Legal
Layers Software and Human Resources Services Inc. legal documentation
Personal Data Protection and Processing Policy
The purpose of this Personal Data Protection and Processing Policy (“Policy”) is to set out the terms and conditions regarding the use and storage of personal data of users, companies, and employees who will benefit from the Human Resources and Personnel Management System (“Platform”) or human resources services provided through the website www.layersup.com (“Site”) owned by Layers Software and Human Resources Services Inc. (“Layers”).
1. What Data Is Processed?
Layers processes the following personal data in accordance with applicable data protection legislation:
| Data Category | Data Processed | Collection Method |
|---|---|---|
| Identity Information | Name, surname | Demo form, Platform registration |
| Contact Information | Email address, phone number | Demo form, Platform registration |
| Business Information | Company name, employee count, package preference | Demo form, Pricing calculator |
| Security Information | Password, authentication data | Platform account management |
| Technical Data | IP address, cookie data, browser information | Automatic (cookies) |
In accordance with applicable legislation, data that has been irreversibly anonymized is not considered personal data, and processing activities related to such data shall be carried out independently of the provisions of this Policy.
2. For What Purposes Is Data Used?
Layers processes the collected personal data for the following purposes:
- Platform Account Management: Opening user accounts and providing services related to the Platform
- Service Improvement: Developing existing services, creating new services, and offering personalized services
- Communication: Contacting companies or employees and providing information
- Statistics & Reporting: Statistical evaluations without disclosing identity, database creation, and market research
- Marketing: Direct marketing, product and service promotion communications, subject to the user’s separate consent
- Legal Obligations: Fulfilling obligations under applicable legislation
3. Legal Basis
Layers may process personal data based on the following legal grounds under applicable data protection legislation:
| Legal Basis | Description |
|---|---|
| Explicit Consent | Data processing for marketing and communication purposes |
| Performance of a Contract | Provision of Platform services, account creation |
| Legal Requirement | Regulatory compliance requirements |
| Legal Obligation | Tax, accounting, and other legal obligations |
| Legitimate Interest | Service improvement, security, fraud detection |
| Establishment of a Right | Exercise and defense of rights in legal proceedings |
4. Who Can Access the Data?
Layers may share personal data with the following parties, limited to the relevant purposes:
- Cloud Service Providers: Data hosting and backup services (Microsoft Azure, etc.)
- Outsourced Service Providers: Business partners providing support in operational processes
- Law Firms: Legal consultancy and compliance processes
- Audit Firms: Information security and financial audit activities
- Authorized Institutions: Competent authorities within the scope of legal regulations
5. International Data Transfers
Your personal data may be transferred abroad to be processed through cloud-based applications and backup systems. These transfers are made either to countries with adequate protection or on condition that the data controller undertakes in writing to provide adequate protection, in compliance with applicable data protection legislation, including GDPR and local regulations.
6. Data Retention Period
Layers retains personal data for the duration of the provision of services and for the limitation periods specified in applicable legislation after the termination of services. When the retention period expires, personal data is deleted, destroyed, or anonymized.
7. Data Security Measures
Layers endeavors to take all necessary technical and administrative measures to ensure an appropriate level of security, in order to prevent unlawful processing of and access to personal data and to ensure that the data is preserved. In this regard:
- Data encryption and secure communication protocols (SSL/TLS) are used
- Access authorization and authentication mechanisms are implemented
- Regular security audits and penetration tests are conducted
- Data security training is provided to employees
8. Data Subject Rights
Under applicable data protection legislation, you have the following rights:
- To learn whether your personal data is being processed
- To request information about the processing of your personal data
- To learn the purpose of personal data processing and whether the data is used in accordance with its purpose
- To know the third parties to whom personal data has been transferred, domestically or internationally
- To request the correction of personal data if it has been processed incompletely or inaccurately
- To request the deletion or destruction of personal data under the conditions stipulated by applicable legislation
- To request notification of correction, deletion, and destruction operations to third parties to whom personal data has been transferred
- To object to any result arising against you through the analysis of processed data exclusively by automated systems
- To claim compensation for damages arising from the unlawful processing of personal data
9. How to Apply
To exercise the above rights, you may contact Layers through the following channels:
Written Application: Fatih Sultan Mehmet Mh. Balkan Cd. Meydan Istanbul AVM No:62A Umraniye, Istanbul, Turkey
Email: info@layersup.com
Registered Email (KEP): layersyazilim@hs03.kep.tr
Layers will conclude applications within 30 days at the latest. In principle, no fee shall be charged for the procedures related to requests; however, if the procedures require a cost, a fee may be charged based on the tariff determined by the relevant data protection authority.
