Security Policy

1. Our Security Commitment

Peoplova takes data security seriously. We implement industry-standard security practices to protect your sensitive HR and employee data from unauthorized access, modification, and disclosure.

2. Data Encryption

2.1 Encryption in Transit

• TLS 1.2+: All data transmitted between your browser/application and our servers is encrypted using TLS 1.2 or higher
• HTTPS: All pages are served over HTTPS with automatic redirection from HTTP
• API Encryption: All API calls require HTTPS; unencrypted connections are rejected

2.2 Encryption at Rest

• AES-256-CBC: Sensitive fields (SSN, salary, bank information) are encrypted using AES-256-CBC encryption
• Database Encryption: Encryption keys are stored separately from encrypted data
• Per-Tenant Keys: Each tenant's encryption key is unique and isolated

3. Authentication & Access Control

3.1 User Authentication

• Password Hashing: Passwords are hashed using bcrypt with salt
• Session Management: Secure session tokens with HTTP-only, secure flags
• Multi-Tenant Isolation: Sessions are tenant-specific; users cannot access other tenants' data
• OTP Support: One-Time Password (OTP) support for enhanced security

3.2 Role-Based Access Control

• Role Definitions: Super Admin, HR Admin, Manager, Employee, Contractor roles
• Permission Model: Granular permissions tied to roles (view, create, edit, delete)
• Principle of Least Privilege: Users only have permissions required for their role
• Audit Logging: All permission checks and access denials are logged

4. Infrastructure Security

4.1 Hosting & Network

• Cloud Hosting: Hosted on DigitalOcean, a trusted cloud provider
• Firewalls: Network firewalls restrict traffic to required ports only
• DDoS Protection: Integrated DDoS protection against distributed attacks
• Private Networks: Databases run on private VPC networks not exposed to the internet

4.2 Database Security

• Multi-Tenant Isolation: Each tenant has its own MySQL database, fully isolated
• No Direct Access: Databases are not accessible via public internet; only application can access
• Credential Rotation: Database credentials are rotated regularly
• Automated Backups: Daily automated backups with 30-day retention

5. Application Security

5.1 Common Vulnerability Prevention

• SQL Injection: Prepared statements and parameterized queries for all database access
• Cross-Site Scripting (XSS): Input validation, output encoding, Content Security Policy (CSP)
• Cross-Site Request Forgery (CSRF): CSRF tokens on all state-changing requests
• Insecure Deserialization: No use of dangerous serialization methods

5.2 Code Quality & Testing

• Code Review: All code changes reviewed before deployment
• Static Analysis: Automated security scanning for known vulnerabilities
• Dependency Management: Regular updates of third-party libraries and frameworks
• Security Testing: Regular penetration testing and vulnerability assessments

6. Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

• Email [email protected] with details of the vulnerability
• Do NOT publicly disclose the vulnerability until we have had time to patch it
• Include steps to reproduce, impact assessment, and any proof-of-concept code
• We will acknowledge receipt within 24 hours and provide a timeline for a fix
• We commit to patching critical vulnerabilities within 48 hours

7. Incident Response

In the event of a security incident:

1. We will investigate the incident immediately
2. We will notify affected customers within 24 hours of confirmation
3. We will provide details about the incident and steps we're taking
4. We will implement remediation and corrective measures
5. We will conduct a post-incident review to prevent recurrence

8. Third-Party Security

We vet and monitor third-party service providers for security compliance:

• Stripe: PCI DSS Level 1 certified for payment processing
• Mailjet: SOC 2 Type II certified for email delivery
• DigitalOcean: SOC 2, ISO 27001, and HIPAA compliant infrastructure

9. Compliance & Certifications

• GDPR: Compliant with EU General Data Protection Regulation
• CCPA: Compliant with California Consumer Privacy Act
• Data Processing Agreement (DPA): Available upon request for EU customers
• Future Certifications: SOC 2 Type II and ISO 27001 certifications planned

10. Employee Data Handling

• Purpose Limitation: Employee data is used only for HR functions you specify
• Data Minimization: We collect only the minimum data necessary for HR operations
• Retention Limits: Data is deleted after the subscription ends or upon your request
• No Selling: We never sell employee data to third parties

11. User Responsibilities

To maintain security, please:

• Keep your password strong and confidential
• Never share your login credentials
• Log out after using Peoplova, especially on shared computers
• Report suspicious activity immediately to [email protected]
• Keep your browser and operating system updated

12. Security Updates

We release security updates regularly:

• Critical updates are deployed within 24 hours of identification
• Non-critical updates are deployed within weekly maintenance windows
• All updates are tested before deployment
• No downtime is required for most security patches

13. Contact Us

For security-related questions or concerns:

• Email: [email protected]
• Support: [email protected]
• Submit a support ticket