
Technical overview

Security & Compliance

This page is designed for IT, security, and procurement teams evaluating the Peopletree Group platform. It covers cloud architecture, encryption standards, access controls, compliance certifications, and integration capabilities.

Highlights: SOC 2 Type 2 certified; TLS 1.2 + AES-256; annual penetration testing

AICPA SOC 2 Type 2 - Thoropass: SOC 2 Type 2 certified for Security & Confidentiality, audited by Laika Compliance LLC (AICPA). No significant incidents recorded.

Compliance posture

SOC 2 Type 2: Security & Confidentiality, independently audited
Annual penetration testing: third-party assessment, all findings remediated
GDPR / POPIA aligned: DPAs available; customer controls data residency
Continuous vulnerability scanning: Microsoft Defender for Cloud, real-time threat detection

Cloud provider: Microsoft Azure
Primary region: EU-based data centre
Encryption in transit: TLS 1.2
Encryption at rest: AES-256 / FIPS 140-2

Cloud architecture

Microsoft Azure infrastructure

The Peopletree platform runs on a dedicated Microsoft Azure subscription with EU-based data centres. All database infrastructure runs without public IP addresses, accessible only via private endpoints within a dedicated virtual network. Cryptographic key management is handled through Azure Key Vault with HSM backing.

Full technical architecture documentation - including network diagrams, NSG configurations, and component specifications - is available to clients and prospects in the Client Portal.

Cloud provider: Microsoft Azure
Data region: EU (Netherlands)
Network protection: WAF v2 + DDoS
DB isolation: private endpoints
Key management: Azure Key Vault
Backups: geo-redundant

Encryption

Data protection standards

Data in transit: TLS 1.2 on all connections
Data at rest: AES-256 / FIPS 140-2 compliant
Database encryption: Transparent Data Encryption (TDE) on all SQL and MySQL instances
Key management: Azure Key Vault, dedicated per environment
Certificate management: Azure-managed SSL certificates with automated renewal

Identity & access

Access management

Authentication: Auth0 - OIDC/JWT, SAML, ADFS, MFA enforced
SSO providers: Auth0, Microsoft Entra ID, ADFS/SAML - enterprise federation supported
Authorisation: role-based access control (RBAC) at subscription and resource group level
API authentication: JWT bearer tokens with defined expiration and rotation controls
Admin access: VPN-gated management plane access - no public management ports exposed
Access provisioning: manager-approved access requests; revocation within 24 hours of termination
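The API authentication line above states that bearer JWTs carry a defined expiration and are subject to rotation controls. The following is an added illustration of what a verifier on the consuming side has to check for those two properties to mean anything; it is example code written for this page, not Peopletree's implementation, and it assumes a hypothetical HS256 shared-secret scheme where the token header's `kid` selects a key from a small keyring holding the current and the previous key (the real platform issues tokens via Auth0, whose key material and algorithm are not described on this page). The keyring contents, subject names and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed keyring (hypothetical): during a rotation window the previous key
# "k1" is still accepted so in-flight tokens do not break; "k2" signs new tokens.
KEYRING = {
    "k1": b"constructed-previous-secret-0001",
    "k2": b"constructed-current-secret-0002",
}
CURRENT_KID = "k2"
CLOCK_SKEW_SECONDS = 30  # tolerance for clock drift between issuer and verifier


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, ttl_seconds: int, now: Optional[int] = None,
               kid: str = CURRENT_KID) -> str:
    """Issue an HS256 JWT with iat/exp claims and a kid header for key rotation."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(KEYRING[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the payload if the token is well-formed, signed by a key still in
    the keyring, and within its validity window; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad split, base64 and JSON errors
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    # Rotation control: a retired kid is simply absent from the keyring.
    key = KEYRING.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid (retired key?)")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    # Expiration control: exp is mandatory and checked with bounded skew.
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired or missing exp")
    iat = payload.get("iat")
    if isinstance(iat, int) and iat > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token issued in the future")
    return payload


def retire_key(kid: str) -> None:
    """Complete a rotation: tokens signed with the dropped key fail from now on."""
    KEYRING.pop(kid, None)


def check(token: str, now: Optional[int] = None) -> str:
    """Return 'ok' or the rejection reason, for logging at the API gateway."""
    try:
        verify_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    tok = mint_token("user-42", ttl_seconds=300, now=issued_at)
    print(check(tok, now=issued_at + 100))   # ok
    print(check(tok, now=issued_at + 400))   # token expired or missing exp
```

The two checks an evaluator should look for in any vendor's token handling are visible here: `exp` is required rather than optional, and retiring a key is a one-line removal that immediately invalidates everything it signed, which is what makes "rotation controls" enforceable rather than aspirational.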

Data governance

Data handling & residency

Hosting region: Microsoft Azure - EU-based data centre, GDPR-compliant region, with CDN edge nodes globally
Data classification: formal data classification policy - confidential, internal, and public tiers
Data retention: defined per customer contract; data purged on request within agreed SLA
Data isolation: customer data logically isolated per tenant; no cross-tenant data access
Backup: Azure-managed geo-redundant backups with point-in-time restore
AI data handling: Azure OpenAI prompts contain only structured talent data - no personal or identifiable information included
GDPR / POPIA: data processing agreements available; customer controls data classification and retention

Connectivity

Integrations & interoperability

The Peopletree platform integrates with any data source via REST API, SFTP, or direct database connection. Named integrations below are pre-built and tested; custom integrations are scoped during implementation.

HRIS / Payroll: Payspace, Sage VIP, Oracle Fusion, SAP SuccessFactors, Workday, any HRIS via API
Identity & SSO: Auth0, Microsoft Entra ID, ADFS / SAML 2.0, OIDC-compatible providers
Data transfer: secure SFTP (TLS 1.2, key-pair auth), REST API (HTTPS/TLS 1.2), Azure ETL pipeline, direct database integration on request
Analytics: Tableau (embedded analytics), DataWiz custom dashboards, export to Excel / CSV
Communication: SendGrid (transactional email - dedicated IP), Tawk.to (live chat / ticketing)
Monitoring & logging: Sentry.io (exception tracing), Azure Monitor, Log Analytics Workspace (90-day+ retention)

Compliance

Certifications & audits

Peopletree Group undergoes independent third-party audits on an annual basis. Full reports are available to prospective customers and IT teams under NDA.

SOC 2 Type 2 - Laika Compliance LLC / AICPA
Scope: Security & Confidentiality
Outcome: no significant incidents

Independent audit confirming controls for security and confidentiality were suitably designed and operated effectively throughout the audit period. Full report available under NDA.

Annual Penetration Testing - third-party assessment
Coverage: web applications & APIs
Findings: all remediated

Annual gray-box penetration test conducted by an independent security firm. All identified findings are remediated and validated before the report is closed. Executive summary available under NDA.

AICPA SOC 2 Type 2 - Thoropass
SOC 2 Type 2 - Security & Confidentiality

Audited by Laika Compliance LLC under AICPA Trust Services Criteria. The audit confirmed that Peopletree Group's controls for security and confidentiality were suitably designed and operated effectively throughout the audit period. The full report is available to prospective customers and business partners under NDA.

Operational controls

Security procedures

Change & vulnerability management
- All changes reviewed, tested, and approved before deployment
- Continuous vulnerability scanning - critical patches within 24 hours
- Microsoft Defender for Cloud - real-time threat detection

Incident response
- Documented plan: identification, containment, remediation, and communication
- Notification to affected parties within agreed windows
- 90-day+ log retention via Azure Monitor and Log Analytics

Business continuity
- Documented BC/DR plan with defined resumption steps
- Geo-redundant storage with point-in-time restore
- Redundant infrastructure with load balancing on Azure

Personnel & vendor security
- Security awareness training and background checks for all employees
- Role-based access provisioning - revoked within 24 hours of termination
- All vendors assessed for security compliance before onboarding

Full operational security procedure documentation - including incident response SLAs, change management policies, and BC/DR plans - is available in the Client Portal.

Need the full security documentation?

The full SOC 2 Type 2 report, penetration test executive summary, and data processing agreements are available to prospective customers and IT teams under NDA.