Privacy Policy
As Layers Software and Human Resources Services Inc. (“Layers”), we are committed to protecting your privacy on the www.layersup.com website (“Site”) and the Layers Human Resources and Personnel Management Platform (“Platform”). This Privacy Policy explains what personal information we collect, how we use it, how we protect it, and your rights regarding your data.
1. Information We Collect
Layers collects personal information in the following ways:
- Information You Provide: When you fill out a demo request form, register for the Platform, or contact us, you provide your name, email address, phone number, company name, and employee count.
- Information Collected Automatically: When you visit the Site, we automatically collect technical data such as your IP address, browser type, operating system, referring URLs, pages visited, and time spent on the Site.
- Information from Third Parties: We may receive information from business partners or service providers in connection with the services we offer.
2. How We Use Your Information
We use your personal information for the following purposes:
- To provide and maintain the Platform and its services
- To process and respond to your demo requests and inquiries
- To send you service-related notifications and updates
- To send marketing communications (only with your explicit consent)
- To analyze usage patterns and improve our services
- To ensure the security of our Site and Platform
- To comply with legal obligations
3. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Consent: Where you have given us explicit consent (e.g., for marketing emails)
- Contractual Necessity: Where processing is necessary to perform a contract with you or to take pre-contractual steps at your request
- Legal Obligation: Where we are required to process your data by law
- Legitimate Interest: Where processing is necessary for our legitimate business interests, provided these are not overridden by your rights
4. Third-Party Services
Layers may share your personal data with trusted third-party service providers who assist us in operating the Site and Platform. These third parties are bound by contractual obligations to keep your data confidential and use it only for the purposes we specify. For a complete list of our sub-processors, please refer to our Sub-processor List.
5. International Data Transfers
Your personal data may be transferred to and processed in countries outside of Turkey and the European Economic Area. When such transfers occur, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized transfer mechanisms.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law. When your data is no longer needed, we securely delete, destroy, or anonymize it.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data
- Right to Restriction: Request limitation of processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
8. Data Security
Layers implements industry-standard technical and administrative measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Your data is transmitted over encrypted connections (SSL/TLS) and stored on secure servers.
9. Policy Updates
Layers may update this Privacy Policy at any time. The current policy takes effect on the date it is published on the Site. In case of significant changes, notification will be provided through the Site.
10. Contact
For questions regarding our privacy policy:
Layers Software and Human Resources Services Inc.
Address: Fatih Sultan Mehmet Mh. Balkan Cd. Meydan Istanbul AVM No:62A Umraniye, Istanbul, Turkey
Email: info@layersup.com
Registered Email (KEP): layersyazilim@hs03.kep.tr
Web: https://www.layersup.com
Cookie Policy
This Cookie Policy explains how Layers Software and Human Resources Services Inc. (“Layers”) uses cookies and similar tracking technologies on the www.layersup.com website (“Site”) and the Layers Platform. By continuing to use the Site, you consent to the use of cookies as described in this policy.
1. What Are Cookies?
Cookies are small text files that are stored on your device by the websites you visit through your computer or mobile device. Cookies are used to ensure the proper functioning of the website, to facilitate its use, and to obtain visitor statistics.
2. Types of Cookies
By Storage Duration
| Type | Description |
|---|---|
| Session Cookies | Automatically deleted when the browser is closed. Used for the secure and uninterrupted operation of the site. |
| Persistent Cookies | Stored on the device for a specified period. Used to remember your preferences and for personalization. |
By Purpose of Use
| Cookie Type | Purpose | Required? |
|---|---|---|
| Essential Cookies | Necessary for the basic functions of the site to operate. Provides security, session management, and accessibility. | Yes |
| Preference Cookies | Remembers your settings such as language selection and theme preference, and offers a personalized experience on subsequent visits. | No |
| Analytics Cookies | Collects anonymous information to analyze visitor behavior. Measures metrics such as page views and visit duration. | No |
3. Cookies We Use
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| layers_cookie_consent | Essential | Stores your cookie consent preference | 1 year |
| Session ID | Essential | Maintains your session on the Platform | Session |
| Language Preference | Preference | Remembers your language selection (EN/TR) | 1 year |
4. Purposes of Cookie Use
Layers uses cookies for the following purposes:
- To ensure the secure and uninterrupted operation of the Site and Platform
- To identify visitor usage habits and improve services
- To measure the performance of the website by obtaining statistical data
- To remember user preferences and provide personalized content
5. Third-Party Cookies
Layers may use cookies from third-party analytics and service providers on the Site. Data collected through these cookies may be transmitted to third parties only to the extent required by the relevant analytics services.
