Bel ons op +31 88 23 02 300



Raet’s entire package of services provides the safest possible service by taking responsibility for protecting your systems and data. The approach we take is recorded in the Raet Information Security Policy. Our information security policy was drawn up in accordance with international standard ISO27001.

Youforce and protection

Youforce gives you the option of tailoring many security measures to your own security policy:

  • Unique user names, enabling relevant activities in Youforce to be traced back directly to a specific person.
  • Restriction on the number of faulty login attempts.
  • Extensive password configuration.
  • Possibilities for multi-factor authentication.
  • Passwords are always stored encrypted.

When developing and managing our software we always use best practices, such as:

ISO27001/ ISO27002: the ISO standard for information security systems.

COBIT: Control Objectives for Information and Related Technology is a framework for the structured design and assessment of IT control environments.

Documentation from the Dutch National Cyber Security Centre: ICT security guidelines for web applications.

OWASP top 10: The ten main security risks for web applications compiled by the Open Web Application Security Project (OWASP).

Microsoft SDL and the CWE/SANS Top 25: Microsoft’s list of the 25 most dangerous programming errors and vulnerabilities encountered in software development.

Access to Youforce

You can only access your data by entering a valid user name and password. At your request, we can also support multi-factor authentication. An SSL/TLS encrypted connection is used to protect your data during transport. 

After logging on, you obtain access to the Youforce functionality for which you have been authorized. This means that different rights may be assigned to managers, employees, HR staff or administrators.

As an additional security measure, financial and medical transactions, and transactions by professional users, are only allowed subject to logging on using an electronic user certificate (2-factor authentication). 

Security monitoring 

The safety of your data is monitored 24/7. We work with specialists in the market to ensure this and we rely on our intrusion detection systems.

In order to be able to retrospectively trace what has happened to your information, we ensure that:

  • access to systems, system usage and system errors are recorded. We always log the user name, date and time for all events as well as the actual event. These log details can only be accessed for forensic research.
  • logged data is stored for 90 days.
  • logging has been set up such that logged data cannot be removed or changed.
  • any changes to Youforce’s systems and components (incl. firewalls, routers, network switches) are also logged.

Managing security incidents

We ensure strict compliance with our security measures. Any deviations from these measures are detected, studied and classified. We record any infringements of security measures and additional security measures are introduced on the basis of incidents and their records.


Certification and testing

The quality, safety and privacy of our software and services are demonstrated by different audits and certifications.

ISO27001 and ISO9001 certificates

Raet has acquired certification for its Information Security Management System (ISMS) and quality management system in accordance with the international ISO27001 and ISO9001 standards for "Developing, delivering, implementing products and SaaS service provision for e-HRM, Payroll and Outgoing Cash Flows processing, HR and Payroll Accounting and BPO Services”.

Download the ISO27001:2013 certificate

Download the ISO9001:2015 certificate

ISAE3402 type II report

Raet has an ISAE3402 type II assurance report from an independent auditor for “The operation of Raet control measures regarding HR, Payroll, Pension Payments and BPO Services”. This report is available to our customers, subject to a confidentiality statement. Send an e-mail to if you want to receive the report.

Penetration test

We test the Youforce infrastructure and software at least once a year for vulnerabilities and whenever any major functional or technical changes have been made. We do not only do these tests ourselves, but have them conducted also by a qualified external organization. Their findings are then classified and resolved. Furthermore, we conduct an internal penetration test for every new release, based on a test approach that is reviewed on a monthly basis.


In order to prevent failures on technical grounds, we supply our services from duplicated environments in two locations that are impervious to failures. If a component fails, tasks are taken over automatically.

If an emergency occurs, Raet can immediately modify its production environment in Apeldoorn and switch to its environment in Aalsmeer. This is the reason why the production environment in Apeldoorn is technically identical to the infrastructure at the backup center in Aalsmeer. Any data that is changed is also updated in the backup environment within a matter of seconds.

To safeguard historic data, daily, weekly and monthly backups of the systems and the data are made.

To safeguard historic data, daily, weekly and monthly backups of the systems and the data are made. These backups are kept apart from the production and stored at our location in Almere. The backup logs are checked and any problems are corrected. This backup facility serves to enable systems recovery in the event of an emergency; its purpose is not to archive individual customers' data.

Disaster recovery plan

Our continuity planning is aimed at making sure that all our activities, the SaaS environment of Youforce and the outsourcing service provision as well as the support from the Service Desk, can take place without interruption. Furthermore, we use business-recovery plans in order to be able to guarantee our own business operations in the event of an emergency. We test the technical aspects of a backup operation at least once a year and the organizational aspects once every two years.

In the event of major technical emergencies, the maximum switch over time is 48 hours and the maximum data loss is 24 hours. 


We have also made agreements with our suppliers about the continuity of their services. We carry out backup tests at least once a year at all suppliers that are part of our production process.

You are 'in control' when Raet is 'in control' 

This document shows you how Raet achieves this in practice.

Download Raet in Control