A SaaS ("Software as a Service") program, whether in the field of human resources, finance or project management, is an online web service billed on a consumption basis.
These services are accessible from any location, from a PC, a tablet or even via Android and iOS mobile apps. Employees appreciate being able to request their holidays from home or submit their expenses immediately after payment, receipt in hand. All they need is an internet connection.
In the field of SaaS human resources software, data protection is crucial. To protect itself from external attacks and to secure the connections between applications, Lucca is continuously developing its access security systems. Our solutions are regularly audited by specialized external organizations, and we have implemented observability of all traffic on our platform.
From the customer's point of view, data security follows a three-way approach:
From Lucca's point of view, customer data security implies:
Internal teams and independent external organizations regularly conduct penetration tests to assess the security level of our applications and infrastructure. These tests are commissioned either by our customers or by us, and are carried out by accredited third-party security firms or directly by our internal security department. Each year the depth of testing increases, allowing us to refine the set of security measures that protect user data.
Since the end of 2018, we have been working towards ISO 27001 certification (the international standard for information security management). We identify and analyze risks, the associated scenarios and the corresponding protection measures. This process underpins Lucca's security policy for its platform, applications and infrastructure.
On an ongoing basis, Lucca improves and reinforces the protection measures, traceability and impact analysis of its platform, and has set up a validation process for every new development inherent to the life of a SaaS provider, in order to guarantee data protection at all times.
The application firewall protects Lucca against common attacks (such as SQL injection, XSS, etc.), which are the most dangerous for companies. This firewall analyzes incoming requests and blocks attack attempts. Today we are able to detect this type of activity instantly and to qualify whether it is legitimate or not (for example, an authorized security audit).
Lucca has set up a configurable password policy to meet the requirements of each customer's security policy.
We also support the various SSO (Single Sign-On) schemes on the market, which allows us to delegate authentication for our solutions to third-party identity providers (Google, Microsoft, etc.) for customers who wish to centralize all their login credentials.
The mobile applications inherit the security policy configured in Lucca. If SSO is configured, we offer a bounce authentication: the user signs in through the identity provider in the browser and is handed back to the app with a one-time, ephemeral code.
All of the protocols used for these exchanges are secured.
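The bounce authentication described above, as an added example that is not Lucca's code: after the SSO login completes, the server issues a random one-time code, the mobile app presents it once, and the server exchanges it for an app session. The code store, the 60-second lifetime and the session-token format are assumptions chosen for illustration; the properties worth checking are that a code works exactly once, expires, and is stored only as a hash so a leaked store yields nothing usable.

```python
import hashlib
import secrets
import time

# Assumed lifetime for a bounce code; real values are a deployment choice.
CODE_TTL_SECONDS = 60


class BounceCodeService:
    """Issue single-use, short-lived codes after an SSO login and redeem
    them for an app session.

    The store is an in-memory dict for this constructed example; a real
    deployment would use a shared, persistent store with the same shape.
    """

    def __init__(self, ttl=CODE_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested
        self._pending = {}      # sha256(code) -> (user_id, issued_at)

    @staticmethod
    def _fingerprint(code):
        # Only the hash of the code is kept server-side. The code itself is
        # 256 bits of randomness, so the hash cannot be brute-forced and a
        # dict lookup on it leaks nothing useful through timing.
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Called once the identity provider has confirmed user_id."""
        code = secrets.token_urlsafe(32)
        self._pending[self._fingerprint(code)] = (user_id, self.now())
        return code  # handed to the mobile app via the redirect

    def redeem(self, code):
        """Exchange a code for a session. Returns None on any failure."""
        # pop() removes the entry atomically, so a second presentation of
        # the same code (replay) finds nothing and is refused.
        entry = self._pending.pop(self._fingerprint(code), None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self.now() - issued_at > self.ttl:
            return None  # expired: the code is already gone from the store
        return {"user_id": user_id, "session_token": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    svc = BounceCodeService()
    code = svc.issue("alice")
    print("first redeem:", svc.redeem(code) is not None)   # True
    print("replayed redeem:", svc.redeem(code))             # None
```

The app never sees the identity provider's tokens, and the code it does see is useless after one exchange or after the TTL, whichever comes first.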
Focus on passwords
Lucca uses a proven, publicly known password hashing algorithm whose slowness (work factor) is configurable. From the password hash (fingerprint) stored on our platform, it is not feasible to recover the original password. These hashes are therefore unusable for tracing back to the original password; they only allow us to confirm whether a submitted password is correct.
In other words, passwords themselves are never stored on our platform, only their hashes.
Last but not least, we give our customers the opportunity to set their own password security policy (minimum number of characters, required character types, expiry date, reuse of old passwords, etc.).
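The two points above (a slow, salted, one-way hash with a tunable work factor, and a customer-configurable password policy) as an added example, not Lucca's implementation: PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever algorithm the platform actually uses, and the iteration count, record format and policy fields are assumptions chosen for illustration. Reuse of old passwords is detected the only way it can be when passwords are never stored: by verifying the candidate against the stored hashes of previous passwords.

```python
import hashlib
import hmac
import os
import re
import time

# Assumed work factor; tune so one hash costs tens of milliseconds on the
# serving hardware, and raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
HASH_NAME = "sha256"


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the record's own salt and work factor and
    compare in constant time. The password is never recovered, only confirmed."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Assumed policy fields, mirroring the options listed in the text.
DEFAULT_POLICY = {
    "min_length": 12,
    "require_classes": 3,   # of: lowercase, uppercase, digit, other
    "max_age_days": 90,
    "history_depth": 5,     # how many previous hashes a new password is checked against
}

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_policy(password, policy, previous_records=()):
    """Return a list of policy violations (empty list means the password is acceptable)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    classes = sum(bool(re.search(p, password)) for p in _CLASS_PATTERNS)
    if classes < policy["require_classes"]:
        problems.append(f"uses {classes} character classes, {policy['require_classes']} required")
    # Reuse check: we hold only hashes of old passwords, so verify against each.
    for record in list(previous_records)[-policy["history_depth"]:]:
        if verify_password(password, record):
            problems.append("reuses a previous password")
            break
    return problems


def password_expired(set_at, policy, now=None):
    """True when the password is older than the policy's max_age_days."""
    now = time.time() if now is None else now
    return (now - set_at) > policy["max_age_days"] * 86400


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3xample!")
    print(record)
    print(verify_password("Tr0ub4dor&3xample!", record))   # True
    print(check_policy("Tr0ub4dor&3xample!", DEFAULT_POLICY, [record]))  # ['reuses a previous password']
```

Because the work factor is written into each record, it can be raised for new passwords without invalidating existing ones, and each stored record can be re-hashed on the user's next successful login.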
A SaaS solution is by definition remote from the customer's information system. Integration with the latter is therefore a major factor in the success of the project.
Our web and mobile solutions are built on REST (Representational State Transfer) APIs (application programming interfaces). Our customers can use these APIs through dedicated security tokens, whose rights are configurable in the application, which makes it possible to build integrations with their information systems.
Alongside these APIs, our applications can be synchronized with the customer's information system through file import and export mechanisms, with files deposited on secure FTP servers or generated directly by authorized users on the customer side.
Lucca rolls out updates to its HR software every week, and improvements every evening or even during the day, transparently for users. This pace is partly possible because all customers run on a single code base. Lucca's responsiveness on both the security and application sides enables it to offer the best possible experience to its customers.
A QA (Quality Assurance) team guarantees non-regression of the main functionalities of our solutions. This automated validation is carried out before each release and is complemented by manual acceptance tests written by the product design teams.
The security of the data collected by the Lucca product range is essential to ensuring the reliability of the data transmitted to payroll and accounting software.