6. Cookie Control
You can control cookies by changing your browser settings:
- Block all cookies: You can reject all cookies from your browser’s settings section
- Selective blocking: You can block only third-party cookies
- Receive notifications: You can choose to be notified when a cookie is sent
- Delete existing cookies: You can delete cookies stored in your browser at any time
Note: Disabling essential cookies may cause some features of the Site to not function properly.
7. Policy Updates
Layers may update this Cookie Policy at any time. The current policy takes effect on the date it is published on the Site.
8. Contact
For questions regarding our cookie policy:
Layers Software and Human Resources Services Inc.
Email: info@layersup.com
Web: https://www.layersup.com
Terms of Use
These Terms of Use regulate the terms and conditions regarding the use of the website www.layersup.com (“Site”) and the Layers Human Resources and Personnel Management System (“Platform”) operated by Layers Software and Human Resources Services Inc. (“Layers”).
1. Acceptance and Consent
By using the Site and Platform, you are deemed to have declared that you have read, understood, and accepted these Terms of Use. If you do not accept these terms, please do not use the Site and Platform.
2. Service Description
Layers provides a cloud-based Human Resources and Personnel Management System. The Platform offers comprehensive HR solutions including recruitment, performance management, workforce management, payroll, analytics, and IT operations. The Site is used for informational purposes about the Platform, demo requests, and pricing calculations.
3. User Responsibilities
Users accept the following responsibilities:
- To commit that the information provided is complete, accurate, and up-to-date
- To maintain the confidentiality of account information and not share it with third parties
- To use the Site and Platform in compliance with applicable laws
- Not to engage in actions that may jeopardize the security of the Site
- To respect the rights of other users
- To update information promptly in case of any changes
4. Intellectual Property Rights
All content, design, software, logos, trademarks, text, graphics, databases, and other materials on the Site and Platform are the property of Layers and are protected under applicable intellectual property laws.
Without the prior written consent of Layers, all or part of the Site and Platform content may not be copied, reproduced, republished, or distributed.
5. Limitation of Liability
While Layers exercises the utmost care regarding the accuracy and currency of the information on the Site and Platform, it does not guarantee that this information is complete and error-free. Layers shall not be held liable for damages arising from the following situations:
- Temporary inaccessibility of the Site or Platform
- Technical failures or maintenance activities
- Data losses caused by user error
- Disruptions in third-party services
- Force majeure events
6. Third-Party Links
If links to other applications or websites are provided through the Site and Platform, Layers bears no responsibility for the privacy policies and content of these sites.
7. Governing Law and Jurisdiction
These Terms of Use shall be interpreted and applied under the laws of the Republic of Turkey. Istanbul Anadolu Courts and Enforcement Offices shall have jurisdiction over any disputes that may arise from these terms.
8. Right to Amend
Layers may update these Terms of Use at any time without prior notice. The current terms take effect on the date they are published on the Site. Users’ continued use of the Site constitutes acceptance of the updated terms.
9. Fair Use Policy
Use of the Platform is subject to fair and reasonable usage. Layers reserves the right to:
- Set and enforce limits on API calls, storage capacity, concurrent users, and other resource usage
- Throttle, suspend, or restrict access in cases of excessive or abusive usage that impacts platform performance for other customers
- Apply additional charges for usage exceeding the limits defined in the applicable subscription plan
All references to “unlimited” features are subject to reasonable use and do not permit usage that adversely affects other customers or platform stability.
10. Payment, Renewal & Suspension
- Invoices are due within the period specified in the applicable order form. Layers reserves the right to suspend account access if payment is not received within 15 days of the due date
- In case of early termination by the Customer, Layers may invoice the remaining balance of the current subscription term
- Subscriptions renew automatically at the end of each term. Layers may adjust pricing upon renewal with at least 30 days’ prior written notice
- During periods of non-payment, Layers may restrict access to Customer data until outstanding balances are settled
- Layers reserves the right to charge interest on overdue amounts at the maximum rate permitted by applicable law
11. Data Accuracy & Customer Responsibility
- The Customer is solely responsible for the accuracy, completeness, and legality of all data entered into the Platform
- Layers shall not be liable for any consequences arising from inaccurate, incomplete, or unlawful data provided by the Customer
- The Customer is responsible for obtaining all necessary consents and authorizations from data subjects (including employees) before processing their personal data through the Platform
- The Customer shall ensure that its use of the Platform complies with all applicable employment, tax, and data protection laws in its jurisdiction
12. Service Modification Rights
Layers reserves the right to:
- Add, modify, or discontinue features, modules, or functionalities of the Platform at any time with reasonable notice
- Adjust pricing for new subscription terms or renewals with at least 30 days’ prior notice
- Modify API specifications, integrations, or technical interfaces without obligation to maintain backward compatibility
- Migrate the Platform to different infrastructure providers or technologies as deemed necessary
Material changes that significantly reduce functionality included in the Customer’s current plan will be communicated with reasonable advance notice.
