Security and compliance

This page is designed for IT, security, and procurement teams evaluating the Peopletree Group platform. It covers cloud architecture, encryption standards, access controls, compliance certifications, and integration capabilities.

SOC 2 Type II Certified
TLS 1.2 + AES-256
Annual Penetration Testing

Compliance posture

Certifications and audits

Peopletree Group undergoes independent third-party audits on an annual basis. Full reports are available to prospective customers and IT teams under NDA.

SOC 2 Type II

Security and Confidentiality -- independently audited

Audited by Laika Compliance LLC under AICPA Trust Services Criteria. Controls for security and confidentiality were suitably designed and operated effectively throughout the audit period. No significant incidents recorded.

Annual Penetration Testing

Grey-box -- all findings remediated

Annual grey-box penetration test conducted by an independent security firm covering web applications and APIs. All identified findings are remediated and validated before the report is closed.

GDPR / POPIA

Data processing agreements available

Data processing agreements are available for all clients. Customers control data classification and retention policies.

Azure Security Centre

Continuous threat detection active

Microsoft Defender for Cloud provides continuous vulnerability scanning and threat detection across the entire platform infrastructure.

Cloud infrastructure

Platform architecture

The Peopletree platform runs entirely on Microsoft Azure in the Germany West Central region. All components are deployed within a private virtual network with no public-facing management ports.

Primary region: Azure Germany West Central
High availability: Multi-zone redundancy
Disaster recovery: Geo-redundant + point-in-time restore
Uptime SLA: 99.9% (Azure-backed)

Azure App Service: Serverless compute -- application hosting
Azure SQL Server: Relational data storage -- AES-256 TDE encrypted
Azure MySQL Server: Assessment data storage -- AES-256 encrypted
Azure Key Vault: Cryptographic key management
Azure Cache for Redis: Session and performance caching
Azure Virtual Network: Network isolation -- private endpoints, no public IPs
Network Security Groups: Inbound/outbound traffic control with port allowlists
Azure Application Gateway: Load balancer with WAF v2 -- OWASP 3.2 ruleset
Azure OpenAI (EU-hosted): AI narrative generation -- no PII in prompts
Azure CDN: Static asset delivery -- global edge network
Azure Monitor / Log Analytics: Infrastructure monitoring -- 90-day+ log retention
Microsoft Defender for Cloud: Threat detection and vulnerability management

Data protection

Encryption and data handling

Data in transit: TLS 1.2 on all connections
Data at rest: AES-256 / FIPS 140-2 compliant
Database encryption: Transparent Data Encryption (TDE) on all instances
Key management: Azure Key Vault -- dedicated per environment
Certificate management: Azure-managed SSL with automated renewal
Data isolation: Logically isolated per tenant; no cross-tenant access
AI data handling: Azure OpenAI prompts contain only structured data -- no PII

Identity and access

Access management

Authentication: Auth0 -- OIDC/JWT, SAML, ADFS, MFA enforced
SSO providers: Auth0, Microsoft Entra ID, ADFS/SAML -- enterprise federation
Authorisation: Role-based access control (RBAC)
API authentication: JWT bearer tokens with expiration and rotation
Admin access: VPN-gated management plane -- no public ports exposed
Access provisioning: Manager-approved; revocation within 24 hours of termination

Operational controls

Security procedures

Change and vulnerability management

  • All changes reviewed, tested, and approved before deployment
  • Continuous vulnerability scanning -- critical patches within 24 hours
  • Microsoft Defender for Cloud -- real-time threat detection

Incident response

  • Documented plan: identification, containment, remediation, and communication
  • Notification to affected parties within agreed windows
  • 90-day+ log retention via Azure Monitor and Log Analytics

Business continuity

  • Documented BC/DR plan with defined resumption steps
  • Geo-redundant storage with point-in-time restore
  • Redundant infrastructure with load balancing on Azure

Personnel and vendor security

  • Security awareness training and background checks for all employees
  • Role-based access provisioning -- revoked within 24 hours of termination
  • All vendors assessed for security compliance before onboarding
