Security protocol

    We take the protection of your data seriously. And we do everything we can to protect it.

    Access Control

    Do you offer or support SAML/SSO capabilities for authentication?

    • We do provide SSO only for Google Workspace and Microsoft Active Directory

    What types of multifactor authentication are supported?

    • We do not currently support multiparty authentication at the time but have it in the development pipeline.

    How are customer data or processes protected from unauthorized access?

    • Customer data are stored at encrypted servers where there is no access from the outside world. We are using VPC (Virtual Private Cloud) where only parts of the application that are in the same network (VPC) have access to them.

    What measures do you have in place to prevent unauthorized viewing of information?

    • We are using JWT token (with 1-minute expiration) for authentication & authorization purposes. We are using RBAC (Role Based Access Control) in order to be able to provide customers with granularity of authorization

    Who at your company can see customer data?

    • Only the customer support Admins under direct and personal request granted by customer her /himself

    Do you use a multi-tenant server model?

    • Yes

    What measures do you have to isolate individual tenant systems and data?

    • Everything is mapped on an entity called “Company” and every data is associated with it via Foreign keys.

    Data protection

    What does your data security protocol look like? (Data security protocols, defined as “the software and behavioral rules that guide how employees handle and access data”, provide clear guidelines that demonstrate an organization’s approach to data security. This might include things like SSL certificates, virtual private networks (VPNs), multi-factor authentication (MFA), and more.)

    • Customer data are stored at encrypted servers where there is no access from the outside world. We are using VPC (Virtual Private Cloud) where only parts of the application that are in the same network (VPC) have access to them.
    • We are using SSL connection for all components of our application

    Is your platform externally audited?

    • Yes, ISO 27001 Audited at June 2023

    Do you work with other third parties to deliver your SaaS solution? If so (and if they have access to your data) then what do their security protocols look like?

    • Amazon – Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, cloud infrastructure service provider. The data centres are located in Frankfurt am Main, Federal Republic of Germany.
    • HubSpot Ireland Ltd, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Co. Dublin, Ireland(VAT: IE9849471F), Hubspot service for sending mass messages, notifications and customer support (
    • Userflow, Inc. 548 Market St PMB 69598, San Francisco, California 94104-5401, United States, služba UserFlow for sending mass communications, notifications and customer support services (,
    1., s.r.o. Šumavská 524/31, Brno, CZ 60200, Czech Republic, Reg. no.: 09508830, VAT ID: CZ09508830, Smartlook for analysing user behaviour in the application. (
    2. Stripe Technology Europe, Ltd., 25/28 North Wall Quay, Dublin 1, D01H104, ID: 0599050 Služba Stripe for payment gateway services. (
    3. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irsko (Registrační číslo: 368047 / DIČ: IE6388047V) – statistics services Google Analytics a Google Tag Manager. (

    Do You Store Credit Card Information On Your Server?

    • We do not store credit card information on our server. We use Stripe as a payment processor.

    What happens in the event of data corruption?

    • We restore them from the daily backup automatically (daily backup has isolated storage outside the application itself)

    Who Owns This Data if We Stop Using You as a Vendor

    • The customer owns the data

    What actions do you do to destroy data after it is released by a customer?

    • We delete them permanently

    When was your last third-party pentest done?

    • each month by the 1. day

    Disaster recovery

    What is/are your disaster recovery plans?

    Do you perform routine disaster recovery tests?

    • Yes

    How often are incremental backups made?

    • Every 24 hours

    How many copies of data do you store and where are they stored?

    How far back do the backup copies go?

    • 1 month

    Have You Ever Had a Security Breach?

    • No

    How often and how do you test your backup and recovery infrastructure?

    • Once half a year

    What are your methods for backing up our data? What are offerings to back up data?

    Incident Response

    Do you have an incident response plan?

    Do you include customers in the incident response process?

    • Yes

    Do you provide reports of attempted or successful breaches of systems, impacts, and actions taken?

    • If requested by the customer

    Which tasks and incidents remain under the responsibility of the customer?

    • If the incident of losing data is caused by the customer itself, it’s the responsibility of the customer. All application is covered by an Audit-Login, which stores details such as:
      • IP address of the executor (person who executes an action)
      • Action name
      • Unique identifier of logged-in person (email)
      • Timestamp of an action
      • Which version of the application has been deployed at the time of the action
      • Which data has been changed and eventually even the diff, what’s been changed to what

    Physical Security

    How do you assess your employees’ security understanding?

    • We don’t have physical servers

    Where is your data center, and what physical security measures are in place?

    • We use datacenters located in Frankfurt provided by Amazon Web Services. We don’t have access to them

    What countries is data stored in – both on your infrastructure and for backups?

    • Frankfurt datacenters provided by Amazon Web Services

    Regulatory Compliance

    Do you comply or plan to comply with privacy regulations (e.g. Privacy Shield, GDPR)?

    YES, fully comply.


    How do you collect personal data?

    The subject collecting personal data is the customer (company), which collects and processes personal date of their respective employees.

    Why do you collect personal data?

    Personal data that are collected by subjects specified above are collected for the sole purpose of managing Human Resources agenda of the employer (company).

    What are you using personal data for?

    Collected personal data enables employers to plan vacations, schedule shifts, distribute internal documents and process other internal agendas.

    How long will you keep the personal data?

    As the owner of the data is the employer, the data will be kept in the application storage as long as the customer keeps them. In case of the customer stopping using the application, all data will be erased within 1 month after expiration of the commercial licence.

    Do I have any rights?

    All users, whose personal data is collected, are guaranteed all the right based on the GDPR regulation, specifically the right to observe, update, and forget.