At MiHCM, trust is not a feature — it is a responsibility. Every solution is built with security, privacy, and compliance at its core, enabling organisations to operate with certainty in an increasingly complex regulatory landscape.
MiHCM follows a privacy-by-design approach across all products and services, ensuring personal data is handled lawfully, transparently, and responsibly.
As MiHCM expands AI capabilities through MiA ONE, SmartAssist, and Syntra, responsible and transparent AI use remains a core principle.
Trust extends beyond technology — reinforced through resilient systems, strong governance, and open, accountable practices.
MiHCM aligns its operations, processes, and technology with internationally recognised standards. ISO certificates are available for immediate download to support vendor onboarding.
HR platforms carry some of the most sensitive data in any organisation. MiHCM applies enterprise-grade security controls across every layer — from architecture and development to deployment and operations.
Comprehensive answers to common vendor onboarding, security assessment, and compliance questions — organised by domain from our security vendor questionnaire covering 111 controls across 11 security domains.
MiHCM is compliant with Sri Lanka's Personal Data Protection Act No. 9 of 2022, Malaysia's Personal Data Protection Act 2010, and Indonesia's Law No. 27 of 2022 on Personal Data Protection.
MiHCM strictly uses personal data only for the purposes defined within the contractual scope and does not reuse or process such data for any independent business purposes.
MiHCM collects consent at the point of data collection through explicit opt-in mechanisms such as consent tick boxes on forms. Consent is documented and stored, and individuals are informed of the purposes for which their data will be used. Where consent is the legal basis, individuals may withdraw consent and MiHCM provides a mechanism to honour such requests, including unsubscribe management and data removal through the designated Data Protection Officer (DPO).
Data is collected only where necessary. Processing is limited to defined HR, payroll, and workforce management purposes. Retention aligns with contractual and regulatory requirements.
MiHCM provides equivalent audit evidence, including relevant certifications (e.g., ISO 27001) and third-party audit reports. Additionally, MiHCM relies on trusted cloud service providers such as Microsoft Azure, which offer comprehensive compliance and audit documentation to customers.
MiHCM maintains a formal Information Security Management System (ISMS) aligned with ISO 27001. The organisation also runs regular security awareness programmes and shares daily security-related awareness messages with employees to strengthen security culture and practices.
MiHCM adheres to multiple industry-recognised security frameworks, including ISO/IEC 27001, ISO/IEC 27701, and SOC 2 Type II, to ensure strong information security and privacy controls across its services.
MiHCM has a SOC 2 Type II report, which independently assesses and validates the effectiveness of its security controls over a defined period of time.
MiHCM maintains a formal Incident Response and Management process aligned with ISO 27001. In the event of a confirmed security breach or personal data incident, MiHCM follows a structured response lifecycle: detection and triage, containment, investigation, notification, and post-incident review. Affected customers are notified in accordance with contractual obligations and applicable data protection laws. A dedicated internal team is responsible for coordinating incident response, and all incidents are documented and reviewed to drive continuous improvement.
MiHCM conducts security assessments of third-party vendors and suppliers that handle or have access to customer data or critical systems. This includes reviewing security practices, contractual data protection obligations, and ongoing monitoring of critical suppliers. All approved vendors are listed in an authorised tools and vendor register, and Data Processing Agreements (DPAs) are in place with third-party processors where applicable.
Azure Front Door is used for front-end protection. The application maintains full audit trails for all configuration changes and privileged activities. Each log entry captures the user performing the action (Who), timestamp (When), the specific action (What), the source or location (Where), and the method used (How).
MiHCM's development environment uses a CI/CD pipeline with GitHub Advanced Security integrated. GHAS provides automated SAST, secret scanning, and dependency scanning during the build and integration process.
MiHCM conducts annual Vulnerability Assessment and Penetration Testing (VAPT) performed by qualified third-party security firms, following OWASP ASVS methodology. Internal vulnerability assessments are also conducted monthly. Findings are tracked against a documented remediation SLA with defined timeframes for Critical, High, Medium, and Low severity findings.
Patching and upgrade cycles for the infrastructure and platform are managed by the cloud provider, Microsoft Azure. Microsoft handles all security updates and patches according to their formal patch management policies.
MiHCM enforces strict logical tenant isolation. Each customer's data is containerised and segmented at the application and infrastructure layers. No tenant can view, access, or query another tenant's data under any circumstances. This isolation is enforced through access control policies, dedicated data namespaces, and infrastructure-level controls on Microsoft Azure.
The system supports a configurable password policy. Passwords must be between 8 and 256 characters, with complexity requirements including uppercase, lowercase, numbers, and symbols. Account lockout occurs after 5 failed attempts. Password expiry is enforced, and all passwords are one-way encrypted (hashed with salt) at rest and in transit.
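The password policy above (8 to 256 characters, all four character classes, lockout after 5 failed attempts, salted one-way hashing) and the five-field audit entry described earlier (Who, When, What, Where, How) can be illustrated together. The following is an added example written for this page, not MiHCM's own code: the hash function (PBKDF2-HMAC-SHA256), the iteration count, the field names and the sample user and source address are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timezone
from typing import Optional

# Length bounds and lockout threshold as stated on the page.
MIN_LEN, MAX_LEN = 8, 256
MAX_FAILED_ATTEMPTS = 5
# Assumption: the page does not name the hash; PBKDF2-HMAC-SHA256 is used here.
PBKDF2_ITERATIONS = 600_000


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("missing uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("missing lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if not any(c in string.punctuation for c in password):
        problems.append("missing symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted one-way hash; a fresh 16-byte random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Authenticator:
    """Minimal in-memory account store: enforces the policy and lockout, writes the audit trail."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}
        self.audit: list[dict] = []

    def _record(self, who: str, what: str, where: str, how: str) -> None:
        # One entry per action with the five fields the page lists.
        self.audit.append({
            "who": who,
            "when": datetime.now(timezone.utc).isoformat(),
            "what": what,
            "where": where,
            "how": how,
        })

    def register(self, username: str, password: str, where: str = "admin-console") -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)  # only the salt and digest are stored
        self.accounts[username] = {"salt": salt, "digest": digest, "failed": 0, "locked": False}
        self._record(username, "account.create", where, "password")

    def login(self, username: str, password: str, where: str, how: str = "password") -> str:
        """Return 'success', 'failure' or 'locked'; every attempt is audited."""
        acct = self.accounts.get(username)
        if acct is None:
            self._record(username, "login.failure.unknown_user", where, how)
            return "failure"
        if acct["locked"]:
            self._record(username, "login.rejected.locked", where, how)
            return "locked"
        if verify_password(password, acct["salt"], acct["digest"]):
            acct["failed"] = 0
            self._record(username, "login.success", where, how)
            return "success"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
            self._record(username, "account.lockout", where, how)
            return "locked"
        self._record(username, "login.failure", where, how)
        return "failure"


def demo() -> dict:
    """Constructed walkthrough: five wrong guesses lock the account, after which even the correct password is rejected."""
    auth = Authenticator()
    auth.register("alice", "Correct-Horse9!")  # constructed sample user and password
    outcomes = [auth.login("alice", "wrong-guess", "10.0.0.5") for _ in range(MAX_FAILED_ATTEMPTS)]
    after_lock = auth.login("alice", "Correct-Horse9!", "10.0.0.5")
    return {"outcomes": outcomes, "after_lock": after_lock, "audit_entries": len(auth.audit)}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the lockout is recorded as its own audit event rather than as a fifth plain failure, so a detection rule can alert on `account.lockout` directly, and the comparison uses `hmac.compare_digest` so that verification time does not depend on how many bytes of the digest matched.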
The system supports creating, modifying, deleting, and revoking user access through a centralised front-end administration interface. Module-level, menu-option-level, table-level, and field-level access control is supported with granular privilege definitions. The Principle of Least Privilege is enforced.
The solution supports SAML 2.0 and OpenID Connect (OIDC) for federated authentication, and integrates with Microsoft Entra ID (Azure Active Directory), AWS IAM/SSO (via SAML 2.0), and Google Cloud Identity. Session protection uses OAuth 2.0.
Data in transit is protected using TLS 1.2 and TLS 1.3, while data at rest is secured using AES-256. MiHCM relies on Azure cloud services, with all stored data and backups encrypted using AES-256 through Azure Storage Service Encryption, with keys managed either by Microsoft or customer-controlled Azure Key Vault.
Credentials and API keys are managed through secure secrets management practices. Secrets are never hardcoded in source code or configuration files. MiHCM leverages Azure Key Vault for centralised, access-controlled storage of secrets and cryptographic keys. Access to secrets is restricted by role and audited. API keys are rotated periodically and revoked immediately upon personnel changes or suspected compromise. GitHub Advanced Security is also used to detect accidental secret exposure in the CI/CD pipeline.
MiHCM operates primarily on cloud infrastructure (Microsoft Azure), where physical media disposal is managed by Microsoft in accordance with their certified secure disposal processes. For any on-premises or portable media within MiHCM's control, data is securely wiped or destroyed prior to disposal, following documented media sanitisation procedures aligned with ISO 27001 controls. Customer data is deleted or anonymised at end-of-contract in line with agreed retention terms.
The mobile application has been assessed against OWASP MASVS, including its code obfuscation and anti-reverse-engineering controls. Measures such as obfuscating code, detecting emulators or debuggers, and applying runtime protections are implemented.
The MiHCM mobile application implements jailbreak and root detection to prevent operation on compromised devices. When a jailbroken or rooted device is detected, the application restricts access to protect sensitive HR data. Additional runtime protections include emulator detection, debugger detection, and code obfuscation measures aligned with the OWASP Mobile Application Security Verification Standard (MASVS).
Mobile application security testing is performed regularly as part of MiHCM's security program. Internal vulnerability assessments are conducted monthly, and external VAPT (including mobile application penetration testing) is performed annually.
MiHCM conducts background verification checks as part of the employee onboarding process, particularly for roles with access to sensitive customer data or critical systems. Checks are carried out in accordance with applicable employment laws and privacy regulations in each operating region. The extent of checks is proportionate to the sensitivity of the role and access level involved.
MiHCM maintains regular data backups, defined DR and BCP, high-availability architecture, and structured incident management processes to ensure continuous operations.
MiHCM targets a 99.9% uptime SLA for its cloud-hosted platform, supported by Microsoft Azure's high-availability infrastructure. The platform is built with redundancy and failover capabilities to minimise service disruption. Specific SLA commitments are defined in the customer's Master Service Agreement (MSA). Planned maintenance windows are communicated in advance, and MiHCM maintains incident management and escalation procedures to ensure timely resolution of any service disruptions.
MiHCM signs Data Processing Agreements (DPAs) with customers where MiHCM acts as a data processor on behalf of the customer. DPAs define the scope of processing, security obligations, sub-processor arrangements, data subject rights support, breach notification obligations, and data return or deletion terms. DPAs are aligned with applicable data protection laws including Sri Lanka's PDPA, Malaysia's PDPA 2010, and GDPR requirements where relevant.