Security for customers and developers SaaS HRM services

Currently, SaaS services are becoming more and more popular. According to forecasts published by RAEC in 2012, the market volume amounted to 1.89 billion rubles, and the increase was 46%. I would like to pay special attention to SaaS HRM services, since they contain strategically important information about the organization’s personnel, workflow, bonus schemes, and other information, based on which we can draw conclusions about the state of human capital of any company.

* Scientific reference from me:

Human capital is one of the structural elements of intellectual capital, which, in turn, is the "mass" that fills the gap between the gap in the company's market capitalization and the assessment of its value based on financial statements.


In view of the recognition by business of the value of human capital as a driving factor in the economy. HRM market responds quickly to business requests. As a result, new tools are emerging for managing, training, developing, motivating and evaluating staff. Basically, the need for this kind of software arises in the "medium" and "large" business, with the number of employees from 100 to 300 and from 300 people and above and turnovers from 150 million. up to 2.5 billion. rub / year and from 2.5 mln. and above rubles / year. In this regard, there are a number of criteria by which HRM service is selected.

- Firstly, he must solve the tasks set by the personnel management.
- Secondly, due to the territorial and temporal separation of offices and employees, the service should work not only locally, but also be widely available.
- Thirdly, since such services are automated tools, they must solve the problem of processing a large amount of information manually.
- Fourth, a key criterion in the modern world of innovative technologies is that services should be safe in terms of protecting personal data and the interests of the organization.

As a result, a large number of new SaaS tools (software as a service) appear on the market based on these introductory requirements for HRM service. For the most part, SaaS services satisfy the first 3 criteria, but with the last point, namely: protecting personal data and the interests of the organization, difficulties often arise (especially for “young” services), since the data is processed using the Internet.

How can a client company protect itself? And what solutions can the “young” SaaS HRM service development company use?

1. Relations of the development company with the client company.

Relations are regulated by the contract (the name of the contract can be completely different: the provision of services, a non-exclusive license, use, etc.) The main part of the contract is the responsibility, rights and obligations of the parties. Such an agreement should be drawn up and attached separately on the website of the developer company, as proof of the seriousness of intentions and the full responsibility of the developer company to the client.

One of the common types of contracts is an SLA (service level agreement) with a client. But, since we are talking about a SaaS service, where the task is to simplify and speed up the use process to the maximum, it is possible to translate such an agreement into a format for an agreement on the level of the provided service, which will be valid for customers who have concluded a public agreement with the developer company. The agreement spells out service guarantees to the client company. As a rule, such an agreement is an annex to the contract.

Also, when registering in a SaaS service, you can provide the client company with an agreement on the use of the service / user agreement for review. Thus, the developer company will protect itself from possible violations (by notifying the client company) and the client will be notified about what awaits him after the registration procedure.

2. Security of personal data.

The issue of protecting personal data has been extremely acute lately. Client companies believe that if they work through the Internet, the likelihood of data leakage about employees and the company is enormous. But, for a frequent, big threat to the safety of personal data is a data leak through the channels of the client company itself, since it is their employees who are interested parties and sometimes disclose confidential information without even thinking about what could harm the company's reputation. A simple example is staff assessment. Employees share results information. No one is safe from word of mouth. Although this is not personal data, this information directly relates to the client company and may affect its reputation.

In FZ-152 there are a number of features in connection with which certain discrepancies arise. They are as follows - for the processing of personal data, you must have consent to it and provide evidence of this consent. On the Internet, a person is not identified. After all, a person can introduce himself, not Anastasia, but Maria and no one can prove the opposite (on the Internet). Only the use of electronic digital signature (digital signature) allows you to identify a person. But, obtaining an EDS is not a mandatory procedure and few have it. So such an agreement has effect only with a signature.

It is possible to notify the client company and its employees that the developer company is processing personal data by posting consent to the processing of personal data on the website, where it is indicated that after registration, the user agrees to the processing and accepts the conditions specified in the document. It is possible not to draw up an additional document, but to prescribe these provisions in the contract described above.

There is another version of the contract - the NDA (non-disclosure agreement), which is signed by the parties. But, since this option does not suit us again (due to the fact that this type of contract is also difficult to apply), it can be converted into a public contract. It is possible for the developer company to post a public confidentiality agreement, which sets out the confidentiality conditions that enter into force upon registration on the website of the developer company. This is a good tool for both the client company and the development company.

3. Technical security methods.

Of course, the use of "non-paper" means of protection is much more reliable than fixing on paper. There are many different tools that can convince a client company of the safety of a SaaS HRM service. For example, the double-key technique used abroad. In simple terms, the "data folder" of the client company is depersonalized and numbered and the number is divided into components. Part of the number is stored by the developer company, part of the number is stored by the client company. With this approach, even if the data is lost or stolen, it will be impossible to identify them.

It is possible to host the SaaS HRM system on the server of the client company. This solution is naturally more expensive. But, at the same time, the client company itself is responsible for the safety of the data processed by the system. The main document governing such relations will be a license agreement (not an exclusive license) between the development company and the client company.

In general, these are the main points that must be taken into account when creating a scheme for protecting information and data in the SaaS HRM system. Summarizing all of the above, we can say that it is necessary to choose the right document or a package of documents that would regulate the relationship between the client company and the developer company. But, it is worth remembering that not one, even the most correctly drawn up document posted on the Internet, will never replace a document signed by the parties personally.

Also popular now: