Payroll data is the most sensitive data your company holds.
Encryption, isolation, audit logs, and a clear chain of custody β from the moment an employee is added to the moment a bank file leaves the building.
Our posture
Honest, not theatrical.
Some HR platforms ship a "trust page" full of logos for certifications they never earned. We'd rather tell you what's actually true: the controls we have, the controls we don't, and the timeline for closing the gap. Read the architecture below and ask us anything that's missing.
For procurement and vendor questionnaires: security@naasflow.pk. We turn most around in two business days.
Architecture
Eight controls that protect every record.
Encryption everywhere
Every byte of payroll and identity data is encrypted in transit and at rest. No internal service ever sees data in the clear except for the brief moment it's processed in memory.
Tenant isolation at the database
Every query is filtered at the database, not the app layer. A bug in the app can't accidentally leak one company's payroll to another β the row simply doesn't return for the wrong tenant. This is Postgres Row-Level Security, enforced by the database itself.
Audit log for every action
Who ran the payroll. Who approved it. Who changed a salary. Who downloaded the bank file. Every action that touches money or identity data lands in an immutable audit log β readable in the app, exportable for your auditor.
Least-privilege roles
Six built-in roles β Owner, Admin, HR, Manager, Employee, Auditor β each with a tight permission set. The default is to grant nothing extra. Sensitive actions like payroll finalization or bank-file generation can be locked behind a second approver.
Backups & recovery
Daily managed backups with point-in-time recovery on the last 7 days. We test restore quarterly. If a tenant deletes data by mistake, we can roll their workspace back without touching anyone else.
Infrastructure
Application on Vercel's edge network. Postgres and storage on Supabase, EU region. cPanel SMTP for transactional email β no third-party email provider holds your payslip attachments.
Sub-processors
We publish a complete sub-processor list. Today: Supabase (database + storage), Vercel (hosting), cPanel SMTP (email), Anthropic (AI features when explicitly opted in). No analytics tracker has access to PII.
Incident response
If something breaks or someone breaks in, you'll hear from us β fast. Critical incidents trigger customer notification within 24 hours with what happened, what data was touched, and what we're doing about it.
What we do and don't claim
The honest list.
What we have today, and what we don't. The "don't" side is on a roadmap β but until we're certified, we don't put a badge on this page.
- In place
Row-Level Security on every workforce table
Tenant isolation enforced by Postgres, not the app.
- In place
Regional data residency on request
EU primary today. Pakistan, Middle East, and other regions on request for enterprise customers.
- In place
Daily backups + 7-day point-in-time recovery
Restore tested quarterly.
- In place
Audit log on every sensitive action
Payroll, salary changes, downloads, role grants β all logged.
- On roadmap
SOC 2 Type I
On roadmap. We're not certified β and we won't put a fake badge on this page.
- On roadmap
ISO 27001
Not in scope until SOC 2 lands. Honest answer: not before late 2026.
- On roadmap
Penetration test by third party
Planned post-launch. Until then, internal review only.
If something breaks
What you can expect from us during an incident.
- 1Detection & triage. Health checks, error monitoring, and on-call rotation flag anomalies within minutes. Severity assigned in the first 60 minutes.
- 2Customer notification within 24 hours. For any incident that touched customer data, you get an email with what happened, what data was affected, and what we're doing.
- 3Fix, then post-mortem. We publish a public post-mortem for every critical incident β root cause, fix, and prevention steps. No spin.
- 4Responsible disclosure. Found a vulnerability? Email security@naasflow.pk. We acknowledge in 48 hours and won't take legal action against good-faith research.
For procurement teams
Need a security questionnaire turned around?
Send your vendor form to security@naasflow.pk. Most come back inside two business days with sources cited, not placeholders.