HRIS integration - compliance summary

A summary document of how compliance is maintained with the different types of HRIS integration

Updated over a month ago

1. HRIS integration compliance summary

This document provides an overview of compliance requirements for integrating an HRIS with People Insight using either the SSH File Transfer Protocol (SFTP) or an Application Programming Interface (API). It focuses on the security controls and compliance obligations for each route; for the contractual detail, refer to your existing Data Processing Agreement (DPA) with us and to our general data security policies.


2. SFTP integration

Data transfer process

  • Employee data is exported from the HRIS and uploaded to People Insight over SFTP, so the file is encrypted in transit and never crosses the network in the clear.

  • This method adheres to security requirements outlined in the DPA.

Security measures

  • SFTP runs over SSH, so data in transit is encrypted and authenticated by the SSH transport rather than by TLS (TLS 1.2 applies to the HTTPS API route described in section 3). The uploading client should verify People Insight's SFTP host key out of band before the first transfer and pin it (for example in known_hosts): host-key verification is what stops the export being sent to an impersonating server.

  • Data at rest is secured through Transparent Data Encryption (TDE). TDE encrypts the database files on disk, which protects against loss or theft of the underlying storage; it does not by itself restrict who can read the data through the database, which is governed by the access controls listed under Data compliance below.

  • Data is hosted in an ISO 27001-compliant environment, as specified in People Insight's data security policies.

Data compliance

  • Processing activities comply with GDPR and other applicable regulations.

  • Data minimisation principles are applied to limit processing to the necessary information.

  • Data is encrypted and access is restricted based on role-based access controls (RBAC) and multi-factor authentication (MFA).
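Data minimisation starts on the HRIS side: the export that is uploaded should contain only the columns the integration needs, and a schema change in the HRIS should fail the export rather than quietly ship extra or missing fields. The following Python is an added example of such a pre-upload filter, not code from People Insight or from this page; the required and forbidden column names are assumptions chosen for illustration, and the sample export is constructed.

```python
"""Added example (not People Insight's code): apply data minimisation to an
HRIS CSV export before it is uploaded over SFTP.

The column names are assumptions for illustration; a real integration takes
its required fields from the integration specification and the DPA.
"""
import csv
import io

# Assumed allowlist: the only columns that leave the HRIS.
REQUIRED_FIELDS = ("employee_id", "work_email", "department", "manager_id", "start_date")

# Assumed denylist: columns that must never be in the upload even if present.
FORBIDDEN_FIELDS = frozenset({"national_id", "salary", "date_of_birth", "home_address"})


def minimise_export(raw_csv: str) -> tuple[str, list[str]]:
    """Return (minimised CSV text, names of the columns that were dropped).

    Raises ValueError if a required column is absent, so an HRIS schema
    change produces a loud failure instead of an incomplete file.
    """
    reader = csv.DictReader(io.StringIO(raw_csv))
    source_fields = list(reader.fieldnames or [])
    missing = [f for f in REQUIRED_FIELDS if f not in source_fields]
    if missing:
        raise ValueError(f"source export is missing required columns: {missing}")

    dropped = [f for f in source_fields if f not in REQUIRED_FIELDS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(REQUIRED_FIELDS), lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # Only allowlisted columns are copied; everything else is discarded here.
        writer.writerow({f: (row[f] or "").strip() for f in REQUIRED_FIELDS})
    return out.getvalue(), dropped


def forbidden_columns(csv_text: str) -> list[str]:
    """Denylisted columns present in the header line (must be empty before upload)."""
    header = next(csv.reader(io.StringIO(csv_text)), [])
    return sorted(set(header) & FORBIDDEN_FIELDS)


# Constructed sample export with more columns than the integration needs.
SAMPLE_EXPORT = (
    "employee_id,work_email,department,manager_id,start_date,salary,national_id\n"
    "1001,a.smith@example.com,Engineering,1000,2021-03-01,72000,AB123456C\n"
    "1002,b.jones@example.com,Finance,1000,2022-07-15,65000,CD234567D\n"
)


def run_sample() -> dict:
    """Minimise the constructed sample and report what was removed."""
    minimised, dropped = minimise_export(SAMPLE_EXPORT)
    return {
        "dropped": dropped,
        "forbidden_before": forbidden_columns(SAMPLE_EXPORT),
        "forbidden_after": forbidden_columns(minimised),
        "rows": minimised.count("\n") - 1,
        "minimised": minimised,
    }


if __name__ == "__main__":
    result = run_sample()
    print(result["minimised"])
    print("dropped columns:", result["dropped"])
```

Run the check for forbidden columns on the file that is actually handed to the SFTP client, not on the pre-filter input, so that a bug in the filter cannot pass unnoticed; a non-empty result should abort the upload.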


3. API integration

Data transfer process

Employee data can be transferred securely from the HRIS to People Insight via one of two API options:

1. Native API

  • Direct API connection between the HRIS and People Insight.

  • Authentication methods include OAuth tokens or API keys, in accordance with the DPA. Either credential gives whoever holds it the same access to employee data that the integration has, so store it in a secrets store rather than in integration configuration files, restrict it to read access to the synced records where the HRIS allows, and rotate it if it is exposed.

2. Integration via Merge

  • Merge acts as an intermediary platform that connects multiple HRIS systems with People Insight.

  • Merge handles data integration and transformation, and operates under GDPR and ISO 27001 standards. Because Merge receives and transforms employee data on this route, it is a sub-processor in GDPR terms; check that it appears in the sub-processor list attached to your DPA.

  • Data security measures include encryption, access controls, and regular monitoring. Further details on Merge's security measures can be found at Merge Trust Centre.

Security measures

  • TLS 1.2 is implemented to protect data during transmission.

  • Data is encrypted at rest using TDE.

  • The hosting environment is ISO 27001-certified; regulatory obligations are covered separately under Data compliance below.

Data compliance

  • GDPR and other relevant data protection regulations are adhered to.

  • Regular audits and monitoring are conducted to verify compliance.

  • Data processing is conducted in accordance with People Insight's data security policies.


4. Compliance framework

Data Protection Responsibilities

  • People Insight acts as the Data Processor under the terms of the DPA.

  • Data minimisation principles ensure only necessary data is processed.

  • Technical and organisational measures are implemented to protect Personal Data.

Security Policies and Controls

  • Access controls: Role-based access control (RBAC) and multi-factor authentication (MFA) are enforced.

  • Encryption: TDE for data at rest; TLS 1.2 for API traffic in transit and the SSH transport for SFTP transfers.

  • Data retention: Personal Data is retained as per the DPA and securely deleted when no longer required.

Incident Management

  • Security incidents are managed in accordance with the incident response policy.

  • Data breaches are reported within the required timeframe, as specified in the DPA.

Audit and Oversight

  • Regular internal and external audits are conducted to ensure compliance with the DPA.

  • Audit reports are maintained and available for review by compliance teams.
