Security statement

Myhrtoolkit security statement

At myhrtoolkit we understand just how important security and information safe-guarding is to our customers and website visitors. With that in mind, we employ modern security best practice to ensure that your data is safe. Additionally, myhrtoolkit are registered with the Office of the Information Commissioner as a data processor. The following sections outline our security and support systems.

You may also like to visit our Privacy and UK GDPR area.


ISO 27001 accreditation

Our HR software products have achieved the internationally recognised information security management standard ISO 27001. ISO/IEC 27001:2013 (ISO 27001) accreditation requires us to show a systematic and rigorous approach to keeping customer and company information secure. We achieve this through an effective Information Security Management System (ISMS). Find out more about how we achieved accreditation in our news announcement.


Service Status

This web tool monitors and displays the current status of each of our services; the Main Toolkit App, the Mobile App, the API and the website. It also provides detail of any future maintenance. You can view our Status page.


State-of-the-art secure hosting

The best security needs to extend all the way to the hardware level. Myhrtoolkit utilises Google Cloud Platform (GCP) to provide a secure and robust infrastructure.

Our infrastructure is protected by an advanced firewall. All services and ports other than standard web ports, are either removed or locked down by IP address. They run a patched and hardened installation of Linux.

Our infrastructure is highly resilient, with the ability auto-heal and scale on demand. All of our servers are kept up to date with the very latest security measures and patches.

GCP is also fully ISO 27001 compliant.

If after reading this document, you require further information regarding Google Cloud Platform and the services they provide to us, please visit You can also learn more about their security and see all of GCP’s accreditations at



Myhrtoolkit utilises the best encryption available. Our certificates are encrypted with 256bit encryption and all data that passes between you and our servers is encrypted with industry standard 128bit encryption. All passwords are encrypted using standard AES encryption algorithms. General data is obfuscated but not encrypted as this needs to be searchable and indexed. Encrypting all field level data would impact performance too much and isn’t feasible. This is a standard approach. We regularly update our encryption methods to ensure that we drop support for weak ciphers and apply security patches as soon as they are available. Connections to and from our servers takes place over SSL. We have strengthened our SSL (or accurately TLS) connections significantly and only support strong cipher suites. Connection to any of our websites requires a minimum of TLS 1.2. We do not support TLS 1.0, TLS 1.1 or SSL v2 and v3 protocols.

We are not required to be PCI DSS audited but where possible we use this standard as best practice. We have achieved an A+ grade from Qualys SSL Labs.

Encryption notes

  1. What is the reason why you are not PCI DSS Audited?

We do not require PCI audit as we do not process or hold payment card data. Such card processing as we undertake is managed for us by a third party merchant, Stripe; an international card payment company that processes around 31 million payments per day. They are fully PCI compliant.

However, we do look to the PCI standards to guide our internal development and processes.

  1. All data that passes between your and our servers is encrypted with industry standard 128bit encryption. Why is this not 256 bit encryption?

There are 2 components to communication encryption; key strength and data in transit.

Our key strength meets the RSA2048 bit standard, and is thus incredibly secure.

The encryption level used for data in transit is browser dependent. That is, it relies on the level of encryption supported by the browser of the user. As such and in line with PCI standards, we currently support connections of between 128 and 256 bit. 


Vulnerability detection

Each week our server application is scanned by Netcraft for vulnerabilities. Any found are resolved within days. From the Netcraft website: "Netcraft updates its test suite daily, adding new tests for the latest security exploits. A site with an up to date "Audited by Netcraft" seal is your assurance that the site owner is vigilant and maintaining the security of their site against the latest Internet security vulnerabilities.”

You can see our current Audited by Netcraft status and more information on the Netcraft website.


Distributed Denial of Service (DDoS) attack

A DDoS attack is an attempt to maliciously disrupt an online service by overwhelming the service with unusually high traffic until the service is no longer able to process genuine requests. Often this may be accompanied by a request for payment to stop the attack. Sadly, this is becoming an increasingly common part of the life of an online business, with companies such as Twitter and Instagram having been affected.

To maintain a solid defence against DDoS type attacks, our technical partners GCP and CloudFlare utilise sophisticated proprietary systems to both prevent and mitigate an attack of this nature.


Brute Force attack

Our login system has inbuilt protection against attempts to break into the system using automated brute force attack.


