
Security of SaaS HRM services for customers and developers

SaaS services are becoming more and more popular. According to forecasts published by RAEC in 2012, the market volume amounted to 1.89 billion rubles, with growth of 46%. I would like to pay special attention to SaaS HRM services, because they hold strategically important information about an organization's personnel, workflows, bonus schemes and other data from which conclusions can be drawn about the state of any company's human capital.

* A scientific aside from me:

Human capital is one of the structural elements of intellectual capital, which in turn is the "mass" that fills the gap between a company's market capitalization and its valuation based on financial statements.
Because business is aware of the value of human capital as a driving force of the economy, the HRM market responds quickly to business requests. As a result, new tools appear for managing, training, developing, motivating and evaluating staff. The need for this kind of software arises mainly in medium and large businesses: from 100 to 300 employees and from 300 employees upward, with turnover from 150 million to 2.5 billion rubles per year and from 2.5 billion rubles per year upward. Accordingly, there is a set of criteria by which an HRM service is selected.

- First, it must solve the tasks set by HR management.
- Second, because offices and employees are separated geographically and across time zones, the service must work not only locally but also be widely accessible.
- Third, since such services are automation tools, they must remove the need to process large volumes of information by hand.
- Fourth, a key criterion in today's world of innovative technologies is that the service must be secure in terms of protecting personal data and the interests of the organization.

As a result, a large number of new SaaS (software as a service) tools built around these baseline requirements for an HRM service appear on the market. For the most part, SaaS services satisfy the first three criteria, but the last one, protection of personal data and the interests of the organization, is often a problem (especially for "young" services), since the data is processed over the Internet.

How can a client company protect itself? And what solutions can the developer of a "young" SaaS HRM service use?

1. Relationship between the developer company and the client company.

The relationship is governed by a contract (its name may vary: provision of services, non-exclusive license, terms of use, and so on). The main part of the contract is the responsibilities, rights and obligations of the parties. Such an agreement should be drawn up and posted separately on the developer's website as evidence of the seriousness of its intentions and of the developer's full responsibility to the client.

One common type of contract is an SLA (Service Level Agreement) concluded with a client. But since we are talking about a SaaS service, where the goal is to simplify and speed up adoption as much as possible, such an agreement can be converted into a public service-level agreement that applies to every customer who has accepted the developer's public offer. The agreement sets out the warranty service provided to the client company. As a rule, it is annexed to the contract.

Also, when a client company registers with the SaaS service, it can be shown a terms-of-service / user agreement for review. In this way the developer company protects itself from possible abuse (by having notified the client company), and the client learns what awaits it after registration.

2. Security of personal data.

The protection of personal data has become an extremely acute issue recently. Client companies believe that if they work over the "Internet", the probability of a leak of data about employees and the company is enormous. But often a greater threat to the confidentiality of personal data is leakage through the client company's own channels, since its employees are the interested parties and sometimes disclose confidential information without even thinking that this could harm the company's reputation. A simple example is staff appraisal: employees share information about the results, and nobody is insured against word of mouth. Although this is not personal data, the information directly concerns the client company and may affect its reputation.

Federal Law 152-FZ (the Russian law on personal data) has a number of features that give rise to certain discrepancies. They come down to this: to process personal data you must have the subject's consent and be able to prove that consent. On the Internet, identity is not verified. After all, a person can present herself not as Anastasia but as Maria, and nobody can prove otherwise (online). Only an electronic digital signature (EDS) allows the person to be identified. However, obtaining an EDS is not mandatory and few people have one. So such an agreement is valid only if there is a signature.

The developer company can notify the client company and its employees that it processes personal data by posting on its website a consent to personal data processing which states that, upon registration, the user consents to the processing and accepts the conditions set out in the document. Alternatively, rather than creating a separate document, these provisions can be written into the contract described above.

There is another type of contract, the NDA (non-disclosure agreement), which is signed by the parties. But since this option again does not suit us (this kind of contract is also hard to apply), it can be transformed into a public contract: the developer can post a public confidentiality agreement setting out confidentiality terms that take effect from the date of registration on the developer's website. This is a good tool for both the client company and the developer company.

3. Technical security methods.

Of course, technical ("non-paper") means of protection are far more reliable than provisions fixed on paper. There are many tools that can convince a client company that a SaaS HRM service is secure. One example is the double-key method used abroad. In simple terms, the client company's "data folder" is depersonalized and assigned a number, and that number is split into components: part of the number is held by the developer company and part by the client company. With this approach, even if the data is lost or stolen, it cannot be linked back to specific people without the part held by the other party.
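To make the double-key idea concrete, here is an added example in Python (it is not code from the original article, which only sketches the scheme, and the construction is my reading of it). It assumes the split "number" is a secret key: identifying fields are replaced by a keyed pseudonym (HMAC-SHA256), the key is divided into two XOR shares so that one share lives with the developer and one with the client, and re-identification also requires the client's own employee directory. The record layout, field names and employee data are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample HR records (made up for this example).
EMPLOYEES = [
    {"employee_id": "E-1001", "name": "Anastasia Ivanova", "appraisal": 4.7, "bonus_rub": 120000},
    {"employee_id": "E-1002", "name": "Maria Petrova", "appraisal": 3.9, "bonus_rub": 80000},
]

# Fields that identify a person; everything else is business data that
# can be stored at the SaaS provider under a pseudonym.
IDENTIFYING_FIELDS = ("employee_id", "name")


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split `key` into two XOR shares.

    Each share on its own is uniformly random, so holding only the
    developer's or only the client's part reveals nothing about `key`.
    """
    client_share = secrets.token_bytes(len(key))
    developer_share = bytes(a ^ b for a, b in zip(key, client_share))
    return client_share, developer_share


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the key; both parties must contribute their share."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def pseudonym(key: bytes, employee_id: str) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 truncated to 64 bits."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def depersonalize(records: list[dict], key: bytes) -> list[dict]:
    """Replace identifying fields with a pseudonym derived from the full key."""
    out = []
    for record in records:
        stripped = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        stripped["pseudonym"] = pseudonym(key, record["employee_id"])
        out.append(stripped)
    return out


def reidentify(token: str, key: bytes, directory: list[str]) -> str | None:
    """Link a pseudonym back to an employee_id.

    Needs the full key AND the client's employee directory, so the
    provider (one share, no directory) cannot do it alone, and neither
    can a thief who copies the provider's database.
    """
    for employee_id in directory:
        if hmac.compare_digest(pseudonym(key, employee_id), token):
            return employee_id
    return None


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)
    client_share, developer_share = split_key(master_key)
    stored = depersonalize(EMPLOYEES, master_key)
    print(stored)  # no names or IDs, only pseudonyms and business data

    # Re-identification only works once both shares are put together.
    ids = [e["employee_id"] for e in EMPLOYEES]
    full_key = combine_shares(client_share, developer_share)
    print(reidentify(stored[1]["pseudonym"], full_key, ids))        # E-1002
    print(reidentify(stored[1]["pseudonym"], developer_share, ids))  # None
```

Two caveats a practitioner should keep in mind. The pseudonym is deterministic, so the same employee always maps to the same token; that is what lets the client re-link records, but it also means employee IDs drawn from a small, guessable space (sequential numbers) are only protected as long as the full key stays split. And the remaining business fields (appraisal, bonus) can still single out a person if the data set is small, so depersonalization of identifiers alone is not anonymization.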

It is also possible to host the SaaS HRM system on the client company's own servers. This solution is naturally more expensive, but in return the client company is itself responsible for the safety of the data the system processes. The main document regulating such a relationship is a license agreement (a non-exclusive license) between the developer company and the client company.

In general, these are the main points to take into account when designing the information and data protection scheme for a SaaS HRM system. Summing up, it is necessary to choose the right document or set of documents to regulate the relationship between the client company and the developer company. But remember that no document posted on the Internet, however correctly drafted, will ever replace a document personally signed by the parties.

Source: https://habr.com/ru/post/163583/
