Security

Bank-grade security by default

Payroll data is the most sensitive information in your business. We protect it with layered isolation, encryption, access controls, and immutable audit trails.

AES-256 Encrypted · RLS Isolated · MFA Protected · SOC 2 Ready · GDPR Aligned

Six layers of protection

Defense in depth — from database isolation to application-level controls.

Tenant Isolation

Row-level security at the database level. Every company's data is isolated — no cross-tenant leakage is possible, verified by automated audit.

Encryption Everywhere

AES-256 field-level encryption for sensitive data (salaries, bank details, tax numbers). TLS 1.3 in transit. Encrypted TOTP secrets.

Role-Based Access

Five role tiers (admin, HR, payroll, manager, employee) with granular permissions. Self-service scoping prevents data overexposure.

Audit Trail

Immutable, field-level audit logs on every model. Payslip audit trail, login audit, security event logging — all retained for compliance.

MFA & Authentication

Multi-factor authentication via TOTP and email OTP. Rate-limited login with brute-force protection. Session management with concurrent session limits.

Controlled Support

Platform support access is time-limited (60-min JIT), reason-based, ticket-tracked, and visible to tenant users via banner notification.

Security controls in production

Every control below is implemented, tested, and active in production today.

Multi-factor authentication (TOTP + email OTP) for privileged roles
Four-step segregation of duties: process → approve → finalize → reverse
Row-Level Security (RLS) policies on 80+ tenant-scoped database tables
AES-256 encryption at rest for salaries, bank accounts, and tax IDs
Rate-limited authentication with Axes brute-force protection
Tenant-scoped API access with JWT authentication
HMAC-SHA256 signed webhook delivery with retry and audit
Concurrent session limiting (max 2 per user)
Immutable audit logs on payroll lifecycle, employee changes, and security events
Soft-delete with retention policy enforcement and legal hold support
CSP headers, HSTS, secure cookies, X-Frame-Options DENY
IP-based rate limiting on API, login, and password reset endpoints

Payroll Governance

Four-step segregation of duties

Different users must process, approve, finalize, and reverse payroll runs. No single person can move money without independent oversight. Every transition is logged with actor, timestamp, and reason.

Process · Approve · Finalize · Audit

Support Access

Just-in-time tenant access

Platform support engineers can never silently access your data. Tenant access requires a support ticket, explicit reason, and time-limited session (60 minutes). You see a banner when support is active.

60-minute TTL · Ticket required · Reason logged · Tenant-visible banner

Questions about security?

Talk to our team about tenant isolation, encryption, audit trails, and compliance readiness for your specific requirements.

Free tier · No credit card · Cancel anytime
