Document Purpose
What This Document Covers
This reference document is intended for IT security, infrastructure, and compliance reviewers evaluating the TalentPrint platform and TAILA (Talentprint AI for Learning & Adapting) for enterprise deployment. It provides a factual, high-level overview of hosting infrastructure, data handling, encryption standards, authentication architecture, AI processing governance, and compliance posture. No client-specific configuration details are included.
Scope note: This document covers the TalentPrint SaaS platform and the TAILA AI module. It does not include client-specific network configurations, IP addresses, or integration credentials. A dedicated technical architecture diagram and integration specification can be provided under NDA upon request.
Infrastructure & Hosting
Azure Dedicated Subscription — Germany Central West
The TalentPrint platform is hosted on a dedicated Microsoft Azure subscription within a Landing Zone architecture in the Germany Central West region. All services are deployed within a private virtual network using Hub-and-Spoke topology, with private endpoints enforced wherever possible. No public IP addresses are exposed to production application services.
Hosting Environment
- Cloud Provider: Microsoft Azure (Dedicated Subscription)
- Region: Germany Central West (EU data residency)
- Network Architecture: Hub-and-Spoke VNET with private endpoints
- Public IP Exposure: None on production application services
- Traffic Protocol: HTTPS enforced on all internal and external traffic
- DNS: Private Endpoints DNS Zone for internal resolution
Core Platform Components
- TalentPrint App: Azure App Service (Linux/Apache PHP); Auth0 integrated
- MasterPortal API: Azure App Service (.Net Core 3.1 Linux); Auth0 integrated
- TalentProfile API: Azure App Service (.Net 6 Linux); Auth0 integrated
- Analytics (Tableau): Azure VM (CentOS); Auth0 SAML SSO
- Static Web Apps / CDN: Global CDN with WAF (OWASP 3.3)
- Email Delivery: SendGrid (transactional SMTP; TLS 1.2+)
Data Security
Encryption, Storage & Data Handling
Encryption Standards
- In Transit: TLS 1.2+ enforced on all connections
- At Rest: AES-256 encryption on all databases and storage
- Database Encryption: Transparent Data Encryption (TDE) on SQL Server
- Blob / File Storage: 256-bit AES; Zone Redundant Storage; FIPS 140-2 compliant
- Certificate Management: Azure Key Vault
Data Classification & Residency
- Data Residency: All data stored within EU (Germany Central West)
- Database Services: Azure SQL Server and Azure MySQL (private endpoints; no public IP)
- Data Processed by AI: Strengths, development areas, learning focus data, role context only
- Excluded from AI: Demographics, gender, and sensitive personal data
- Pseudonymization: All personal identifiers removed prior to AI processing
Authentication & Access Control
Identity, SSO & Role-Based Access
All platform services are protected by Auth0 as the IAM/IDP SSO provider. Enterprise SSO integration is supported via ADFS, SAML, and OpenID Connect (OIDC) claims. Management plane access is authenticated via Azure AD with MFA enforced. RBAC is applied at both Subscription and Resource level across the Azure environment.
| Layer | Technology | Details |
| --- | --- | --- |
| Application SSO | Auth0 | ADFS / SAML / OIDC / MFA; enterprise identity federation supported |
| Management Access | Azure AD + MFA | Authenticates management users; MFA enforced; private endpoint access only |
| Role-Based Access Control | Azure RBAC | Applied at Subscription and Resource level; Liberty governance policies enforced |
| API Access | Auth0 (all APIs) | MasterPortal API, TalentProfile API, TalentPrint App; all Auth0 integrated |
| Analytics Access | Auth0 SAML SSO | Tableau analytics layer; SAML-based SSO; restricted to authorised HR administrators |
| AI Layer Access | Private Endpoint | Azure OpenAI accessed via private endpoint only; no public API connections permitted |
Network Security
Perimeter Controls, WAF & Traffic Management
Web Application Firewall
OWASP 3.3 Ruleset
WAF V2 applied at the Application Gateway layer and on the Global CDN. OWASP 3.3 ruleset enforced. OWASP 3.2 ruleset applied as a secondary layer. All inbound web traffic is inspected before reaching application services.
Network Monitoring
Microsoft Defender + Log Analytics
Microsoft Defender for Cloud and Azure Security Center Standard deployed as default for vulnerability and threat protection. Network Watcher analyses web, application firewall, and network flow logs. Log retention: 91 days.
Azure Policy Enforcement
Governance at Subscription Level
Azure Policies enforce Liberty governance and security standards at Subscription and Resource level. All services use private endpoints. SSL offloading at the Application Gateway layer (TLS v1.2). Continuous credential rotation under Peopletree IT governance.
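Azure Policy expresses controls like the ones stated above as rules over resource properties. The following Python check is added here as an illustration; it is not Peopletree's tooling and not an Azure Policy definition. It applies the same three rules (public network access disabled and a private endpoint on every service, HTTPS only, TLS 1.2 minimum) to a constructed inventory so a reviewer can see what those statements mean at the resource level. The inventory records and their names are invented; the property names (`httpsOnly`, `siteConfig.minTlsVersion`, `publicNetworkAccess`, `minimalTlsVersion`) follow Azure Resource Manager conventions for App Service and Azure SQL but are assumptions as far as this document goes.

```python
from typing import Dict, List

MIN_TLS = (1, 2)  # the document states TLS 1.2 as the floor

# Constructed inventory (invented names, not real resources). Property names follow
# Azure Resource Manager conventions for Microsoft.Web/sites and Microsoft.Sql/servers.
SAMPLE_INVENTORY: List[dict] = [
    {"name": "app-a", "type": "Microsoft.Web/sites",
     "properties": {"httpsOnly": True, "publicNetworkAccess": "Disabled",
                    "siteConfig": {"minTlsVersion": "1.2"}},
     "privateEndpointConnections": ["pe-app-a"]},
    {"name": "app-b", "type": "Microsoft.Web/sites",
     "properties": {"httpsOnly": False, "publicNetworkAccess": "Enabled",
                    "siteConfig": {"minTlsVersion": "1.0"}},
     "privateEndpointConnections": []},
    {"name": "sql-a", "type": "Microsoft.Sql/servers",
     "properties": {"publicNetworkAccess": "Disabled", "minimalTlsVersion": "1.2"},
     "privateEndpointConnections": ["pe-sql-a"]},
]


def tls_tuple(version) -> tuple:
    """'1.2' -> (1, 2); anything unparsable, including a missing value, sorts below the floor."""
    try:
        return tuple(int(part) for part in str(version).split("."))
    except ValueError:
        return (0,)


def check_resource(res: dict) -> List[str]:
    """Return the control violations for one resource record; an empty list means compliant.
    A missing property counts as non-compliant, the same stance a deny policy takes."""
    findings: List[str] = []
    props = res.get("properties", {})
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("public network access is not disabled")
    if not res.get("privateEndpointConnections"):
        findings.append("no private endpoint connection")
    if res["type"] == "Microsoft.Web/sites":
        if not props.get("httpsOnly", False):
            findings.append("HTTPS not enforced (httpsOnly is false)")
        tls = props.get("siteConfig", {}).get("minTlsVersion")
    else:
        tls = props.get("minimalTlsVersion")
    if tls_tuple(tls) < MIN_TLS:
        findings.append(f"minimum TLS version {tls!r} is below 1.2")
    return findings


def audit(inventory: List[dict]) -> Dict[str, List[str]]:
    """Map each resource name to its findings."""
    return {r["name"]: check_resource(r) for r in inventory}


def non_compliant(inventory: List[dict]) -> List[str]:
    """Names of resources with at least one finding, sorted for stable reporting."""
    return sorted(name for name, findings in audit(inventory).items() if findings)


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The check treats an absent property as a failure rather than a pass; that is the safer reading when the evidence a reviewer receives is an export rather than live access, because a missing field usually means the export did not capture the setting, not that the setting is secure.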
AI Module — TAILA
How TAILA Processes Data: A Four-Step Workflow
TAILA (Talentprint AI for Learning & Adapting) is an assistive AI module integrated via Peopletree's proprietary middleware. It does not create new data, make autonomous decisions, or retain any information at the AI layer. Each interaction is stateless and session-isolated. No employee data is used to train or improve OpenAI's base models.
1. Data Extraction: TalentPrint retrieves approved L&D data: strengths, development areas, learning focus, and role context. No demographic or sensitive data included.
2. Prompt Construction: Peopletree middleware converts data into predefined, secure prompt structures. Personal identifiers are replaced with masked placeholders before transmission.
3. AI Processing: Masked prompts transmitted via private endpoint to Azure OpenAI Service (Germany Central West). GPT model generates text responses. No PII in prompts.
4. Output Generation: Responses validated and rendered as narrative insights or coaching prompts within TalentPrint. Outputs are recommendations, not automated decisions.
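The four steps above, worked through as an added Python example. This is not Peopletree's middleware and is not code from the document; the field names, the `[PERSON_n]` placeholder format, the sample employee record, the canned model reply and the re-insertion of names at display time are all assumptions made for the illustration. It shows the two properties a reviewer would want to confirm: at step 2, that no identifier or demographic value survives into the prompt (including names that appear inside free-text fields such as role context), and at step 4, that model output is validated before it is rendered.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Field names are assumptions for this example; the document names the categories
# (strengths, development areas, learning focus, role context) but not a schema.
APPROVED_FIELDS = ("strengths", "development_areas", "learning_focus", "role_context")
# Identifier fields: replaced by masked placeholders; the mapping stays in the middleware.
IDENTIFIER_FIELDS = {"name": "PERSON", "manager_name": "PERSON",
                     "employee_id": "ID", "email": "EMAIL"}
# Demographic / sensitive fields: never passed to the AI layer at all.
EXCLUDED_FIELDS = ("gender", "date_of_birth", "nationality")

# Constructed sample record (invented, not real data).
SAMPLE_EMPLOYEE = {
    "employee_id": "E-10482",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "gender": "F",
    "date_of_birth": "1988-04-12",
    "manager_name": "John Smith",
    "role_context": "Team lead, Finance; reports to John Smith; manages 6 people",
    "strengths": ["structured thinking", "coaching"],
    "development_areas": ["delegation"],
    "learning_focus": "delegating operational tasks",
}


@dataclass
class PromptPackage:
    prompt: str                      # what is transmitted to the model
    placeholder_map: Dict[str, str]  # placeholder -> original; never leaves the middleware


def extract_approved(record: dict) -> dict:
    """Step 1: keep only the approved L&D fields. Everything else, including the
    excluded demographic fields, is dropped here and never reaches prompt construction."""
    return {k: record[k] for k in APPROVED_FIELDS if k in record}


def build_placeholder_map(record: dict) -> Dict[str, str]:
    """Assign a masked placeholder such as [PERSON_1] to each identifier value present."""
    counters: Dict[str, int] = {}
    mapping: Dict[str, str] = {}
    for field_name, kind in IDENTIFIER_FIELDS.items():
        value = record.get(field_name)
        if value:
            counters[kind] = counters.get(kind, 0) + 1
            mapping[f"[{kind}_{counters[kind]}]"] = str(value)
    return mapping


def mask(text: str, mapping: Dict[str, str]) -> str:
    """Replace identifier values that occur inside free text (e.g. a manager's name in role
    context). Longest values first so a shorter identifier cannot pre-empt a longer one."""
    for placeholder, original in sorted(mapping.items(), key=lambda kv: -len(kv[1])):
        text = re.sub(re.escape(original), placeholder, text, flags=re.IGNORECASE)
    return text


def build_prompt(record: dict) -> PromptPackage:
    """Step 2: predefined prompt structure, populated only with masked, approved data."""
    approved = extract_approved(record)
    mapping = build_placeholder_map(record)
    subject = next((p for p, v in mapping.items() if v == record.get("name")), "[PERSON]")
    def fmt(v): return ", ".join(v) if isinstance(v, list) else str(v)
    body = "\n".join(f"{k}: {mask(fmt(v), mapping)}" for k, v in approved.items())
    prompt = (f"You are a development coach. Write a short learning recommendation for {subject}.\n"
              f"{body}\nRespond with two concrete actions and do not invent facts about the person.")
    return PromptPackage(prompt=prompt, placeholder_map=mapping)


def leaked_values(text: str, record: dict) -> List[str]:
    """Validation: identifier or excluded-field values that appear verbatim in `text`.
    Single-character codes (a gender code, say) cannot be found by substring search; for
    those the protection is that step 1 never copies the field in the first place."""
    fields = list(IDENTIFIER_FIELDS) + list(EXCLUDED_FIELDS)
    values = [str(record[f]) for f in fields if record.get(f)]
    return [v for v in values if len(v) > 1 and v.lower() in text.lower()]


def send_to_model(prompt: str) -> str:
    """Step 3 stand-in: the real call goes to Azure OpenAI over the private endpoint.
    A canned reply is returned here so the example runs offline."""
    return ("[PERSON_1] should hand one recurring operational task to a team member this "
            "month and review it in the weekly 1:1.")


def render_output(response: str, pkg: PromptPackage, record: dict) -> str:
    """Step 4: validate the response, then re-insert real names for display inside
    TalentPrint (re-insertion on the middleware side is an assumption of this example)."""
    if leaked_values(response, record):
        raise ValueError("model output contains raw identifiers; refusing to render")
    unknown = set(re.findall(r"\[[A-Z]+_\d+\]", response)) - set(pkg.placeholder_map)
    if unknown:
        raise ValueError(f"model output contains unknown placeholders: {sorted(unknown)}")
    for placeholder, original in pkg.placeholder_map.items():
        response = response.replace(placeholder, original)
    return response


if __name__ == "__main__":
    package = build_prompt(SAMPLE_EMPLOYEE)
    print(package.prompt)
    print(render_output(send_to_model(package.prompt), package, SAMPLE_EMPLOYEE))
```

The point of keeping `placeholder_map` on the middleware side is that the model only ever sees `[PERSON_1]`; the same check that rejects a raw name in the output also rejects a placeholder the middleware never issued, which is how a reviewer can tell that step 4 is an actual validation step and not just a pass-through.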
| AI Governance Requirement | Status | Detail |
| --- | --- | --- |
| Model training on client data | ✓ Not applicable | No fine-tuning or model retraining occurs. Client data is never used to improve base models. |
| Data retention at AI layer | ✓ Zero retention | Data processed transiently. Not retained by Azure OpenAI or Microsoft. |
| Session isolation | ✓ Stateless | Each interaction is stateless and session-isolated. No cross-user data exposure. |
| PII in AI prompts | ✓ Pseudonymized | All personal identifiers masked before prompt construction. No PII transmitted to AI layer. |
| Autonomous decision-making | ✓ Human-in-the-loop | TAILA outputs are recommendations only. Final interpretation remains with employees and managers. |
| AI hosting environment | ✓ GDPR compliant | Azure OpenAI hosted in Germany Central West; GDPR-compliant environment; private endpoint only. |
Compliance & Certifications
Standards, Frameworks & Audit Controls
Data Protection
GDPR
Full EU data residency (Germany Central West). Client organisation retains Data Controller status. Peopletree acts as Data Processor under MSA/SLA. Data Processing Agreements available upon request.
Security Audit
SOC 2 Type II
Peopletree Group is SOC 2 Type II certified. The audit covers the Security, Availability, and Confidentiality trust service criteria — providing independent, third-party assurance that controls are not only designed correctly but operating effectively over time. Certification reports are available to qualified prospects under NDA upon request.
Storage Standard
FIPS 140-2
Zone Redundant Storage and Blob Storage comply with FIPS 140-2. 256-bit AES encryption applied. CDN repository for static assets also covered under the same standard.
Data Governance
Roles, Responsibilities & Data Ownership
| Role | Party | Responsibilities |
| --- | --- | --- |
| Data Controller | Client Organisation | Owns all employee data. Defines privacy and usage policies. Governs data access and consent. All rights and obligations documented in MSA/SLA with Peopletree Group. |
| Data Processor | Peopletree Group | Processes data strictly in accordance with client instructions and MSA/SLA. Oversees secure processing, compliance, and governance. Maintains SOC 2 Type II controls and GDPR obligations. |
| Model Provider | OpenAI / Microsoft Azure | Hosts and operates the AI model within Azure's GDPR-compliant environment (Germany Central West). Bound by Microsoft's enterprise data protection commitments. No data retained or used for model training. |
Responsible AI
Seven Governing Principles
TAILA is built on Peopletree Group's Responsible AI framework — seven principles that govern every aspect of how AI is designed, deployed, and monitored within the platform.
01. Strengthen Human Trust: AI is designed to improve the quality of human relationships and help people trust each other's intentions and decisions.
02. Challenge Bias: Data and evidence are used to identify, minimise, and counteract cognitive bias in talent decision-making.
03. Elevate Talent Value: AI highlights and grows the unique value each person brings, ensuring talent is recognised, developed, and leveraged.
04. Contextual Intelligence: Research-based models are combined with organisational data and business context to deliver actionable, tailored recommendations.
05. Promote Cultural Integrity: AI makes it easier for people to act in ways that strengthen company culture, and harder to act in ways that harm it.
06. Be Transparent: Clear reasoning is provided behind all AI recommendations, so people understand why a suggestion is made.
07. All people data is safeguarded, ensuring it is used ethically, securely, and in alignment with applicable privacy regulations and the client organisation's data governance policies.
Human Oversight: TAILA operates under a human-in-the-loop model. Outputs are recommendations, not decisions. Final interpretation remains with employees and managers. Regular audits ensure fairness, accuracy, and ethical compliance.
Integration & IT Requirements
What IT Needs to Know About Deployment
What the Client IT Team Provides
- SSO Configuration: ADFS / SAML / OIDC federation details for Auth0 integration
- HR Data Feed: Structured employee data export (CSV/SFTP or API) for initial load and periodic sync
- Network Allowlisting: Outbound HTTPS (443) to Peopletree platform endpoints (provided during onboarding)
- Email Domain: SPF/DKIM records for transactional email delivery via SendGrid
What Peopletree Manages
- Infrastructure: All Azure hosting, patching, scaling, and availability management
- Security Operations: Monitoring, threat detection, credential rotation, and incident response
- AI Governance: Prompt engineering, pseudonymization, output validation, and model oversight
- Compliance: SOC 2 Type II controls, GDPR obligations, and audit readiness
- Backups & DR: Zone Redundant Storage; backup and recovery managed by Peopletree