API Security & Use Policy

API Security Policy and API Use Policy
The API Security Policy and API Use Policy apply in addition to the terms and conditions set out in the Marketplace Terms of Service Agreement concluded between the Partner and Personio.

If the Partner has not yet entered into a Marketplace Terms of Service Agreement, e.g. because the Partner uses the API for testing and evaluation purposes only, the Partner shall nevertheless comply with sections 4.1, 4.2, 4.4, 6.4, 7 and 9 of the Marketplace Terms of Service Agreement accordingly.

A) API Security Policy

  • You will maintain the security of the Personio API and will not make available to a third party, any token, key, password or other login credentials to the Personio API.
  • You will use industry standard security measures to prevent unauthorized access or use of any of the features and functionality of the Personio API, including access by viruses, worms, or any other harmful code or material.
  • Additionally, you will keep content accessed via the Personio API (including, where applicable, personal data) confidential and secure from unauthorized access by using industry-standard organizational and technical safeguards for such data, and with no less care than you use in securing similar data that you store yourself.
  • You must instruct customers of your Integration to create a dedicated API credential for this Integration (e.g. one API key per integration activated) with only the permissions needed for its use. When customers enter these credentials while configuring the integration in a UI, the input form must mask them.
  • The API credentials have to be encrypted both in transit (TLS) and at rest (e.g. using AES-256 when stored on disk).
  • API credentials must not be stored in the browser (including in local storage without encryption).
  • When you use the API for testing and evaluation purposes, you must use anonymous testing data (i.e. no personal data, no production data).
  • If you become aware of a security vulnerability of the API, you will keep it strictly confidential and inform Personio immediately.

B) API Use Policy

  • You will not attempt to exceed or circumvent limitations on access, calls and use of the Personio API ("Rate Limits"), or otherwise use the Personio API in a manner that exceeds reasonable request volume, constitutes excessive or abusive usage, or otherwise fails to comply or is inconsistent with any part of the Marketplace Terms of Service Agreement. In particular, you will not conduct denial-of-service attack tests or tests to measure the performance limits of the Personio API.
  • You will not impersonate any other person or falsely state or imply that you are associated with another person or entity.
  • You will not populate through the API content that would be considered inappropriate (e.g. harassing, defamatory, abusive, lewd, pornographic, obscene or otherwise objectionable) or entries that interfere with the operation of the API or its purpose as described in the API documentation.