13. Limitation of Liability
- To the maximum extent permitted by applicable law, Layers’ total aggregate liability arising out of or related to this agreement shall not exceed two (2) times the monthly subscription fee paid by the Customer under the applicable plan
- In no event shall Layers be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, loss of revenue, loss of business opportunities, loss of data, or business interruption
- Layers shall not be liable for any damages arising from the Customer’s failure to maintain adequate security measures, including but not limited to weak passwords, shared credentials, or failure to enable multi-factor authentication
- The limitations set forth in this section shall apply regardless of the form of action, whether in contract, tort, strict liability, or otherwise
14. Customer Indemnification
The Customer agrees to indemnify, defend, and hold harmless Layers, its officers, directors, employees, and agents from and against any and all claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable attorney fees and court costs) arising out of or relating to:
- The Customer’s use of the Platform or any content uploaded to the Platform
- Any breach of these Terms of Use by the Customer or its authorized users
- Any claims by the Customer’s employees, contractors, or third parties related to data processed through the Platform
- The Customer’s violation of any applicable law, regulation, or third-party rights
- Any intellectual property infringement arising from content uploaded by the Customer
15. Data Backup Responsibility
The backup of all information, documents, and data uploaded to or created within the Platform is entirely the Customer’s responsibility. While Layers maintains system-level backups for disaster recovery purposes, Layers shall not be liable for any data loss resulting from the Customer’s failure to maintain independent backups of their data.
16. Regulatory Suspension & Recourse
Layers provides only the technical infrastructure of the Platform and is not responsible for content created or uploaded by the Customer. If Layers receives any request, complaint, or inquiry from governmental authorities, regulatory bodies, or law enforcement regarding content uploaded by the Customer, Layers reserves the right to:
- Temporarily or permanently suspend the Customer’s account until the matter is resolved
- Cooperate with authorities as required by applicable law
- Seek full recourse against the Customer for any penalties, fines, damages, or costs incurred by Layers as a result of the Customer’s non-compliant activities
The Customer acknowledges that all responsibility for compliance with applicable laws, including but not limited to employment law, social security regulations, tax obligations, and data protection requirements, rests solely with the Customer. In accordance with Law No. 5651 on the Regulation of Publications on the Internet, the Customer bears full legal and criminal liability for all content uploaded to the Platform.
17. No Refund Policy
In the event of termination or expiration of the subscription for any reason, including but not limited to cancellation by the Customer, termination by Layers, or mutual agreement, no refunds shall be issued for any prepaid fees, unused portions of the subscription period, or any other amounts previously paid to Layers.
18. Post-Termination Data Retrieval
Upon termination of the agreement, the Customer may request the delivery of all information, documents, and records uploaded to or created within the Platform within thirty (30) days of the termination date. If no such request is made within this period, Layers may — subject to any data retention obligations under applicable law — permanently delete all Customer data. Layers shall bear no liability for any data deleted after the expiration of this retrieval period.
19. Reference & Logo Usage Rights
For the purpose of improving and promoting the Platform, Layers may use the Customer’s company name and logo as a reference in marketing materials, case studies, and on the Layers website, provided such use is limited to factual reference and does not imply endorsement. The Customer may opt out of such usage by providing written notice to Layers.
20. Suspension of Services
Layers reserves the right to suspend the Customer’s access to the Platform, with or without prior notice depending on the severity, in the following circumstances:
- Detection of security threats or malicious activities
- Risk of damage to Layers’ systems, data, or infrastructure
- Use of the Platform in violation of applicable laws or regulations
- Unauthorized or unlicensed use of the Platform
- Non-payment of fees as described in the Payment section
Suspension of services does not relieve the Customer of any obligations under this agreement. If the suspension is temporary and subsequently lifted, the suspended period shall be added to the Customer’s remaining license term.
21. Disclaimer of Warranties
The Platform and all services, content, and features are provided on an “as is” and “as available” basis. Layers makes no warranties, whether express, implied, statutory, or otherwise, including but not limited to warranties of merchantability, fitness for a particular purpose, performance, or non-infringement. Layers does not warrant that the Platform will be uninterrupted, error-free, or completely secure.
22. Customer Security Obligations
The Customer shall:
- Maintain strong passwords and enable multi-factor authentication (MFA) for all user accounts
- Promptly deactivate accounts of employees or contractors who no longer require access
- Not share account credentials with unauthorized third parties
- Immediately notify Layers of any suspected unauthorized access to their account
- Ensure that all authorized users comply with these Terms of Use and the Acceptable Use Policy
Layers shall not be liable for any unauthorized access or data breach resulting from the Customer’s failure to comply with these security obligations.
