How Papaya Protects Data and Ensures Privacy
Alex Margolin | Apr 19, 2021
Papaya Global is entrusted with the payroll and payments for hundreds of companies and tens of thousands of employees. To earn that trust, Papaya places the top priority on maintaining security and privacy in transferring, processing, and storing data.
Papaya’s security standards and practices are peer reviewed for ISO 27001 and SOC 1 compliance, the international standards for security and emergency preparedness. The Papaya Platform is compliant with the highest levels of GDPR regulations, ensuring data privacy for all our clients through a combination of human oversight and automated features on the platform itself. Our business continuity planning, disaster recovery procedures, and SLA monitoring are all well above the industry standards.
The Papaya Platform is a cloud-based SaaS solution accessible to authorized and authenticated users anywhere in the world. Papaya uses Amazon Web Services (AWS), with data hosted on multiple Availability Zones and all system components duplicated in each zone. AWS adds an additional layer of protection to Papaya’s already potent defenses. If something happens to an Amazon data center, Papaya’s data can be moved to another availability zone, away from the disruption.
The real key to Papaya’s security and privacy, however, is the implementation of numerous policies and procedures that ensure data is encrypted in transit, at rest, and throughout all of the processing that is necessary for managing people, payroll, and payments.
Safe Data Transfer
As soon as a contract is signed with a new client, the onboarding process begins. The client needs to enter sensitive data to the Papaya Platform securely and with maximum privacy.
Each client has a dedicated account manager who creates a special channel within the platform for data transfers. This is done through secure online forms (wizards) shared through secure protocols (HTTPS sites), with all data encrypted in transit. That means no information is ever exposed as it moves from the client to Papaya, even if one of the parties is working through a public Wi-Fi system that could be vulnerable otherwise.
The secure protocol ensures that only those authorized to read the data can see it. In compliance with GDPR regulations, the Papaya Platform maintains a strict system of access permissions, which restricts access only to those who have been granted permission in advance.
Safe Data Processing
The raw data submitted by the client through the secure forms must be processed according to the policies established by the client. The security challenge shifts to ensuring the data is processed in a safe manner that ensures privacy.
The Papaya Platform maintains role-based access control (RBAC), which means it differentiates between users, roles, and permissions so that multiple systems can run concurrently (for example, payroll can be processed while BI collects data and creates its own reports) without compromising privacy or security.
This is achieved through a process called Segregation of Duties. During the onboarding stage the client assigns a Platform Administrator within the company who will serve as the sole authority on granting permissions to access data and the degree of access allowed. All user management requests must be submitted to Papaya by the designated admin to be validated and authenticated by Papaya. The platform ensures that access requests submitted from users other than the Platform Admin will be rejected.
Permission to access data is limited through user accounts and roles within the company. People will be able to access the data they need without accessing any data that is not designated for their role. All activity within the platform is accountable at all times.
Papaya provides a detailed user permission table to keep track of who is allowed to read or edit data, divided among different roles within the company such as HR, Finance, Management, etc, limiting access only to those who need it.
By formalizing and segregating duties and assigning access permissions, Papaya mitigates the chances of data exposure and provides an added level of protection to its clients. Since everything is done through a recognized procedure, there is no confusion over how any individual will interact with the data.
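The segregation-of-duties scheme described in this section (a single Platform Admin as the only party who can change user roles, a per-role permission table, and a traceable record of every action), as an added illustrative model that is not Papaya’s code. The role names, data categories, and the `Platform` class are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Assumed permission table: role -> {data category: allowed actions}.
# Roles and categories are illustrative, modelled on the HR/Finance/Management
# split mentioned in the text; they are not Papaya's real table.
PERMISSIONS = {
    "HR": {"employee_records": {"read", "edit"}, "payroll": {"read"}},
    "Finance": {"payroll": {"read", "edit"}, "payments": {"read", "edit"}},
    "Management": {"employee_records": {"read"}, "payroll": {"read"},
                   "payments": {"read"}},
}


@dataclass
class Platform:
    platform_admin: str                          # the one designated admin
    users: dict = field(default_factory=dict)    # named user -> role
    audit_log: list = field(default_factory=list)  # every action leaves a trace

    def _record(self, actor, action, target, outcome):
        # Accountability: allowed and rejected actions are both logged,
        # attributed to a named (never generic) account.
        self.audit_log.append(
            {"actor": actor, "action": action, "target": target, "outcome": outcome})
        return outcome == "allowed"

    def request_user_change(self, requester, user, role):
        """Segregation of duties: only the Platform Admin may assign roles."""
        action = f"assign:{role}"
        if requester != self.platform_admin or role not in PERMISSIONS:
            return self._record(requester, action, user, "rejected")
        self.users[user] = role
        return self._record(requester, action, user, "allowed")

    def access(self, user, action, category):
        """RBAC check: the user's role must grant this action on this category."""
        role = self.users.get(user)          # unknown user -> no role -> denied
        allowed = action in PERMISSIONS.get(role, {}).get(category, set())
        return self._record(user, f"{action}:{category}", category,
                            "allowed" if allowed else "rejected")
```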
Safe Data Storage
Papaya implements all of the best practices for data storage and adheres to the AAA system (Authentication, Authorization, and Accountability). Data at rest is always encrypted and requires a decryption key for access. The person seeking to view the data must be authenticated through a validated, enabled user account, authorized through a dedicated role approved through a chain of permissions, and accountable so that any action on the platform leaves a fingerprint that can be traced back to its source.
Files are stored through a secure shared file system that allows people to access documents and data without needing to transfer them through highly insecure methods such as email.
Accessing documents, even through a shared folder, often requires authentication through a One Time Password (OTP), which sends users a password through an authenticator app or through SMS that is only valid at the time of use. Access to the platform folders in general requires Multi-Factor Authentication (MFA).
The high level of authentication keeps data out of reach of those who do not need to access it. It also helps maintain accountability. Since there are no generic user accounts, it is easy for the IT department to spot potential “bad actors” immediately in the event of a breach.
Papaya has also implemented technological solutions that allow people to access data but not share it. For example, people can access documents on shared folders but cannot copy and paste the material. That way the data remains within the platform.
Papaya’s Payroll and Payments Solutions
Hiring abroad or managing a global workforce can be a daunting task. Our mission is for you to regain control of your global spending. We offer complete transparency through direct access to our local partners, a consolidated overview of your global payroll, employers of record, and contractors, and fixed pricing without hidden fees.
The Papaya platform integrates with your HRIS and ERP and ensures full legal compliance. Team members are paid in their local currency and receive payslips in their native language through our secure worker’s portal – Papaya Personal.
Learn more about Papaya’s security and privacy policies and total global workforce management solution.