How we keep each tenant's data isolated.
We don't yet hold SOC 2 or ISO 27001 — we'll say so plainly. What we do hold is strict multi-tenant isolation at the ORM layer, role-based access enforced on every API, and an audit log on every administrative change. Here's the detail.
Tenant isolation
Every entity carries a tenant ID. Cross-tenant access via the ORM is impossible.
Row-level isolation at the ORM
Hibernate injects a `WHERE tenant_id = current` clause on every JPA query automatically. Application code cannot accidentally cross tenants.
Unfiltered queries are explicit
The only way to query across tenants is to mark a native query as unfiltered. Those are platform-level only, and the surface is intentionally tiny.
Self-scope enforcement
Employees can only access their own data through `/mine`, `/me`, and `/balances` endpoints. Manager-and-above access is gated server-side, not by hiding UI.
Per-tenant cache
RBAC lookups are cached in a tenant-scoped Redis namespace and invalidated immediately on any role edit.
Access & identity
Eight standard roles per tenant, plus custom roles. Strict authorisation on every API.
Eight standard roles
TENANT_ADMIN, HR_MANAGER, ASSISTANT_HR, HR_EXECUTIVE, PAYROLL_ADMIN, HR_ADMIN, MANAGER, EMPLOYEE — seeded per tenant. SUPER_ADMIN exists at the platform level.
Custom roles, granular permissions
Tenant admins can define custom roles. Permission codes follow `{resource}.{action}` and are enforced via `@PreAuthorize` on every controller method.
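An added illustration of the two mechanisms described above (the Hibernate tenant filter and `@PreAuthorize` with a `{resource}.{action}` permission code); this is not the product's own code. It assumes Spring Boot 3 with Hibernate 6, an `Employee` entity, a JWT carrying a numeric `tenant_id` claim, and a permission code `employee.read`:

```java
// Added illustration, not the product's code. Assumes Spring Boot 3 + Hibernate 6, an Employee
// entity, a JWT with a numeric "tenant_id" claim, and a permission code "employee.read".
import java.util.List;
import jakarta.persistence.*;
import org.hibernate.Session;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;

@Entity
@FilterDef(name = "tenantFilter", parameters = @ParamDef(name = "tenantId", type = Long.class))
@Filter(name = "tenantFilter", condition = "tenant_id = :tenantId")
public class Employee {
    @Id private Long id;
    @Column(name = "tenant_id", nullable = false, updatable = false) Long tenantId;
}

@Service
class EmployeeService {
    @PersistenceContext private EntityManager em;

    // With the filter enabled on the session, Hibernate appends "where tenant_id = ?" to every
    // JPQL/criteria query and collection load issued inside this transaction.
    @Transactional(readOnly = true)
    public List<Employee> listForTenant(Long tenantId) {
        em.unwrap(Session.class).enableFilter("tenantFilter").setParameter("tenantId", tenantId);
        return em.createQuery("select e from Employee e", Employee.class).getResultList();
    }

    // Caveat: Hibernate does not apply @Filter to direct loads by primary key (em.find), so the
    // by-id path checks the tenant itself and answers "not found" for another tenant's row.
    @Transactional(readOnly = true)
    public Employee getForTenant(Long tenantId, Long id) {
        Employee e = em.find(Employee.class, id);
        if (e == null || !tenantId.equals(e.tenantId)) throw new EntityNotFoundException();
        return e;
    }
}

@RestController
class EmployeeController {
    private final EmployeeService service;
    EmployeeController(EmployeeService service) { this.service = service; }
    @PreAuthorize("hasAuthority('employee.read')") // permission code in {resource}.{action} form
    @GetMapping("/employees")
    List<Employee> list(@AuthenticationPrincipal Jwt jwt) {
        return service.listForTenant(Long.valueOf(jwt.getClaimAsString("tenant_id")));
    }
}
```

Hibernate filters cover queries and collection loads but not direct loads by primary key, which is why the by-id path verifies the tenant explicitly instead of relying on the filter alone.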
JWT authentication
Stateless JWT auth across the API. Tenants may restrict user creation to a configured email domain; mismatches are blocked at create time.
API keys per tenant
Scoped programmatic access for tenant admins. Each key can be revoked or rotated from tenant settings.
Audit
An audit log on every administrative mutation. Role changes record before-and-after permission diffs.
Tenant-wide activity feed
Administrative actions write to an immutable, tenant-scoped audit log.
Role-change diffs
Every change to a role captures the before and after permission sets, so an external reviewer can see exactly what was added or removed and when.
Lifecycle event snapshots
HIRE, TRANSFER, PROMOTE, SEPARATE, and CONFIRM each write a LifecycleEvent record with the before-and-after state of the employee.
Data protection
Encryption in transit and at rest, on managed Azure infrastructure.
In transit
TLS for all client and service-to-service traffic.
At rest
Postgres and Azure Blob Storage encryption at rest, as provided by the underlying cloud platform.
Document vault
Per-tenant, per-employee paths in Azure Blob with tenant-scoped access.
Right-to-be-forgotten
Recruitment candidates can be hard-deleted on request, satisfying GDPR data-subject delete obligations for that flow.
What we don't claim (yet)
We'll only say it once we've done it.
- SOC 2 and ISO 27001 are not certified today.
- SSO, SAML, and SCIM are on the roadmap; default auth is JWT.
- Customer-managed encryption keys are not offered today.
- No defined uptime SLA is published.
When any of the above changes, this page will be the first to say so.
Ready for your IT review?
We'll share our security overview and walk your team through the tenant-isolation model, RBAC, and audit trail.