Security at PeopleHQ
Employee data is among the most sensitive data a company holds. We take that responsibility seriously — here's an overview of how we protect it.
Encryption
- ✓ AES-256 encryption for all data at rest
- ✓ TLS 1.3 for all data in transit
- ✓ Field-level encryption for sensitive payroll data (Enterprise)
- ✓ Database backups encrypted with keys managed separately from the live database keys
Access controls
- ✓ Role-based access control (RBAC) with least-privilege defaults
- ✓ Multi-factor authentication (MFA) enforced for all admin accounts
- ✓ SSO support via SAML 2.0 and OIDC (Enterprise)
- ✓ Full audit logs for all data access and changes
Infrastructure
- ✓ Hosted on AWS in the ap-northeast-2 (Seoul) region
- ✓ Data stored in Supabase-managed PostgreSQL on AWS, with industry-standard availability and durability
- ✓ 99.9% uptime target with redundant systems
- ✓ Regular security reviews and infrastructure hardening
Development
- ✓ Regular security testing
- ✓ Vulnerability disclosure programme (VDP)
- ✓ Code reviews and automated security scanning on every pull request
- ✓ Dependency scanning and automatic deployment of security patches
Report a vulnerability
If you believe you have found a security vulnerability in PeopleHQ, please report it responsibly to our security team. We take all reports seriously and aim to respond within 24 hours.
Email: security@peoplehq.site
PGP key: Available on request
We do not pursue legal action against researchers who act in good faith and follow responsible disclosure guidelines.
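The contact details above can also be published in machine-readable form at /.well-known/security.txt (RFC 9116), which is where scanners and researchers look first. The file below is an added example, not a file PeopleHQ publishes; the host peoplehq.site, the Canonical URL and the Expires date are assumed placeholder values for illustration:

```text
# Example security.txt (RFC 9116). Assumed placeholder values, not PeopleHQ's published file.
Contact: mailto:security@peoplehq.site
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://peoplehq.site/.well-known/security.txt
```

Contact and Expires are the two required fields; the Expires date must be refreshed before it lapses or the file is treated as stale. An Encryption: field pointing at the PGP key can be added once the key is published at a stable URL rather than provided on request.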