We are committed to keeping your data safe and secure
Naturally, the security of payroll and HRM information is a major concern. This is especially true when using third party hosts.
Please note that we take the security of each customers' data very seriously. We take industry-standard precautions when securing our infrastructure and applications.
At least annually, software engineers participate in secure code training which covers OWASP Top 10 security flaws and common attack vectors.
Development Best Practices
The underlying software development framework limits exposure to OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross-Site Scripting (XSS), Broken Access Control, and SQL Injection (SQLi), among others. OWASP ASVS 4.0 is used to ensure that secure architecture and coding standards are implemented.
Testing and staging environments are separated physically and logically from the production environment. No customer data is used in the development, testing, or staging environments.
Dynamic Vulnerability Scanning
We employ a number of third-party, qualified security tools to continuously scan our application. Celery is scanned weekly against the most common security flaws which includes the OWASP Top 10, PCI and CAPEC.
Security Penetration Testing
In addition to our extensive internal scanning and testing program, every 6 months Celery employs third-party security experts to perform detailed penetration tests on different parts of the application.
Celery software and all user data stored within are hosted in Tier III data centers. The data centers are powered by redundant power, each with UPS and backup generators.
All systems, networked devices, and circuits are constantly monitored by Celery operations and the co-location providers.
These data centers utilize different security zones, 24/7 manned security, camera surveillance and biometric access to the server rooms. Access to the server rooms by third parties is only permitted provided that authorization is granted and that the person is at all times accompanied by an authorized and verified employee of the data center.
Being located on Curacao and in The Netherlands guarantees fast access to the application and keeps data away from the US Patriot law.
Encryption of Data in Motion
Encryption of Data at Rest
All user data is stored encrypted at rest on Celery servers using a strong AES-256 cipher. All passwords are stored in a strongly hashed format which cannot be decrypted by Celery or anyone else within a reasonable amount of time.
All our backups are stored encrypted using a strong AES-256 cipher and transmitted via an encrypted channel to an off-site datacenter.
Availability & Continuity
Celery maintains a publicly available system-status webpage that includes system availability details and service incident history.
We make encrypted backups of all customer data (both databases and documents) at regular intervals throughout the day, every day. These backups are securely transferred to an off-site location. Off-site backups are stored for 6 months.
Our disaster recovery program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished by building a robust technical environment, creating disaster recovery plans, and testing.
Additional Product Security Features
Access Privileges & Roles
Access to data within your Celery account is governed by access rights, and can be configured to define granular access privileges. Celery has various permission levels for users (account administrator, account user, company user and employee) accessing your Celery account.
Brute Force Authentication Protection
Celery detects multiple unsuccessful login attempts and automatically locks that user account and notifies the user of the access attempt by email.
Each user can add an extra layer of security to their user account with two-factor authentication (2FA). They can use a range of popular 2FA apps (Google Authenticator, 1Password, and Authy) and use printable backup codes to get emergency access to their account if their device is lost.
Email Signing (DKIM/DMARC)
We support DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for signing outbound emails from Celery. Using an email service that supports these features allows you to stop email spoofing.
Concerning credit cards, we actively maintain a PCI-compliant system to provide industry standard protection of our customers information. We never store sensitive credit card data on our own servers and will always use a dedicated Payment Provider for this purpose.