GDPR: frequently asked questions


We value and respect the privacy of your employees, the duties and responsibilities your organization has as a data controller, and the duties and responsibilities Huma has as a data processor. At the end of the day, trust is the core of our business.

In this piece we have collected some of the most frequent questions we get on the topic.

Customer data and data processing

Q: Who owns the employee data? 
A: The employee! Huma only processes employee data on behalf of the customer, who, based on GDPR, controls the procedures and purposes of data usage. Data ownership of employee data is with the employee.
Q: Do I need consent from the employee to store their personal data?
A: This can vary between regions. In most cases, handling of employee data by an employer does not require explicit consent, as it is part of the business's normal operation.
Q: What types of data does Huma process? 
A: The short answer is the data relevant for the customer to perform HR-related activities, depending on the type of subscription, modules and functionality the customer has activated. More detail on data types and purposes is found in our DPA.
Q: What is the purpose of processing the data?
A: The purpose of the services and of Huma's processing of personal data is to enable the customer to manage a variety of HR-related activities.
Q: Does Huma process any sensitive personal data? 
A: Only to the extent submitted by the customer. 
Q: How do you ensure the right permissions and authentication?
A: Access to customer data is limited to authorized employees who require it for their job. Huma is served 100% over HTTPS and runs a zero-trust corporate network. Being on Huma's network grants no access to corporate resources and no additional privileges. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on all cloud services used to deliver Huma, to ensure access is protected.


Data storage

Q: Where do we store data? 
A: Huma services and data are hosted in Amazon Web Services (AWS), Neo4j Aura and MongoDB Atlas facilities, all in the EU. 
Q: How long do we store data?
A: Only as long as necessary to provide the customer with our services. Any personal data the customer removes from the services through the user interface is deleted from our system. Also, all of the customer's personal data is deleted when the customer uses the services to delete their account.


Q: Does Huma handle backups?
A: All data we store on behalf of our customers is backed up regularly for an added layer of protection.
Q: What kind of encryption does Huma use?
A: All communication with our API and application endpoints is TLS/SSL encrypted in transit. We also encrypt data at rest.
Q: Does Huma perform regular external testing of the technical security of the platform? 
A: Huma uses third-party security tools to regularly scan for vulnerabilities. Our dedicated security team responds to issues raised. We engage third-party security experts to perform regular security reviews and tests, both on the Huma service itself and on our infrastructure and internal processes.
Q: How do I as a customer get notified if there is a security violation? 
A: Huma shall, without undue delay, notify you of any deviation that affects or identifies a risk to the customer's data.


Q: Does Huma have data processing agreements with all of its sub-processors? 
A: Yes
Q: What kind of sub-processors does Huma use and where do they store data?
A: You can find the list of our sub-processors here, including where data is stored.