[HR] Discover How Cangaroo Protects Your Data!

Created by Joannie Bouchard, Modified on Sun, 24 Nov, 2024 at 3:17 PM by Joannie Bouchard



This article concerns the following role(s):
MEM


This article requires the following module(s):
N/A



Before starting:


In this article, we will provide you with essential information regarding the protection and security of your data within our web and mobile application, Cangaroo HR.



At Cangaroo, we understand the importance of the confidentiality and security of your personal and professional data. Our dedicated team works tirelessly to implement cutting-edge security measures, ensuring that your information is always protected from potential risks.


In this article, you'll discover in detail the different layers of security we have in place, including the use of robust encryption to protect your data, restricted access to sensitive data for authorized persons only, and our regular backup procedures to ensure the continued availability of your data.


We'll also explain how we manage access authorizations, security audits and application updates to maintain optimum security. In addition, we'll advise you on best practices for further strengthening the security of your data within our application.


If you have any further questions or concerns, please do not hesitate to contact us. Your security and satisfaction are at the heart of our mission.



Access to Employee Data


In order to consult an employee's personal data in their file, the user must submit an “access request”. Once the request has been completed, the corresponding information will be unlocked and made available to the requester for consultation. All “access requests” are logged in a report called the “Access Request Report”, ensuring complete and transparent traceability of every request made.


In the event that a Cangaroo employee (MSA) submits an “access request” to assist a client with an issue (ticket), a training process, or the loading of your data, this request will also be logged in the report. This practice guarantees traceability and complete documentation, ensuring transparent and efficient management of these requests within Cangaroo HR.


When a user performs a batch data export using the “Customized Employee View” module, this request will be automatically logged in the report. In addition, an e-mail notification will be sent to the address defined in your settings, informing you of the data export, thus ensuring complete transparency in the data export process.


It is possible for a member of the HR team to make a “full access request”. This request automatically expires after 8 hours.


The following fields, taken from the employee file, require an “access request” in order to be consulted by the user: Marital status, Personal email, Cell phone, Social Insurance Number (SIN), Driver's license, Addresses, Postal code, Home telephone number, Date of birth, Banking information, and some custom fields.


This list may be modified to reflect new realities or legal limitations.


Advanced Security Module


Our Cangaroo HR solution includes an advanced security module offering our clients full control over authorization levels for their internal users. With this feature, our clients have the freedom to choose and customize access levels for each user and can adjust them at any time according to their needs. This flexibility allows our clients to maintain optimal security while easily adapting to changes in their organization.


For our clients who have not opted for the advanced security module, we provide several “Text and Numeric” settings. While these settings may be slightly less flexible than the advanced security module, they still offer various options to restrict access to information and features. These options are designed to ensure data security while providing customizable restrictions tailored to the needs of our clients.


WEB Application Access (Login)


Our customers can activate two-factor authentication, use mobile app authentication, and manage their password expiration period. These features give our customers greater control over the security of their access and enable them to personalize their experience according to their preferences and security needs.


With two-factor authentication, a one-time code is sent by SMS or e-mail after the user enters their password. The code is required once the user has gone a configurable number of days without logging into the application; this number of days is set in the “Text and Numeric” settings.


Authentication with the mobile app allows users who have activated their mobile account to log in to Cangaroo (WEB version), without a password, using a one-time code received via push notification on their phones or tablets registered to their account.

The minimum length of the password, its expiration period, and its repeatability can be configured by the administrator in the portal.


When a user logs in to Cangaroo HR, the password entered on the client is not retained: it is hashed with a salt (a one-way transformation that cannot be reversed to recover the password) and the result is compared with the stored hash. No plaintext password is stored in Cangaroo HR.


The web server accepts HTTPS connections only. 


The TLS certificate uses a 2048-bit RSA key with a SHA-256 signature, and any plain HTTP request is redirected internally to HTTPS.


No connection is allowed to the portal from Linux except with specific agreement from the customer and specification of the customer's IP address (router).


Cangaroo HR administrators (MSA) can only access their Cangaroo HR Administrator account (MSA portal) from certain authorized IP addresses. In addition, each access by a Cangaroo HR administrator is logged.


Hosting and Access to Your Data


We back up your data on a differential basis every 15 minutes and take one full backup every day. All backups are encrypted. Your data and its backups are stored encrypted on our protected servers for predetermined retention periods, guaranteeing the availability of your information should the need arise while adhering to strict data preservation standards.


All data, including backups and interface exchanges, is stored and processed in geo-redundant data centers in Canada, by suppliers meeting the highest security standards.


Data is entered in readable form into the application and transmitted to our multi-key encryption system. No Cangaroo employee is able to access data without obtaining all keys from other Cangaroo employees. No administrator (MSA) is able to access your sensitive data without documenting the access.


Data is stored in our database in encrypted form, which means it cannot be used in its current state by a Cangaroo employee, partner, or external threat. This extra layer of security ensures that sensitive information remains confidential and inaccessible to any unauthorized person.
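As an added illustration of the multi-key principle described above, and not a description of Cangaroo HR's actual system, this Python example splits a data-encryption key into one share per custodian so that decrypting a stored record requires every share; any custodian missing leaves the data unreadable. The record layout, the number of custodians and the stand-in stream cipher (SHA-256 in counter mode, chosen because the Python standard library has no AES) are assumptions for the example; a production system would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
from typing import List


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """n-of-n XOR secret sharing: one share per custodian, all needed to rebuild.

    All shares but the last are random; the last is chosen so that the XOR of
    every share equals the key. Any subset missing even one share is uniformly
    random and reveals nothing about the key.
    """
    if custodians < 2:
        raise ValueError("need at least two custodians")
    shares = [os.urandom(len(key)) for _ in range(custodians - 1)]
    last = key
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    return shares + [last]


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR the shares back together; correct only when every share is present."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = bytes(a ^ b for a, b in zip(key, share))
    return key


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and authentication keys derived from the master key.
    return hashlib.sha256(purpose + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (assumed for the example): SHA-256 in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, "sha256").digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong key fails closed."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def custody_demo(custodians: int = 3) -> dict:
    """Encrypt a constructed record, then try to read it with and without every share."""
    master = os.urandom(32)
    shares = split_key(master, custodians)
    record = encrypt(master, b"SIN 000-000-000")  # constructed sample field
    return {
        "all_shares": can_decrypt(combine_shares(shares), record),
        "missing_one": can_decrypt(combine_shares(shares[1:]), record),
    }


if __name__ == "__main__":
    print(custody_demo())  # {'all_shares': True, 'missing_one': False}
```

The master key exists only transiently in memory while shares are combined; what each custodian holds is a random-looking share that is useless on its own. A k-of-n threshold (Shamir secret sharing) is the usual choice when the operator also needs to survive a lost share.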


The database is designed as a silo: each customer's data is kept independent, but within the same database structure, so that no update fees are charged to our customers.



Account Closure and Data Handling


When a customer account is closed, all employee data is anonymized and permanently destroyed. This ensures that personal information is no longer associated with specific individuals and becomes completely unusable after the account closure, in line with strict confidentiality and data protection standards.


Single Sign-On (SSO)


Cangaroo HR does not offer Single Sign-On (SSO) with Azure or similar systems for several crucial reasons. Firstly, the Cangaroo HR environment requires employees to have access to the application before they are hired, and even after they leave. This access management feature requires a different approach to security management, unlike SSO integration, which centralizes user authentication and authorization.


Moreover, since security within Cangaroo HR is centralized, integrating SSO into a centralized environment can lead to complex challenges in terms of coordinating and managing security policies.


Finally, the threat of a data breach is amplified in the event of a computer attack targeting your servers. Using SSO can potentially create a single point of failure, making sensitive data more vulnerable in the event of a security incident on your end.



Automatic Data Deletion


At Cangaroo HR, we are committed to ensuring the security and integrity of our customers' data at all times. As such, we have implemented a strict policy of never automatically deleting data.


Laws and procedures relating to data management vary depending on professional organizations and provinces. As a result, the ultimate responsibility for data deletion lies with the customer.


Other Implemented Measures


A) Cangaroo “Customer Experience” employees have access to your portal only during the initial implementation phase. Once this period is over, access to your portal is no longer possible and is transferred to Cangaroo support. This approach ensures the security and confidentiality of your data, while enabling a smooth transition to the support team to address the long-term needs of our customers.


B) Under no circumstances will a Cangaroo HR employee ask a user to provide their password, the answer to their security question, or a two-factor code. Employees of the Customer Experience team have tools and access rights that do not require this information to assist you with your support requests and training.


C) Cangaroo HR cookies are set with the “HttpOnly” and “Secure” attributes. HttpOnly prevents scripts running in the page from reading the cookies, and Secure ensures they are only ever sent over HTTPS. No cookie can be used to modify or impact Cangaroo HR.


Other Information


Cross-origin Resource Sharing (CORS):
Cangaroo HR content is not made accessible to other origins through CORS.


Subresource Integrity (SRI):
All Cangaroo HR scripts are loaded from Cangaroo HR's own origin rather than from third-party hosts, so no externally hosted script is executed in the portal.


X-Content-Type-Options:
MIME content sniffing is disabled (nosniff).


X-Frame-Options:
Loading the portal inside a frame on a remote origin is disabled, which protects against clickjacking.


Cross-site Scripting (XSS):
Cross-site scripting protection is enabled.


Content Security Policy (CSP):
A Content Security Policy is enabled and restricted to the strictest level the Cangaroo HR application can support.


Forms:
A configuration is in place to enforce HTTPS when submitting forms.


Strict-Transport-Security (HSTS) & Referrer-Policy:
Both headers are configured to further harden the portal: HSTS instructs browsers to connect over HTTPS only, and Referrer-Policy limits what is sent in the Referer header to other sites.
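To make the items in this section concrete, here is an added Python example (not part of the article and not Cangaroo HR's code) that audits an HTTP response's headers and Set-Cookie values against the settings listed: nosniff, a frame restriction, HSTS, CSP, Referrer-Policy, no wildcard CORS origin, and Secure/HttpOnly/SameSite on cookies. The two sample responses, one weak and one hardened, are constructed for the example; the accepted values are the common safe choices, not Cangaroo HR's exact configuration.

```python
from typing import Callable, Dict, List, Tuple

# Header checks for the settings listed in this section. Each checker returns
# True when the header value is an acceptable setting.
HEADER_CHECKS: Dict[str, Callable[[str], bool]] = {
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "Referrer-Policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}


def audit_response(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    for name, accept in HEADER_CHECKS.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif not accept(value):
            findings.append(f"weak {name}: {value}")

    # CORS: a wildcard origin hands the response to any site that asks.
    if lower.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin is *")

    # Cookie attributes: Secure (HTTPS only), HttpOnly (no script access),
    # SameSite (not attached to cross-site requests).
    for cookie in set_cookies:
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {name} lacks SameSite")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_RESPONSE: Tuple[Dict[str, str], List[str]] = (
    {"Content-Type": "text/html",
     "Access-Control-Allow-Origin": "*",
     "X-Frame-Options": "ALLOWALL"},
    ["session=abc123; Path=/"],
)
HARDENED_RESPONSE: Tuple[Dict[str, str], List[str]] = (
    {"Content-Type": "text/html",
     "X-Content-Type-Options": "nosniff",
     "X-Frame-Options": "DENY",
     "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
     "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
     "Referrer-Policy": "strict-origin-when-cross-origin"},
    ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
)


if __name__ == "__main__":
    for label, (hdrs, cookies) in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(hdrs, cookies) or "OK")
```

The same function can be fed the headers and Set-Cookie lines captured from a real login response to confirm that the settings described above are actually present on the wire.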


DevExpress & Injection:
All portal controls are based on DevExpress. DevExpress controls are designed to block SQL injection, and the Cangaroo HR server code is specifically written to prevent such attacks.
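What makes server code injection-resistant is binding user input as a query parameter instead of concatenating it into the statement. The following added example (Python with an in-memory SQLite table of constructed rows; not Cangaroo HR's or DevExpress's code) shows the vulnerable lookup beside the parameterized one, run on the same malicious input.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory employee table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, sin TEXT)")
    conn.executemany(
        "INSERT INTO employees (name, sin) VALUES (?, ?)",
        [("Alice Example", "000-000-001"), ("Bob Example", "000-000-002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Builds the statement by string concatenation: the input becomes SQL syntax."""
    sql = "SELECT name, sin FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Binds the input as a parameter: it is only ever compared as a value."""
    return conn.execute(
        "SELECT name, sin FROM employees WHERE name = ?", (name,)
    ).fetchall()


INJECTION = "x' OR '1'='1"  # constructed malicious input


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, INJECTION))       # every row, SINs included
    print(lookup_parameterized(conn, INJECTION))    # []
    print(lookup_parameterized(conn, "Alice Example"))
```

The concatenated query turns the input into `WHERE name = 'x' OR '1'='1'`, which is true for every row, so the whole table including SINs is returned; the bound parameter is compared literally against the name column and matches nothing.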
