BM Connect is proud to partner with cloud-based payroll provider Paycircle, whose fully automated platform offers our clients a first-class service with transformational productivity tools that streamline payroll processes, harness the power of automation, remove unnecessary admin, empower teams, reduce errors and enable collaborative workflows and bulk processing.
But how secure is Paycircle and what measures are in place to protect my business?
What information security-specific certifications does Paycircle hold?
Paycircle achieved ISO 27001 certification in May 2022. In 2021 they also completed Cyber Essentials certification, a Government-backed scheme that evidences their commitment to safeguarding sensitive and personal information.
What restrictions are applied to passwords for users accessing the Paycircle application?
The following restrictions apply:
- minimum length 12 characters
- at least one number
- at least one upper case letter
- at least one lower case letter
- at least one special character
Optionally, a password expiration policy can be invoked to force a change every 90 days, with restrictions on the re-use of previous passwords.
However, passwords are only one factor in Paycircle's authentication regime. Paycircle also offers:
- IP whitelisting (restrict access locations)
- 2FA solution (using SMS or app)
- SSO integration (use your organisation’s own authentication)
Does Paycircle support Single Sign-On (SSO)?
Yes. Whilst Paycircle's own highly optimised authentication/authorisation framework is entirely sufficient, they recognise that many organisations increasingly wish to use SSO to simplify operation across multiple cloud-based services. To that end, Paycircle offers integrations implementing the OpenID Connect (OIDC) protocol, currently for Azure Active Directory (AAD) and Okta.
What security measures do you have in place for people logging into Paycircle?
Two-factor authentication (2FA) is a security process in which users provide two different authentication factors to verify their identity: in Paycircle's case, their password plus a one-time code delivered by SMS or generated by an authenticator app. This protects both the individual user and your data stored in the Paycircle system.
Can one restrict team members from logging in from outside our offices?
IP whitelisting functionality is available in the application to limit access to users in trusted locations only. We control the IP addresses that define your extended network, from which users are allowed to log in.
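As an added illustration of how a login-time IP allowlist check works (example code written for this page, not Paycircle's implementation), the block below matches the connecting address against CIDR ranges and handles the one pitfall that defeats most such checks: a forwarded-for header is attacker-controlled unless the direct peer is your own proxy. The office ranges, the proxy address and the header-handling rule are constructed assumptions using documentation address space.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed example ranges drawn from RFC 5737 / RFC 3849 documentation space.
# They stand in for a customer's office and VPN egress; they are not Paycircle's.
OFFICE_ALLOWLIST = [
    "203.0.113.0/24",     # head-office egress range
    "198.51.100.17",      # VPN concentrator, a single host (becomes /32)
    "2001:db8:1::/48",    # IPv6 office range
]


def build_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse CIDR or bare-address entries once; bare addresses become /32 or /128."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(addr: str, allowlist: List[Network]) -> bool:
    """True if addr falls inside any allowlisted network. Unparseable input is denied,
    and an IPv6 address never matches an IPv4 range (or vice versa)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in allowlist)


def effective_client_ip(remote_addr: str, forwarded_for: Optional[str],
                        trusted_proxies: List[Network]) -> str:
    """Choose the address to check.

    X-Forwarded-For can be set by the client, so it is honoured only when the direct
    TCP peer is one of our own proxies, and then only the last entry is used: that is
    the hop the trusted proxy itself observed, whereas earlier entries were supplied
    by whoever connected to it (assumed single-proxy topology).
    """
    if forwarded_for and is_allowed(remote_addr, trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def login_permitted(remote_addr: str, forwarded_for: Optional[str],
                    allowlist: List[Network], trusted_proxies: List[Network]) -> bool:
    """Full decision: resolve the real client address, then apply the allowlist."""
    return is_allowed(effective_client_ip(remote_addr, forwarded_for, trusted_proxies),
                      allowlist)


if __name__ == "__main__":
    nets = build_allowlist(OFFICE_ALLOWLIST)
    proxies = build_allowlist(["192.0.2.10"])   # assumed load-balancer address
    samples = [
        ("203.0.113.45", None),                  # direct connection from the office
        ("192.0.2.10", "203.0.113.45"),          # office user behind our proxy
        ("198.51.100.200", "203.0.113.45"),      # outsider forging the header
    ]
    for peer, xff in samples:
        print(f"peer={peer} xff={xff} -> permitted={login_permitted(peer, xff, nets, proxies)}")
```

The third sample is the one to test in your own environment: a connection from outside the allowlist that carries a forged header claiming an office address must still be refused.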
How is the service monitored, what security logs are kept and for how long and can they be requested?
Paycircle utilises a security information and event management (SIEM) application. Every API call is logged and available for audit. Security logs are retained indefinitely and can be requested at any time.
What mitigation is in place for DoS/DDoS, ransomware and phishing attacks?
Paycircle's cloud platform has sophisticated traffic monitoring and automatic resource scaling to cope with regular or irregular load increases. They can also reassign their IP address range in response to a targeted attack. Ransomware is not applicable due to the nature of the architecture.
Paycircle has had simulated phishing attacks run against their own team by third-party security specialists, both to identify any weaknesses and as an internal education exercise.
Do you undertake penetration testing by a qualified third party?
Yes. It is Paycircle's policy to independently and regularly verify that their systems are secure. They engage appropriately qualified agencies to perform penetration testing semi-annually and when releasing significant platform updates. Where remedial action is recommended, it is completed immediately.
Find out more about how BM Connect in partnership with Paycircle can help your business improve payroll efficiency and future-proof your payroll function securely and scalably. Enquire today.