Security at Nmbrs
Safe HR and Payroll software is both our profession and guarantee. The security of our platform, network and products are our highest priority day and night.
We safeguard your privacy
Nmbrs will never use the data for purposes other than HR- and payroll related practice, and we are determined to make sure nobody else ever will. All customer data that requires storage is located in the Equinix datacenter with the highest levels of security and operational reliability. When data-sharing occurs with applications or tools that enhance our product, this happens in compliance with the EU Data Protection Act. That means that the shared information is very limited and does not expose any kind of personal sensitive data.
We treat all data in our application carefully, securely and confidentially. The processing of data is done exclusively in accordance with existing guidelines of existing laws and regulations. By using our application, one agrees to the use of his or her data, as described in our privacy statement.
The new General Data Protection Regulation (GDPR) went live on May 25th, 2018. Obviously, this has implications for Nmbrs and its services. Since the 1st of February, we have employed a compliance and risk officer, who is dedicated to rolling out this project. Of course, the compliance officer is registered at the Dutch Data Protection Authority and will make sure to inform all those involved as accurately as possible.
We are committed to handle all data in our application carefully, safe, and confidentially. We process data exclusively in accordance with existing guidelines, restricted exclusively to HR- and payroll related practice. When using our application, one agrees with the use of his or her data as outlined in our privacy policy.
Nmbrs uses the services of other companies. Think about datacenters, product development systems, support solutions. In legal terms these parties are called subprocessors. Find a list of all our subprocessors right here.
How do we secure your data?
Nmbrs have taken measures to make Nmbrs both secure and convenient for our partners and users. We use several tools for application, infrastructure and user monitoring that alert our operations team to act in critical situations. For the complete picture, the Nmbrs IT whitepaper offers an elaborate explanation of the efforts and policies that help secure our data.
Data traffic to our servers is controlled 24/7 from a central control room. Within 30 minutes, Nmbrs will respond to unauthorized attempts to access to the web service, irregular traffic or other attempts to subvert Nmbrs. The Nmbrs infrastructure is protected by a Firewall managed by hosting partners that continuously identify potential threats. Each server that is accessible from the Internet (web-servers) is also protected by an extra Operating System Firewall.
The client/Server communication is done with HTTPS, which guarantees data integrity and prevents data tampering. The Nmbrs certificate uses a 2048 bit encryption. The HTTPS transport layers uses a standard TLS without fallback to SSLv2/SSlv3, which are disabled because of security reasons. Internet users are able to recognize the SSL-secured status by the lock icon before the website URL, and Extended Validation SSL-secured websites by the green address bar.
Nmbrs offers a range of policies for password requirements, including options for periodical password resets and pin codes. Furthermore, Two-factor authentication provides an optional second authentication level. Nmbrs does not store user's passwords itself in the database, but instead, a salted hash of the password. This prevents password stealing even with database access.
Every user has a whitelist with approved IP addresses to access the system. When users access the system from a new IP address an email is sent to verify the new IP. It is also possible to restrict access to Nmbrs to a list of IP’s or IP ranges. This measure helps to to prevent third parties from entering Nmbrs accounts from alien locations and devices.
Who verifies our quality?
Nmbrs consults external parties to verify our operational excellence, procedures and methodologies. Nmbrs maintains a set of compliance certifications that provide independent verification of our quality.
Nmbrs has produced an ISAE 3402 report. One of the purposes of this ISAE 3402 Type II report is to provide Nmbrs customer with information to obtain an understanding of the design and implementation of controls implemented by Nmbrs, which are relevant to the control of the user organisation’s internal processes for the purpose of the audit of their financial statements. Find out more information about the report right here.
What policies do we deploy?
A number of legal documents is important to both us at Nmbrs, as well as our customers, our prospects, and users of our application. To make it easy to find the information you’re looking for, we’ve assembled them here under one roof, provided with a quick rundown of the individual regulations.
A processor agreement concerns an agreement about confidentiality, security, privacy, data elimination and other obligations. If you are a (new) customers looking for our standard processor agreement, we have included this in our general terms and conditions. When you subscribe for a Free Trial and again when you give the order confirmation you agree to these conditions.
In the unfortunate event that a user or hacker identifies a vulnerability in our product, the Responsible Disclosure Policy provides instructions that ensure that information about the weakness will be handled confidentially, and investigated with high priority. Find out more about this policy right here.
How can we work even safer?
To be an online software means that online crime is a risk of our service. Cyber criminals may attempt to obtain sensitive information by accessing individual accounts or using our name and image. We believe that the most forceful weapon against this form of crime is shared knowledge. Therefore, we aim to provide all our users and partners with clear knowledge and instructions on how to deal with possible attempts to online crime.
