Security at Factorial

Factorial can be both a Controller and a Processor of personal data for the purposes of GDPR. For example, Factorial will be the Controller of personal data when a Customer enters into a contract directly with us, for the processing of said Customer’s data.

However, in most instances due to the nature of our business Factorial has no direct relationship with the data subjects and exclusively processes the End User’s personal data on behalf of the Customers and according to their instructions. Thus, if you are an employee using our platform we act solely as a Data Processor with respect to the processing of your data. Our Customers decide the purposes for which they use our Platform, as well as the means for collecting data from our platform’s magnitude of features. 

In the case of users who browse our website, Factorial will be processor for the processing of data collected here, such as cookies, or any data that is interesting to enjoy our content. 

As a Controller of your company's data, in case you want to proceed to signature you can find Factorial DPA here, which can be filled and signed online, or you can request a copy by sending an email to the privacy department (privacy@factorial.co).

Factorial HR has appointed a Data Protection Officer. The contact details of which are:

First Privacy B.V.

FIRST PRIVACY B.V., Naritaweg 127-137, PC 1043 BS, Amsterdam, Netherlands factorial@first-privacy.com

In the event that Factorial detects a security breach, it will activate a security breach analysis procedure that will allow to know:

- The nature of the security breach

- The categories of personal data affected

- The number of clients affected

- The number of affected personal data records; and

- The consequences of the breach

Parallel to the investigation, Factorial will take the immediate containment and correction actions that are appropriate, and will proceed to record the incident so that there is traceability of the incidents that have occurred in the organization.

Once the analysis has been carried out, Factorial will determine if it must be notified to the data protection authority, evaluating if the violation of personal data may pose a risk to the rights and freedoms of data subjects affected by the breach.

Likewise, Factorial will determine if it is necessary to notify the data subjects In any case, and as the person in charge of processing personal data, Factorial will notify the client of the security breach within a period of less than 48 hours. Said communication will include:

- Risk mitigation measures adopted

- Tech improvements

- Changes in incident management

- Updating of procedures

Please send an email to security@factorial.co

Suggested information to provide (where applicable):

- Description of the incident:

- Company name and user name affected:

- Type of data affected:

- Scope of incident detected:

- Degree of affectation to the rigths of data subjects:

Factorial is ISO/IEC 27001:2023 certified and has renewed its certification on March 2025. This is the highest level of global information security standard available today, which provides customers assurance that we meet rigorous international standards on security.

You can download our ISO 27001 certificate here.

Factorial has a SOC2 Type I report as of August 2022, and a SOC2 Type II report as of February 2024.

Related certification details and reports can be shared upon formal request and after signing of an NDA by the requestor.

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers.

All our customer data is stored on the servers of Amazon Web Services (AWS) in Frankfurt, Germany, a set of web services in the cloud that guarantee maximum security. Companies like Netflix or Airbnb rely on AWS to manage the data of millions of users.

The Amazon Web Services data center is defended by three physical layers of security. Likewise, the facilities are protected against impacts and are only accessible through a non-transferable personal card and pin.

You can read more about their security practices here: AWS

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure that no unauthorized access is performed using:

- Virtual Private Cloud (VPC)

- A firewall that monitors and controls incoming and outgoing network traffic

- Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best practices using Transport Layer Security (TLS). You can see our report at SSL LABS

- Encryption at rest: We rely on AWS Key Management Service (AWS KMS) for managing our cryptographic keys. By default the "SYMMETRIC_DEFAULT" encryption algorithm is selected, which currently represents AES-256-GCM, a symmetric algorithm based on Advanced Encryption Standard (AES). Those keys are used for encrypting / decrypting our S3 buckets, databases, secret manager, lambda, redshift, and lightsail.

By default and unless expressly instructed by the Client, Factorial will execute the deletion of all personal data 30 days after the termination of the provision of the processing services. After the 1 year period Factorial will delete all existing copies unless the retention of personal data is required by applicable law or the Client expressly requests the final deletion of such data during that period.

- We use technologies to monitor exceptions, logs and detect anomalies in our applications.

- We collect and store logs to provide an audit trail of our application & activity. Depending on the plan chosen by our customers, administrators can track all the actions and usage of employee records in the platform and gain greater visibility. More information on the audit logs can be found here.

We develop the following security best practices and frameworks (OWASP Top 10, SANS Top 25) to ensure the highest level of security in our software:

- We periodically review our code for security vulnerabilities

- We regularly update our dependencies and make sure none of them has known vulnerabilities

- We use Static Application Security Testing (SAST) to detect security vulnerabilities in our codebase and enforce code standards.

- We regularly check for security incidents – reported by bug bounty hunters or pentest providers – and eagerly fix them. Our last pentest was done by Cobalt. Internal vulnerability testing is performed continuously as well as continuous penetration testing via HackerOne. (https://hackerone.com/factorial).

- We keep secrets away from code

- We keep OS & Docker images up to date and run the services with an unprivileged role

- We ensure separation of environments and segregation of duties during the development process. Developers do not have the ability to migrate changes into production environments.

- We protect our users against data breaches by monitoring and blocking brute force attacks.

- We provide Single Sign-On (SSO) using Google, Microsoft, and Linkedin.

- We offer role-based access control on all our accounts and we allow our users to define permissions.

- We use AWS Cognito that supports Multi-Factor Authentication (MFA).

- We use GitHub security tools to receive alerts in case of vulnerability. The security team applies security patches on a routine basis.

- We perform quarterly access rights reviews over our critical applications, including steps such as review of authorizations, generic accounts, and ensuring terminated employees' access are removed.

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We do not collect any payment information and are therefore not subject to PCI obligations.

- We use a centralized account management

- We rely on a password management system

- We use nominal accounts with 2FA enforced

- We rotate passwords every 90 days

- We onboard / offboard new employees using a checklist that takes into account security best practices.

- We ensure access privileges comply with the principle of least privilege.

- We secure access control to the offices to ensure that only employees have access to it

- We routinely remind employees to lock their computers

- We have established procedures in terms of mobile device and removable media usage

We ensure all of our employees take specific trainings in data protection and information security. Additionally, there are trainings and security workshops aimed towards secure software development practices.

We conduct background checks on potential new hires.

Factorial will use all efforts to be available with a Monthly Uptime Percentage of at least 99.9%. Subject to to the SLA Exclusions, if we do not meet the Service Commitment, the client will be eligible to receive a Service Credit. This means that we guarantee you will experience no more than 43.5 min/month of Unavailability.

We maintain a publicly available source for our uptime at https://status.factorialhr.com. Please, feel free to subscribe to get incident updates.

Factorial backs up data on a daily basis and retains the backups for 30 days. High availability is ensured with RDS Multi-AZ.  Since in order to have data loss both availability zones would need to have an incident at the same time, this decreases the possibility of data loss. Our Recovery Time Objective (RTO) is 1 hour and our Recovery Point Objective (RPO) is 1 day.

Related business continuity and disaster recovery plans are formally documented based on ISO27001 and SOC2 framework requirements.

Service Credits are calculated as a percentage of the total charges due on your Factorial invoice for the monthly billing cycle in which the Unavailability ocurred.

For Monthly Uptime Percentage less than 99.9%, you will be eligible for a Service Credit of 5% of the charges for the current period.

We will apply any Service Credits only against future payments for the Services otherwise due from you.

To receive a Service Credit, you must submit a claim by emailing support@factorial.co with the dates and times of each Unavailability incident that you are claiming.

If the Monthly Uptime Percentage of such a request is confirmed by us and is less than the Service Commitment, then we will issue the Service Credit to you within one billing cycle following the month in which your request is confirmed by us. Your failure to provide the request and other information as required above will disqualify you from receiving a Service Credit.

The Service Commitment does not apply to any Unavailability:

- Caused by factors outside of our reasonable control, including any force majeure event, internet access, or problems beyond the demarcation point of Factorial.

- That results from any actions or inactions of you or any third party.

- That results from the equipment, software or other technology of you or any third party (other than third party equipment within our direct control).

- That results from any Maintenance.

If availability is impacted by factors other than those used in our Monthly Uptime Percentage calculation, then we may issue a Service Credit considering such factors at our discretion.

Here you can find our updated privacy policy.

Here you can find Factorial's terms and conditions.

In enunciating but not limiting way, it will be understood as Confidential Information the information referring to customer data, its existence, its structure, promotion and sales plans, source codes and object of computer programs, systems, techniques, inventions, processes , patents, trademarks, registered designs, copyrights, know-how, trade names, technical and non-technical data, drawings, sketches, financial data, plans relating to new products, data relating to customers or potential customers as well as any other information used in the business scope of Factorial and the Client.

The obligation of confidentiality will persist even after the resolution, for any reason, of the contractual relationship between the parties without generating any type of compensation.

The breach of the obligation of confidentiality assumed in this agreement or the return of the Confidential Information established above, will entitle any of the Parties to claim the full amount of the damages that such breach would have generated.