GDPR & SECURITY

GDPR is not a feature. It is our foundation.

Every decision we make starts with one question: does this protect our customers' data? PersoHR was built in the EU, for the EU, by people who believe employee data deserves better than American cloud servers and vague privacy policies.

Data residency

All data is stored in Hetzner Cloud data centres in Falkenstein and Nuremberg, Germany. No data leaves the European Union. No exceptions. No US-based sub-processors with EU data access.

Encryption

All data in transit is encrypted with TLS 1.3. Sensitive employee data (salaries, health information, personal identifiers) is encrypted at rest with AES-256. Database backups are encrypted.

Access control

Role-based access control with four levels: Owner, HR Admin, Manager, Employee. Strict tenant isolation ensures no cross-tenant data leakage. Every data access is logged.

Employee rights

  • Right to access (Article 15): employees can view all their data
  • Right to rectification (Article 16): employees can correct their data
  • Right to erasure (Article 17): full data deletion on request
  • Right to data portability (Article 20): export data in standard formats

AI processing

Our AI features are powered by Mistral AI, a French company with EU-based inference. No employee data is sent to OpenAI, Google, or any US-based AI provider. Employees can opt out of AI processing entirely.

Sub-processors

Hetzner Cloud: Infrastructure (Germany)

Mistral AI: AI processing (France)

Brevo: Transactional email (France)

Stripe: Payment processing (Ireland)

Audit logging

Every data access, modification, and deletion is logged. Retention periods vary by plan: 30 days (Free), 1 year (Starter), 2 years (Growth), unlimited (Business).