Disaster Recovery Data back-up

We understand the importance of regular reliable backups to ensure system availability and continuity; as such, we operate a comprehensive backup routine for the purposes of disaster recovery.

Our database is backed up hourly. This backup is encrypted, transmitted to multiple off-site locations, over a secure connection and remains encrypted whilst it is outside our network. It is stored with multiple PCI DSS Level 1 service providers on resilient and fault-tolerant media.

As well as being encrypted and stored redundantly across multiple zones, customer uploaded files are also backed-up to a secure off-site location. Google Cloud Storage offers 99.999999999% durability and 99.9% availability.

All of our backups are stored for up to 31 days before being securely deleted.

All facilities are based entirely in the EEA.

Please note that individual data, records or documents cannot be extracted from this backup.


Data retention

Following a customer serving notice to terminate their use of myhrtoolkit, an account operates normally until the final day of contract, usually the day before the next monthly invoice would have been issued. During this period we are happy to assist in data extraction.
Customer data is then archived for a further 30 days before all data is deleted rendering it non-recoverable.
Following the archive period, account data then resides in the disaster recovery back up for a further 30 days (as mentioned above).
After this point, the only data retained is company level data appropriate for recording the previous existence of our commercial relationship. No personal data is stored.

Stage Period Access
Normal usage Until final day of contract Full
Archive 30 days Can be reinstated on request (fees apply)
Data Recovery back up 30 days No


How is customer data classified, handled and stored?

All customer data is treated as confidential when it is received or viewed. Access to this information is restricted to a limited number of personnel on a “need to know” basis, and who are subject to an internal confidentiality agreement.

Our default position is that no-one accesses any identifiable customer data for any reason. However, to allow us to properly diagnose problems and fix bugs, we may occasionally require access to customer data, following a well-defined and permission-focussed process. See our Customer Data Access Policy for more details.

All database access is logged and checked regularly by our IT Director. Once issues are resolved, all copies of data are securely destroyed from our development environment and servers, and any paper records shredded. From initial customer data access requests through to the final destruction of retrieved data, the whole process is audited and checked regularly by the IT Director.

Hard copy information is disposed of via a fully accredited third party data destruction company.

A full statement about this can be found in our Customer Data Access Policy.


Security Centre

Every myhrtoolkit system features a hub called the Security Centre; providing system Controllers with oversight of and tools to manage their own security.

This includes a Password Builder which allows the Controller to specify the components that make up their passwords, such as minimum length and character type.

More information about the Security Centre can be found in our Security Centre support guide.


Service & support

Myhrtoolkit comprises a team of professionals who are dedicated to making myhrtoolkit both highly secure and extremely reliable. We are committed to ensuring that when a problem does arise we are responsive and quick to resolve it. At the hardware level, our GCP infrastructure has been setup to be as fault-tolerant as possible with auto-healing and auto-scaling features.

When you do need support, you can find a fully integrated help section within myhrtoolkit. Here you can find a guide to using myhrtoolkit as well a form to send a direct message to the myhrtoolkit Support team. Additionally there are a wide range of support documents and videos on the Support area of our website.

Alternatively, support is available from a member of the team within myhrtoolkit business hours: 09:00 - 17:00  Monday to Friday (UK Time) by submitting a support ticket through your myhrtoolkit account phoning the support line.


Data Protection

Myhrtoolkit is compliant with the UK General Data Protection Regulation (UK GDPR) (EU) 2016/679.
We have a Resource Centre for Privacy and UK GDPR.

last updated on : 16th August 2021 @ 16:46

Interested? get in touch

The best way to find out all you need to know about myhrtoolkit is to arrange a demo with a member of our customer support team. Just fill out the form below to arrange your demo!

make hr admin easy with:
HR Documents
  • Full Accountability – who reads what
  • Documents stored securely and easily
  • Get reminders of expiry of employee documents such as insurance
  • Communicate workplace policies and procedures quickly
Absence management
  • Track all attendance information
  • Bradford factor/index and pattern absence indication
  • Online self certification for employees
  • Full absence reporting
  • Email notifications for managers
Track annual leave
  • Employee self service holiday requests
  • See your holidays in Microsoft Outlook/Google Calendar
  • Automatic pro-rata holiday entitlement calculations
  • Email alerts of bookings or requests
free data migration
unlimited free support
3 month MOT