FAQ-PM-001

What controls are in place to protect the customer or its client's personal identifiable information (PII)?

ZingHR is hosted in Microsoft Azure cloud data centres. Data in transit between the application and Azure is secured using HTTPS, and Azure Storage Service Encryption protects data at rest. With this feature, data in motion between the application and the data centres is also encrypted and decrypted by the ZingHR platform, and additional masking is applied on front-end user data screens to personally identifiable information (PII) fields, in line with GDPR compliance.

FAQ-PM-002

Describe the control environment that ensures the segregation of customer and its client data from other client’s data?

Every customer DB instance is partitioned by SQL schema in the underlying database, and database users are managed through access barriers and privileges. DB servers are hardened as per ZingHR hardening standards.

FAQ-PM-003

Will you store Customer's data on company-owned devices or on personal devices?

Customer data is kept available and controlled on company-owned devices through FortiClient Advanced Endpoint Security, whose AI-driven policies govern where the data may be transmitted; transmission of customer data to personal devices does not happen.

FAQ-PM-004

Do you consider retention period and disposal or handover of Customer’s information in contract?

During the contract period, customer data retention is part of service delivery. After the contract period, encrypted PII customer data is retained at zero cost to your organization for five years. However, any later retrieval or service request by you (as an ex-customer) is charged commercially, whatever the purpose you (the customer) might have.

FAQ-PM-005

What is the disposal process of Customer’s information in digital form and hard copies after termination of contract with Customer?

Details are provided in the NDA agreement with the customer at the time of customer contract sign-off.

Where the customer requires digital data to be eliminated from the ZingHR database, there is an offline approval process.

FAQ-PM-006

Does the contract signed with the customer cover the information transfer channels used with the client, i.e. through the application, email, hard copy or any other medium?

Public data is not covered under any agreement. Private business data processed by the ZingHR platform or the services team may use any of the channels defined and selected in the Service Agreement with the customer.

FAQ-PM-007

Is your digital information transfer channel secure?

Yes. For email-based data transfer, Advanced Threat Protection is used in addition to Microsoft's own security controls in O365. For application-based uploads through the ZingHR portal, front-end security validations and communication over HTTPS are the standard norm. Where API-based data transfer happens, data travels in an encrypted format (256-bit SSL layer encryption).

FAQ-PM-008

Do you transfer information in hard copy (e.g. paper) with the client?

Please refer to FAQ-PM-006.

FAQ-PM-009

What is the frequency of information transfer in hard copy?

Please refer to FAQ-PM-006.

FAQ-PM-010

Who are the persons authorized to send and receive hard copy on behalf of your company and the customer?

Please refer to FAQ-PM-006.

FAQ-PM-011

Do you transfer hard copy with the customer through your employees or through a mutually agreed courier service?

Please refer to FAQ-PM-006.

FAQ-PM-012

Do you track records of hard copy received by the customer?

Please refer to FAQ-PM-006; tracking can be done under separate commercial terms to be decided by the Sales Team.

FAQ-PM-013

What physical security controls are implemented for information available in hard copy, in terms of (1) storage, (2) access, (3) retention period and (4) disposal?

Hard copy – Custom process definition with the customer; a sign-off has to be taken.

Storage – Custom process definition with the customer, where agreed by ZingHR in writing; a sign-off has to be taken.

Access – Access is not given to any non-authorized resource. The customer can request access under a custom process definition with the customer; a sign-off has to be taken, with separate commercial terms.

Retention period – Defined in the Retention and Disposal FAQs above.

Disposal – Defined in the Retention and Disposal FAQs above.

FAQ-PM-014

Do you use any third party that stores hard copy documents?

Please refer to FAQ-PM-013.

If yes, what security requirements are communicated to or agreed upon with the third party?

Custom process definition with the customer; a sign-off has to be taken, with separate commercial terms.

FAQ-PM-015

What kind of API does ZingHR use?

One of the most popular types of API is REST, or, as they are sometimes known, RESTful APIs. REST (Representational State Transfer) APIs are designed to take advantage of existing protocols: while REST can be used over nearly any protocol, for web APIs it typically runs over HTTP.

For any custom integration with third-party software, ZingHR uses RESTful API integration by default, as this is the existing product architecture design for its customers. However, where a customer wants the integration done another way, the ZingHR custom integration team takes that requirement on as a separate project.

FAQ-PM-016

Does API authentication use keys instead of credential-based authentication?

APIs handle enormous amounts of data of widely varying types; accordingly, one of the chief concerns of any data provider is how, specifically, to secure its customers' data. The principle that data should remain secret, should remain unchanged, and should be available for authorized manipulation is central to any conversation on API data management and handling.

ZingHR supports two methods for secure access to ZingHR APIs: API Keys or OAuth.

API Keys

With ZingHR API Keys, a unique generated value is assigned to each organization user/employee the first time they are registered, signifying that the user is known. When the user attempts to re-enter the system, their unique key (sometimes generated from a combination of values including the IP address, and other times randomly generated by the server that knows them) is used to prove that they are the same user as before.

OAuth

In this approach at ZingHR, the user logs into a system. That system requests authentication, usually in the form of a token. The user then forwards this request to an authentication server, which either rejects or allows the authentication. The token validates the user and can be used over time, with a strictly limited scope and validity period.
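As an added illustration of the two access methods described above (example code, not ZingHR's own; the header schemes, user names, key values and token records are constructed), a minimal server-side check that identifies a user by API key and accepts a bearer token only while it is unexpired and carries the scope the call requires:

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set

# Constructed sample store: API keys are kept only as SHA-256 digests,
# each mapped to the organization user it identifies (hypothetical data).
API_KEY_HASHES: Dict[str, str] = {
    hashlib.sha256(b"demo-key-employee-42").hexdigest(): "employee-42",
}

# Constructed sample token records as an authentication server would keep
# them: subject, granted scopes and an absolute expiry in epoch seconds.
TOKENS: Dict[str, dict] = {
    "tok-ok": {"sub": "employee-42", "scope": {"payroll:read"}, "exp": 4102444800},
    "tok-old": {"sub": "employee-42", "scope": {"payroll:read"}, "exp": 946684800},
}

def check_api_key(presented: str) -> Optional[str]:
    """Return the user an API key identifies, or None. The presented key is
    hashed and compared in constant time, so no key is stored in clear."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored_digest, user in API_KEY_HASHES.items():
        if hmac.compare_digest(digest, stored_digest):
            return user
    return None

def check_token(token: str, required_scope: str,
                now: Optional[float] = None) -> Optional[str]:
    """Return the subject of a token that is known, unexpired and carries
    the required scope; otherwise None (limited scope and age of validity)."""
    rec = TOKENS.get(token)
    if rec is None:
        return None
    current = now if now is not None else time.time()
    if current >= rec["exp"]:          # expired: reject even if scope matches
        return None
    if required_scope not in rec["scope"]:  # valid token, wrong scope
        return None
    return rec["sub"]

def authorize(headers: Dict[str, str], required_scope: str) -> Optional[str]:
    """Dispatch on the Authorization header: 'ApiKey <key>' or 'Bearer <token>'.
    Returns the authenticated user, or None when the request must be refused."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "ApiKey":
        return check_api_key(value)
    if scheme == "Bearer":
        return check_token(value, required_scope)
    return None
```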

FAQ-PM-017

Is all API communication made by the solution encrypted at all times?

Currently, API communication (GET/POST) is not encrypted. Encrypting it would have to be taken on as a custom project according to the customer's requirements.