Selecting Employees: Everybody Needs to Understand Their Responsibility to the Customer.
Erply doesn’t select employees solely based on professional skills but also looks at a potential candidate’s general mindset. We expect our employees to understand the gravity of the responsibility they have to customers when working at Erply.
We employ all legal means to do background research on our employees, conduct in-depth interviews and provide basic training where we cover topics like data confidentiality and secure data processing. All employees are required to get to know the basics of the company’s security policy and sign a document confirming that they will strive to adhere to the policy. Further training will be provided in the course of work. Erply also supports employee interests and initiatives (taking part in professional conferences, etc.).
Employees regularly undergo refresher courses in security during their career at Erply. The aim is to be aware of the newest security risks and best solutions concerning data protection and IT security.
New employees do not have access to confidential information. Employees are gradually granted more access once they have worked at the company for a certain amount of time (which differs by position) and have proven their diligence and commitment.
Erply’s work culture encourages employees to make possible security threats known and collaborate as a team to solve problems.
The Security of the Product Starts from Secure Development Processes
The security of business software starts from the development process. Only the employees working on the development have access to Erply’s software code. The head of the development team assigns access rights. Each developer can access only the part of the code they’re working on. Employees can’t access the company’s network using personal devices (e.g. tablet or smartphone).
Only reliable hardware at the company’s offices is used for programming. The company’s management can access data from outside the office if needed, but only when additional security measures are in place (VPN connection, special access to the intranet, etc.).
The code is tested and reviewed continuously. New functions and other changes in design go through the development team’s security review process. The code is also checked using special analysis software.
All data is stored in a secure cloud server. Erply’s software solution doesn’t grant the customer access to any data before successful authorization. If data needs to be loaded onto the customer’s devices in special circumstances, the data mediated by Erply is never loaded onto the customer’s device in a format that enables unauthorized use.
Erply’s security measures keep up with the times and are updated automatically, which means that the customer never has to worry about downloading updates. We post announcements about security updates on Erply’s website.
Erply’s Employees’ Access to Customer Data
A number of rules and control measures regulate how Erply’s employees can access the customers’ data.
- Customer support may require access to a customer’s data in certain scenarios, e.g. to analyze customer requests. This is why the DPA (Data Protection Addendum) the customer and Erply sign stipulates the responsibility of the parties, data processing methods and the company’s guarantee to the customer.
- Only employees whose work requires it have access to the data of a customer’s customers. Even then, Erply’s employees can only access the customer’s account if the customer contacts Erply in writing.
- If the contractual relationship between Erply and a customer comes to an end, we will discuss the customer’s preferences and either transfer the customer’s customers’ data to the customer or delete it. Erply offers the option of deleting all data after a service contract with Erply is terminated. This includes data at Erply and any backup copies. Customers can also request to extract their data from Erply while the contract is valid and can do so using an API request. Since Erply manages the backup copies of the customer’s data, data can be restored if necessary.
We Encourage the Customer to Think of Security
Each customer gets an API key. Once authenticated, the key grants the customer access to their company and customers’ data. We direct the customer’s attention to the first line of defense – basic security requirements like keeping passwords secret (see also “Security Measures We Encourage Our Customers to Use”) – during the introduction phase.