SECURITY

How we protect your HR & payroll data

Payroll, salary, and employee data are some of the most sensitive things a company keeps. Here's a plain-English account of how TracefyHR handles yours — and the things we deliberately don't do.

TLS 1.3 in transit
Stripe PCI-DSS Level 1
Multi-tenant isolation
Daily backups

HOW WE PROTECT YOUR DATA

The six layers

Encryption in transit & at rest

All traffic is forced over TLS 1.3. Your database is encrypted at rest by our managed Postgres provider.

Card data never touches us

Stripe (PCI-DSS Level 1) handles every payment. We store a customer ID — never a card number, CVC, or expiry.

Authentication built on JWT

Sessions use signed JWTs scoped to your company. Role-based access controls separate Manager, HR, and Employee actions.

Strict multi-tenant isolation

Every database query is scoped by companyId at the ORM layer. There is no path for one tenant to read another tenant's records.
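How the two rules above (a signed session token bound to one company, and companyId merged into every query at the ORM layer) fit together in code, as an added example that is not TracefyHR's own implementation: an HS256-signed token carrying a companyId and role is verified with the algorithm pinned server-side, role checks gate actions, and an in-memory table standing in for the ORM merges the verified companyId into every filter and refuses any attempt to widen it. The claim names, role list, action names, HS256 choice, table and sample rows are all assumptions for illustration; a production service would use a maintained JWT library and its real ORM, but the checks shown are the ones that matter.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Claim layout, role names and the HS256 signing scheme are assumptions
// for illustration; TracefyHR's real token format is not published.
const ROLES = ["Manager", "HR", "Employee"] as const;
export type Role = (typeof ROLES)[number];
export interface SessionClaims {
  sub: string;       // user id
  companyId: string; // tenant the session is bound to
  role: Role;
  exp: number;       // expiry, unix seconds
}

const encode = (obj: object): string =>
  Buffer.from(JSON.stringify(obj)).toString("base64url");

export function signSession(claims: SessionClaims, secret: string): string {
  const head = encode({ alg: "HS256", typ: "JWT" });
  const body = encode(claims);
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${sig.toString("base64url")}`;
}

function decodeJson(segment: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return v !== null && typeof v === "object" ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

function isRole(v: unknown): v is Role {
  return typeof v === "string" && (ROLES as readonly string[]).includes(v);
}

// Returns the claims only if signature, algorithm, expiry and tenant binding
// all check out; anything else is rejected rather than "repaired".
export function verifySession(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;

  // Pin the algorithm server-side; never let the token's header choose it
  // (this is what defeats alg=none and HMAC/RSA key-confusion tokens).
  const hdr = decodeJson(head);
  if (!hdr || hdr.alg !== "HS256") return null;

  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  const claims = decodeJson(body);
  if (!claims) return null;
  const { sub, companyId, role, exp } = claims;
  if (typeof sub !== "string" || typeof companyId !== "string" || companyId === "") return null;
  if (!isRole(role)) return null;
  if (typeof exp !== "number" || exp <= now) return null;
  return { sub, companyId, role, exp };
}

// Action -> roles allowed to perform it (hypothetical action names).
const PERMISSIONS: Record<string, readonly Role[]> = {
  "payroll:run": ["Manager"],
  "employee:update": ["Manager", "HR"],
  "payslip:read-own": ["Manager", "HR", "Employee"],
};

export function can(claims: SessionClaims, action: string): boolean {
  const allowed: readonly Role[] = PERMISSIONS[action] ?? [];
  return allowed.includes(claims.role);
}

// In-memory table standing in for the ORM; rows are constructed sample data.
export type EmployeeRow = { id: string; companyId: string; name: string; salary: number };
export const ROWS: EmployeeRow[] = [
  { id: "e1", companyId: "acme", name: "Ada", salary: 90000 },
  { id: "e2", companyId: "acme", name: "Grace", salary: 85000 },
  { id: "e3", companyId: "globex", name: "Linus", salary: 70000 },
];

// The ORM-layer rule: companyId always comes from the verified session, is
// merged into every filter, and a caller-supplied value can never widen it.
export function scopedFind(claims: SessionClaims, where: Partial<EmployeeRow> = {}): EmployeeRow[] {
  if (where.companyId !== undefined && where.companyId !== claims.companyId) {
    throw new Error("cross-tenant filter rejected");
  }
  const filter: Partial<EmployeeRow> = { ...where, companyId: claims.companyId };
  const keys = Object.keys(filter) as (keyof EmployeeRow)[];
  return ROWS.filter((r) => keys.every((k) => filter[k] === undefined || r[k] === filter[k]));
}
```

The two checks a customer can run against any multi-tenant system follow from this: a token re-signed with a different key, an expired token, or a header that says alg=none must be refused outright, and a request for another tenant's record id made with your own token must come back empty rather than leak the row.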

Daily backups

Your database is backed up automatically every 24 hours. Point-in-time recovery is available on Enterprise.

GDPR data export & deletion

You can export your full dataset or request permanent deletion at any time. Get in touch via our contact page — we respond within 30 days.

WHAT WE DON'T DO

Honest about our limits

The HR software market is full of vague trust language. We'd rather be specific about what we don't do:

  • We do not claim SOC 2 Type II — we haven't earned it yet.
  • We do not store raw card numbers, CVCs, or expiry dates. That all lives with Stripe.
  • We do not sell, share, or train models on your employee or payroll data.
  • We do not have a public uptime page yet. We're working on it.

COMPLIANCE

Where we are, and where we're going

TracefyHR is built by a small, focused team. We don't have a SOC 2 Type II report yet — and we won't claim one we haven't earned. Here's our honest status:

Today

  • GDPR-aligned data handling, export, and deletion
  • Stripe PCI-DSS Level 1 for all card processing
  • Daily backups of customer databases
  • Encryption in transit (TLS 1.3) and at rest

On the roadmap

  • SOC 2 Type II readiness program
  • Public status page
  • SSO & SCIM for Enterprise

Available on request

  • Data Processing Agreement (DPA)
  • Sub-processor list
  • Security questionnaire

RESPONSIBLE DISCLOSURE

Found something? Tell us.

If you believe you've found a security issue in TracefyHR, please report it privately before disclosing publicly. We commit to a 90-day coordinated disclosure window and will credit you in our release notes if you'd like.

How to report

Use our contact form with the subject line “Security report” and we'll route it to the right person within one business day. PGP key available on request.

Uptime

We monitor uptime continuously and aim to post any customer-facing incident within one hour of detection. A public status page is on the roadmap.

Ready to transform your HR?

Set up your company, invite your team, and see if TracefyHR fits. Free for 30 days — no charge until day 30, cancel any time.