23. Force Majeure
Layers shall not be liable for any failure or delay in performance resulting from causes beyond its reasonable control, including but not limited to:
- Natural disasters, epidemics, pandemics, wars, terrorism, or civil unrest
- Cyber attacks, distributed denial-of-service (DDoS) attacks, or other malicious activities
- Failures or outages of third-party infrastructure providers, cloud services, or telecommunications networks
- Changes in applicable laws, regulations, or government orders
- Power outages, internet service disruptions, or hardware failures beyond Layers’ control
During a force majeure event, Layers’ obligations under this agreement shall be suspended for the duration of the event. Layers will use commercially reasonable efforts to minimize the impact and resume normal operations as soon as practicable.
24. Intellectual Property & Derived Data
- All intellectual property rights in the Platform, including software, algorithms, designs, and documentation, are and shall remain the exclusive property of Layers
- Layers may use anonymized and aggregated data derived from Customer usage for the purposes of improving the Platform, generating industry benchmarks, and conducting research, provided that such data cannot be used to identify the Customer or any individual
- Any customizations, configurations, or workflows created within the Platform using Layers’ tools and interfaces are built upon Layers’ proprietary technology and do not transfer intellectual property rights to the Customer
- The Customer shall not reverse engineer, decompile, disassemble, or attempt to derive the source code of the Platform
25. Notices & Communication
- All formal notices under this agreement must be in writing and delivered via email to the addresses on record
- Notices sent by email shall be deemed received on the date of transmission, provided no delivery failure notification is received
- The Customer is responsible for maintaining current and accurate contact information in their account settings
- Layers may provide general notices and updates through the Platform dashboard, email, or the Layers website
26. Dispute Resolution
In the event of any dispute arising out of or relating to this agreement:
- Good Faith Negotiation: The parties shall first attempt to resolve the dispute through good faith negotiation for a period of thirty (30) days from the date written notice of the dispute is given
- Mediation: If the dispute is not resolved through negotiation, the parties shall submit the dispute to mediation before an agreed-upon mediator
- Litigation: If mediation fails, the dispute shall be submitted to the exclusive jurisdiction of the Istanbul Anadolu Courts and Enforcement Offices of the Republic of Turkey
Nothing in this section shall prevent Layers from seeking injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property rights or confidential information.
27. Contact
For questions regarding the terms of use:
Layers Software and Human Resources Services Inc.
Address: Fatih Sultan Mehmet Mh. Balkan Cd. Meydan Istanbul AVM No:62A Umraniye, Istanbul, Turkey
Email: info@layersup.com
Registered Email (KEP): layersyazilim@hs03.kep.tr
Web: https://www.layersup.com
Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of the agreement between Layers Software and Human Resources Services Inc. (“Processor” or “Layers”) and the entity or person agreeing to these terms (“Controller” or “Customer”) for the provision of the Layers Human Resources and Personnel Management Platform (“Services”).
This DPA applies where and only to the extent that Layers processes Personal Data on behalf of the Customer in the course of providing the Services, and such Personal Data is subject to applicable Data Protection Laws including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Turkish Personal Data Protection Law No. 6698 (“KVKK”).
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person processed by Layers on behalf of the Customer.
- “Data Subject” means the individual to whom the Personal Data relates.
- “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, storage, alteration, retrieval, use, disclosure, erasure, or destruction.
- “Sub-processor” means any third party appointed by Layers to process Personal Data on behalf of the Customer.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
Layers shall process Personal Data only for the purpose of providing the Services as described in the main service agreement, including:
- Hosting and operating the HR management platform
- Processing employee records, payroll data, performance data, and other HR-related information
- Providing analytics and reporting features
- Maintaining backups and ensuring data recovery capabilities
- Providing technical support and maintenance
Categories of Data Subjects
The Customer’s employees, contractors, candidates, and other individuals whose data is entered into the Platform by the Customer.
Types of Personal Data
Name, contact details, employment information, compensation data, performance evaluations, attendance records, and other data categories as determined by the Customer’s use of the Platform.
3. Obligations of the Processor
Layers shall:
- Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Respect the conditions for engaging Sub-processors as set out in this DPA
- Assist the Customer in fulfilling its obligation to respond to Data Subject requests
- Assist the Customer in ensuring compliance with security, breach notification, impact assessment, and consultation obligations
- At the choice of the Customer, delete or return all Personal Data upon termination of the Services
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
4. Obligations of the Controller
The Customer shall:
- Ensure that it has a lawful basis for processing Personal Data and transferring it to Layers
- Provide documented processing instructions to Layers
- Ensure compliance with applicable Data Protection Laws in its use of the Services
- Inform Layers promptly if it becomes aware of any Data Breach or security concern
- Ensure that Data Subjects are informed about the processing of their Personal Data
5. Sub-processing
The Customer acknowledges and agrees that Layers may engage Sub-processors to assist in providing the Services. A current list of Sub-processors is available in the Sub-processor List.
