Security

Management Philosophy

At Employee Navigator, we’re committed to information security. Employee Navigator strives to lead the industry with the highest level of security and compliance for protecting sensitive regulated data. Employee Navigator is audited annually for SOC2 Type II, HITRUST, NIST, GDPR, 23 NYCRR 500, and CCPA.

The control environment for Employee Navigator reflects the philosophy of senior management with respect to the importance of providing the most secure and resilient HRIS platform for customers. The development of these controls has taken into consideration industry standards and best practices for security and availability. They are enforced by the CTO and Information Security Management. These policies have been published and communicated to all members of the Employee Navigator Team and are supported through the investment in resources, people, and technologies required for implementation and enforcement.

The security program at Employee Navigator protects our organization and your data at every layer.

Meet our Security Chief

Find out what goes on behind the scenes with our Director of Security, Audrey Dawson

How We Protect our Customers

Personnel Security

Employee Navigator follows a strict, formalized hiring practice to verify that all potential new employees are qualified for the responsibilities of their job function. Employee Navigator conducts background checks, via a third-party vendor, on all new employees.

Access Management

Access to all Employee Navigator resources is tightly controlled, and users are granted only the minimum level of access required to perform their role. All users are required to utilize two-factor authentication when accessing the systems. Physical access to the data center and Employee Navigator infrastructure is expressly prohibited.

Data Security

The Employee Navigator application is data-driven, and licensees are responsible for uploading and managing their own data within the application. Customers are able to upload their data via HTTPS. Data sent from Employee Navigator to carriers is sent via protocols they define. The protocols include API, SSL file upload, and SFTP/FTP with PGP, with optional approved static IPs, providing encryption for all data in transit.

The Employee Navigator team does not access data provided by licensees through administrative and support activities unless explicitly requested by the customer. Employee Navigator does not perform any data classification on behalf of licensees. All licensee data is classified equally as sensitive. Employee Navigator does not share customer data stored in Employee Navigator with external third parties, unless requested by the customer or required by law.

Encryption at Rest

Employee Navigator leverages Microsoft Azure for infrastructure components. When a managed disk is created, Azure Storage Service Encryption (SSE) is enabled by default. As such, Microsoft manages the encryption keys. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES. SSE cannot be disabled for managed disks.

Encryption in Transit

All connections to employeenavigator.com are facilitated over HTTPS utilizing TLS 1.2+. Any attempts to connect over HTTP are automatically redirected to HTTPS.

Compliance certifications and attestations

SOC 2 Type II
SOC 2 (Type II) Trust Service Principles
HITRUST
Health Information Trust Alliance (HITRUST)
NYCRR 500
New York State Department of Financial Services
GDPR
EU General Data Protection Regulation (GDPR)
CCPA
California Consumer Privacy Act (CCPA)
HIPAA
Health Insurance Portability and Accountability Act (HIPAA)

System Backup and Recovery

Storage management hardware and software are utilized to schedule and perform disk-to-disk on-site backups for Employee Navigator and daily data replication between datacenters, and to run a high-availability (HA) client database cluster for continuous uptime.

Certified Data Center Locations

Employee Navigator operates on Azure. Employee Navigator utilizes Logicworks for managed Azure External Public Cloud datacenter hosting and managed IT. A copy of the Logicworks SOC 2 report can be provided upon request.

Network Segmentation

Network access is controlled based on an implicit ‘deny all’ network access control strategy. Network access controls have been implemented at all layers of Employee Navigator to allow only required traffic and deny all other network traffic. Perimeter firewall appliances control all ingress and egress network traffic to and from the datacenter, and VPN appliances control access to the Employee Navigator systems and internal resources. Employee Navigator customers are only permitted to access their assigned application environment, and all other access is denied.

System Auditing and Logging

Employee Navigator's technical configurations, supporting security and platform operational capabilities, and procedures provide the tools and processes required to capture and monitor system activity throughout the platform. Key Employee Navigator components have auditing and logging facilities enabled and configured to capture system events, generate log files, and send log files to the centralized system information and event management software for correlation, analysis, and alerting.

The data center managed security services team utilizes a variety of security tools to identify and detect potential security threats and incidents, including, but not limited to, firewall logs, VPN appliance logs, IDS alerts, malware alerts, vulnerability assessments, and operating system event log files. These alerts and notifications are analyzed, and security engineers respond as necessary 24 hours a day, 7 days a week.