At ClayHR, we know that our customers rely on us as an important part of their business processes and record keeping. We take our responsibilities to our customers seriously, and the security and reliability of the software, systems, and data that make up the ClayHR application are our top priority.
- SSL: All information traveling between your browser and ClayHR is protected from eavesdroppers with SSL encryption. The lock icon in your browser lets you verify that you aren’t talking to a phishing site impersonating ClayHR and that your data is secure in transit.
- Firewalls: We use server-level firewalls to protect our infrastructure from outside threats. We allow specific IP and port-based access to our servers.
- Vulnerability scanning: We use AWS vulnerability tools like AWS Inspector and AWS Test Advisor. These scans test our servers both from the Internet and from inside our network, and any newly identified problems are addressed as quickly as possible.
- Strong encryption: ClayHR uses industry-standard encryption protocols and practices to responsibly transmit any sensitive information.
All of our security controls and risk analysis are based around the premise of protecting customer data. In addition to encryption, our customer data security controls include:
- Who has access to customer data? – ClayHR’s access to customer data is highly restricted, and access requests by our support personnel follow a highly controlled and documented process. Before access is granted, employees must complete special security training to handle customer data. We conduct periodic user access reviews to ensure that no unwanted access remains open.
- Who did what, when and where? – All activity is logged in a protected system.
- How are incidents reported? – ClayHR is SOC compliant and therefore follows a strict incident response process designed to handle customer data incidents.
- Are our employees trained to handle data? – Yes, all ClayHR employees are required to participate in security training.
- Backup servers and data centers: The ClayHR infrastructure uses AWS storage and servers to keep the application and your data available and safe at all times. Every server has backup servers, and we continuously back up the database.
- Responsible Disclosure of Security Vulnerabilities: If you are a security researcher and think you’ve found a security vulnerability in our service, product, or website, please visit our Responsible Disclosure Policy page.
THIRD-PARTY CERTIFICATIONS AND AUDITS
Third-party certifications and audits are an important component of any mature security program. We have a number of respected third-party agencies that certify and audit our environment.
ClayHR’s certifications, compliances, and audits include:
- SOC2 Type 1
- Privacy Shield
ClayHR hosts its data using Amazon Web Services (AWS), which is also SOC 2 certified.
CERTIFICATIONS WITH THE DEPARTMENT OF COMMERCE
EU-US & SWISS-US PRIVACY SHIELD
ClayHR has achieved EU-US & SWISS-US PRIVACY SHIELD certification with the US Department of Commerce.
OTHER RELEVANT CERTIFICATIONS
The ClayHR cloud is hosted in an AWS environment using services that comply with ISO/IEC 27001:2013, 27017:2015, 27018:2019, ISO/IEC 9001:2015, and CSA STAR CCM v3.0.1.
Our comprehensive GDPR program is supported by key privacy principles — Accountability, Privacy by Design and Default, Data Minimization, Subject Access Rights, among others. Below are some aspects of the GDPR program at ClayHR, and how our products support customers in meeting their compliance obligations.
Read ClayHR’s Commitment to GDPR.
REGISTRATION AND OPERATING LAWS
ClayHR is registered in Delaware, United States of America. Company headquarters are in Reston, Virginia. For more details, please see the contact page. ClayHR operates under the laws of the Commonwealth of Virginia and the federal regulations of the US.
LOCATION OF SERVERS AND DATA
ClayHR uses Amazon Web Services (AWS) resources located in many different regions. For a list of AWS regions, please see the relevant AWS documentation. If you would like a server located in a specific region to be used to serve your users, this can be arranged for a fee. Please get in touch with your account manager.