HRM8 handles hiring and people data, so security and privacy are built into how we work. This page explains how we protect data, and is honest about what is in place today and what is on our roadmap.
We design the platform to protect the confidentiality, integrity and availability of the data entrusted to us. Security is a shared responsibility: we secure the platform and infrastructure, and customers are responsible for managing their own users, access and the data they choose to put into the Services.
The platform runs on Amazon Web Services, a leading cloud provider with strong physical and infrastructure security and its own independent certifications. We use managed, hardened cloud services and follow the principle of least privilege for access to production systems. Your data is processed in the AWS region or regions in which the Services are hosted.
Data is encrypted in transit using current TLS standards, and data at rest is encrypted using industry-standard algorithms. Keys are managed using cloud key management services with restricted access.
Access to customer data is restricted on a need-to-know basis and protected by role-based access controls. We support single sign-on and multi-factor authentication for account access, and we encourage customers to enable them. Administrative access to production systems is limited, logged and reviewed.
Security is part of how we build. We follow secure development practices, review changes before release, keep dependencies maintained, and test the platform for vulnerabilities. This includes peer review of code changes, automated scanning of dependencies for known vulnerabilities, and security testing of the platform, which we expand as we move toward and through general availability.
Customer data is logically separated so that each customer can only access their own data through the Services. Access is enforced by the application and supported by our infrastructure controls.
We design for resilience and take regular backups so data can be recovered. Backups are retained for a limited period, and our systems are designed so that data can be restored after an incident. We aim to keep the Services available and use reasonable measures to do so. We do not publish time-bound performance promises here; any specific service levels are agreed in writing where offered. We may publish status and maintenance information.
We are honest about where we are. As we move toward general availability:
We will update this page as our certifications and attestations progress.
How we handle personal data is set out in our Privacy Policy. For business customers, we make a Data Processing Addendum available that governs our processing of personal data on their behalf. See our Data Processing Addendum.
Your data is yours. You can export your data while your account is active, and we make your data exportable to you on request. We do not sell personal data. When a relationship ends, we return or delete data in line with our agreement and the Privacy Policy, except where we are required to keep it by law.
Where the Services use artificial intelligence, including in assessments, the outputs are designed to support human decisions, and experienced consultants are involved in the professional outputs we deliver. We build AI features with appropriate safeguards and expect customers to apply human review where the law requires it.
We use a small set of vetted service providers to help run the Services, such as cloud hosting. We keep a current list of sub-processors and the role each plays. See our sub-processor list.
If you believe you have found a security vulnerability or have a security concern, please contact our security team at info@hrm8.com. We welcome responsible disclosure and will work with you in good faith to investigate and address valid reports.