Security at Factorial

Factorial can be both a Controller and a Processor of personal data for the purposes of GDPR. For example, Factorial will be the Controller of personal data when a Customer enters into a contract directly with us, for the processing of said Customer’s data.

However, in most instances due to the nature of our business Factorial has no direct relationship with the data subjects and exclusively processes the End User’s personal data on behalf of the Customers and according to their instructions. Thus, if you are an employee using our platform we act solely as a Data Processor with respect to the processing of your data. Our Customers decide the purposes for which they use our Platform, as well as the means for collecting data from our platform’s magnitude of features. 

In the case of users who browse our website, Factorial will be processor for the processing of data collected here, such as cookies, or any data that is interesting to enjoy our content. 

As a Controller of your company's data, you can find Factorial's DPA here, which can be filled and signed online.

This is our updated list of subprocessors.

Factorial HR has appointed a Data Protection Officer. The contact details of which are:

Pridatect, S.L. Carrer de Tarragona 161, 3rd Floor, 08014, Barcelona, Spain. legal@pridatect.com

In the event that Factorial detects a security breach, it will activate a security breach analysis procedure that will allow to know:

- The nature of the security breach

- The categories of personal data affected

- The number of clients affected

- The number of affected personal data records; and

- The consequences of the breach

Parallel to the investigation, Factorial will take the immediate containment and correction actions that are appropriate, and will proceed to record the incident so that there is traceability of the incidents that have occurred in the organization.

Once the analysis has been carried out, Factorial will determine if it must be notified to the data protection authority, evaluating if the violation of personal data may pose a risk to the rights and freedoms of data subjects affected by the breach.

Likewise, Factorial will determine if it is necessary to notify the data subjects In any case, and as the person in charge of processing personal data, Factorial will notify the client of the security breach within a period of less than 48 hours. Said communication will include:

- Risk mitigation measures adopted

- Tech improvements

- Changes in incident management

- Updating of procedures

Please send an email to security@factorial.co

Suggested information to provide (where applicable):

- Description of the incident:

- Company name and user name affected:

- Type of data affected:

- Scope of incident detected:

- Degree of affectation to the rigths of data subjects:

Factorial is ISO/IEC 27001:2017 certified. This is the highest level of global information security standard available today, which provides customers assurance that we meet rigorous international standards on security.

You can download our ISO 27001 certificate here.

Factorial has already started the process of obtaining SOC 2 type I certificate, and it expects to be fully certified by summer 2022.

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers.

All our customer data is stored on the servers of Amazon Web Services (AWS) in Frankfurt, Germany, a set of web services in the cloud that guarantee maximum security. Companies like Netflix or Airbnb rely on AWS to manage the data of millions of users.

The Amazon Web Services data center is defended by three physical layers of security. Likewise, the facilities are protected against impacts and are only accessible through a non-transferable personal card and pin.

You can read more about their security practices here: AWS

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure that no unauthorized access is performed using:

- Virtual Private Cloud (VPC)

- A firewall that monitors and controls incoming and outgoing network traffic

- Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via indusstry best practices using Transport Layer Security (TLS). You can see our report at SSL LABS

- Encryption at rest: We rely on AWS Key Management Service (AWS KMS) for managing our cryptographic keys. By default the "SYMMETRIC_DEFAULT" encryption algorithm is selected, which currently represents AES-256-GCM, a symmetric algorithm based on Advanced Encryption Standard (AES). Those keys are used for for encrypting / decrypting our S3 buckets, databases, secret manager, lambda, redshift, and lightsail.

We retain your data for a period of 1 year after you close your account. After that period, all data is completely removed from the servers. Once deleted, data will only be able to be recovered 30 days after.

- We use technologies to monitor exceptions, logs and detect anomalies in our applications.

- We collect and store logs to provide an audit trail of our application & activity.

We develop the following security best practices and frameworks (OWASP Top 10, SANS Top 25) to ensure the highest level of security in our software:

- We periodically review our code for security vulnerabilities

- We regularly update our dependencies and make sure none of them has known vulnerabilities

- We use Static Application Security Testing (SAST) to detect security vulnerabilities in our codebase and enforce code standards.

