Our secure methods of storing HR data

Patching

We have automated systems in place that monitor the versions and vulnerabilities in all the projects that power Charlie.

Encryption at rest

Our database has automatic encryption at rest, cloaking your data in another layer of protection.

Cross site request forgery tokens

We verify CSRF tokens at every point possible to help ensure your data can’t be tampered with by malicious third parties.
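The synchronizer-token check the paragraph above describes, written out as an added example (this is not Charlie's code). The token is derived from a server secret and the session id, so it is bound to one session and unguessable without the key; every state-changing method must present it, and the comparison is constant-time. The function names, the `csrf_token` form field and the `X-CSRF-Token` header are assumptions for the illustration.

```python
"""Synchronizer-token CSRF protection (added example, not Charlie's code).

The server derives a per-session token from a secret key and the session id,
stores nothing extra, and verifies the token submitted with every state-changing
request using a constant-time comparison. Names and request shape are assumed.
"""
import hashlib
import hmac
import secrets
from typing import Mapping

# Methods that must not change state and so are exempt from the token check
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def issue_csrf_token(server_key: bytes, session_id: str) -> str:
    """Token = hex(HMAC-SHA256(server_key, session_id)).

    Bound to the session, so a token taken from another session is useless, and
    unguessable without the server key. Rotating the session id on login rotates it.
    """
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(server_key: bytes, session_id: str, method: str,
                form: Mapping[str, str], headers: Mapping[str, str]) -> bool:
    """Return True if the request may proceed.

    Safe methods pass. Any other method must carry this session's token in the
    form body (csrf_token) or the X-CSRF-Token header. The comparison is
    constant-time so a mismatch does not leak how many leading bytes matched.
    """
    if method.upper() in SAFE_METHODS:
        return True
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not submitted or not session_id or not submitted.isascii():
        return False  # missing token, anonymous session, or malformed input
    expected = issue_csrf_token(server_key, session_id)
    return hmac.compare_digest(submitted, expected)


# Constructed demo values (not real keys or sessions)
SERVER_KEY = secrets.token_bytes(32)
SESSION_A = "session-aaa"
SESSION_B = "session-bbb"


def demo() -> dict:
    """Exercise the accept and reject paths; returns case -> allowed."""
    token_a = issue_csrf_token(SERVER_KEY, SESSION_A)
    return {
        "safe_get_without_token": verify_csrf(SERVER_KEY, SESSION_A, "GET", {}, {}),
        "post_with_own_token": verify_csrf(SERVER_KEY, SESSION_A, "POST", {"csrf_token": token_a}, {}),
        "post_token_in_header": verify_csrf(SERVER_KEY, SESSION_A, "POST", {}, {"X-CSRF-Token": token_a}),
        "post_without_token": verify_csrf(SERVER_KEY, SESSION_A, "POST", {}, {}),
        "post_with_other_sessions_token": verify_csrf(SERVER_KEY, SESSION_B, "POST", {"csrf_token": token_a}, {}),
        "delete_with_garbage": verify_csrf(SERVER_KEY, SESSION_A, "DELETE", {"csrf_token": "x" * 64}, {}),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```

The token must be rendered into forms and scripts served over the authenticated session only; a request that arrives without a session is rejected rather than given a fresh token, so the check never degrades to "no session, no check".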

HTTP strict transport security

Our application forces all requests over HTTPS, ensuring all traffic is secured in transit and protecting against protocol downgrade attacks.
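HSTS only protects against downgrade if the header an application sends is actually strong enough: a long `max-age` and `includeSubDomains`. The checker below is an added example (not Charlie's code) that parses a `Strict-Transport-Security` header value the way a reviewer or build check would and reports what is weak about it. The one-year threshold, the report fields and the sample responses are assumptions for the illustration.

```python
"""Check a Strict-Transport-Security header against common hardening expectations
(added example, not Charlie's code).

Parses the HSTS header value an application sends and reports whether it sets a
one-year max-age and covers subdomains, which is what makes HSTS effective
against protocol downgrade. Thresholds and sample headers are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum most deployment guidance recommends


@dataclass
class HstsReport:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsReport:
    """Parse one header value; directive names are case-insensitive."""
    report = HstsReport(present=True)
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            # RFC 6797 says a directive may appear only once
            report.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                report.problems.append("max-age is not a non-negative integer")
                continue
            report.max_age = int(arg)
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
        # unknown directives are ignored, as browsers do
    if report.max_age is None:
        report.problems.append("max-age directive missing; header is invalid")
    elif report.max_age == 0:
        report.problems.append("max-age=0 disables HSTS for this host")
    elif report.max_age < ONE_YEAR:
        report.problems.append(f"max-age {report.max_age} is below one year")
    if not report.include_subdomains:
        report.problems.append("includeSubDomains missing: subdomains remain downgradable")
    return report


def check_response_headers(headers: Dict[str, str]) -> HstsReport:
    """Find the HSTS header in a response (names are case-insensitive) and check it."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return HstsReport(present=False, problems=["Strict-Transport-Security header absent"])


# Constructed sample responses (not captured from any real server)
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
HARDENED = {"Content-Type": "text/html",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        r = check_response_headers(hdrs)
        print(label, "OK" if not r.problems else r.problems)
```

Browsers only honour the header on an HTTPS response, so the check is meaningful on the HTTPS endpoint; the HTTP endpoint should redirect rather than serve content, which is a separate check.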

Regular external pen tests

We test our own product regularly by hiring specialist security friendlies to attack us from the outside and in.

Security checks on build

We have automated safeguards in place to check our code for potential issues before anything goes live.

File storage

Your uploaded files can only be accessed through Charlie, and team members can only get access to the files intended for them.

Two-factor authentication

We support two-factor authentication for Charlie users and encourage them to enable it for additional account protection.

Private key authentication

Where supported, we always use trusted certificate-based private key authentication.

Code review

We draw on industry experience both internal and external to ensure our code is readable and maintainable. This helps us develop secure systems with ease and confidence.

Password salting and hashing

We use the most secure cryptographic libraries throughout Charlie. Passwords are salted and hashed using bcrypt and never stored in the clear.

High availability

We've designed Charlie to ensure high availability throughout the platform. At every layer of the stack we have a suite of contingency mechanisms, including automatic failover, to ensure 24/7 application availability.

SSL/TLS

All traffic between Charlie and the user's browser is encrypted in transit. We support TLS exclusively, using only strong cipher suites.

Third party security audits

We give trusted source code auditors visibility of the code so there’s absolutely nowhere to hide. That’s the standard we set ourselves.

Secure software development life cycle

We put security at the heart of all our feature design and builds to ensure we are always maintaining our standards at 100%.

Automated tests

We have automated test suites to verify that team members can only see what they are supposed to.
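What such a test looks like in practice, covering both the file storage claim above (files reach only the members they are intended for) and this one: an added example, not Charlie's code. It runs an in-memory, deny-by-default file store against an explicit matrix of who should see what, and enumerates every member and file pair so that an over-permissive upload shows up as a leak and an over-tight one as a lockout. The store, member names and policy are constructed for the illustration.

```python
"""Automated access-control test over an in-memory file store (added example,
not Charlie's code).

Files carry an explicit allow-list of team members; the test enumerates every
(member, file) pair and checks that what each member can list and read is
exactly what the policy intends. Store, names and policy are constructed.
"""
from typing import Dict, FrozenSet, List, Set


class Forbidden(Exception):
    pass


class FileStore:
    def __init__(self) -> None:
        self._files: Dict[str, bytes] = {}
        self._acl: Dict[str, FrozenSet[str]] = {}

    def upload(self, name: str, content: bytes, allowed: Set[str]) -> None:
        self._files[name] = content
        self._acl[name] = frozenset(allowed)

    def names(self) -> List[str]:
        return sorted(self._files)

    def can_read(self, member: str, name: str) -> bool:
        # Deny by default: an unknown file or a missing ACL never grants access
        return member in self._acl.get(name, frozenset())

    def list_for(self, member: str) -> List[str]:
        return sorted(n for n in self._files if self.can_read(member, n))

    def read(self, member: str, name: str) -> bytes:
        if not self.can_read(member, name):
            raise Forbidden(f"{member} may not read {name}")
        return self._files[name]


def build_demo_store() -> FileStore:
    """Constructed data: two personal contracts and one shared handbook."""
    store = FileStore()
    store.upload("contract-alice.pdf", b"...", {"alice", "hr-manager"})
    store.upload("contract-bob.pdf", b"...", {"bob", "hr-manager"})
    store.upload("handbook.pdf", b"...", {"alice", "bob", "hr-manager"})
    return store


# The intended visibility matrix; the test is only as good as this oracle
INTENDED: Dict[str, Set[str]] = {
    "alice": {"contract-alice.pdf", "handbook.pdf"},
    "bob": {"contract-bob.pdf", "handbook.pdf"},
    "hr-manager": {"contract-alice.pdf", "contract-bob.pdf", "handbook.pdf"},
    "intern": set(),
}


def find_violations(store: FileStore, intended: Dict[str, Set[str]]) -> List[str]:
    """Exhaustively compare observed access with the intended matrix.

    Returns human-readable violations; an empty list means the policy holds.
    Listing and reading are checked separately because they are separate code paths.
    """
    violations: List[str] = []
    all_files = set(store.names())
    for member, wanted in intended.items():
        visible = set(store.list_for(member))
        for extra in sorted(visible - wanted):
            violations.append(f"LEAK: {member} can see {extra}")
        for missing in sorted(wanted - visible):
            violations.append(f"LOCKOUT: {member} cannot see {missing}")
        for name in sorted(all_files - wanted):
            try:
                store.read(member, name)
                violations.append(f"LEAK: {member} can read {name}")
            except Forbidden:
                pass  # the expected outcome for a file outside the member's set
    return violations


if __name__ == "__main__":
    problems = find_violations(build_demo_store(), INTENDED)
    print("policy holds" if not problems else "\n".join(problems))
```

Enumerating the whole matrix rather than a handful of hand-picked cases is what turns this from a spot check into a regression test: a newly added role or file that is not in the oracle fails loudly instead of silently inheriting access.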

Key management

We keep our keys secret and out of version control, to ensure access to critical resources cannot be compromised.

Customer data regulation

We never move user data out of the secured environment for testing or any other reason. Your data always stays where it’s put.

Bug bounty

We run a bug bounty where we allow security researchers to continuously test our application. If someone helps us become that bit more secure, we pay them!