Security Policy
Last updated: 12 May 2026 · Version 1.0
1. Hosting and isolation
Production runs on Railway managed services in an EU-West region with a managed PostgreSQL primary. Cloudflare sits in front of all traffic providing DDoS protection, WAF, and TLS termination. The application is multi-tenant with logical (row-level) isolation: every per-tenant record carries a companyId and is gated by CompanyAccessGuard on the API. Cross-tenant reads by the Platform Administrator require an active DataAccessConsent grant from the tenant unless the subscription is MANAGED.
2. Encryption
- In transit: TLS 1.2+ enforced end-to-end. HSTS preload-eligible.
- At rest: AES-256 for the managed Postgres volume and for Cloudflare R2 object storage.
- Secrets: JWT signing keys, Razorpay keys, and storage credentials are stored as Railway environment variables; never committed to git.
- Passwords: bcrypt with cost factor 12. Plain-text passwords are never logged or persisted.
3. Access control
- JWT-based session with 15-minute access tokens and 30-day refresh tokens; refresh rotation on every use.
- Role-based access (HR_ADMIN, PAYROLL_ADMIN, BOARD_MEMBER, MANAGER, EMPLOYEE) with 27 fine-grained permission keys and per-role overrides.
- Platform-owner reads of tenant data are logged in DataAccessLog.
- Production database access is restricted to two named operators with hardware-key MFA on Railway.
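The tenant-isolation and cross-tenant-read rules from sections 1 and 3, modelled as a framework-free decision function. This is an added illustration, not the project's own CompanyAccessGuard; the STANDARD plan name, the PLATFORM_ADMIN role label and all type names are assumptions.

```typescript
// Illustrative model of the companyId gate, the DataAccessConsent exception
// and the DataAccessLog write. Hypothetical names; not the project's code.
type Subscription = "STANDARD" | "MANAGED"; // STANDARD is assumed; MANAGED is from the policy
type Role =
  | "HR_ADMIN" | "PAYROLL_ADMIN" | "BOARD_MEMBER" | "MANAGER" | "EMPLOYEE"
  | "PLATFORM_ADMIN"; // assumed label for the policy's "Platform Administrator"

interface Principal { userId: string; companyId: string | null; role: Role; }
interface Tenant {
  companyId: string;
  subscription: Subscription;
  consentExpiresAt?: Date; // undefined = no DataAccessConsent grant on file
}
interface DataAccessLogRow {
  at: Date; actorId: string; companyId: string; basis: "consent" | "managed";
}

// Stand-in for the DataAccessLog table (constructed, in-memory).
const dataAccessLog: DataAccessLogRow[] = [];
function getDataAccessLog(): readonly DataAccessLogRow[] { return dataAccessLog; }

function consentActive(t: Tenant, now: Date): boolean {
  return t.consentExpiresAt !== undefined && t.consentExpiresAt.getTime() > now.getTime();
}

// Returns true only if the principal may read records carrying t.companyId.
function canReadTenant(p: Principal, t: Tenant, now: Date = new Date()): boolean {
  // Ordinary tenant users: the row-level gate, same companyId only.
  if (p.role !== "PLATFORM_ADMIN") return p.companyId === t.companyId;

  // Platform administrator: MANAGED subscriptions need no grant; everyone
  // else needs an active DataAccessConsent. Every permitted read is logged.
  const basis = t.subscription === "MANAGED"
    ? "managed"
    : consentActive(t, now) ? "consent" : null;
  if (basis === null) return false;
  dataAccessLog.push({ at: now, actorId: p.userId, companyId: t.companyId, basis });
  return true;
}
```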
4. Audit logging
Sensitive write operations — login, password change, role grant, permission override, payslip finalize, data-access grant — emit immutable rows to AuditLog. Audit logs are retained for 7 years to satisfy Indian tax and EU GDPR record-keeping obligations.
5. Vulnerability disclosure
If you believe you have found a security vulnerability, please email security@staffixhr.com with a description, reproduction steps, and any proof-of-concept artefacts. Do not file a public GitHub issue. We commit to:
- Acknowledging receipt within 2 working days.
- Triage and severity assessment within 5 working days.
- Remediation timelines: Critical ≤ 7 days · High ≤ 14 days · Medium ≤ 30 days · Low ≤ 90 days.
- Public credit (with your consent) once the issue is fixed.
We do not currently run a paid bug-bounty programme but offer goodwill rewards (₹ amounts at our discretion) for confirmed High / Critical reports.
6. Incident response
On confirmation of a security incident affecting tenant data, we will notify the affected tenant's primary HR_ADMIN within 72 hours (GDPR Art. 33 alignment), describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
7. Sub-processors
See our Data Processing Addendum, Annex C, for the current list of sub-processors.
8. Penetration testing & compliance
We engage an external CERT-In-empanelled testing firm for an annual penetration test (next scheduled: Q4 2026). SOC 2 Type II and ISO 27001 certification are planned for 2027; the underlying control framework is being built out today.
9. Backups & business continuity
- Managed Postgres: continuous WAL archiving + daily snapshots, 30-day retention.
- Object storage (Cloudflare R2): cross-region replication; versioning enabled.
- RTO target: 4 hours · RPO target: 15 minutes.