Security | greytHR

Introduction

At Greytip, security and privacy are foundational to every decision we make. We operate in a highly sensitive HR/Payroll domain, and we take this responsibility seriously. Our security program is built on globally recognized standards — including ISO 27001, SOC 2, GDPR, NIST, and Zero Trust principles — to ensure the confidentiality, integrity, and availability of your data.

Security Principles & Program Overview

Our security strategy is built on six core principles:

Principle                 Description
Zero Trust                Verify every identity, device, and action
Defence in Depth          Multiple layers of controls and monitoring
Privacy by Design         Data minimization and GDPR-aligned handling
Shared Responsibility     Clear roles for us and our customers
Continuous Monitoring     24/7 visibility of platform activity
Continuous Improvement    Regular testing, reviews, and training

Governance foundations include:

  • Documented policies & ISMS (ISO-aligned)
  • Risk assessment & control framework
  • Dedicated Security & Privacy leadership
  • Third-party oversight and vendor risk management

Platform Architecture & Infrastructure Security

We host our platform on secure, industry-leading cloud providers (AWS/GCP), benefiting from robust physical and environmental controls. Key infrastructure protections:

  • Network segmentation & private VPCs
  • WAF and DDoS protection
  • Hardened OS and secure baseline configurations
  • Regular vulnerability scanning & patch management
  • Encrypted backups and tested recovery procedures
  • Least-privilege IAM roles across cloud resources

Our architecture follows best practices for availability, scalability, and isolation, ensuring tenant and data protection at every layer.

Identity, Authentication & Access Control

We enforce strict identity security, applying the Zero Trust model:

  • Single Sign-On (SSO) & Multi-Factor Authentication (MFA)
  • Mandatory least-privilege and role-based access (RBAC)
  • Just-in-Time privileged access (no standing admin rights)
  • Provisioning/de-provisioning automation (SCIM)
  • Session controls and secure password policies

All access to production systems is logged, monitored, and continuously reviewed.

Data Protection & Privacy

Protecting personal and payroll data is central to our security mission.

Principle                Implementation
Encryption in transit    TLS 1.2+
Encryption at rest       AES-256
Key management           Cloud KMS
Data minimization        GDPR-aligned
Data retention           Defined lifecycle + deletion workflows
Pseudonymization         Used in lower environments

We comply with GDPR data rights, including access, correction, deletion, portability, and objection. We do not sell or share data for marketing purposes.

Secure Development & Application Security

Our Secure SDLC ensures security is embedded throughout product development.

  • Static analysis (SAST) and dependency scanning (SCA)
  • Secrets scanning & secure secret storage
  • Dynamic testing (DAST) for runtime issues
  • Penetration testing by an independent third party at least annually
  • Threat modeling for high-risk features
  • Secure coding training for engineers

All code changes require peer review and must pass CI/CD security gates before reaching production.

Monitoring, Detection & Incident Response

Our internal Security Operations Center (SOC) provides proactive threat detection.

  • 24/7 log monitoring through SIEM
  • Anomaly and abuse alerting with defined escalation paths
  • Documented Incident Response Plan (IRP)
  • Root cause analysis and post-incident reviews
  • SOAR automation for rapid containment

We commit to timely customer communication for security incidents, per contractual and regulatory requirements.

Business Continuity & Disaster Recovery

Resilience is engineered into our platform.

Component     Approach
Backups       Automated, encrypted, tested
DR testing    Annual minimum
RTO/RPO       Enterprise-grade objectives
Redundancy    Cloud multi-AZ architecture

Payroll availability is mission-critical — our DR strategy reflects that.

Compliance & Certifications

We align to and/or maintain:

  • SOC 2
  • ISO 27001
  • GDPR Ready
  • Data Processing Agreements (DPA)
  • NIST-aligned policies for control design

Audit artifacts are available to customers under NDA.

Shared Responsibility Model

Security is a partnership. We secure the platform and infrastructure — customers secure their access, configurations, and internal user practices.

Security FAQs (Procurement-Focused)

1. Do you encrypt data?
Yes — AES-256 at rest, TLS 1.2+ in transit.

2. Do you perform pen tests?
Yes — annually by independent testers.

3. Do you support SSO & MFA?
Yes — both are supported and recommended.

4. Can we sign a DPA?
Yes — upon request.

5. Do you have incident response plans?
Yes — documented, tested, and SOC-monitored.

6. Do you store audit logs?
Yes — centrally stored, monitored, and retained.

Grape Garden, #29 & 30, 17th Main, 6th Block, Koramangala, Bengaluru - 560095
© 2026 Greytip Software Pvt. Ltd.