How does Sympa’s HR service help us manage HR securely and stay GDPR Compliant?
Sympa’s HR Service provides a secure and efficient solution for organisations to manage their HR processes, including HR management (HRM), HR development (HRD), and recruitment. We uphold the highest standards in personal data protection, offering a fully GDPR-compliant service that customers can trust with their data.
As a service provider, Sympa acts as a data processor, handling personal data only as directed by the customer, who acts as the data controller. In some cases, Sympa may also act as a data controller, such as when processing personal data related to customer contacts for support or invoicing.
Processing activities depend on the customer’s configuration and can include collecting data from users and APIs, storing data in service and backup systems, distributing data to users (e.g., through reports) and APIs, and managing data according to customer instructions.
Sympa's HR Service integrates data protection and privacy principles by default, with technical and organisational measures designed to meet best practices in data security.
Sympa undergoes quarterly data security audits performed by independent security experts to ensure that our data security measures align with industry standards.
Sympa’s HR Service is designed to help customers meet key GDPR principles, including:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
It’s important to note that, as the data controller, the customer is responsible for ensuring the lawfulness and accuracy of the data processed within Sympa's HR Service.
Compliance with GDPR and NIS2
We ensure full compliance with GDPR regulations, offering transparency and control over your personal data. Our already robust data security measures are being further enhanced as we align with the NIS2 Directive, strengthening the security of network and information systems across the EU.
What measures does Sympa take to ensure data protection?
Sympa is committed to adhering to all applicable legislation, applying Privacy by Design and by Default across our operations to ensure the secure processing of personal data. Sympa’s HR Service is specifically designed to support customers, acting as data controllers, in managing personal data securely and in compliance with GDPR. Data protection principles, requirements, and best practices are embedded into Sympa’s processes and operations from the start and applied consistently throughout the lifecycle of personal data processing, in line with the GDPR’s Privacy by Design and by Default principles. Our Information Security Management System (ISMS), alongside third-party security audits and certifications, provides a strong foundation for data protection. Sympa’s HR Service delivers all the essential functionalities required to meet and exceed GDPR standards:
- Sympa has a strong encryption policy, ensuring that all personal data, both in transit and at rest, is encrypted. Encryption keys for customers' data are created, held, and managed by Sympa under the BYOK (Bring Your Own Key) model.
- Any new feature involving personal data processing is reviewed by Sympa’s Legal and Data Protection Officer (DPO) before implementation.
- The Company’s information security organisation is led by Sympa’s CISO and DPO.
- Sympa employs tools and processes to both prevent and mitigate data protection risks, with customer data and system security monitored 24/7. Our incident response policy details the data breach handling process.
- Sympa’s ISO27001 and ISO9001-certified Information Security Management System (ISMS) is designed to safeguard customer data. Key methods of protection and GDPR compliance include an advanced ISMS, third-party security controls, audits, and certifications. Sympa has also conducted a Data Protection Impact Assessment (DPIA) for its HR Service, considering its role as a data processor.
- Sympa’s HR Service provides options and controls that enable customers, as data controllers, to meet their own compliance obligations. Customers can define data removal processes to align with legal requirements or organizational data retention policies. Additionally, the service supports best practices for user rights and access management.
Who can access data, and how does Sympa ensure secure and limited data access?
Access to your data is strictly controlled, ensuring that only authorised personnel can view or modify information:
- Role-Based Access Control (RBAC): You can define who has access to specific data based on their role, providing tight control over sensitive information.
- Least Privilege Principle: Access is granted only to those who require it for their job functions, minimising the risk of unauthorised access.
- Multi-Factor Authentication (MFA) and Single Sign-On (SSO): Enhanced security options like MFA and SSO ensure only verified users can access your system. MFA is enforced for all administrative users.
How does Sympa handle cross-border data transfers?
Sympa has implemented essential measures to ensure the secure processing of personal data and compliance with cross-border data transfer requirements following the CJEU’s Schrems II decision. While Schrems II does not prohibit personal data transfers between the EU and third countries, such as the U.S., it mandates extra safeguards. For instance, companies may still use the EU’s standard contractual clauses for data transfers outside the EU or EEA, provided additional protections align with Schrems II requirements and the European Data Protection Board’s (EDPB) guidance.
Sympa primarily processes customer data within the EU and EEA. All sub-processors and partners are contractually bound to handle personal data strictly according to Sympa’s instructions.
And how about cloud services?
