Data Privacy and security

by design

The system is hosted on AWS and resides in the Europe (Frankfurt-Germany) Region.

Horizons adheres to all foundational network security (encryption through TLS) on all public networks. We also deploy a WAF that adheres to OWASP security standards and all ingress traffic is monitored through this. We have runtime security scanners that monitor outbound calls to suspicious destinations.

Physical security is maintained by AWS at their data center. More information on AWS’s Security and compliance can be found here.

All transmissions between the customer and the server, as well as with external systems, is secured via end-to-end encryption using TLS. Horizons maintains clear segregation between its testing and production environments. The network of Horizons is isolated from the internet, with the exception of a single point of entry (proxy). Every point within the network adheres to rigorous firewall regulations. Additionally, all accesses to production can be recorded and inspected through the use of a jumpbox.

All internal applications at Horizons undergo rigorous scanning for vulnerabilities using tools like Static Application Security Testing (SAST) and third-party dependency scanners. Horizons aims to maintain an update cadence of N-1 versions for the open-source software it uses, with immediate updates whenever security patches are identified and flagged.

Yes, data is indeed encrypted at rest. This is a standard practice provided by AWS. In addition to that, Horizons’ software also ensures further security by encrypting all personally identifiable information. This guarantees that such data is safely stored in EBS, RDS, and other AWS services.

Any data that is transmitted over public networks is secured through the use of TLS, ensuring encryption while in transit.

Horizons has robust onboarding and offboarding processes in place for all users, bolstered by regular monthly user evaluations and the generation of audit logs. These logs are established to monitor authentication and scrutinize logical system and data access, as well as modifications. Furthermore, system technical occurrences, like errors, are independently tracked and logged.

Horizons mandates the use of Multi-Factor Authentication (MFA) for all members of the support and/or administration team.

Horizons has Disaster Recovery systems and processes to allow replication to another GCP region, initial backups and notification to the Customer base. In the event of impact on payment, backup file may be uploaded to the Customer’s bank to allow payment.

To view our latest uptime and available data you can visit our dedicated status page at https://status.horizons.io and subscribe to receive service updates.

Horizons has strict internal guidelines to ensure no data leakage of personal data in the onboarding process. All personal data files are immediately deleted from our systems and Horizons employee computers after the data has been successfully imported onto Horizons cloud infrastructure.

Once the offboarding process is completed, personal data files are stored in compliance with the relevant laws and for the minimum necessary duration. Following this period, all personal data is completely deleted. It is upon the Customer to maintain and create separate backups of any personal data it has provided, for its own record-keeping purposes.

Horizons only stores customer data for the sole purpose of performing its responsibilities as global employment service provide. In cases where a data deletion request is made, Horizons initiates an automated deletion process, which can be triggered via its support channel. This can be directly addressed to support@joinhorizons.com.

Any service data that is kept afterwards is anonymized and irreversibly stripped of any personally identifiable information or other customer identifiers.

All sub-processors, which include local payroll providers, law firms, and third-party employment partners, must sign legal agreements with Horizons. These agreements contain necessary security provisions, including suitable clauses pertaining to international transfers. As part of Horizons’s procedures, a review of a sub-processor’s security credentials is conducted to confirm adherence to industry-standard security practices.

The environment is designed to manage access and any changes are carefully controlled and tested. All Horizons employees who operate the applications undergo comprehensive training, including security instruction. Further measures, such as the encryption and management of shared documents via Microsoft 365, are implemented to lessen the risk of unintentional disclosure of personal data.

In the context of the Horizons global human resources services, Horizons serves as the data controller, downstream partners act as data processors, and the Customer is considered the data subject. If the Customer elects to use Horizons as their human resources platform provider, Horizons will gather employee data to carry out payroll and other human resources services.

More information on this can be found in our Data Processing Agreement, found here.