Security of your and our data

We are committed to keeping your data safe and secure

Naturally, security of payroll and HRM information is a major concern. This is especially true when using third party hosts.

Please note that we take the security of each customers's data very seriously. We take industry-standard precautions when securing our infrastructure and applications. 

Application Security

Security Training

At least annually, software engineers participate in secure code training which covers OWASP Top 10 security flaws and common attack vectors.

Development Best Practices

The underlying software developement framework limits exposure to OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross Site Scripting (XSS), Broken Access Control and SQL Injection (SQLi), among others. OWASP ASVS 3.0 is used to ensure that secure architecture and coding standards are implemented.

Separate Environments

Testing and staging environments are separated physically and logically from the production environment. No customer data is used in the development, testing or staging environments.

Dynamic Vulnerability Scanning

We employ a number of third-party, qualified security tools to continuously scan our application. Celery is scanned weekly against the most common security flaws which includes the OWASP Top 10, PCI and CAPEC.

Security Penetration Testing

In addition to our extensive internal scanning and testing program, every 6 months Celery employs third-party security experts to perform detailed penetration tests on different parts of the application.

Physical Security

Facilities

Celery software and all user data stored within are hosted in Tier III data centers. The data centers are powered by redundant power, each with UPS and backup generators.

On-site Security

These data centers utilize different security zones, 24/7 manned security, camera surveillance and biometric access to the server rooms. Access to the server rooms by third parties is only permitted provided that authorization is granted and that the person is at all times accompanied by an authorized and verified employee of the data center.

Monitoring

All systems, networked devices, and circuits are constantly monitored by Celery operations and the co-location providers.

Location

Being located on Curacao and in The Netherlands guarantees fast access to the application and keeps data away from the US Patriot law.

Encryption

Encryption of Data in Motion

Communications between you and Celery servers are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS). We consistently score an A+ rating for our SSL security in industry benchmarks.

Encryption of Data at Rest

All user data is stored encrypted at rest on Celery servers using a strong AES-256 cypher. All passwords are stored in a strongly hashed format which cannot be decrypted by Celery or anyone else within a reasonable amount of time. 

Encrypted Backups

All our backups are stored encrypted using a strong AES-256 cypher and transmitted via an encrypted channel to an off-site datacenter.

Availability & Continuity

Uptime

Celery maintains a publicly available system-status webpage that includes system availability details and service incident history.

Backups

We make encrypted backups of all customer data (both databases and documents) at regular intervals throughout the day, every day. These backups are securely transferred to an off-site location. Off-site backups are stored for 6 months.

Disaster Recovery

Our disaster recovery program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating disaster recovery plans, and testing.

Additional Product Security Features

Access Privileges & Roles

Access to data within your Celery account is governed by access rights, and can be configured to define granular access privileges. Celery has various permission levels for users (account administrator, account user, company user and employee) accessing your Celery account.

Brute Force Authentication Protection

Celery detects multiple unsuccessful login attempts and automatically locks that user account and notifies the user of the access attempt by email.

Two-factor authentication

Each user can add an extra layer of security to their user account with two-factor authentication (2FA). They can use a range of popular 2FA apps (Google Authenticator, 1Password, and Authy) and use printable backup codes to get emergency access to their account if their device is lost.

Email Signing (DKIM/DMARC)

We support DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for signing outbound emails from Celery. Using an email service that supports these features allows you to stop email spoofing.

PCI Compliance

Concerning credit cards, we actively maintain a PCI-compliant system to provide industry standard protection of our customers information. We never store sensitive credit card data on our own servers and will always use a dedicated Payment Provider for this purpose.