Before engaging a new Sub-processor, Layers will use commercially reasonable efforts to:
- Notify the Customer with reasonable advance notice of the intended change
- Provide the Customer with the opportunity to raise concerns regarding the new Sub-processor
- Ensure that the Sub-processor is bound by data protection obligations no less protective than those in this DPA
If the Customer raises concerns regarding a new Sub-processor and Layers cannot reasonably accommodate the concern, either party may terminate the affected Services.
6. International Data Transfers
Where Personal Data is transferred outside the European Economic Area or Turkey, Layers shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions by the relevant data protection authority
- Other legally recognized transfer mechanisms under applicable law
7. Data Breach Notification
In the event of a Data Breach, Layers shall:
- Notify the Customer without undue delay after becoming aware of the breach and, where feasible, within 72 hours
- Provide sufficient information to enable the Customer to meet its breach reporting obligations
- Take reasonable steps to mitigate the effects of the Data Breach
- Cooperate with the Customer in investigating and remedying the breach
The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
8. Audit Rights
The Customer may request compliance information regarding Layers’ obligations under this DPA. Layers will provide relevant documentation such as SOC 2 reports or equivalent certifications upon reasonable request.
9. Data Retention and Deletion
Upon termination or expiry of the Services:
- Layers shall, at the Customer’s election, return or delete all Personal Data within a commercially reasonable timeframe following termination
- The Customer may request a data export in a standard, machine-readable format prior to termination
- Layers may retain Personal Data where required by applicable law, and shall inform the Customer of such retention
- Backup copies will be retained as required by applicable law and deleted in accordance with Layers’ standard backup rotation schedule
10. Term and Termination
This DPA shall remain in effect for the duration of the main service agreement. The obligations of Layers with respect to the protection of Personal Data shall survive the termination of this DPA for as long as Layers retains Personal Data.
11. Contact
For questions regarding this Data Processing Agreement:
Layers Software and Human Resources Services Inc.
Email: info@layersup.com
Address: Fatih Sultan Mehmet Mh. Balkan Cd. Meydan Istanbul AVM No:62A Umraniye, Istanbul, Turkey
Acceptable Use Policy (AUP)
This Acceptable Use Policy (“AUP”) governs the use of the www.layersup.com website (“Site”) and the Layers Human Resources and Personnel Management Platform (“Platform”) provided by Layers Software and Human Resources Services Inc. (“Layers”). By using the Site or Platform, you agree to comply with this AUP.
1. Permitted Use
The Platform is provided for the sole purpose of human resources and personnel management activities. Permitted uses include:
- Managing employee records, onboarding, and offboarding processes
- Processing payroll and compensation data
- Tracking performance evaluations and goal management
- Managing recruitment and candidate tracking
- Generating HR analytics and reports
- Managing work schedules, shifts, and attendance
- Other legitimate HR management activities as supported by the Platform
2. Prohibited Activities
You shall not use the Site or Platform to:
- Violate any applicable laws, regulations, or third-party rights
- Upload, transmit, or store any content that is unlawful, harmful, threatening, abusive, defamatory, or otherwise objectionable
- Attempt to gain unauthorized access to the Platform, other accounts, computer systems, or networks connected to the Platform
- Introduce viruses, malware, worms, trojans, or other harmful code
- Engage in any activity that interferes with or disrupts the Platform or its infrastructure
- Use the Platform for any purpose other than legitimate human resources management
- Reverse engineer, decompile, or disassemble any part of the Platform
- Scrape, crawl, or use automated means to access the Platform without prior written consent
- Resell, sublicense, or redistribute access to the Platform without authorization
- Store or process data that violates applicable data protection laws
3. Account Security
Users are responsible for:
- Maintaining the confidentiality of their login credentials
- Using strong, unique passwords and enabling multi-factor authentication (MFA) where available
- Reporting any suspected unauthorized access or security incidents to Layers immediately
- Ensuring that access is limited to authorized individuals within their organization
- Promptly deactivating accounts of employees who no longer require access
4. Data Handling
When using the Platform, you must:
- Ensure that all data entered into the Platform is collected and processed in compliance with applicable data protection laws
- Obtain necessary consents from data subjects before entering their personal data into the Platform
- Not use the Platform to process special categories of personal data (e.g., health data, biometric data) unless the Platform feature explicitly supports it and appropriate safeguards are in place
- Ensure the accuracy and relevance of data stored on the Platform
5. Enforcement and Consequences
Layers reserves the right to take the following actions in response to violations of this AUP:
- Warning: Notification of the violation with a request to cease the prohibited activity
- Suspension: Temporary suspension of access to the Platform pending investigation
- Termination: Permanent termination of access for serious or repeated violations
- Legal Action: Pursuit of legal remedies, including claims for damages, where applicable
Layers will make reasonable efforts to notify the Customer before taking enforcement action, except where immediate action is necessary to protect the Platform, other customers, or third parties.