Sympa has a service agreement with Microsoft for Azure cloud services, ensuring that all customer data is stored within the EEA (specifically in the Netherlands and Ireland) with Microsoft Ireland as the contractual party. Microsoft has implemented contractual and technical measures to keep Sympa’s customer data within the EEA, including updates to its Data Processing Agreements to comply with the Schrems II decision. All data, both in transit and at rest, is encrypted, and Sympa controls the encryption keys under the BYOK (Bring Your Own Key) model, meaning neither Microsoft nor government authorities have access to customer data or encryption keys. Additionally, data stored in Microsoft Azure is kept within Microsoft’s Data Boundary, so all processing remains within the EU/EEA. Sympa’s agreements with other sub-processors similarly restrict personal data processing to the EEA only.
What is Sympa’s data removal and backup policy?
Customers can delete personal data from the system as needed. Once removed, this data remains on disaster recovery systems for a period until it is automatically purged according to backup rotation cycles. After data has been removed from the backups, it cannot be restored.
Upon request or at the end of the customer relationship, all data is securely deleted from Sympa systems, including databases and backups, following the backup cycle rotation. Full data removal is coordinated with the customer, allowing for data to be returned to them or transferred to another system before erasure.
Where is customer data hosted and who are the key sub-processors?
Customer personal data is stored in EU data centers. Currently, Microsoft (Azure) serves as the main hosting provider, with offsite backups managed by Microsoft (Azure) or Amazon (AWS). Optional integration technologies rely on Amazon (AWS) for hosting and storage needed for integration.
For services including the Recruitment module (Recruitee):
If included, Sympa’s affiliate, Recruitee, is the main sub-processor for ATS data, hosted primarily on Google Cloud Platform. Recruitee is headquartered in the Netherlands.
For Services Including the LMS Module (360Learning):
If included, Sympa’s partner, 360Learning, serves as the main sub-processor for LMS data, with primary hosting on Microsoft Azure and additional content hosting on OVHcloud. 360Learning is headquartered in France.
Support Services
All Company support services are delivered from the Company’s European locations.
List of sub-processors
Find a detailed list of the sub-processors used in connection with Sympa's HR system here.
What are Sympa's protocols for backups and disaster recovery?
Sympa is designed and built as a high-availability (HA) service in which all components are redundant.
Sympa’s data backup and recovery strategy
Customer data backups are conducted in near real-time, with a full backup taken once a week, differential backups every 12 hours, and transactional backups every 10 minutes.
What is Sympa’s Recovery Point Objective (RPO)?
The Recovery Point Objective (RPO) for disaster recovery allows for data restoration to any point within the last 30 days at 10-minute intervals, to any day within the past three months, and to any week within the past 12 months.
In the event of a disaster, the RPO for recovery within the last 30 days is 10 minutes. If recovery is needed for data older than 30 days, the RPO extends to one day within the past three months and one week for data older than three months.
What is Sympa’s Recovery Time Objective (RTO)?
The Recovery Time Objective (RTO) depends on the severity of the disaster, as determined by our risk evaluation process. For loss of both primary and redundant services, the RTO is 60 minutes. In the event of a full data center loss, the RTO extends to seven (7) days. Backups are retained according to the following schedule: point-in-time backups for the last 30 days, daily backups for three (3) months, and weekly backups for twelve (12) months.
For services including the Recruitment module:
If your service scope includes the Recruitment module (Recruitee), the Recovery Point Objective (RPO) for ATS data is one (1) day, with ATS backups retained for 30 days.
For services including the LMS module:
If your service scope includes the LMS module (360Learning), the Recovery Point Objective (RPO) is 24 hours, with data retained for 30 days (snapshot history).
Sympa as data controller
Sympa is considered the data controller, within the meaning set forth in the General Data Protection Regulation (679/2016), for certain specific processing purposes when processing personal data of its customers’ employees. This processing is subject to the Sympa Privacy Policy and concerns mainly project management and support services.
Please note that this processing does not concern personal data included in the content of the Sympa HR SaaS Service. Sympa processes such personal data in the Sympa HR SaaS Service only on behalf of its customers and is thus in the role of data processor. This processing, carried out by Sympa in the role of data processor, is governed by the Sympa data processing agreement in place between Sympa and its customer.
Sympa’s processors when Sympa acts as the data controller
Sympa employs only trusted service providers that are contractually obliged to process personal data as instructed by Sympa. Personal data is hosted in the EU/EEA.
For more information about data processing by Sympa’s processors, you can download our list of sub-processors here.