Security at Nmbrs®

Safe HR and payroll software is both our profession and our guarantee. The security of our platform, network and products is our highest priority, day and night.

We safeguard your privacy

Nmbrs® will never use the data for purposes other than HR- and payroll-related practice, and we are determined to make sure nobody else ever will. All customer data that requires storage is located in the Equinix datacenter with the highest levels of security and operational reliability. When data is shared with applications or tools that enhance our product, this happens in compliance with the EU Data Protection Act. That means that the shared information is very limited and does not expose any kind of sensitive personal data.

GDPR

We are aware and supportive of the passage of the General Data Protection Regulation (GDPR). The deadline for compliance with its terms is May 2018. During the implementation period, we are evaluating additional requirements or restrictions imposed by the GDPR and will take any action necessary to ensure that we handle customer data in compliance with applicable law by the 2018 deadline. We'll be updating this Security page with more information over the coming months.

Application terms of use

We are committed to handling all data in our application carefully, safely, and confidentially. We process data exclusively in accordance with existing guidelines, restricted exclusively to HR- and payroll-related practice. By using our application, you agree to the use of your data as outlined in our privacy policy.

Privacy statement

How do we secure your data?

We have taken measures to make Nmbrs® both secure and convenient for our partners and users. We use several tools for application, infrastructure and user monitoring that alert our operations team to act in critical situations. For the complete picture, the Nmbrs® IT whitepaper offers an elaborate explanation of the efforts and policies that help secure our data.

 

Infrastructure

Data traffic to our servers is controlled 24/7 from a central control room. Within 30 minutes, Nmbrs® will respond to unauthorized attempts to access the web service, irregular traffic or other attempts to subvert Nmbrs®. The Nmbrs® infrastructure is protected by a firewall managed by hosting partners that continuously identify potential threats. Each server that is accessible from the Internet (web servers) is also protected by an extra operating system firewall.

SSL Encryption

Client/server communication uses HTTPS, which protects data integrity and prevents data tampering in transit. The Nmbrs® certificate uses a 2048-bit key. The HTTPS transport layer uses standard TLS without fallback to SSLv2/SSLv3, which are disabled for security reasons. Internet users can recognize the SSL-secured status by the lock icon before the website URL, and Extended Validation SSL-secured websites by the green address bar.

User Authentication

Nmbrs® offers a range of policies for password requirements, including options for periodic password resets and PIN codes. Furthermore, two-factor authentication provides an optional second authentication level. Nmbrs® does not store users' passwords in the database, only a salted hash of each password. This prevents passwords from being stolen even by someone with database access.

IP Validation

Every user has a whitelist of approved IP addresses from which they may access the system. When a user accesses the system from a new IP address, an email is sent to verify the new IP. It is also possible to restrict access to Nmbrs® to a list of IP addresses or IP ranges. This measure helps to prevent third parties from entering Nmbrs® accounts from unfamiliar locations and devices.
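The decision flow described above, sketched as an added example (this is not Nmbrs® code). The class and function names, the decision strings, the one-time e-mail token and the choice to apply the range restriction before the per-user whitelist are all assumptions made for illustration; the addresses are documentation ranges.

```python
import hmac
import ipaddress
import secrets


def parse_ip(raw):
    """Return a normalised address object, or None if raw is malformed."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4 so it matches v4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class IPValidator:
    """Hypothetical per-user IP check; not the vendor's implementation."""

    def __init__(self, restricted_ranges=()):
        # Optional account-wide restriction: single IPs or CIDR ranges.
        self.restricted = [ipaddress.ip_network(r, strict=False)
                           for r in restricted_ranges]
        self.approved = {}  # user -> set of approved addresses
        self.pending = {}   # (user, address) -> one-time token sent by e-mail

    def check(self, user, raw_ip):
        """Return (decision, token); token is set only for 'verify_by_email'."""
        ip = parse_ip(raw_ip)
        if ip is None:
            return "deny", None  # fail closed on malformed input
        if self.restricted and not any(ip in net for net in self.restricted):
            return "deny", None  # outside the configured ranges
        if ip in self.approved.get(user, set()):
            return "allow", None
        token = secrets.token_urlsafe(16)
        self.pending[(user, ip)] = token
        return "verify_by_email", token

    def confirm(self, user, raw_ip, token):
        """Approve the address only if the token matches the pending one."""
        ip = parse_ip(raw_ip)
        expected = self.pending.get((user, ip))
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending[(user, ip)]
        self.approved.setdefault(user, set()).add(ip)
        return True
```

The whitelist is keyed per user, so an address approved for one account still triggers verification for another, and a confirmation token cannot be replayed once it has been used.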

Download IT whitepaper

Who verifies our quality?

We rely on external parties to verify our operational excellence, procedures and methodologies. Nmbrs® maintains a set of compliance certifications that provide independent verification of our quality.

 

ISAE 3402 Type II

Nmbrs® has produced an ISAE 3402 report. One of the purposes of this ISAE 3402 Type II report is to give Nmbrs® customers the information they need to understand the design and implementation of the controls implemented by Nmbrs® that are relevant to the control of the user organisation's internal processes, for the purpose of the audit of their financial statements.

ISAE 3402 Type II

What policies do we deploy?

A number of legal documents are important to us at Nmbrs® as well as to our customers, our prospects, and users of our application. To make it easy to find the information you're looking for, we've assembled them here under one roof, each with a quick rundown of the individual regulations.

 

Data Processing Agreement

This document covers agreements on confidentiality, security, sub-processors, privacy, data elimination, and other obligations between two or more parties that share responsibility for personal data. Nmbrs® provides a signed agreement on our knowledge base.

Data processing agreement

Responsible Disclosure Policy

In the unfortunate event that a user or hacker identifies a vulnerability in our product, the Responsible Disclosure Policy provides instructions that ensure that information about the weakness will be handled confidentially, and investigated with high priority.

Responsible disclosure policy

How can we work even safer?

Being online software means that online crime is a risk to our service. Cyber criminals may attempt to obtain sensitive information by accessing individual accounts or using our name and image. We believe that the most forceful weapon against this form of crime is shared knowledge. Therefore, we aim to provide all our users and partners with clear knowledge and instructions on how to deal with possible attempts at online crime.

Phishing and malicious emails

Phishing is a deceptive form of online fraud. For example, criminals send out misleading emails or messages appearing to come from Nmbrs® or another trusted sender, in order to acquire confidential information. However, Nmbrs® will never request sensitive information, so do not provide your data under any circumstance. Furthermore, a phishing mail might request the login credentials of your Nmbrs® account. Make sure to enter your login information only on an Nmbrs® domain whose SSL encryption is recognizable. Additionally, the government website provides valuable information on things like identifying phishing emails.
If you've received a suspicious email that contains the Nmbrs® brand, please follow these steps:
 
1. Don't click on any link or attachment contained in the email
2. Don't reply to the email
3. Report the email to our support team by forwarding it to support@nmbrs.nl. Please make sure to state your suspicion in accompanying text.
4. Delete the email
5. Update your anti-malware (anti-virus, anti-spyware) and run a full scan on your computer.