How We Protect Your Data
Security and GDPR
Security and Data Privacy Drive Everything We Do
LunaHR is a fully encrypted, cloud-based platform. All client data is encrypted and stored safely behind a firewall and other security measures, making sure your company data is safe. Data security teams are employed to run regular checks and implement the latest security practices.
Without revealing too much about our security protocol, we carry out annual penetration tests, implement input validation, utilise bi-weekly vulnerability scans and run various security audits. In other words, your trust in LunaHR storing your data is taken very seriously.
LunaHR is a trading name of A2ZTECHNOLOGIES LTD, a UK-based company that has been developing bespoke software applications and carrying out IT operations (including cyber security) for 10+ years now. LunaHR is our first commercial product.
Uptime / SLA
‘The cloud that never goes down’. LunaHR is a cloud-based platform hosted on Microsoft Azure. Both Microsoft's service level agreement and ours are 99.9% uptime a month. Clients are informed about scheduled maintenance.
LunaHR is GDPR Compliant
What is GDPR?
GDPR (General Data Protection Regulation – May 2018) is a newly introduced European Data Protection Act. It was implemented to strengthen the rights individuals have regarding personal data related to them and how it is processed.
As you can imagine, GDPR is a big deal to us, as a large aspect of our company is based around storing and processing personal data. LunaHR is GDPR compliant: we have a designated Data Protection Officer, and GDPR-specified practices are integrated into both our platform and policies.
Our Commitment to GDPR
What We Are Doing For GDPR
When considering LunaHR it is important to take into account how we are meeting the requirements of GDPR. We have outlined key information that will help you assess our GDPR status. If you would like further information, please get in contact with us and we will happily advise further.
LunaHR has a team of in-house cyber security experts. LunaHR is, after all, a commercial product of A2ZTECHNOLOGIES LTD, an IT support company. A2ZTECHNOLOGIES specialises in IT operations for large clients across the UK.
Our in-house security experts have verified that the LunaHR application is GDPR compliant. The main part of this is the method of deletion and retention of customer data. Our methodology is acceptable for use under the GDPR act. We have gone further and verified this externally with legal experts, who concurred.
What does this mean? You should not worry about using LunaHR as a third-party application, as it is GDPR compliant and will not hinder your company's GDPR validity.
A key requirement of GDPR is to maintain a high level of security. Since the announcement of GDPR we have worked hard to make sure LunaHR has the highest security levels possible.
In the case that a personal data breach happens, we, the controller, shall without any delay inform the supervisory authority. While we do not anticipate that a breach will happen, we have implemented breach reporting in accordance with GDPR regulations to ensure clarity.
Any breaches will be reported within 72 hours of the initial contact.
Processing According To Instructions
Any data in the LunaHR application will only be processed in accordance with the customer’s instructions.
We have been handling client HR data for over 10 years now. All of our employees are required to complete various training and sign paperwork, including a confidentiality agreement and code of conduct training.
Our employees have the greatest respect for client data. You can rest assured that we will handle your data in accordance with our policies and yours.
Use of Subprocessors
We do not use any sub-processors. LunaHR directly conducts all of the data processing activities required to provide the LunaHR services for all modules (core module, leave module, expense module and attendance).
Data Return and Deletion
In LunaHR, users can amend their own data via their personal profile. Likewise, administrators or users with the correct permissions can delete employee data via the functionality of LunaHR.
LunaHR currently has a 30-day retention policy with 3-hour snapshots. Backed-up data is fully encrypted and is kept on our servers for 30 days.
How we assist Data Controllers
Data Subject’s Rights
LunaHR has always offered customers the ability to export their data at any time during their license. We will continue to offer this.
Data Protection Officer
Our HR Data Protection Officer for LunaHR is James Millard. Any questions regarding GDPR or data protection can be sent to him. You can contact him at email@example.com
LunaHR has always notified, and will always notify, clients about incidents or breaches regarding their data. We aim to give a full incident report within a 24 to 72 hour period. This is outlined in our Terms of Service.
How we comply with the requirements of GDPR practices
The GDPR regulation outlines 6 principles, and we comply with these. The 6 principles are as follows:
Lawfulness, fairness and transparency
LunaHR has the right to process any personal data we collect in a fair, lawful and transparent manner.
As a customer of LunaHR, your personal data is processed in accordance with our Terms of Service.
Personal data is only collected for specified and legitimate purposes. Data we collect will not be used for any other purposes you have not been made aware of.
As a customer of LunaHR, we will only process personal data you enter into your tenancy on LunaHR, for the sole purpose of providing our service in accordance with our Terms of Service.
LunaHR will only collect personal data that is needed for us to carry out our services. Customers are responsible for ensuring that the data they hold about their employees is limited to what is needed, adequate and relevant for the specific purpose.
We will do our best to ensure collected personal data is accurate and up to date.
As a customer of LunaHR, you are responsible for ensuring that data entered into the system about your employees is also accurate and kept up to date.
We will only keep personal data for as long as it is needed. In addition, you have the right to request erasure of your individual data.
As a customer of LunaHR, you are responsible for ensuring that personal data entered into your tenancy on the system is removed when no longer needed. You can do this as an administrator by deleting users or other company-related information.
Integrity and Confidentiality
We will process all personal data we collect in a manner that protects it against unwanted modification, disclosure or unlawful processing.
How we handle subject access requests (SAR)
LunaHR acts as a Data Processor on behalf of our customers. We are not able to process data on your behalf. We provide you with the functionality inside LunaHR to do exactly this.
Frequently Asked Questions
You may have a few questions about LunaHR and GDPR. We have answered some of the most common questions below. If you have any further questions, feel free to get in contact with our in-house expert James Millard.
Is LunaHR Compliant with GDPR?
We have done a self-assessment and also sought external legal evaluation. We are currently compliant with GDPR.
Do you have a Data Protection Officer?
Do You Market Other Services To The Employees We Add?
No, definitely not. We simply store and process the data given to us in accordance with our Terms of Service.
How Long Do You Store Employee Data?
This is completely up to you. As an administrator, you can delete employee data when needed. We do store backups; however, these only last for 30 days and can be deleted if requested.
Where Is Our Data Stored?
Client data is currently stored in the US for cost and performance reasons. Security access, however, is held in the UK. Additionally, Microsoft Azure complies with EU / US Privacy Shield policies.
If we were to ask you to remove all data we have provided you on an employee would you be able to do that in a timely fashion?
Employee data can be removed by administrators in your company. However, if we receive a request like this, we will also do it, including the backups. Please contact firstname.lastname@example.org so he can handle your request.