Security and Privacy

Frequently asked questions

Have a question about security or privacy at Pento?

What network security is in place to help Pento respond to common methods of attack?

What network security is in place to
help Pento respond to common
methods of attack?

What network security is in place to help Pento respond to common methods of
attack?

Pento adheres to all foundational network security (encryption through TLS) on all public networks. We also deploy a WAF that adheres to OWASP security standards and all ingress traffic is monitored through this. We have runtime security scanners that monitor outbound calls to suspicious destinations.

Where is the system hosted?

The system is hosted on Google Cloud Platform (GCP) and data is stored in the following data centre locations; Europe-west1-b (Belgium), Europe-west1-c (Belgium), Europe-west1-d (Belgium). There is an additional failover data centre location in Europe-north1 (Finland) which stores backups.

What physical security measures are in place?

What physical security measures
are in place?

What physical security measures are in place?

Physical security is maintained by GCP at their server centres. More information on GCP’s Data and Security Infrastructure can be found here.

How secure is Pento’s network?

All transmissions between the Customer and server and to external systems are performed through end-to-end encryption. Pento separates testing and production environments. Isolation of Pento network from the Internet, with the exception of a single entry point (proxy). Each point inside the network follows strict firewall rules.

What is Pento’s software maintenance/patching strategy?

What is Pento’s software
maintenance/patching strategy?

What is Pento’s software maintenance/patching strategy?

All of Pento’s in-house applications are run through vulnerability scanners including SAST and third party dependency scanners. Pento endeavours to keep a N-1 version update cadence on open source software Pento uses, security patches are flagged and updated immediately.

Will data be encrypted at rest?

Yes, GCP does this as standard.

Will data be encrypted in transit?

Yes, all data is encrypted in transit on any public network through TLS.

What user activity auditing does Pento have in place?

What user activity auditing does
Pento have in place?

What user activity auditing does Pento have in place?

Pento has an onboarding and offboarding process for all users in addition to carrying out monthly user reviews and audit logs. The deployment of audit logs trace authentication and monitor logical system access, as well as data access and modifications. Systems technical events, such as errors are monitored and logged separately.

How does Pento manage any shared passwords or credentials used to support or administer the
system.

How does Pento manage any shared
passwords or credentials used to
support or administer the system.

How does Pento manage any shared passwords or credentials used to support or
administer the system.

Pento utilises 1Password for password management. Any shared passwords at Pento are managed in 1Password vaults. GCP and Kubernetes rights management and limits to the principle of least privilege. Background checks are carried out on staff that will be accessing a Customer’s employees’ personal data.

What does Pento do around multi-factor authentication to access the system?

What does Pento do around multi-
factor authentication to access the
system?

What does Pento do around multi-factor authentication to access the system?

Pento mandates the use of MFA for the support and/or administration team.

What Disaster Recovery provision does Pento have in place?

What Disaster Recovery provision
does Pento have in place?

What Disaster Recovery provision does Pento have in place?

Pento has Disaster Recovery systems and processes to allow replication to another GCP region, initial backups and notification to the Customer base. In the event of impact on payment, backup file may be uploaded to the Customer’s bank to allow payment.

What is Pento’s uptime and availability?

What is Pento’s uptime and
availability?

What is Pento’s uptime and availability?

To view our latest uptime and available data you can visit our dedicated status page at https://status.pento.io and subscribe to receive service updates.

How does Pento handle the Customer onboarding process?

How does Pento handle the
Customer onboarding process?

How does Pento handle the Customer onboarding process?

Pento has strict internal guidelines to ensure no data leakage of personal data in the onboarding process. All personal data files are immediately deleted from our systems and Pento employee computers after the data has been successfully imported onto Pento cloud infrastructure.

Can you provide details of any security certifications and penetration tests of your systems?

Can you provide details of any
security certifications and
penetration tests of your systems?

Can you provide details of any security certifications and penetration tests of your
systems?

Pento is ISO 27001 certified. We are audited annually and conduct annual pentests.

What is your data retention policy?

Personal data is deleted 12 months after the agreement expires/terminates, unless necessary to retain in accordance with law. Customers are required to ensure that they retain and back up any personal data separately for their own record keeping purposes.

How does Pento securely identify and delete any data the Customer requests Pento delete?

How does Pento securely identify
and delete any data the Customer
requests Pento delete?

How does Pento securely identify and delete any data the Customer requests Pento
delete?

Pento only stores Customer data for the purpose of simplifying the payroll process. In the event of a data deletion request Pento has an automated deletion process that can be started through its support channel. Any service data that is retained would be anonymised and irreversibly stripped of any PII or other customer identifiers.

How does Pento ensure that its sub-processors meet its security policies?

How does Pento ensure that its sub-
processors meet its security policies?

How does Pento ensure that its sub-processors meet its security policies?

All sub-processors are required to enter into legal agreements with Pento that include appropriate security provisions, including appropriate clauses related to international transfers. Pento’s procedures include reviews of a sub-processors security credentials to ensure use of industry standard security methods.

What measures does Pento have in place to prevent the accidental or deliberate publication of
protected information, data corruption or loss?

What measures does Pento have in
place to prevent the accidental or
deliberate publication of protected
information, data corruption or loss?

What measures does Pento have in place to prevent the accidental or deliberate
publication of protected information, data corruption or loss?

The environment is designed to manage access and any changes are carefully controlled and tested Any Pento employees who use the applications are trained and undertake security training Additional controls, such as sharing documents encrypted and via Box are designed to mitigate the risk of accidental release of personal data.

Is Pento a data processor or data controller?

Is Pento a data processor or data
controller?

Is Pento a data processor or data controller?

