Information Security Measures
The way Hailey is engineered and operated reflects a single goal: that you can rely on us to manage your most sensitive people data.
From the architecture our engineers chose, to the partners we work with, to the training every employee receives, every layer of Hailey is designed with security and resilience in mind.
Built and delivered to recognised standards
Hailey is certified against ISO/IEC 27001, an internationally recognised standard for information security management. The certification gives our customers independent assurance that we operate a robust information security management system, one that systematically protects the confidentiality, integrity, and availability of customer data, and that we are committed to the continuous improvement of that system. To uphold the certification, our practices are verified each year through audits conducted by an accredited certification body.
Engineered for resilience
Hailey is built on Domain-Driven Design and a modern microservices architecture. The result is a modular, scalable, and resilient service designed to evolve with your needs without compromising on stability or security. Every change to your data is captured as an immutable event, giving you complete traceability of who did what and when.
Governance with accountability
Internal audits are conducted twice a year, and the policy framework itself is reviewed annually to ensure it keeps pace with the evolving threat landscape.
A disciplined path to production
Every change to Hailey passes through a structured release process before reaching production. New requirements are risk-assessed up front, code undergoes mandatory peer review with additional scrutiny for sensitive functionality, and all changes must clear automated quality and test gates. No single engineer can bypass these controls or push code to production unilaterally. Changes are promoted through staged environments and verified at each step before release.
No outsourcing
Hailey is built entirely in-house. We don't outsource development, which means every line of code that touches your data is written by engineers bound by our security policies, trained to our standards, and accountable to our governance framework. It's a deliberate choice — and one we believe is fundamental to maintaining the integrity of our platform.
Encryption down to the individual
Hailey takes data protection a layer deeper than most. All data is encrypted in transit with TLS 1.2 and at rest with AES-256, and personal data is additionally encrypted with a unique key assigned per employee record, with keys stored separately from the data itself. This means an individual's data can be made instantly unreadable by removing their key, supporting rapid response to deletion requests and limiting the impact of any single point of compromise.
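The per-record scheme described above, as an added example that is not Hailey's own code: each employee's record is sealed with its own AES-256-GCM key held in a separate store, and deleting that key alone is enough to make the record unreadable while other employees' records stay intact. The in-memory maps, employee IDs and record contents are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault keeps each employee's AES-256 key apart from the ciphertext it protects. The two
// maps stand in for two separate stores (an assumption here, not Hailey's implementation).
type Vault struct {
	keys    map[string]cipher.AEAD // employee ID -> AES-256-GCM over that employee's own key
	records map[string][]byte      // employee ID -> nonce || ciphertext
}
func NewVault() *Vault { return &Vault{map[string]cipher.AEAD{}, map[string][]byte{}} }
// must panics on error: AES-GCM setup cannot fail for a 32-byte key, and CSPRNG failure has no safe fallback.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
// Store encrypts a record under that employee's own key (created on first use); the ID is bound as AAD so ciphertexts cannot be swapped between records.
func (v *Vault) Store(id string, plaintext []byte) {
	gcm, ok := v.keys[id]
	if !ok {
		gcm = must(cipher.NewGCM(must(aes.NewCipher(randomBytes(32))))) // 32 bytes = AES-256
		v.keys[id] = gcm
	}
	nonce := randomBytes(gcm.NonceSize())
	v.records[id] = gcm.Seal(nonce, nonce, plaintext, []byte(id))
}
// Load fails once the key is gone, even though the ciphertext (and any backup of it) remains.
func (v *Vault) Load(id string) ([]byte, error) {
	gcm, ok := v.keys[id]
	blob := v.records[id]
	if !ok || len(blob) < gcm.NonceSize() {
		return nil, errors.New("key shredded or record missing: data is unreadable")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(id))
}
// Shred deletes only the key: every copy of the ciphertext is unreadable at once.
func (v *Vault) Shred(id string) { delete(v.keys, id) }
```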
A fully EU-sovereign service
Hailey's infrastructure is built on a small set of carefully selected sub-processors whose ultimate beneficial owners and data centres are both within the EU. This means that customer data is hosted exclusively within the EU and is never transferred outside the EU/EEA. Sub-processor selection is controlled at executive level, with formal data processing agreements in place wherever customer data is involved.
Access by exception, not by default
Hailey is designed so that no one has access to your data unless they need it, whether internal or external to your organisation. This means no Hailey employees have direct access to your account. Technical production access is restricted to a minimal set of senior technical roles, and any additional access requires dual approval and full audit logging.
Within the customer's system environment, role-based access control gives the customer full authority over who can view and make changes. Permissions can be configured against pre-defined or fully custom roles, with all changes captured in an audit log.
Authentication on your terms
Hailey integrates with your existing identity infrastructure. Sign-in is supported via Azure AD, Google Workspace, Okta, and Hailey's native login, all underpinned by the OpenID Connect standard. Multi-factor authentication can be configured and enforced through your identity provider or directly within Hailey, ensuring authentication policy stays aligned with your wider security posture.
People as your first line of defence
Strong technical controls only matter if the people behind them are equipped to use them. Every employee at Hailey completes IT security and GDPR training during onboarding, with annual refreshers, and developers receive additional training tailored to the risks of their role. All staff are background-checked appropriate to their responsibilities and bound by confidentiality terms in their employment contracts.
A risk-aware culture
Security at Hailey is a discipline, not a project. We maintain a centralised risk register with named owners for every identified risk, formal treatment plans where mitigation is required, and mandatory review at least every six months. The same systematic approach extends to our information assets, each assigned an owner accountable for its classification, protection, and lifecycle.
Resilient against disruption
Your data is protected against loss as well as compromise. Backups are taken daily and stored offsite in a geographically separate location, with restoration tested twice a year as part of our disaster recovery exercises. Documented Recovery Point Objectives and Recovery Time Objectives bound the impact of any disruption, and service availability commitments are set out in our customer agreements.
Tested inside and out
Hailey's security is validated through recurring, independent testing. Third-party penetration tests are conducted at six-month intervals, with automated vulnerability scanning performed as part of each engagement. These are complemented by internal security testing run by our development team under Quality Assurance oversight to identify weaknesses and security gaps. Test reports are available to customers on request under appropriate confidentiality terms.
