Hrmony places great importance on the protection of personal data. The legal basis is the Data Processing Agreement (DPA), which is part of the General Terms and Conditions and meets the requirements of Art. 28 para. 3 and 4 GDPR.
Data Processing Agreement (DPA)
Hrmony concludes a DPA with each customer, which automatically becomes part of the contract as part of the General Terms and Conditions (Part B). It regulates:
- Which personal data is collected and processed
- For which purposes the data processing takes place
- Which technical and organizational measures (TOM) are taken to protect the data
- Which sub-processors are used
In the relationship between Hrmony and the customer, the following applies: The customer is the controller within the meaning of the GDPR, Hrmony acts as processor. Hrmony processes personal data exclusively on documented instructions from the customer.
Which data is processed?
Hrmony generally processes the following categories of data:
| Data Category | Details |
|---|---|
| Personal master data | First name, last name, email address, personnel number |
| Account data | Email address, password |
| Receipt data (meal subsidy) | Issuer, date, invoice data, amounts |
| Receipt data (mobility) | Transport company, date, ticket price, validity period |
| Receipt data (internet subsidy) | Provider, invoice date, invoice amount |
| Gift data | Occasion, voucher amount, date of redemption |
Hrmony aligns processing and systems with the principle of data minimization and processes personal data only to the extent necessary for the contractually owed purposes.
Technical and organizational measures (TOM)
Hrmony implements extensive security measures based on proven IT and cloud security standards:
Infrastructure and Hosting
- The platform is operated exclusively in a dedicated cloud environment at Amazon Web Services (AWS)
- Data processing takes place exclusively in data centers within the European Economic Area, specifically in Frankfurt am Main and Dublin
Encryption
- All data is encrypted during transmission using TLS 1.2 or higher
- Encryption at rest is done with AES-256
Physical and logical access protection
- Two-factor authentication (2FA) for all relevant systems
- Role-based access control according to the least privilege principle
- Complete audit-proof logging of all accesses
Data backup
- Complete database backups weekly, incremental backups daily
- Backups are stored for 4 weeks
Further measures
- Firewalling, network segmentation, intrusion detection & prevention (IDS/IPS)
- Regular external penetration tests
- Documented internal data protection and security management system (DSMS)
Sub-processors
Hrmony uses the following approved sub-processors:
| Company | Location | Service |
|---|---|---|
| Amazon Web Services EMEA SARL (AWS) | Luxembourg (processing: Frankfurt/Dublin) | Cloud hosting & computing |
| Sendinblue GmbH | Berlin, Germany | Email service for newsletters |
| Zendesk Inc. | USA (processing: EU, Dublin) | Support & help center platform |
Changes to the list of sub-processors will be communicated to the customer at least 30 days in advance. Customers have the right to object.
International data transfers
For third-country transfers (e.g., Zendesk/USA), Hrmony uses EU standard contractual clauses (SCCs) according to Art. 46 GDPR as well as additional technical and organizational measures such as EU data storage, encryption, and role-based access concepts.
Data Protection Officer
The following has been appointed in writing as Data Protection Officer:
Simpliant GmbH, Boris Arendt, Fasanenstr. 12, 10623 Berlin, email: datenschutz@hrmony.de
Further information
- More information about data protection at Hrmony
- How long are my employees' receipts retained?
- What happens to archived receipts in case of contract termination?
Questions about data protection? Our Operations Team is happy to assist you: email: operations@hrmony.de