Exelsys employees are required to sign a confidentiality agreement and commit to abide by the Exelsys Information Security Policy as well as to attend relevant trainings. The Exelsys Information Security Policy outlines expected behaviour with respect to the protection of information.

Exelsys is based on Windows Azure PaaS, an infrastructure from Microsoft that provides the security, performance, and reliability normally found in only the most sophisticated IT departments. The cloud model allows companies of all shapes and sizes to leverage this infrastructure, which would otherwise be out of reach for most.  Azure is a secure, rock solid, open and flexible cloud platform managed by Microsoft. Azure helps us to provide highly secure, available, scalable applications and deliver great SaaS solutions to customers anywhere around the world.

The Exelsys Terms of Service have evolved to provide notifying the Data Controller within 72 hours of any data breaches.

According to the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Exelsys operates global infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication, and safe operation by administrators.
Exelsys is committed to maintain a high level of security, to meet all GDPR expectations which apply to Data Processors. Exelsys is utilises the Microsoft Azure platform and uses the Azure PaaS model. It therefore takes full advantage of the security features available in Windows Azure Cloud Services. Microsoft has achieved security compliance audit certifications for Windows Azure services from various compliance regulators (ISO 27001, SSAE 16, ISAE 3402, ISO 22301:2012, EU Model Clauses and HIPAA BAA). Exelsys customers can be confident that their data is safely guarded during transmission, storage and processing in the cloud.
In addition to the above features and functionality, Azure SQL Database also participates in regular audits and has been certified against a number of compliance standards. For more information, see the Microsoft Azure Trust Center, where you can find the most current list of SQL Database compliance certifications. Exelsys uses encryption to protect data in transit and at rest. Data in transit to Exelsys is protected using HTTPS, which is activated by default for all users. Exelsys HCM encrypts content stored at rest, without any action required from customers, using one or more encryption mechanisms.
Exelsys HCM is a multi-tier application where information travels through different layers. With N-Tier architecture, where “n” is any number of distinct tiers that an application is broken into. By deconstructing the main building blocks into tiers, each tier can be separated, distributing the processing load and increasing the security and scalability of the application. Windows Azure runs in geographically-dispersed data centres managed and operated by Microsoft, delivering a 99.95% service-level agreement for high availability. Microsoft operations staff have years of experience in delivering the world's largest online services with 24/7 continuity.

Users access the Exelsys application by providing a user code and password. Password complexity and other password attributes are controlled by the security profile associated with the user account. Each company administrator can create a number of security profiles and associate them with user accounts. Passwords are doubly encrypted, firstly by the application using hash algorithms and then by the SSL/TLS transmission protocol.

Exelsys maintains detailed audit logs of any data changes recording the user, the data changed and the date and time that the change occurred. In addition, Exelsys keeps a detailed log of all the data processing operations, showing the function used to access or process data, the user who executed it and the date and time it occurred.

Exelsys HCM processes data according to the instructions of Data Controller Administrators. Data Controller Administrators execute functions of the system to process data. For any other processing required by the customer (Data Controller) that cannot be done by the Data Controller Administrators using the Exelsys HCM Platform functionality, customers are required to submit clear instructions to Exelsys in writing.

Exelsys backs up the encrypted data daily, going back 30 days using the Azure Point-in-time restore mechanism. In addition, Exelsys uses Active Geo-replication. Using Active Geo-Replication, a separate readable secondary database in a separate region to that of the primary data centre is used and can be switched over in the case a disaster happens in the primary data centre.

Our customers and regulators expect independent verification of security, privacy, and compliance controls. Exelsys does regular vulnerability and penetration tests at least once a year, conducted by companies who are Qualified Security Assessors (QSA).

Exelsys uses Microsoft as a sub-processor as described above to provide the data centre infrastructure and database services. No other sub-processors are being used.

Data Controller Administrators can export customer data, via the functionality of Exelsys HCM, at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we will continue offering those after the GDPR comes into force, and working to enhance the robustness of the data export capabilities. Data Controller Administrators can also delete customer data, via the functionality of Exelsys HCM Online Service, at any time. When Exelsys receives a complete deletion instruction from a customer who terminates the service, Exelsys will delete the relevant customer data from all its systems within a maximum period of 45 days. Data Controller Administrators have at their disposal several functions allowing them to delete data that is no longer necessary to the company, such as old job applicants.

Exelsys is designed to provide for 99.95% availability with very fast transaction times. When customers sign up they have the option to select to have their data located in the Microsoft Azure Data Centre in the UK or the Netherlands. In addition to the main data centre selected, the data as part of the disaster recover plan policy is also stored in another Microsoft Azure Data Centre within the European Union, usually in Ireland. In the case of a technical or physical incident that will prevent access to the data in the main data centre, access can be restored using the backup site in a timely manner