Frequently asked questions
What advantages does putting our operation in the cloud give us?
By properly embracing cloud technology, Paycircle brings better security, countless processing efficiencies, more powerful automation and efficient and effective collaboration.
Which cloud platform is Paycircle hosted on?
We use Microsoft Azure - chosen for its limitless scalability, regulatory compliance and focus on security whilst offering a unified delivery plan and built-in Disaster Recovery capability.
Are the servers in the UK?
All customer databases are stored within the UK. We host some applications and services on servers in Western Europe through which encrypted data passes in a transient fashion. Backups are stored in other regions for reasons of contingency and disaster recovery.
What are your system uptime/downtime statistics for the last 12 months?
There were no instances of application downtime, hence our uptime is effectively equivalent to that of our hosting provider Microsoft Azure, which is at least 99.995%.
Does Paycircle hold any information security-specific certifications?
Paycircle achieved ISO 27001 certification in May 2022. Additionally, in 2021, we completed Cyber Essentials certification - a Government-backed scheme which evidences our commitment to safeguarding sensitive and personal information.
What restrictions are applied to passwords for users accessing the Paycircle application?
The following restrictions apply:
- minimum length 12 characters
- at least one number
- at least one upper case letter
- at least one lower case letter
- at least one special character
Optionally, a password expiration policy can be invoked to force a change every 90 days, with restrictions on the re-use of previous passwords.
However, passwords are only a small factor in our authentication regime. We also offer:
- IP whitelisting (restrict access locations)
- 2FA solution (using SMS or app)
- SSO integration (use your organisation's own authentication)
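The password rules listed above, as an added example (not Paycircle's own code): a checker that reports which of the stated rules a candidate password fails, a salted-hash history for the re-use restriction, and the optional 90-day expiry. The history depth of 5 and the PBKDF2 parameters are assumptions, not figures from the FAQ.

```python
"""Password policy checks modelled on the FAQ rules above (added example)."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12                 # FAQ: minimum length 12 characters
MAX_AGE = timedelta(days=90)    # FAQ: optional expiry every 90 days
HISTORY_DEPTH = 5               # assumption: previous passwords that may not be re-used
PBKDF2_ROUNDS = 200_000         # assumption: work factor for the stored hashes


def complexity_errors(password: str) -> list:
    """Return the FAQ rules the candidate violates; an empty list means compliant."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"minimum length {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("at least one number")
    if not any(c.isupper() for c in password):
        errors.append("at least one upper case letter")
    if not any(c.islower() for c in password):
        errors.append("at least one lower case letter")
    if not any(c in string.punctuation for c in password):
        errors.append("at least one special character")
    return errors


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only (salt, hash) pairs are kept, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches one of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def is_expired(last_changed_iso: str, now_iso: str) -> bool:
    """Expiry check for the optional 90-day policy; timestamps are ISO 8601 strings."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return age >= MAX_AGE


def validate_change(candidate: str, history: list) -> list:
    """All reasons a password change would be rejected (empty list = accepted)."""
    errors = complexity_errors(candidate)
    if is_reused(candidate, history):
        errors.append("re-use of a previous password")
    return errors
```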
Do you support Single Sign-On (SSO)?
Yes. Whilst Paycircle's own highly-optimised authentication/authorisation framework is entirely sufficient, we recognise that increasingly many organisations wish to use SSO in order to simplify their operation across multiple cloud-based services. To that end, we offer solutions implementing the OIDC protocol (currently AAD and OKTA).
What security measures do you have in place for people logging into Paycircle?
Two-factor authentication (2FA) is a security process in which users provide two different authentication factors to verify themselves. This process protects both the individual user and your data stored in the Paycircle system.
Can a bureau restrict team members from logging in from outside our offices?
IP whitelisting functionality is available in the application for limiting and controlling access to users in trusted locations only. You control the IP addresses that define your extended network from where users are allowed to log in.
As a cloud-based vendor, have you completed the Cloud Security Alliance's Consensus Assessment Initiative Questionnaire (CAIQ) to reflect your security controls?
Microsoft has published its own CAIQ self-assessment for Azure; that assessment is in scope for Paycircle based on our usage of the Azure cloud and our internal toolset.
How is the service monitored, what security logs are kept and for how long and can they be requested?
We utilise a security information and event management (SIEM) application. Each and every API call is logged and available for audit. Security logs are kept indefinitely and can be requested at any time.
What mitigation is in place for DoS/DDoS, ransomware and phishing attacks?
Our cloud platform has sophisticated traffic monitoring and automatic resource scalability to cope with regular or irregular load increases. We can also reassign our IP address range in response to a targeted attack. Ransomware is not applicable due to the nature of our architecture.
We have simulated phishing attacks on our own team by third party security specialists to identify any weaknesses and as an internal education process.
How does your cloud platform provider manage the overall security of the applications, networks and physical location that store, process or transmit our data?
For full details of how security is central to Microsoft's Azure platform please visit https://azure.microsoft.com/en-gb/overview/trusted-cloud/
How is the separation of traffic for multi-clients handled?
Each user request contains an encrypted token used to authenticate the sender and authorise access to resources on the platform.
How is our data separated from other users?
Our relational database design ensures that each client has a unique identifier to logically separate the data. Separate physical tenancies are available on request.
How is data secured at rest?
The data we store (data at rest) is automatically encrypted using the platform's Transparent Data Encryption (TDE) and protected by multiple firewalls that restrict connections to those from specifically authorised services within our infrastructure.
How is data secured in transit?
Transport Layer Security (TLS) ensures that data in transit is protected from interception between your browser and our servers.
How is data transferred between your network and our network?
Communication takes place over an HTTPS (TLS) connection. Credentials are checked and validated for every service requested.
How do you protect permissions and privilege access rights?
We implement the principle of least privilege - a concept in which a user is given the minimum levels of access and permission needed to perform their function. This approach is enforced across the application and our internal system management.
Within the application, payroll admin user roles have configuration options offering a highly granular permission/access landscape. Authorised users with the appropriate privileges can adjust the access rights and permissions of other users in their organisation, but not their own.
Do you monitor suspicious user behaviour?
We are investing in features available in the native Azure security layer to actively monitor user login behaviour, detect irregular patterns and take appropriate action when necessary.
Do you undertake penetration testing by a qualified third party?
Yes. It is our policy to independently and regularly verify that our systems are secure. We engage appropriately qualified agencies to perform penetration testing on a semi-annual basis and when releasing significant platform updates. Where remedial action is recommended it is completed immediately. This process was most recently completed in May 2022.
Data Protection, Regulation and Privacy
Where is the data (including backups) geographically stored?
All data is stored within the EEA. Our application servers are located in the south of the UK and in the Netherlands. Backups are stored in the same locations and are additionally geo-replicated to Ireland.
Does Paycircle share data with any third party?
No, other than when acting on an explicit request from you (the data controller), or implicitly with respect to transmission to HMRC, pension providers, etc. as part of our agreed and requested service.
Please confirm your policy on deleting personal data.
Paycircle manages personal data in accordance with GDPR and as such supports data access rights on your instruction (as data controller) including deletion requests.
Does Paycircle follow any data protection specific codes of conduct?
In addition to awareness training, our employee handbook includes guidance on the management of personal data. We are able to satisfy data access requests within ICO-mandated timelines.
Does Paycircle provide ongoing data protection awareness to their own team members?
Paycircle takes data protection very seriously. We have ongoing awareness training for all employees - a compulsory module in our induction process followed by refresher courses at least annually.
What is your legal basis for holding and processing personal data?
Paycircle is registered with the ICO under the Data Protection Act. Any personal data added to the system (in the playground, in test mode, or live) falls within the scope of GDPR and is governed by the DPA.
In the context of the GDPR, when you enter into an agreement with us, Paycircle is a data processor of the information that you (as Data Controller) enter and manage in the application. In the absence of a contractual agreement, such as in a trial, users of the system should only use representative or generated data. Such dummy data can be deleted from the system once its purpose has been served.
Paycircle is a Data Controller of the information we need to set you up and maintain you as a customer.
Can reports be downloaded to a non-corporate asset?
By definition our applications can be accessed by any device that passes the user and location authentication steps outlined above. It is your responsibility to manage devices in your own environment and to implement GDPR controls therein.
Does the application require data to be stored or cached on client devices?
No data is stored or cached locally on the client device.
Who within your company (or any external party) has access to customer data?
The only people who would have access to customer data would be those authorised by the customer to provide support services whilst using our platform.
Please confirm your ability to report any data breaches in respect of employee or client data after becoming aware of such a breach.
Naturally, reporting of any data breach to the relevant authority, and likewise informing the subject, would be compatible with the applicable regulatory regime e.g. GDPR.
Has your technology or company had any known data breaches?
Backups and Disaster Recovery
How often is application data backed up?
Customer data is backed up every 10 minutes. Our recovery model means that the database can be restored to any point in time (at 10 minute intervals) from the last 35 days.
How long is payroll and pension data retained for compliance reasons?
We also recognise that for compliance reasons our customers must retain their data long term. To that end our long term backup strategy ensures that a weekly backup is taken and will remain available for 10 years.
Can ad-hoc back-ups be requested?
These are not necessary based on the regular backup regime mentioned above.
Does Paycircle have a disaster recovery plan?
Yes, as part of agreed recovery provisions with our hosting and application supplier partners. In terms of our internal systems, since our workforce is decentralised, there is no physical location that we are reliant upon. Our operation is fluid and can run on any of multiple collaboration platforms.
Does Paycircle periodically test its disaster recovery plan?
Yes. Our database backups and application servers are regularly restored and tested to confirm viability.
What are your expected Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?
In the unlikely event of a catastrophic failure our RTO is one hour and, based on the backup schedule mentioned above, our RPO is a maximum of five minutes.
Please outline what testing (functional and non-functional) is undertaken in the development and maintenance of your applications.
Due to the nature and importance of payroll, efficient and accurate testing is central to our ethos meaning that the testing function is pre-eminent within our organisation.
With respect to functional testing:
- Unit Testing: We encourage our software engineers to adopt a test driven development (TDD) approach. Unit tests are applied to all service components and are triggered during our compilation and build processes.
- Integration Testing: Integration tests are executed automatically as part of our service pipeline deployment.
- User Acceptance Testing: Comprises a mixture of manual, feature-driven testing which reflects a Linear Automation Framework, and a growing test script library that provides regression test coverage.
With respect to non-functional testing:
- Usability is part of our core specification and feature implementation is tested prior to release to UAT.
- Compatibility is tested during our automated UI build process.
- Performance is routinely reviewed and addressed as part of our support monitoring.
- Security is implicitly maintained by integration with our cloud hosting provider best practice.
How do our staff perform 'what-if' scenarios with live company data?
Paycircle provides the ability to 'clone' a live payroll into test mode so that payroll calculations can be performed and the results evaluated before they are applied to the live payroll.
How do our staff 'play' with data to try out different features?
Paycircle provides a playground where you can set up dummy payrolls and experiment with different scenarios.