Pento is a data processor for the purpose of providing the Pento Service. Either the Customer or the Payment Service Provider is the data controller. More information on Modulr's position as data controller can be found here. If the Customer chooses to integrate third party services with Pento, the third party service provider will not be a sub-processor, and access and use of those third party services shall be governed by the Customer’s agreement with the third party service provider.

Where can I find out more about how Pento will support our obligations under GDPR, including
provisions to protect the rights of data subjects.

Where can I find out more about how
Pento will support our obligations
under GDPR, including provisions to
protect the rights of data subjects.

Where can I find out more about how Pento will support our obligations under
GDPR, including provisions to protect the rights of data subjects.

More information on this can be found in our Data Processing Agreement, found here.

Pento is a much safer way to run payroll.

Accounting platforms

We follow state of the art security standards

Pento privacy

100% GDPR Compliant Platform

Frequently asked questions

Have a question about security or privacy at Pento?

Pento is a much safer way to run payroll.

Accounting platforms

We follow state of the art security standards

Pento privacy

100% GDPR Compliant Platform

Frequently asked questions

Have a question about security or privacy at Pento?

What network security is in place to help Pento respond to common methods of attack?

What network security is in place to help Pento respond to common methods of attack?

What network security is in place to help Pento respond to common methods of attack?

Where is the system hosted?

Where is the system hosted?

Where is the system hosted?

What physical security measures are in place?

What physical security measures are in place?

What physical security measures are in place?

How secure is Pento’s network?

How secure is Pento’s network?

How secure is Pento’s network?

What is Pento’s software maintenance/patching strategy?

What is Pento’s software maintenance/patching strategy?

What is Pento’s software maintenance/patching strategy?

Will data be encrypted at rest?

Will data be encrypted at rest?

Will data be encrypted at rest?

Will data be encrypted in transit?

Will data be encrypted in transit?

Will data be encrypted in transit?

What user activity auditing does Pento have in place?

What user activity auditing does Pento have in place?

What user activity auditing does Pento have in place?

How does Pento manage any shared passwords or credentials used to support or administer the system.

How does Pento manage any shared passwords or credentials used to support or administer the system.

How does Pento manage any shared passwords or credentials used to support or administer the system.

What does Pento do around multi-factor authentication to access the system?

What does Pento do around multi-factor authentication to access the system?

What does Pento do around multi-factor authentication to access the system?

What Disaster Recovery provision does Pento have in place?

What Disaster Recovery provision does Pento have in place?

What Disaster Recovery provision does Pento have in place?

What is Pento’s uptime and availability?

What is Pento’s uptime and availability?

What is Pento’s uptime and availability?

How does Pento handle the Customer onboarding process?

How does Pento handle the Customer onboarding process?

How does Pento handle the Customer onboarding process?

Can you provide details of any security certifications and penetration tests of your systems?

Can you provide details of any security certifications and penetration tests of your systems?

Can you provide details of any security certifications and penetration tests of your systems?

What is your data retention policy?

What is your data retention policy?

What is your data retention policy?

How does Pento securely identify and delete any data the Customer requests Pento delete?

How does Pento securely identify and delete any data the Customer requests Pento delete?

How does Pento securely identify and delete any data the Customer requests Pento delete?

How does Pento ensure that its sub-processors meet its security policies?

How does Pento ensure that its sub-processors meet its security policies?

How does Pento ensure that its sub-processors meet its security policies?

What measures does Pento have in place to prevent the accidental or deliberate publication of protected information, data corruption or loss?

What measures does Pento have in place to prevent the accidental or deliberate publication of protected information, data corruption or loss?

What measures does Pento have in place to prevent the accidental or deliberate publication of protected information, data corruption or loss?

Is Pento a data processor or data controller?

Is Pento a data processor or data controller?

Is Pento a data processor or data controller?

Where can I find out more about how Pento will support our obligations under GDPR, including provisions to protect the rights of data subjects.

Where can I find out more about how Pento will support our obligations under GDPR, including provisions to protect the rights of data subjects.

Where can I find out more about how Pento will support our obligations under GDPR, including provisions to protect the rights of data subjects.

Pick best-in-class payroll with Pento.

What network security is in place to
help Pento respond to common
methods of attack?

What network security is in place to help Pento respond to common methods of
attack?

What physical security measures
are in place?

What is Pento’s software
maintenance/patching strategy?

What user activity auditing does
Pento have in place?

How does Pento manage any shared passwords or credentials used to support or administer the
system.

How does Pento manage any shared
passwords or credentials used to
support or administer the system.

How does Pento manage any shared passwords or credentials used to support or
administer the system.

What does Pento do around multi-
factor authentication to access the
system?

What Disaster Recovery provision
does Pento have in place?

What is Pento’s uptime and
availability?

How does Pento handle the
Customer onboarding process?

Can you provide details of any
security certifications and
penetration tests of your systems?

Can you provide details of any security certifications and penetration tests of your
systems?

How does Pento securely identify
and delete any data the Customer
requests Pento delete?

How does Pento securely identify and delete any data the Customer requests Pento
delete?

How does Pento ensure that its sub-
processors meet its security policies?

What measures does Pento have in place to prevent the accidental or deliberate publication of
protected information, data corruption or loss?

What measures does Pento have in
place to prevent the accidental or
deliberate publication of protected
information, data corruption or loss?

What measures does Pento have in place to prevent the accidental or deliberate
publication of protected information, data corruption or loss?

Is Pento a data processor or data
controller?

Where can I find out more about how Pento will support our obligations under GDPR, including
provisions to protect the rights of data subjects.

Where can I find out more about how
Pento will support our obligations
under GDPR, including provisions to
protect the rights of data subjects.

Where can I find out more about how Pento will support our obligations under
GDPR, including provisions to protect the rights of data subjects.