MyPay gives HR managers complete control over payroll processes and offers a high degree of customization to accommodate unique requirements, especially for organizations that operate in multiple locations and pay in different currencies.
Security FAQ
Comprehensive answers to your security, compliance, and data protection questions about MyPay.
We have an Information Security Management System (ISMS) in place derived from ISO standards, which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We have achieved ISO 27001 certification to demonstrate our compliance with the standards.
Access to your data is restricted to a small number of employees on a need-to-know basis in order to provide you technical support. This access is reviewed periodically.
We encrypt customer data both in transit and at rest. Data at rest is encrypted using industry-standard AES-256. All customer data in transit over public networks is encrypted using Transport Layer Security (TLS) 1.2/1.3.
Our framework distributes and maintains the cloud space for our customers. Data of multiple customers is logically separated from each other and our framework ensures that no customer's service data becomes accessible to another customer.
We use technologies from well-established and trustworthy service providers, who offer multiple DDoS mitigation capabilities to prevent disruptions caused by such attacks.
Yes, we have a vulnerability assessment and penetration test conducted annually by a third party.
We have a dedicated Incident Response Team responsible for incident detection, assessment, and recovery. Where we are the controller of the data and an incident leads to a data breach, affected customers are notified within 72 hours of our becoming aware of it. Where we are the processor of the data and an incident leads to a data breach, the respective controllers are informed without undue delay. For incidents specific to an individual user or organization, we notify the concerned party by email (at their primary email address). A complete report is provided to customers on request within 5 to 7 working days.
We notify you of the incidents that apply to you, along with any actions you may need to take. We track and close incidents with appropriate corrective actions. Whenever applicable, we provide you with the necessary evidence regarding incidents that apply to you. A root cause analysis is provided on request.
Additional security features available to customers:
We hold the data in your account for as long as you choose to use MYND Services. Once you terminate your MYND user account, your data is deleted from the active database and we share a destruction certificate with the client.
We have a business continuity plan and a disaster recovery plan in place. Our primary data center is in Mumbai and the DR site is in Delhi, with an RTO of 8 hours and an RPO of 2 hours.
We have a risk assessment policy and procedure to identify, analyze and mitigate risks by implementing appropriate controls. We perform a risk assessment for every major change in our environment. The overall risk register is reviewed and updated once a year.
Each employee undergoes background verification. We hire reputable external agencies to perform this check on our behalf, verifying criminal records, previous employment (if any), and educational background. Until this check is complete, the employee is not assigned tasks that may pose a risk to users.
We are certified in ISO 27001:2022 and ISO 27701:2019, and compliant with SOC 1 Type II and SOC 2 Type II across Security, Confidentiality, Processing Integrity, Availability, and Privacy. Annual ISO and SOC audits are conducted, covering all critical and essential controls.
Yes, we have a documented Change Management Policy in place, and all changes are recorded in JIRA.
Development is done only in the development environment. Testing is done in the UAT environment and requires client confirmation. Only then is the change promoted to the production environment to go live.
Yes, data at rest is encrypted with AES-256.
Yes, data in transit is encrypted with TLS 1.2/1.3 using RSA 2048-bit certificates.
Yes, we have maker-checker workflow-based controls implemented.
While working from home, MYND users must connect through the VPN to access data. USB ports are blocked on employee devices for data security.
Yes, MYND has a documented and approved Information Security Policy in place. MYND is committed to protecting the confidentiality, integrity, and availability of information entrusted to it by its stakeholders, and strives to comply with all relevant legal, regulatory, statutory and contractual obligations. We are also committed to continually improving the ISMS by adopting the best practices and technology prevalent in the industry.
Yes, an Information Security Steering Committee is in place and meets half-yearly to ensure that information security controls are being followed and maintained.
a. The MYND network is accessible to employees only with an authorized login and password. A password-protected screen saver and desktop locking mechanism activates when a workstation is unattended. USB ports are blocked for users and an Acceptable Use Policy is in place. Data at rest is encrypted with AES-256.
b. Under the ISO 27001 information security framework we include IT system controls to maintain data security at each layer and in each data state:
- Data security policy: covers data integrity, confidentiality, and availability.
- Data at rest: all data at rest on our systems is encrypted using AES.
- Data in transit: encrypted at the transport layer using TLS.
The external ISO 27001:2013 audit was performed by a third party (BSI). MYND completed a surveillance audit of its Information Security Management System in Dec 2024.
a. All portal user access is managed using configurable policies. The system provides the following roles.
b. -- Employee: Default role; allows data access for self only. If the employee is a manager, it also allows limited data access for subordinates. What managers can view about their subordinates is configurable.
c. -- HR User: A customizable role where rights for specific actions within the application can be assigned to named users for a specific set of employees. Configuration parameters include company, business unit, function, role, grade, employee type, location, etc.
d. -- HR Head: This role gives access to data for all employees across all modules.
e. -- Administrator: This role gives access to view, define and update settings and configurations for the application.
f. -- Upon login, the application enforces the roles and rights defined above for view/edit actions throughout the application. Authentication uses two methods: username/password for portal login, and API keys for web services access and remote authentication.
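The role scheme described above, as an added example that is not MyPay's own code: the four role names and the scope attributes (company, business unit, location, grade, ...) come from the page, while the data model, the action names, the "config_" prefix used to recognise settings actions, the deny-by-default treatment of the Administrator role for employee data, and the manager view configuration are assumptions made for illustration.

```python
"""Illustrative authorization model for the Employee / HR User / HR Head /
Administrator roles. Added example; not MyPay's code."""
from dataclasses import dataclass, field
from typing import Optional

CONFIG_PREFIX = "config_"   # assumption: actions on settings/configuration start with this


@dataclass(frozen=True)
class Employee:
    emp_id: str
    manager_id: Optional[str]
    attrs: dict             # e.g. company, business_unit, function, role, grade, employee_type, location


@dataclass
class Principal:
    emp_id: str
    role: str                                   # "Employee" | "HR User" | "HR Head" | "Administrator"
    scope: dict = field(default_factory=dict)   # HR User only: attribute -> set of allowed values
    actions: set = field(default_factory=set)   # HR User only: actions this named user may perform


# assumption: what a manager may see of subordinates is configurable; this is one such configuration
MANAGER_VISIBLE = {"view_profile", "view_leave"}


def in_scope(emp: Employee, scope: dict) -> bool:
    """Every attribute the HR User's rights are limited to must match the employee."""
    return all(emp.attrs.get(k) in allowed for k, allowed in scope.items())


def may_access(p: Principal, target: Employee, action: str) -> bool:
    """Deny-by-default decision for one principal, one employee record and one action."""
    is_config = action.startswith(CONFIG_PREFIX)
    if p.role == "Administrator":
        return is_config                        # settings and configuration only (assumption)
    if is_config:
        return False                            # no other role touches configuration
    if p.role == "HR Head":
        return True                             # all employees, all modules
    if p.role == "HR User":
        return action in p.actions and in_scope(target, p.scope)
    if p.role == "Employee":
        if target.emp_id == p.emp_id:
            return True                         # own data
        # manager: limited, configurable view of direct reports only
        return target.manager_id == p.emp_id and action in MANAGER_VISIBLE
    return False


# constructed sample directory (not real data)
ALICE = Employee("E1", None, {"company": "ACME", "location": "Mumbai", "grade": "M3"})
BOB = Employee("E2", "E1", {"company": "ACME", "location": "Mumbai", "grade": "L2"})
CARA = Employee("E3", "E1", {"company": "ACME", "location": "Delhi", "grade": "L2"})

# an HR User whose rights are limited to ACME employees located in Mumbai
HR_MUMBAI = Principal("H1", "HR User",
                      scope={"company": {"ACME"}, "location": {"Mumbai"}},
                      actions={"view_payslip", "edit_bank_details"})

if __name__ == "__main__":
    checks = [
        (Principal("E2", "Employee"), ALICE, "view_payslip"),        # employee reading the boss: denied
        (Principal("E1", "Employee"), BOB, "view_profile"),          # manager, configured view: allowed
        (HR_MUMBAI, CARA, "edit_bank_details"),                      # out of scope (Delhi): denied
        (Principal("A1", "Administrator"), BOB, "config_payroll"),   # settings: allowed
    ]
    for who, target, action in checks:
        print(f"{who.role} {who.emp_id} -> {target.emp_id} {action}: {may_access(who, target, action)}")
```

The point of the scope check is that an HR User's rights are a conjunction of every configured attribute: adding a second attribute (a grade, an employee type) can only narrow the set of employees the user reaches, never widen it, and an unknown role or an unrecognised action falls through to a denial.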
a. The password policy requires a minimum length of 6 and a maximum of 20 characters, and passwords must contain lowercase letters, capital letters, a number and a special character. The last 5 passwords cannot be reused. MFA is available for applications and systems, and remote users connect through the VPN.
b. After five failed login attempts the account is locked. A forgotten-password option is available in the application.
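The password rules and lockout behaviour stated above, modelled as an added example that is not MyPay's code. The numbers (6 to 20 characters, four character classes, last 5 passwords, 5 failed attempts) come from the page; the PBKDF2 hashing, the treatment of "letters" as lowercase letters, and the class and function names are assumptions. The minimum length is kept at 6 as the page states but is a parameter, because NIST SP 800-63B expects user-chosen passwords to be at least 8 characters.

```python
"""Password complexity, history and lockout checks. Added example; not MyPay's code."""
import hashlib
import hmac
import os
import string

SPECIAL = set(string.punctuation)


def check_complexity(pw: str, min_len: int = 6, max_len: int = 20) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("needs a capital letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in SPECIAL for c in pw):
        problems.append("needs a special character")
    return problems


def hash_pw(pw: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme); returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    HISTORY = 5        # last 5 passwords cannot be reused (includes the current one)
    MAX_FAILURES = 5   # account locks on the fifth bad attempt

    def __init__(self, initial_password: str):
        self.history = []        # (salt, digest) pairs, newest last
        self.failures = 0
        self.locked = False
        self._store(initial_password)

    def _store(self, pw: str) -> None:
        self.history.append(hash_pw(pw))
        self.history = self.history[-self.HISTORY:]

    def _matches(self, pw: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(hash_pw(pw, salt)[1], digest)   # constant-time compare

    def change_password(self, new_pw: str) -> list:
        """Apply complexity and history rules; returns the problems found (empty on success)."""
        problems = check_complexity(new_pw)
        if any(self._matches(new_pw, e) for e in self.history):
            problems.append(f"matches one of the last {self.HISTORY} passwords")
        if problems:
            return problems
        self._store(new_pw)
        return []

    def login(self, pw: str) -> str:
        """Returns 'ok', 'bad_password' or 'locked'; a locked account rejects even the right password."""
        if self.locked:
            return "locked"
        if self._matches(pw, self.history[-1]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    acct = Account("Passw0rd!")                       # constructed sample password
    print(acct.change_password("Passw0rd!"))          # rejected: reuse of a recent password
    print(acct.change_password("short"))              # rejected: too short, no capital/number/special
    print(acct.change_password("N3w-Secret"))         # accepted: []
    print([acct.login("wrong") for _ in range(5)])    # four bad_password results, then locked
    print(acct.login("N3w-Secret"))                   # still locked
```

Two details matter in practice: the history comparison re-hashes the candidate with each stored salt rather than comparing plaintext, so old passwords never need to be stored recoverably, and the lockout counter is reset only by a successful login, not by the passage of time, which is the strict reading of the policy on this page.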
We follow the best practice of locking your system when leaving your desk. If an employee forgets to lock their session, the system locks automatically after 5 minutes of inactivity.
We have data classification and asset management in place. Based on the type of information, it is labelled as restricted, confidential, internal, or public.
All electronic scrap such as hard disks, compact discs, magnetic tapes and computer accessories is handed over to a government-approved e-recycler for safe disposal. Paper records are disposed of with a paper shredder according to the retention and destruction schedule.
We have a background verification process, and every employee signs an NDA. For contractors, our agreement with the contracting company includes an NDA and a background verification clause.
The PII attributes are bank details, Aadhaar card, UAN and PAN details.
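A masking routine for those four attributes, as an added example that is not MyPay's code: it shows how the fields classified as restricted can be redacted before a record or a support ticket is shown to staff who need only the non-sensitive parts. The identifier formats are public (PAN is five letters, four digits, one letter; Aadhaar and UAN are both 12-digit numbers); the field names, the choice to keep the last four characters visible, and the free-text redaction of any 12-digit run are assumptions.

```python
"""Mask the PII attributes listed on this page before they reach support staff or logs.
Added example; not MyPay's code."""
import re

PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")   # e.g. ABCDE1234F
TWELVE_DIGITS_RE = re.compile(r"\b\d{12}\b")         # Aadhaar and UAN share this shape

# field name -> number of trailing characters left visible (assumed field names and policy)
RESTRICTED_FIELDS = {"pan": 4, "aadhaar": 4, "uan": 4, "bank_account": 4}


def mask_value(value, keep_last: int = 4) -> str:
    """Replace everything except the last `keep_last` characters with '*'."""
    s = str(value)
    if len(s) <= keep_last:
        return "*" * len(s)
    return "*" * (len(s) - keep_last) + s[-keep_last:]


def mask_record(record: dict) -> dict:
    """Structured payroll record: masking is driven by the field name, because an
    Aadhaar number and a UAN cannot be told apart by value alone."""
    return {k: mask_value(v, RESTRICTED_FIELDS[k.lower()]) if k.lower() in RESTRICTED_FIELDS else v
            for k, v in record.items()}


def mask_text(text: str) -> str:
    """Free text (support ticket, log line): redact PAN by its unambiguous pattern and
    any bare 12-digit run, which may be an Aadhaar number or a UAN."""
    text = PAN_RE.sub(lambda m: mask_value(m.group(0)), text)
    return TWELVE_DIGITS_RE.sub(lambda m: mask_value(m.group(0)), text)


if __name__ == "__main__":
    # constructed sample record, not real identifiers
    rec = {"emp_id": "E2", "pan": "ABCDE1234F", "aadhaar": "123456789012",
           "uan": "100200300400", "bank_account": "00112233445566"}
    print(mask_record(rec))
    print(mask_text("Employee E2 reported PAN ABCDE1234F and UAN 100200300400 mismatch"))
```

The structured path is the reliable one: masking by field name never over-redacts an employee ID or a phone number that happens to be 12 digits, while the free-text path deliberately errs on the side of redaction because a ticket is exactly where an unclassified copy of a restricted value tends to appear.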
The MyPay application uses ASP.NET for the front end; the overall tech stack is .NET. Application components:
| Component Name | Version | Description | License | Source / Repository |
|---|---|---|---|---|
| ASP.NET | 4.8 / .NET | Frontend web framework using C# | MIT / Microsoft | https://github.com/dotnet/aspnetcore |
| C# | 13.0 | Programming language used for ASP.NET | Microsoft | https://docs.microsoft.com/en-us/dotnet/csharp/ |
| SQL Server | 2022 | Relational database backend | Proprietary | https://www.microsoft.com/en-us/sql-server |
| Bootstrap | 5.3.2 | Responsive UI framework | MIT | https://getbootstrap.com |
| jQuery | 3.7.1 | JavaScript library for DOM manipulation | MIT | https://jquery.com |
| CSS (Custom Styles) | N/A | Custom stylesheets | N/A | Local project files |
Development tools:
| Tool Name | Version | Description | License | Source / Repository |
|---|---|---|---|---|
| Visual Studio | 2023 | IDE for .NET development | Proprietary | https://visualstudio.microsoft.com |
| NuGet Package Manager | Latest | Dependency manager for .NET | MIT | https://www.nuget.org |