microsoft Azure allows for us to monitor the traffic load on the system and if we detect large spikes we can spin up new virtual machines and reassign our IP address. Ransomware is not applicable due to the nature of our architecture. We have simulated phishing attacks on our own team by third party security specialists to identify any weaknesses and as an internal education process.
Is your system able to connect to a cloud based ID management system so that access can be managed via our bureau’s Active Directory?
Paycircle has its own access and authorisation system and does not make use of Active Directory; we are happy to discuss with our partners how we can share information securely using custom solutions which can be regulated by Active Directory.
How is the service monitored, what security logs are kept and for how long and can they be requested?
Monitoring is performed via logging of each API call that is made. Security logs are kept indefinitely and can be requested anytime.
Does Paycircle hold any information security specific certifications?
We have identified these as desirable and related activity is in progress.
Backups and Disaster Recovery
How often is our data backed up?
How long is the retention period and can this period be extended or reduced?
The retention period is 3 years - this can be extended or reduced.
What about specific payroll and pension compliance data?
Data retention can be extended on demand up to a maximum of 10 years where necessary for compliance reasons.
Can ad-hoc back-ups be requested?
What is the recovery period of restoring a back-up from request to available data?
This is available and can be provided within 24 hours or according to an agreed SLA.
Are backup files periodically restored as a test to verify they are usable?
Yes. We restore and verify the database on a weekly basis.
Data Protection, Regulation and Privacy
Has your technology or company had any known data breaches?
Please confirm your ability to report any data breaches in respect of employee or client data after becoming aware of such a breach.
Naturally, reporting of any data breach to the relevant authority, and likewise informing the subject, would be compatible with the applicable regulatory regime e.g. GDPR.
Who would have access to our bureau’s data within your company or any external party?
The only people who would have access to your bureau’s data would be those authorised by your bureau to provide support services to your bureau while using our platform.
What is your legal basis for holding and processing personal data?
Paycircle is a data processor as defined in the GDPR.
Do you require your own team to complete mandatory data protection training, at least annually, as part of acknowledging and enforcing ongoing data protection obligations?
Yes. It is a compulsory module in our induction process.
Does Paycircle provide ongoing data protection awareness to their own team members? (i.e. through newsletters, emails, seminars and briefings etc.)
Paycircle treats data protection very seriously, and as such we have a defined role within the company for maintaining awareness of related issues and information and its dissemination to our employees.
Does Paycircle follow any data protection specific codes of conduct?
As well as awareness training. Our employee handbook includes guidance on management of personal data. We are able to satisfy data access requests within ICO-mandated timelines.
Please confirm your policy on deleting personal data.
Paycircle manages personal data in accordance with GDPR and as such supports data access rights including deletion requests.
Does Paycircle share data with any third party?
No. Other than when acting on an explicit request from the user, or implicitly with respect to transmission to HMRC, pension providers, etc. as part of our agreed and requested service.
Does Paycircle have a current disaster recovery plan for recovering our bureau’s data?
Yes as part of agreed recovery provisions with our hosting and application supplier partners. Since our workforce is decentralised there is no specific premise that we are reliant upon. Our operation is fluid and can operate on any of multiple collaboration platforms.
Does Paycircle periodically test its disaster recovery plan?
Yes. Our database backups are regularly restored and tested in an identical environment to that in production. Productivity tools are interchangeable in normal operation. We are working with other service providers to test DR.