Security
Find all information about our security processes, server locations and best practises in place.
Data
Data collection
BuddiesHR will only collect the data needed for the operation of its apps.
Data encryption
We follow the OWASP best practices and encrypt data (both at rest and in transit).
Data storage
We do not store any data that we don’t need for our operations.
Data deletion
All data related to the Slack workspace are automatically deleted 12 months after any app is removed from the Slack workspace.
Servers location
AWS data center located in Paris, France (eu-west-3).
Data hosting country
France
Data hosting company
AWS
Security policies
Contact us to receive any of these security policies. (security@buddieshr.com)
- Acceptable Use Policy
- Access Control and Termination Policy
- Business Continuity and Disaster Recovery Plan
- Change Management Policy
- Code of Conduct
- Configuration and Asset Management Policy
- Data Classification Policy
- Data Retention and Disposal Policy
- Encryption and Key Management Policy
- Information Security Policy
- Internal Control Policy
- Network Security Policy
- Performance Review Policy
- Physical Security Policy
- Risk Assessment and Treatment Policy
- Secure Development Policy
- Security Incident Response Plan
- Vendor Management Policy
- Vulnerability and Patch Management Policy
Certifications
HIPAA
No
SOC2
No
The CTO of BuddiesHR has previously overseen SOC2 certification and continues to adhere to all SOC2 principles.
Security Questionnaire
$500, on-demand
Before starting any security review process, please make sure to test the apps you want to install using a test Slack workspace (it is free to create a Slack workspace and free to try BuddiesHR apps).
Sub-processors
We use a small number of trusted sub-processors to operate BuddiesHR. Each provider is vetted for GDPR compliance and bound by equivalent data protection obligations.
Last updated: October 2025
| Name | Purpose | Location | Legal basis |
|---|---|---|---|
| AWS | Cloud hosting and infrastructure | EU (Paris) | GDPR compliant (Data Processing Addendum) |
| Hetzner | Hosting and storage | EU (Germany) | GDPR compliant |
| Mailjet | Transactional email delivery | EU (France) | GDPR compliant (Data Processing Agreement) |
| MongoDB Atlas | Managed database service (hosted on AWS Paris) | EU (Paris) | GDPR compliant (DPA + SCC) |
| Rollbar | Error monitoring and application performance tracking | EU (Ireland) / US | Standard Contractual Clauses |
| PostHog | Product analytics | EU hosting (Frankfurt) | GDPR compliant |
| Crisp | Customer support chat | EU (France) | GDPR compliant |
We may update this list as we add or remove sub-processors. Any new providers will be bound by the same data protection obligations as those listed above.
Useful links
Any question?
Contact us at security@buddieshr.com