How does Lucca secure connections to its HR software?

A SaaS “Software As A Service” program, whether in the field of human resources, finance or project management software, is an online web service, billed on a consumption basis.

These services are accessible from any location, from a PC, a tablet or even via Android and iOS mobile apps. Employees appreciate being able to take their holidays from home or submit their expenses immediately after payment, with the receipt in hand. All they need is an internet connection.

Lucca’s secure platform: a continuous improvement process

In the field of human resources software with a SaaS model, data protection is crucial. In order to protect itself from external attacks and to secure the connections between software, Lucca is continuously developing its access security systems. Our solutions are regularly audited by specialized external organizations, and we have implemented an observability of all traffic on our platform.

From the customer’s point of view, data security follows a three-way approach:

  • authentication ensures that each access of a person to the platform is legitimate (authentication by password or SingleSignOn)
  • a detailed rights management system makes it possible to determine which employee can access which data
  • isolation of customers: each customer environment can only access its own database

From Lucca’s point of view, customer data security implies:

  • application protection of all traffic (Firewall and proactive attack detection)
  • securing all traffic in secure protocol (https)
  • hosting our applications in a secure and certified private cloud (OVH)
  • a continuous audit of the security of the platform by external and independent bodies
  • internal workshops of attempts to hack our platform to discover potential vulnerabilities
  • a security validation and scalability process for each new development
  • permanent monitoring of security flaws in our infrastructure, and the implementation of the associated patches
  • secure backups of all our customers’ data on a remote site for a period of 30 days on a rolling basis
  • the internal safeguarding of the premises, as well as all the employees’ workstations

Lucca’s security policy to safeguard connections between softwares

Internal teams and external independent organizations regularly conduct penetration tests to assess the security level of applications and infrastructure. These tests are either commissioned by our customers or by us and carried out by approved third-party security actors or directly by the internal security department. Each year the level of testing increases, allowing us to perfect the set of security measures that protect user data.

In 2022, Lucca achieved ISO 27001 certification, which demonstrates our ability to identify security threats, control data risks and ensure data protection.

On an ongoing basis, Lucca improves and reinforces the protection measures, traceability and impact analysis of its platform, and has set up a validation process for any new development inherent to the life of a Saas provider, in order to guarantee data protection at all times.

Securing access to the platform with an application firewall

The application firewall protects Lucca against common attacks (such as SQL injection, XSS, etc.) which are the most dangerous for companies. This firewall analyzes incoming requests and blocks any attempted attacks. Today, we are able to detect this type of operation instantaneously, and to qualify whether this attack is legitimate or not (security audit for example).

Authentication, a key element in securing connections for human resources software in a SaaS solution

Lucca has set up a configurable password policy to meet the requirements of each customer’s security policy.

We are also compatible with the different SSO (Single Sign-On) schemes on the market, which allows us to delegate the authentication of our solutions to third party services (Google, Microsoft, etc.) for customers who wish to centralize all their login credentials.

Mobile application security inherits the security policy configured in Lucca. If an SSO is configured, we propose a bounce authentication, based on a one-time, ephemeral code.

All the protocols used are secure.

Focus on passwords

Lucca uses a proven and known hash algorithm (encryption) for setting the encryption slowness. From the encrypted password (fingerprint or hash) stored on our platform, it is impossible to retrieve the original password. These password hashes are therefore unusable for tracing the original password. They only allow to confirm that a password is correct.

In other words, passwords are never stored on our platform.

Last but not least, we offer our customers the opportunity to set their password security policy (minimum number of characters, types of characters imposed, expiry date, reuse of old passwords, etc.).

Secure integration of human resource software in the customer information system

Secure management of Lucca APIs

A SaaS solution is by definition remote from the customer’s information system. Integration with the latter is therefore a major factor in the success of the project.

Our web and mobile solutions are based on REST (Representational state transfer) APIs (application programming interface). These APIs are usable by our customers, via dedicated security tokens, whose rights are configurable in the application, thus allowing us to create integrations with our customers’ information systems.

In parallel with these APIs, our applications can be synchronized with the customer’s information system via file import and export mechanisms, deposited on secure FTP servers or generated directly by authorized users at our clients’ premises.

Data exchanges between Lucca solutions and other software, such as payroll or accounting solutions, are secure.

Reliable and secure updates of HR solutions

Lucca rolls out updates to its HR software every week and improvements every evening or even during the day in a transparent manner. This performance is in part due to the fact that all customers use a single source of code. Lucca’s responsiveness on both the security and application sides enables it to offer the best possible experience to its customers.

A QA (Quality Assurance) cell guarantees non-regression on the main functionalities of our solutions. This automatic validation is carried out before each release of upgrades and is accompanied by manual recipes created by the product design teams.

The security of the data collected by the Lucca product range is essential to ensure the reliability of the data transmitted to the payroll and accounting software.