- We regularly check for security incidents – reported by bug bounty hunters or pentest providers – and eagerly fix them. Our last pentest was done by Cobalt.

- We keep secrets away from code

- We keep OS & Docker images up to date and run the services with an unprivileged role

- We protect our users against data breaches by monitoring and blocking brute force attacks.

- We provide Single Sign-On (SSO) using Google, Microsoft, and Linkedin.

- We offer role-based access control on all our accounts and we allow our users to define permissions.

- We use AWS Cognito that supports Multi-Factor Authentication (MFA).

- We use GitHub security tools to receive alerts in case of vulnerability. The security team applies security patches on a routine basis.

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We do not collect any payment information and are therefore not subject to PCI obligations.

- We use a centralized account management

- We rely on a password management system

- We use nominal accounts with 2FA enforced

- We rotate passwords every 90 days

- We onboard / offboard new employees using a checklist that takes into account security best practices.

- We secure access control to the offices to ensure that only employees have access to it

- We routinely remind employees to lock their computers

We ensure all of our employees take specific trainings in data protection and information security.

We conduct background checks on potential new hires.

Factorial will use all efforts to be available with a Monthly Uptime Percentage of at least 99.95%. Subjecto to the SLA Exclusions, if we do not meet the Service Commitment, the client will be elegible to receive a Service Credit. This means that we guarantee you will experience no more than 21.56 min/month of Unavailability.

We maintain a publicly available source for our uptime at https://status.factorialhr.com. Please, feel free to subscribe to get incident updates.

Factorial backs up all the data on a daily basis and it retains the backups of 30 days. Hence, our RPO is 1 day. Is worth noticing that we have high availability with RDS Multi-AZ. This means that in order to have data loss we would need both availability zones to have an incident at the same time (an extremely unlikely scenario). If that were to happen, it's very easy for us to recover a backup. Our RTO is 15 minutes.

Service Credits are calculated as a percentage of the total charges due on your Factorial invoice for the monthly billing cycle in which the Unavailability ocurred.

For Monthly Uptime Percentage less than 99.95%, you will be elegible for a Service Credit of 5% of the charges for the current period.

We will apply any Service Credits only against future payments for the Services otherwise due from you.

To receive a Service Credit, you must submit a claim by emailing support@factorial.co with the dates and times of each Unavailability incident that you are claiming.

If the Monthly Uptime Percentage of such request is confirmed by us and is less than the Service Commitment, then we will issue the Service Credit to you within one billing cycle following the month in which your request is confirmed by us. Your failure to provide the request and other information as required above will desqualify you from receiving a Service Credit.

The Service Commitment does not apply to any Unavailability:

- Caused by factors outside of our reasonable control, including any force majeure event, internet access, or problems beyond the demarcation point of Factorial.

- That results from any actions or inactions of you or any third party.

- That results from the equipment, software or other technology of you or any third party (other than third party equipment within our direct control).

- That results from any Maintenance.

If availability is impacted by factors other than those used in our Monthly Uptime Percentatge calculation, then we may issue a Service Credit considering such factors at our discretion.

Here you can find our updated privacy policy.

Here you can find Factorial's terms and conditions.

In enunciating but not limiting way, it will be understood as Confidential Information the information referring to customer data, its existence, its structure, promotion and sales plans, source codes and object of computer programs, systems, techniques, inventions, processes , patents, trademarks, registered designs, copyrights, know-how, trade names, technical and non-technical data, drawings, sketches, financial data, plans relating to new products, data relating to customers or potential customers as well as any other information used in the business scope of Factorial and the Client.

The obligation of confidentiality will persist even after the resolution, for any reason, of the contractual relationship between the parties without generating any type of compensation.

The breach of the obligation of confidentiality assumed in this agreement or the return of the Confidential Information established above, will entitle any of the Parties to claim the full amount of the damages that such breach would have generated.