By properly embracing cloud technology, Paycircle brings better security, countless processing efficiencies, more powerful automation and efficient and effective collaboration.

We use Microsoft Azure - chosen for its limitless scalability, regulatory compliance and focus on security whilst offering a unified delivery plan and built-in Disaster Recovery capability.

All customer databases are stored within the UK. We host some applications and services on servers in Western Europe through which encrypted data passes in a transient fashion. Backups are stored in other regions for reasons of contingency and disaster recovery.

There were no instances of application downtime hence our uptime is effectively equivalent to our hosting provider Microsoft Azure which is at least 99.995%

Paycircle achieved ISO 27001 certification in May 2022. Additionally, in 2021, we completed Cyber Essentials certification - a Government-backed scheme which evidences our commitment to safeguarding sensitive and personal information.

The following restrictions apply:

• minimum length 12 characters
• at least one number
• at least one upper case letter
• at least one lower case letter
• at least one special character

Optionally, a password expiration policy can be invoked to force a change every 90 days, with restrictions on the re-use of previous passwords.

However, passwords are only a small factor in our authentication regime. We also offer:

• IP whitelisting (restrict access locations)
• 2FA solution (using SMS or app)
• SSO integration (use your organisation's own authentication)

Yes. Whilst Paycircle's own highly-optimised authentication/authorisation framework is entirely sufficient, we recognise that increasingly many organisations wish to use SSO in order to simplify their operation across multiple cloud-based services. To that end, we offer solutions implementing the OIDC protocol (currently AAD and OKTA).

Two-factor authentication (2FA) is a security process in which users provide two different authentication factors to verify themselves. This process protects both the individual user and your data stored in the Paycircle system.

IP whitelisting functionality is available in the application for limiting and controlling access to users in trusted locations only. You control the IP addresses that define your extended network from where users are allowed to log in.

The self-assessment has been published by Microsoft in response to CAIQ which is in scope for Paycircle based on our usage of the Azure cloud and our internal toolset.

We utilise a security and event management (SIEM) application. Each and every API call is logged and available for audit. Security logs are kept indefinitely and can be requested anytime.

Our cloud platform has sophisticated traffic monitoring and automatic resource scalability to cope with regular or irregular load increases. We can also reassign our IP address range in response to a targeted attack. Ransomware is not applicable due to the nature of our architecture.

We have simulated phishing attacks on our own team by third party security specialists to identify any weaknesses and as an internal education process.

For full details of how security is central to Microsoft's Azure platform please visit https://azure.microsoft.com/en-gb/overview/trusted-cloud/

Each user request contains an encrypted token used to authenticate the sender and authorise access to resources on the platform.

Our relational database design ensures that each client has an unique identifier to logically separate the data. Separate physical tenancies are available on request.

The data we store (data at rest) is automatically encrypted using the platform's Transparent Data Encryption (TDE) and protected with multiple firewalls that restrict connections from specifically authorised services within our infrastructure.

Transport Layer Security (TLS mentioned above) ensures data in transit is protected from interception between your browser and our servers.

Communication takes place over an HTTPS (TLS) connection. Credentials are checked and validated for every service requested.

We implement the principle of least privilege - a concept in which a user is given the minimum levels of access and permission needed to perform their function. This approach is enforced across the application and our internal system management.

Within the application, payroll admin user roles have configuration options offering a highly granular permission/access landscape. Authorised users with the appropriate privileges can adjust the access rights and permissions of other users in their organisation, but not their own.

We are investing in features available in the native Azure security layer to actively monitor user login behaviour, detect irregular patterns and take appropriate action when necessary.

Yes. It is our policy to independently and regularly verify that our systems are secure. We engage appropriately qualified agencies to perform penetration testing on a semi-annual basis and when releasing significant platform updates. Where remedial action is recommended it is completed immediately. This process was most recently completed in May 2022.

All data is stored within the EEA. Our application servers are located in South UK and the Netherlands. It's a similar story with respect to the storage of backups which is additionally geo-replicated to Ireland

No. Other than when acting on an explicit request from you, the data controller, or implicitly with respect to transmission to HMRC, pension providers, etc. as part of our agreed and requested service.

Paycircle manages personal data in accordance with GDPR and as such supports data access rights on your instruction (as data controller) including deletion requests.

As well as awareness training. Our employee handbook includes guidance on management of personal data. We are able to satisfy data access requests within ICO-mandated timelines.

Paycircle takes data protection very seriously. We have ongoing awareness training for all employees - a compulsory module in our induction process followed by refresher courses at least annually.

Paycircle is registered with the ICO under the Data Protection Act. Any personal data added on the system (in the playground, in test mode, or live) fall within the scope of GDPR and is governed by the DPA.

In the context of the GDPR, when you enter into an agreement with us, Paycircle is a data processor of the information that you (as Data Controller) enter and manage in the application. In the absence of a contractual agreement, such as in a trial, users of the system should only use representative or generated data. Such dummy data can be deleted from the system once its purpose has been served.

Paycircle is a Data Controller of the information we need to set you up and maintain you as a customer.

By definition our applications can be accessed by any device that passes the user and location authentication steps outlined above. It is your responsibility to manage devices in your own environment and to implement GDPR controls therein.

No data is stored or cached locally on the client device

The only people who would have access to customer data would be those authorised by the customer to provide support services whilst using our platform.

Naturally, reporting of any data breach to the relevant authority, and likewise informing the subject, would be compatible with the applicable regulatory regime e.g. GDPR.

No

Customer data is backed up every 10 minutes. Our recovery model means that the database can be restored to any point in time (at 10 minute intervals) from the last 35 days.

We also recognise that for compliance reasons our customers must retain their data long term. To that end our long term backup strategy ensures that a weekly backup is taken and will remain available for 10 years.

These are not necessary based on the regular backup regime mentioned above.

Yes as part of agreed recovery provisions with our hosting and application supplier partners. In terms of our internal systems, since our workforce is decentralised, there is no physical location that we are reliant upon. Our operation is fluid and can operate on any of multiple collaboration platforms.

Yes. Our database backups and application servers are regularly restored and tested to confirm viability.

In the unlikely event of a catastrophic failure our RTO is one hour and, based on the backup schedule mentioned above, our RPO is maxiumum five minutes.

Due to the nature and importance of payroll, efficient and accurate testing is central to our ethos meaning that the testing function is pre-eminent within our organisation.

With respect to functional testing:

• Unit Testing: We encourage our software engineers to adopt a test driven development (TDD) approach. Unit tests are applied to all service components and are triggered during our compilation and build processes.
• Integration Testing: Integration tests are executed automatically as part of our service pipeline deployment.
• User Acceptance Testing: Comprises a mixture of manual, feature-driven testing which reflects a Linear Automation Framework, and a growing test script library that provides regression test coverage.

With respect to non-functional testing:

• Usability is part of our core specification and feature implementation is tested prior to release to UAT.
• Compatibility is tested during our automated UI build process.
• Performance is routinely reviewed and addressed as part of our support monitoring.
• Security is implicitly maintained by integration with our cloud hosting provider best practice.

Paycircle provides the ability to 'clone' a live payroll into test mode so that payroll calculations can be performed and the results evaluated before they are applied to the live payroll.

Paycircle provides a playground where you can set-up dummy payrolls and experiment with different scenarios.