Crunchr is seriously secure

IT Security & Data Privacy

We meet the highest standards in data security and data privacy. We ensure that the right access controls are always in place through our role and field-based authorization model.

 

Crunchr has been designed from the ground up according to the latest industry best practices around security and privacy/GDPR compliance. Measures range from technical design to procedures to people. Our systems are annually audited (SOC 2 Type 2) and pentested by reputable firms. Crunchr also has advanced authorization models, anonymity thresholds and data anonymization algorithms in place.

Security reflected at all levels

Crunchr meets the privacy, security and scalability requirements of large enterprises, especially those with operations in many markets and/or in highly regulated industries.

Functionality

The solution uses HR domain knowledge to provide advanced workforce reporting and people analytics functionality in one integrated online solution that takes care of all privacy, security, and regulatory requirements. Data is extracted from core HR systems of customers and transferred to the Crunchr solution. There the quality of the data is validated, and inconsistent or missing data is automatically corrected or augmented where necessary. Afterwards, the data is made accessible to users in an intuitive graphical interface designed for HR professionals. In this way, a high level of security, scalability and functionality is reached that cannot be matched by generic analytics solutions or in-house developed tooling.

Architecture

The solution is built with a defense-in-depth approach, in which the web frontend, business logic, and database backend components are each compartmentalized to ensure a strict separation between them. These functional components run on dedicated virtual private servers per customer, avoiding any multi-tenancy issues. Access to the Crunchr instance of a specific customer is controlled via a gateway that enforces strong two-factor authentication, checks the origin of the access and provides Single Sign-On using the customer’s existing Active Directory infrastructure. Security monitoring is in place to detect and deal with possible attacks. The integration with existing HR systems is only on the data exchange level, and users can access the solution from any modern browser on laptops or tablets. There is no need for complex middleware to link systems. The architecture scales horizontally; extra hardware is added (or removed) dynamically to ensure Crunchr always provides a snappy experience. This happens invisibly, without downtime, and at no additional cost to customers.

Data

Production data is not regularly accessible by Crunchr personnel; operational processes in production are done by means of continuous delivery and automated deployment, avoiding error-prone and risky manual steps. The development environment is identical to, but separate from, the production environment and uses only generated test data. Data is encrypted in transit and at rest wherever possible. Data sets can be selectively anonymized as required, and data is securely disposed of when an instance is decommissioned. The solution provides fine-grained role-based access control for users (row-based, column-based, and functionality-based) to ensure they only have access to those parts of the data set and the Crunchr functionality they need to do their job.

Location

The solution is hosted in modern data centers in The Netherlands, Sweden, and the United States of America. The VPS companies hosting the solution are ISO 27001 certified for security. The Crunchr office is in Amsterdam, The Netherlands. There are no servers present at the office location; there is a strict separation between development work (on workstations at the office location) and production work (on servers at the datacenter locations). For US customers, we guarantee that their data never leaves the US, and for non-US customers that it never leaves the European Economic Area.

Organization

Crunchr employs a three-lines-of-defense model where the first line performs daily operations, the second line is responsible for risk management, and the third line does internal audit. All employees are government-screened and recruited from top universities, the majority of them having M.Sc. or Ph.D. qualifications in computer science or related fields. Crunchr’s CTO was recruited from ING Bank, where as Chief Security Architect he was responsible for ING’s global security architecture for six years, and our CISO was recruited from Volksbank, where as CISO he was ultimately responsible for bank-wide security for seven years. Together they bring a wealth of knowledge on European and American regulated industries as well as the current global security landscape.

Regulation

Crunchr is fully compliant with the stringent European GDPR and American CCPA/CPRA regulations and hence provides rich functionality around data anonymization, protection and access. Crunchr’s Data Privacy Officer oversees privacy compliance and is registered with the Dutch privacy regulator. Several European banks and American insurance companies are demanding customers that have chosen Crunchr specifically because the solution can deliver to their corporate policies and the regulatory requirements of their industries.

Assurance

Crunchr is audited on a yearly basis to the SOC 2 standard for service organizations by the audit firm 2-Control, to ensure all required technical, procedural, and organizational controls are in place, effectively used, and maintained. A yearly penetration test is performed by the reputable firm Zolder to obtain a realistic assessment of vulnerabilities in the solution in relation to real-life threats; issues found are quickly resolved. Both the SOC 2 report and the penetration test report are available on request.

Security Vulnerability Policy

Crunchr takes security and privacy very seriously and investigates all reported vulnerabilities. Despite the effort we put into the security of our services every day, vulnerabilities can still be present. Read more about our practice for addressing potential vulnerabilities in any aspect of our services.