6. Reporting Violations
If you become aware of any violation of this AUP, please report it immediately:
Email: info@layersup.com
Subject Line: AUP Violation Report
7. Changes to This Policy
Layers may update this AUP at any time. Material changes will be communicated through the Platform or via email. Continued use of the Platform after changes constitutes acceptance of the updated AUP.
Sub-processor List
In accordance with our Data Processing Agreement, Layers Software and Human Resources Services Inc. (“Layers”) uses the following third-party sub-processors to deliver the Layers Platform and related services. This list is kept up to date and reflects our current sub-processing arrangements.
Infrastructure & Hosting
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, hosting, data storage, and compute services | West Europe (Netherlands) | All Platform data including customer and employee records |
| Microsoft Azure | Backup and disaster recovery | North Europe (Ireland) | Encrypted backup copies of Platform data |
Communication & Support
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| SendGrid (Twilio) | Transactional email delivery | United States | Email addresses, email content |
| Intercom | Customer support and live chat | United States | Name, email, support conversation content |
Analytics & Monitoring
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Google Analytics | Website traffic analysis and visitor behavior | United States | Anonymized/pseudonymized usage data, IP addresses (anonymized) |
| Sentry | Application error monitoring and performance tracking | United States | Error logs, device information, anonymized user identifiers |
Payment Processing
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| iyzico | Payment processing and billing | Turkey | Billing information, payment card details (tokenized) |
Changes to Sub-processors
In accordance with our Data Processing Agreement, Layers will notify customers with reasonable advance notice of any intended changes to its sub-processor list. Customers who have concerns regarding a new sub-processor may raise them as described in the DPA.
To subscribe to sub-processor change notifications, please contact us at info@layersup.com.
Security Policy
Layers Software and Human Resources Services Inc. (“Layers”) aims to maintain the highest standards of information security for the Layers Platform and the data entrusted to us by our customers. This Security Policy outlines the technical and organizational measures we implement to protect your data.
1. Infrastructure Security
- Cloud Hosting: The Platform is hosted on Microsoft Azure, which maintains industry-leading certifications including ISO 27001, SOC 1/2/3, and CSA STAR
- Geographic Redundancy: Primary data is stored in West Europe (Netherlands) with backup replication to North Europe (Ireland)
- Network Security: Virtual network isolation, network security groups, DDoS protection, and Web Application Firewall (WAF) are deployed
- Firewalls: Application-level firewalls restrict access to authorized traffic only
2. Data Encryption
| Encryption Type | Standard | Details |
|---|---|---|
| Data in Transit | TLS 1.2+ | All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher |
| Data at Rest | AES-256 | All stored data is encrypted using AES-256 encryption |
| Database Encryption | Transparent Data Encryption | Database-level encryption is enabled on all production databases |
| Backup Encryption | AES-256 | All backups are encrypted before storage |
3. Access Controls
- Role-Based Access Control (RBAC): Access to the Platform and internal systems is granted based on the principle of least privilege
- Multi-Factor Authentication (MFA): MFA is enforced for all Layers employee access to production systems
- Single Sign-On (SSO): Enterprise customers can integrate SSO with their identity provider
- Session Management: Automatic session timeouts and concurrent session controls
- Access Reviews: Regular access reviews are conducted to ensure appropriate access levels
4. Application Security
- Secure Development: All code follows OWASP Top 10 guidelines and undergoes security review before deployment
- Penetration Testing: Periodic third-party penetration tests are conducted, with critical findings remediated immediately
- Vulnerability Management: Automated vulnerability scanning is performed regularly, with target timeframes for remediation based on severity
- Code Review: All code changes undergo peer review before deployment to production
- Dependency Management: Third-party libraries and dependencies are regularly updated and monitored for known vulnerabilities
5. Incident Response
Layers maintains a formal Incident Response Plan that includes:
- Detection: 24/7 automated monitoring and alerting for security events
- Assessment: Rapid triage and severity classification of detected incidents
- Containment: Immediate steps to contain and limit the impact of security incidents
- Notification: Customer notification without undue delay, and where feasible within 72 hours, for incidents involving Personal Data, in accordance with our DPA
- Recovery: Restoration of affected systems and data from clean backups
- Post-Incident Review: Root cause analysis and implementation of preventive measures
6. Business Continuity & Disaster Recovery
- Backup Frequency: Automated daily backups with point-in-time recovery capability
- Recovery Point Objective (RPO): Target of 1 hour
- Recovery Time Objective (RTO): Target of 4 hours
- Geographic Redundancy: Backup data is stored in a separate geographic region
- DR Testing: Disaster recovery procedures are tested at least annually
Layers aims to achieve these targets using commercially reasonable efforts.
