Information Security at Sympa

How does Sympa build secure software? 

Security is a key component of our robust and secure software development lifecycle (SDLC), ensuring our platform is resilient against any potential threats: 

• Security and Data Protection Training: Our Engineering gets periodical data protection and security trainings
• Environment Chain: Development, testing and staging environments are separated from Production environment.
• Peer Code Reviews: Proper code reviews for all the code entered to the version control system.
• Static Code Analysis: Integrated automated code scanners for every commit to detect problems or security issues in the code commits.
• Integrated Vulnerability Scanning: Automated checks are performed throughout the SDLC to detect and address vulnerabilities in the code or used libraries. On top of this, as part of our software development process, we periodically use the OWASP ZAP (Zed Attack Proxy) tool to identify and address security vulnerabilities, ensuring our application remains a secure and trusted platform for your information.
• Robust CI/CD: Robust Continuous Integration (CI) and Continuous Deployment (CD) tooling to deploy one-touch to any environment.
• Continuous Improvement: We regularly enhance our security practices, adopting new technologies and techniques to maintain the highest levels of protection. 

How is Sympa meeting security standards and what certifications are available? 

When choosing an HR system, don’t rely on promises — choose a solution that backs up its security claims with globally recognised certifications.

• ISO 27001:2022 Certified: Demonstrating a long-standing commitment to information security since 2014.
• ISO 9001:2015 Certified: Ensuring high standards in quality management across all processes.
• Since 2014, the company has maintained ISO 27001 certification, demonstrating excellence in information security. This certification encompasses all operations and locations handling customer data. Certificates and statements of applicability are available upon request.

Why we use Microsoft Azure 

We partner with Microsoft Azure for its unmatched security, compliance, and scalability. Azure’s EU Data Boundary ensures all data is processed and stored within the EU, fully aligning with GDPR.

Azure provides top-tier protection, including FIPS 140-2 compliant encryption, 24/7 threat monitoring, and AES 256 encryption at rest. With the Bring Your Own Key (BYOK) model, you maintain full control of encryption keys, ensuring your data is always secure.

In short, Azure offers the security, reliability, and global infrastructure that local providers can’t match. 

How does Sympa ensure that our data stays secure and encrypted within the EU?

We implement a strong encryption policy and mechanism to prevent any unauthorised access to customers' personal data. Whether your data is in transit or at rest, it’s encrypted to ensure full protection at every stage. 

• Sympa creates, holds, and controls all encryption keys to customers' personal data under the BYOK (Bring Your Own Key) model.
• The hosting provider (Microsoft) or governmental authorities cannot access the personal data or the encryption keys, as Sympa control them using BYOK.
• Encryption keys for personal data stored in Sympa HR databases are managed by Sympa in FIPS 140-2 certified key vaults.
• The cloud provider does not see or does not have access to these keys.
• Personal data stored in Microsoft Azure is configured to remain within Microsoft's EU Data Boundary, meaning all processing is conducted within the EU/EEA. 

24/7 Security Operations Centre (SOC)

Sympa has elevated its cybersecurity by partnering with Elisa Cyber Security Center, Elisa Oyj (PLC), the leading telecommunications and digital services provider in Finland.

Elisa is providing 24/7 cyber security governance, including advanced SOC and SIEM services tailored for Sympa SaaS and other operations. Sympa is protected by continuous, comprehensive security monitoring and management.

For additional information, please reach out to our Chief Information Security Officer (CISO).

How does Sympa ensure flexible access control and secure logins?

We offer flexibility for customers to designate any of their employees as Sympa users, within the agreed user limits. Sympa allows for precise control over data access, enabling restrictions to specific individuals and datasets as needed. Access is typically aligned with the organizational hierarchy, but we also support customized access rights, such as those needed by IT users.

For the best security and user experience, we recommend Single Sign-On (SSO) for login and authentication. Multi-Factor Authentication (MFA) can also be enabled through the customer’s Active Directory (AD) alongside SSO. Where SSO isn’t available, Sympa supports login with individual credentials that meet password complexity standards.

How does Sympa handle risk assessments and risk management?

Risk-aware thinking is a core element of the Company’s quality management (ISO9001 certified) and information security management (ISO27001 certified) systems. Our risk assessment processes involve identifying the likelihood, impact, and mitigation options for potential risks. Protecting customer data is recognized as Sympa's highest priority. Our risk assessment and management processes undergo annual audits by a third party.

How does Sympa stay ahead of security threats?

We continuously monitor and test our systems to stay ahead of potential threats:

• Quarterly Security Audits and Penetration Testing: Every three months, we perform thorough penetration testing and security audits through a trusted third-party vendor to simulate real-world attacks and identify potential vulnerabilities. This proactive approach ensures that any weaknesses are addressed before they can be exploited.
• 24/7 Security Operations Center (SOC) -service: Our cybersecurity experts and cloud providers monitor our systems around the clock, identifying and responding to threats in real time.
• Advanced Network Security: We use a web application firewall (WAF) and other advanced protocols to prevent unauthorised access. 

How Does Sympa guarantee secure data transfers in integrations?

Data is always transferred using secure SFTP or HTTPS protocols. Integrations can be customised to include only necessary information. If another system (e.g., your payroll system) that has been integrated into Sympa only requires the person’s mailing address and not their social security number or any other data, Sympa can be customised to share only the address in the integration. 

How does Sympa handle data breaches?

Sympa ensures 24/7 monitoring and protection of customer data, supported by a clearly defined protocol for identifying, mitigating, and notifying customers about potential data breaches. Detailed responsibilities in the event of a data breach are outlined in the Data Protection Agreement attached to the Service Agreement.

The company's dedicated security organisation manages the Information Security Management System (ISMS), focusing on continuous improvement, risk assessments, security audits, employee training, 24/7 monitoring, and incident management to maintain the highest standards of information security.

What logging practices does Sympa use to protect your data?

At Sympa, data security and transparency are top priorities. Our comprehensive logging practices help organizations maintain compliance and accountability while providing clear visibility into critical actions within the system.

Key activities are meticulously logged, including records of logins, logouts (including failed attempts), and data changes -detailing who made the change and when. Approval workflows, such as requests, approvals, and declines, are also tracked to establish a reliable audit trail for decision-making processes.

To enhance your oversight, Sympa offers downloadable audit trail logs directly within the system. This feature empowers you to independently review and monitor data changes, providing greater transparency and control over your organisational data.

In addition to user-facing logs, the Sympa maintenance team manages advanced logs, such as application and technical logs, as well as records of maintenance activities within the hosting environment. All logs are securely stored and protected against tampering, ensuring the integrity of your data.

Log retention periods are carefully managed based on the type of log:

• Technical logs unrelated to customer activities are retained for 30 days.
• Logs associated with customer activities are kept for 3 to 24 months, depending on their purpose and relevance.

By combining robust logging practices with secure storage and user-focused tools, Sympa ensures that your data remains protected and accessible when you need it.