Security at 247HRM
Securing your data is paramount. We use a multi-layered approach to keep your information protected at every stage, whether at rest, in transit, or in our processing workflows. Our infrastructure and processes are designed to meet and exceed industry standards.
247HRM is built for organisations that handle sensitive HR, payroll, and employee data. The certifications and controls below summarise how we protect that data across our platform, our infrastructure, and our day-to-day operations.
ISO/IEC 27001
Certified under ISO/IEC 27001:2022 for information security management, with regular audits and continuous improvement.
ISO/IEC 27701
Certified under ISO/IEC 27701:2019, operating a Privacy Information Management System (PIMS) aligned with global privacy best practices.
SOC 2 Type II
Our AWS infrastructure operates under SOC 1, SOC 2, and SOC 3 System and Organization Controls reports for managing data securely.
GDPR aligned
Our processes are designed to comply with data protection regulations, including GDPR, supported by strict privacy protection protocols.
Encryption in transit and at rest
AES-256 encryption protects data at rest, and TLS with 256-bit encryption protects all data in transit between your browser and our servers.
Role-based access control
Access to critical assets follows a zero-trust policy enforced through a secure VPN with multi-factor authentication, so only authorised personnel reach sensitive data.
India-resident data
All data resides within India, hosted on AWS Mumbai with a backup environment in AWS Hyderabad, complying with local regulations.
Backups and disaster recovery
Our backup environment in AWS Hyderabad ensures minimal disruption, so your data remains safe and accessible even in unexpected events.
Secure SDLC
Security best practices are embedded across our development workflow, supported by ongoing employee training and routine reviews.
Monitoring and threat protection
Enterprise endpoint protection, AWS GuardDuty firewalls, AWS Shield DDoS protection, and continuous monitoring guard our infrastructure in real time.
Data protection
We use industry-standard AES-256 encryption to protect data at rest. For data in transit, we employ TLS (Transport Layer Security), so that all communications between your browser and our servers are encrypted with 256-bit encryption. Even if data is intercepted, it remains unreadable and secure.
We use Extended Validation (EV) SSL certificates to authenticate the identity of our website and establish an encrypted connection between your browser and our servers, providing the highest level of authentication. All traffic runs over HTTPS, so data in transit is protected from eavesdropping, tampering, and message forgery.
With ISO/IEC 27701:2019 certification, we operate a Privacy Information Management System (PIMS) that protects your data privacy in line with global best practices. We follow strict protocols so that your data is accessed only by authorised individuals and used only for its intended purposes, and our processes are designed to comply with data protection regulations including GDPR.
Access control
Access to critical assets is governed by a zero-trust policy, enforced through a secure VPN that requires multi-factor authentication. This reduces the risk of unauthorised access by ensuring that only authorised personnel can reach sensitive data. We employ a leading enterprise-grade endpoint security system, including antivirus, firewall, and antimalware protection, so that all endpoints are protected from the latest threats in real time.
Infrastructure and data residency
Our primary infrastructure is hosted on AWS in Mumbai, with a backup environment in AWS Hyderabad. By hosting on AWS, we inherit its state-of-the-art security features and extensive certifications, including ISO 27001, ISO 9001, ISO 27701, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and PCI DSS Level 1.
AWS data centres are among the most secure facilities in the world, with strict physical access controls including biometric scanning, video surveillance, and 24/7 on-site security personnel. They are designed with multiple layers of redundancy for power, networking, and connectivity, and use advanced climate control, fire detection, and suppression systems to protect hardware.
All data resides within India, complying with local regulations. Exceptions include our social features, geo-tagging, and upcoming AI features, which may use global services for enhanced functionality. Our backup environment in AWS Hyderabad ensures minimal disruption to services, so your data remains safe and accessible even in unexpected events.
We leverage AWS security services such as AWS Shield, AWS WAF, and AWS Key Management Service (KMS) to protect your data, and AWS GuardDuty for firewall protection. Vulnerability Assessment and Penetration Testing (VAPT) is conducted periodically to identify potential vulnerabilities, alongside our primary focus on preventive measures through robust infrastructure, continuous monitoring, and adherence to best practices.
Compliance and culture
247HRM is certified under ISO 9001:2015, ISO/IEC 27001:2022, and ISO/IEC 27701:2019. These certifications reflect our adherence to globally recognised standards for quality management, information security, and data privacy. To keep these standards embedded in our daily operations, all employees take part in ongoing training on security best practices, and we conduct regular audits and reviews so that we continue to meet and exceed ISO requirements.
Responsible disclosure
We welcome reports from security researchers and customers who believe they have found a vulnerability in our Service. If you discover a potential security issue, please contact us at the address below with enough detail for us to reproduce and investigate it. We ask that you give us a reasonable opportunity to address the issue before any public disclosure, and that you avoid actions that could harm our users or their data while testing.
Security and privacy contact: info@247hrm.com
Address: 2nd Floor, Sanali Info Park, Road No. 2, A Block, Park View Enclave, Banjara Hills, Hyderabad, Telangana 500034, India
Frequently asked questions
How does 247HRM protect my data?
247HRM uses encryption in transit and at rest, role-based access controls and audited cloud infrastructure to keep HR and payroll data secure.
Where is my data hosted?
Data is hosted on secure cloud infrastructure with regular automated backups.
Is 247HRM compliant with Indian regulations?
247HRM is built for Indian statutory compliance — PF, ESI, PT and TDS — and follows data-protection best practices.
Who can access employee data?
Access is strictly role-based: employees, managers and HR see only the data their role permits.