7. Employee Security
- All employees undergo background checks before hire
- Security awareness training is provided during onboarding and annually thereafter
- Employees sign confidentiality and non-disclosure agreements
- Access to customer data is limited to employees who require it for their job function
- All employee devices are managed with endpoint protection and encryption
8. Compliance
Layers aims to achieve and maintain the following compliance standards:
| Standard | Status | Description |
|---|---|---|
| KVKK | Compliant | Turkish Personal Data Protection Law No. 6698 |
| GDPR | Compliant | EU General Data Protection Regulation |
| ISO 27001 | Under evaluation | Information Security Management System certification |
| SOC 2 Type II | Under consideration | Service Organization Control audit for security, availability, and confidentiality |
9. Responsible Disclosure
If you discover a potential security vulnerability, we encourage responsible disclosure. Please report it to:
Security Team: security@layersup.com
We will acknowledge receipt within 48 hours and work to assess and address the reported vulnerability promptly. We will not take legal action against individuals who report vulnerabilities in good faith.
Employee Data Privacy Notice
This Employee Data Privacy Notice explains how personal data of employees is processed through the Layers Human Resources and Personnel Management Platform (“Platform”). This notice is provided for transparency and to help employees understand how their data is handled.
1. Roles and Responsibilities
| Role | Entity | Responsibility |
|---|---|---|
| Data Controller | Your Employer (the company using Layers) | Determines the purposes and means of processing your personal data. Responsible for informing you about data processing and ensuring lawful basis. |
| Data Processor | Layers Software and Human Resources Services Inc. | Processes personal data on behalf of the Data Controller (your employer) for the purpose of providing the Platform and HR services. |
Important: Your employer is the primary entity responsible for the lawful processing of your personal data. Layers processes your data solely on the instructions of your employer and in accordance with our Data Processing Agreement.
2. What Employee Data Is Processed?
The following categories of employee data may be processed through the Platform, depending on your employer’s configuration:
| Data Category | Examples |
|---|---|
| Personal Identity | Name, surname, date of birth, national ID number, photograph |
| Contact Information | Email address, phone number, home address |
| Employment Details | Job title, department, start date, employment type, work location |
| Compensation & Payroll | Salary, bonuses, deductions, bank account details, tax information |
| Performance Data | Performance reviews, goals, competency assessments, feedback |
| Attendance & Leave | Work hours, shift schedules, leave balances, absence records |
| Recruitment Data | CV, cover letter, interview notes, assessment scores (for candidates) |
| Training & Development | Completed training records, certifications, skill assessments |
| System & Access Data | Login timestamps, IP addresses, device information, activity logs |
3. How Is Your Data Used?
Your employer uses the Platform to process your data for purposes including:
- Managing the employment relationship and fulfilling contractual obligations
- Processing payroll and administering compensation and benefits
- Conducting performance evaluations and career development planning
- Managing attendance, leave, and shift scheduling
- Recruitment and onboarding processes
- Generating workforce analytics and reports
- Complying with legal and regulatory requirements
4. Data Security
Layers implements robust security measures to protect your personal data, including encryption in transit and at rest, access controls, and regular security audits. For full details, please refer to our Security Policy.
5. Data Retention
Your personal data is retained on the Platform for as long as your employer maintains it. Data retention periods are determined by your employer in accordance with their policies and applicable law. When your employer requests deletion, Layers will securely delete or anonymize the data in accordance with our Data Processing Agreement.
6. Your Rights
As a data subject, you may have the following rights under applicable data protection laws:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data under certain circumstances
- Right to Restriction: Request limitation of data processing
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to certain types of processing
How to Exercise Your Rights: Since your employer is the Data Controller, please direct your data subject requests to your employer’s HR department or designated data protection contact. Your employer may use the Platform’s built-in tools to fulfill your request, or contact Layers for assistance.
7. International Data Transfers
Your data may be stored and processed in locations outside your country of residence. Layers ensures appropriate safeguards are in place for all international data transfers, as described in our Data Processing Agreement.
8. Contact
For questions about how your employer processes your data through Layers, please contact your employer’s HR department.
For questions about Layers’ data processing practices:
Layers Software and Human Resources Services Inc.
Email: info@layersup.com
Web: https://www.layersup.com