Security Policy
Is your data secure?
At CastHR, we take security very seriously. The highest information security and privacy standards are part of our product and our company’s integrity:
Compliance Certifications and Memberships: We follow best practices and industry standards and align our controls with industry-accepted security and privacy frameworks, helping our customers meet their own compliance requirements.
Integrating with the best security practices in the industry: CastHR constantly invests in protecting your data. We put security measures in place and maintain policies and procedures to comply with the required data security standards, and we keep taking the measures needed to raise our information security level.
Complete control over role-based segregated data: you decide who can access your data. Through the permissions system, you grant access so that the relevant people see the relevant information at the right time. Your data is protected at every stage, end to end.
What is CastHR doing to meet security standards? As a SaaS company, we work tirelessly to meet the ideal security standards to protect our customers from security vulnerabilities.
Who can access my data?
We should look at two types of parties that can get access to your data:
You and your staff: your staff have access to the data according to the access rights you grant them. You control who can view, edit, upload and download each piece of information or document, based on the role assigned to that person.
Our staff: a small number of periodically trained, authorized company personnel can gain access to your data. Any team member doing so performs specific, audited tasks at your request via our support desk and only after receiving your consent.
Is my data backed up?
Our data centers back up all the data at least once a day, and the backups are fully restorable for disaster recovery purposes. We nevertheless recommend that you periodically keep your own backup of your HRIS data, using our scheduled reports or our API.
Where and how is my data stored and secured?
Your data is stored in the following ways:
Facilities
CastHR hosts data primarily in Hetzner DE data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn more about compliance at Hetzner.
Hetzner’s infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and, ultimately, your data.
On-Site Security
Hetzner’s on-site security includes several features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.
Data Hosting Location
CastHR uses Hetzner data centers in Germany for primary hosting and Hetzner Frankfurt for disaster recovery.
What type of network security do you have?
CastHR protects your data with a secure network and multiple additional protection and technology measures, including:
Dedicated Security Team
Our globally distributed security team is on call 24/7 to respond to security alerts and events.
Protection
Our network is protected using Hetzner's key security services, regular audits, and network intelligence technologies that monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones.
Network Vulnerability Scanning
Network security scanning gives us deep insight so we can quickly identify out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program done each year, CastHR employs third-party security experts to perform a broad penetration test across the CastHR production and corporate networks.
Security Information and Event Management
Our Security Information and Event Management (SIEM) system gathers extensive logs from essential network devices and host systems. The SIEM correlates these events and raises alerts that notify the security team for investigation and response.
Intrusion Detection and Prevention
The application ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems generate alerts when event counts or other monitored values exceed predetermined thresholds, and they use signatures that are regularly updated as new threats emerge. Monitoring runs 24/7.
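The threshold and correlation behaviour described in the SIEM and intrusion detection paragraphs above, as an added example that is not CastHR's code or configuration: a Go program that replays authentication log lines, applies a sliding-window threshold rule per source address, and then a correlation rule that fires when a source that already tripped the threshold goes on to authenticate successfully. The log line format, the sample lines, the addresses (RFC 5737 documentation ranges) and the 5-failures-in-5-minutes threshold are all constructed assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

type Event struct { // one parsed authentication log line
	At   time.Time
	Kind string // "auth_failure" or "auth_success"
	User string
	Src  string
}

type Alert struct { // what a rule emits for the security team to investigate
	Rule  string
	Key   string // the source address the rule keyed on
	Count int
	At    time.Time
}

// sampleLog is constructed for this example; the line format is an assumption.
const sampleLog = `2024-05-01T10:00:01Z auth_failure user=alice src=203.0.113.5
2024-05-01T10:00:09Z auth_failure user=alice src=203.0.113.5
2024-05-01T10:00:15Z auth_failure user=bob src=203.0.113.5
2024-05-01T10:00:22Z auth_failure user=carol src=203.0.113.5
2024-05-01T10:00:30Z auth_failure user=dave src=203.0.113.5
2024-05-01T10:00:41Z auth_success user=dave src=203.0.113.5
2024-05-01T10:03:00Z auth_failure user=erin src=198.51.100.7
2024-05-01T10:20:00Z auth_failure user=erin src=198.51.100.7
`

// parseLine turns one log line into an Event; malformed lines are skipped.
func parseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{At: at, Kind: fields[1]}
	for _, kv := range fields[2:] {
		if k, v, ok := strings.Cut(kv, "="); ok && k == "user" {
			ev.User = v
		} else if ok && k == "src" {
			ev.Src = v
		}
	}
	return ev, true
}

// Correlate replays the log in time order: a sliding-window threshold rule per
// source (raised once), then a correlation rule for a success from a source
// that already tripped the threshold, which is the more urgent alert.
func Correlate(log string, window time.Duration, maxFailures int) []Alert {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if ev, ok := parseLine(sc.Text()); ok {
			events = append(events, ev)
		}
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	recent, tripped := map[string][]time.Time{}, map[string]bool{} // per source
	var alerts []Alert
	for _, ev := range events {
		switch ev.Kind {
		case "auth_failure":
			kept := recent[ev.Src][:0] // in-place filter: drop failures older than window
			for _, t := range recent[ev.Src] {
				if ev.At.Sub(t) <= window {
					kept = append(kept, t)
				}
			}
			kept = append(kept, ev.At)
			recent[ev.Src] = kept
			if len(kept) >= maxFailures && !tripped[ev.Src] {
				tripped[ev.Src] = true
				alerts = append(alerts, Alert{Rule: "brute_force_threshold", Key: ev.Src, Count: len(kept), At: ev.At})
			}
		case "auth_success":
			if tripped[ev.Src] {
				alerts = append(alerts, Alert{Rule: "success_after_brute_force", Key: ev.Src, Count: 1, At: ev.At})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Correlate(sampleLog, 5*time.Minute, 5) {
		fmt.Println(a.At.Format(time.RFC3339), a.Rule, a.Key, a.Count)
	}
}
```

Keying the threshold on the source rather than the user is what catches password spraying, where each account sees only one failure. The correlated second rule is the one worth paging on: a bare threshold alert is frequently noise, while a success from a source that was just brute-forcing is not. The two failures from 198.51.100.7 are 17 minutes apart and correctly produce nothing.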
Threat Intelligence Program
CastHR participates in several threat intelligence-sharing programs. We monitor threats posted to these networks and act based on risk.
Logical Access
Access to the CastHR production network is granted on an explicit need-to-know basis, follows the principle of least privilege, is frequently audited and monitored, and is controlled by our CS Team. Employees accessing the production network are required to use multi-factor authentication.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams, which provide operations, network engineering, and security coverage. Employees are trained on the security incident response process, including communication channels and escalation paths.
Tell me about encryption
Encryption in Transit
All communications with the CastHR UI and APIs over public networks are encrypted with industry-standard HTTPS/TLS (TLS 1.2 or higher), so traffic between you and CastHR is protected in transit.
Encryption at Rest
Data is encrypted at rest in Hetzner using AES-256. Our data encryption has two layers:
- Database at rest: RDS storage encryption with AES-256 keys managed in KMS
- Application layer: all financial and salary data is additionally encrypted by the application with KMS-managed AES-256 keys before it is stored, so a party who can read the database but cannot call the KMS still cannot read it
Only a select few people have access to the database and the KMS, for maintenance purposes only, and they are bound by strict legal and security safeguards (confidentiality and non-disclosure provisions, permission management, etc.).
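As an added example (not CastHR's code or its actual KMS integration), here is what the application layer of the two-layer scheme above looks like in Go: each record gets its own AES-256 data-encryption key (DEK), the field is sealed with AES-256-GCM under that DEK, and the DEK is wrapped by a key-encryption key that only the key service holds, so the database column carries only the wrapped DEK and the ciphertext. The in-memory kms type stands in for the real KMS, and the record identifiers and salary value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// kms stands in for the managed key service: it holds the key-encryption key
// (KEK) and exposes only Wrap/Unwrap. Assumption for the example, not a real KMS.
type kms struct{ kek []byte }

func newKMS() (*kms, error) {
	kek := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &kms{kek: kek}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; tampering with ciphertext, nonce or aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func (k *kms) Wrap(dek []byte) ([]byte, error)       { return seal(k.kek, dek, []byte("dek")) }
func (k *kms) Unwrap(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped, []byte("dek")) }

// EncryptedField is what the application stores in the database column:
// the wrapped per-record data-encryption key (DEK) and the field ciphertext.
type EncryptedField struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptField generates a fresh DEK per record, seals the value with it and
// wraps the DEK through the KMS. The record ID is bound as AAD, so the same
// ciphertext copied into another employee's row will not decrypt.
func EncryptField(k *kms, recordID, value string) (EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedField{}, err
	}
	ct, err := seal(dek, []byte(value), []byte(recordID))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := k.Wrap(dek)
	return EncryptedField{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptField unwraps the DEK through the KMS and opens the field.
func DecryptField(k *kms, recordID string, f EncryptedField) (string, error) {
	dek, err := k.Unwrap(f.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, f.Ciphertext, []byte(recordID))
	return string(pt), err
}

func main() {
	k, _ := newKMS()
	f, _ := EncryptField(k, "emp-1042", "85000 EUR") // constructed sample record
	v, err := DecryptField(k, "emp-1042", f)
	fmt.Println("decrypted:", v, err)
	_, err = DecryptField(k, "emp-2000", f) // same bytes under another record ID
	fmt.Println("moved to another record:", err)
}
```

Binding the record ID as additional authenticated data is the detail worth copying: it makes a column value useless if it is copied into another employee's row, and because GCM is authenticated, any modification of the stored bytes is rejected instead of silently decrypting to garbage. Per-record DEKs also mean that a key rotation in the KMS only needs the small wrapped DEKs re-wrapped, not every ciphertext re-encrypted.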
Do you provide availability and continuity?
Disaster Recovery
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating disaster recovery plans, and testing activities. Our DR location is Hetzner Frankfurt.
How do you protect the CastHR application?
Secure Code Training (SDLC)
Annually, engineers participate in secure code training covering the OWASP Top 10 security risks, common attack vectors, and CastHR's security controls.
Framework Security Controls
CastHR leverages modern, secure open-source frameworks whose built-in security controls limit exposure to the OWASP Top 10 security risks. These inherent controls reduce exposure to SQL injection (SQLi), cross-site scripting (XSS), and cross-site request forgery (CSRF), among others.
Separate Environments
Testing and staging environments are logically separated from the production environment. No customer data is used in our development or test environments.
Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously scan our core applications against the OWASP Top 10 security risks. A dedicated in-house product security team tests our products and works with the engineering teams to remediate any discovered issues.
Static Code Analysis
The source code repositories for our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, CastHR employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
What other security measures do you have in place?
Here are some of the additional security measures we use:
Authentication Options
Customers can enable native CastHR authentication and/or Enterprise SSO for end-user authentication.
2-Factor Authentication (2FA)
CastHR recommends enforcing two-factor authentication (2FA) through your enterprise SSO provider.
Role-Based Access Controls
Access to data within the applications is governed by role-based access control (RBAC); administrators can configure granular access privileges as needed.
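The role-based control described in the "Who can access my data?" section and in the paragraph above, as an added example that is not CastHR's code: a deny-by-default evaluator in Go for an admin-configured role/action/scope matrix. The scope levels (self, team, all), the role names, and the sample principals and records are assumptions made for the example; the actions (view, edit, upload, download) are the ones the page names.

```go
package main

import "fmt"

// Scope is how far a granted action reaches. The scope levels are an
// assumption for the example; the actions are the ones the policy text names.
type Scope int

const (
	ScopeNone Scope = iota // not granted
	ScopeSelf              // only the requester's own records
	ScopeTeam              // records of the requester's team
	ScopeAll               // every record in the tenant
)

// Policy is the admin-configured matrix: role -> action -> widest scope
// granted. Anything absent from it is denied.
type Policy map[string]map[string]Scope

type Principal struct {
	ID    string
	Team  string
	Roles []string
}

type Record struct {
	OwnerID string
	Team    string
}

// Allowed is deny-by-default: it returns true only if some role held by p
// grants action at a scope that covers rec. A role that is assigned to the
// user but missing from the policy, or an action a role does not list,
// yields ScopeNone and therefore grants nothing.
func (pol Policy) Allowed(p Principal, action string, rec Record) bool {
	for _, role := range p.Roles {
		switch pol[role][action] {
		case ScopeAll:
			return true
		case ScopeTeam:
			if rec.Team == p.Team {
				return true
			}
		case ScopeSelf:
			if rec.OwnerID == p.ID {
				return true
			}
		}
	}
	return false
}

// ExamplePolicy is a constructed policy in the shape an admin might configure.
func ExamplePolicy() Policy {
	return Policy{
		"employee": {"view": ScopeSelf, "download": ScopeSelf, "upload": ScopeSelf},
		"manager":  {"view": ScopeTeam, "download": ScopeTeam},
		"hr_admin": {"view": ScopeAll, "edit": ScopeAll, "upload": ScopeAll, "download": ScopeAll},
	}
}

func main() {
	pol := ExamplePolicy()
	lead := Principal{ID: "u7", Team: "sales", Roles: []string{"employee", "manager"}}
	own := Record{OwnerID: "u7", Team: "sales"}
	peer := Record{OwnerID: "u9", Team: "sales"}
	other := Record{OwnerID: "u21", Team: "eng"}
	for _, c := range []struct {
		action string
		rec    Record
	}{{"view", own}, {"edit", own}, {"download", peer}, {"view", other}} {
		fmt.Printf("%-8s on %-4s -> %v\n", c.action, c.rec.OwnerID, pol.Allowed(lead, c.action, c.rec))
	}
}
```

The evaluator never consults a deny list: anything the matrix does not grant is refused, so adding a new action to the product or renaming a role cannot accidentally widen access. Keeping scope separate from action is what lets a manager download a team member's documents while still being unable to edit anything, which is the shape of least privilege the policy text describes.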
Security Audits and Testing
Regular Security Assessments
CastHR undergoes third-party security audits and penetration testing on an annual basis to ensure our platform meets the highest security standards. Our comprehensive testing program includes:
- Infrastructure security assessments
- Application penetration testing
- Network vulnerability scanning
- Security controls validation
A summary report of our security assessments is available to enterprise customers upon request via [email protected].
Audit Logs and Monitoring
System Activity Tracking
CastHR maintains comprehensive audit logs of critical system activities to ensure transparency and accountability. While audit logs are not available directly in the customer-facing interface, we can provide detailed audit reports upon request to authorized administrators.
Our audit logs capture:
- User authentication and authorization events
- Data access and modifications
- Permission and role changes
- System configuration updates
- Critical security events
To request audit logs for your organization, please contact our support team at [email protected].
Data Breach Notification
Incident Response Commitment
In the event of a data breach or security incident, CastHR is committed to transparency and prompt communication. We will notify affected customers within 72 hours of becoming aware of the breach, in compliance with GDPR and other applicable data protection regulations.
Our notification will include:
- Nature and scope of the incident
- Data types potentially affected
- Steps taken to mitigate the breach
- Recommended actions for affected parties
- Contact information for further inquiries
Security Awareness
Policies
CastHR has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to CastHR information assets.
Training
All employees attend security awareness training sessions which are given upon hiring and annually after that. All engineers receive additional sessions for secure code training. The security team provides further security awareness updates via email, blog posts, and presentations during internal events.
What do you do about employee vetting?
Reference Checks
CastHR performs reference checks on all new employees, in accordance with local laws.
Confidentiality Agreements
All new hires and contractors are required to sign Non-Disclosure and Confidentiality Agreements.