Papaya Global is entrusted with the payroll and payments for hundreds of companies and tens of thousands of employees. To earn that trust, Papaya places security at the core of the Papaya platform and operations.
Our platform and operations are certified as meeting the top industry standards. That’s why data security companies like Checkmarx, Cato, and CyberArk choose Papaya for their global payroll.
Our policies ensure ongoing safety and privacy, and our team of security professionals is constantly testing and improving our system to guarantee security in the future.
See for yourself why Papaya Global is the top choice for security professionals around the globe:
Major Certifications and Audit Reports
Papaya Global is certified and audited in compliance with multiple security and privacy standards:
ISO 27001 – As a cloud-based platform, information security is our highest priority. Papaya Global has been certified with ISO 27001 – the highest international standard for information security – since 2018. The standard provides the framework for identifying information security risks, creating Business Continuity Planning, and preparing for disaster recovery – all audited by an external examiner.
ISO 27701 – In tandem with ISO 27001, this certification assures data privacy through a Privacy Information Management System (PIMS). This certification indicates that all of Papaya Global’s privacy standards meet the highest standard. Companies that want to be sure they are compliant with GDPR and related legislation should look for the ISO 27701 certificate.
SOC1 Type II – This highly valued audit report evaluates how a service provider’s internal controls impact how customers control their financial reporting. The final report was submitted to Papaya with no deviations, indicating that all audited controls were deemed effective.
SOC2 Type II – This audit report examined Papaya Global’s controls in the areas of information security. It covers five key areas, known as the Trust Principles: security, availability, processing integrity, confidentiality, and privacy. While companies only need to submit to an audit on three of the five principles, Papaya Global chose to include all five in its audit.
Security Practices and Policies
The key to Papaya’s security and privacy is the implementation of numerous policies and procedures that ensure best practices.
Amazon Web Services (AWS) – Data is hosted on multiple AWS Availability Zones and all system components are duplicated in each zone. If something happens to an Amazon data center, it can move Papaya’s data to another availability zone, away from the disruption.
GDPR and CCPA Compliance – An automated compliance and accuracy engine contains safeguards to ensure the highest standard of data privacy, supported by an internal audit for every payroll cycle.
Role-Based Access Controls – Papaya provides a detailed user permission table to keep track of who is allowed to read or edit data, divided among different roles within the company such as HR, Finance, Management, etc., limiting access only to those who need it.
Segregation of Duties – The Papaya Platform differentiates between different users, roles, and permissions so that multiple systems can run concurrently without compromising privacy or security. By formalizing and segregating duties and assigning access permissions, Papaya mitigates the chances of data exposure and provides an added level of protection to the clients.
Data Encryption in Transit – All communication with Papaya Global’s platform is encrypted end-to-end using the HTTPS protocol.
Data Encryption at Rest – Data at rest is always encrypted. Any access to the data must be authenticated through a validated, enabled user account, authorized through a dedicated role.
Principle of Least Privilege – Papaya grants the least possible access to the least number of people to ensure that access permission goes only to those who need it.
Single Sign-On (SSO) – Papaya Global’s platform supports SSO integration with our customers’ identity providers (IdP). That way users can access multiple applications, such as email, calendars, documents, etc. through one login. The centralized system streamlines operations for users and reduces potential entry points for malicious activity.
Papaya’s security practices constantly evolve. We continue to add tools and solutions to ensure we meet the highest standards today and have the capacity to meet the challenges of tomorrow.
Full security transparency – Full disclosure of the platform, policies, security practices, third-party service providers and managed applications. Privacy and cookie policies are available on our website. Clients can request access to Papaya’s SOC 1, Type II and SOC 2, Type II audits for a detailed account of Papaya’s financial and information controls.
WAF Protection – All data is filtered according to company policy in order to block unauthorized entry and reduce the risk of malicious software infecting individual computers or entering the system.
Dedicated Security Team – A professional security team is always on hand monitoring the security of all of Papaya’s assets and available to answer questions and handle customers’ requests or reports.
Data Backups – All critical and irreplaceable files are backed up every eight hours and saved in a separate location. If anything happens to the original files, the backups are ready for use, keeping business going around the clock even if a major disaster takes place in one part of the world.
Periodic Testing – Database recovery tests are performed every quarter, more often than the industry standard of 1-2 times per year. Penetration tests are performed regularly.
Awareness Training – The entire Papaya workforce must undergo awareness training at least once per year. All new hires undergo detailed training during the onboarding process.
Learn more about Papaya’s security and privacy policies and total global workforce management solution