Security at PeopleHQ
Employee data is among the most sensitive data a company holds. We take that responsibility seriously — here's an overview of how we protect it.
Encryption
- ✓ AES-256 encryption for all data at rest
- ✓ TLS 1.3 for all data in transit
- ✓ Field-level encryption for sensitive payroll data (Enterprise)
- ✓ Database backups encrypted with separate key management
Access controls
- ✓ Role-based access control (RBAC) with least-privilege defaults
- ✓ Multi-factor authentication (MFA) enforced for all admin accounts
- ✓ SSO support via SAML 2.0 and OIDC (Growth & Enterprise)
- ✓ Full audit logs for all data access and changes
Infrastructure
- ✓ ISO 27001-certified cloud infrastructure
- ✓ SOC 2 Type II report available on request
- ✓ Data centres located in the EU (Frankfurt) and US (Virginia)
- ✓ 99.9% uptime SLA with redundant systems
Development
- ✓ Annual independent penetration testing
- ✓ Vulnerability disclosure programme (VDP)
- ✓ Code reviews and security scanning on every pull request
- ✓ Dependency scanning and automatic security patch deployment
Report a vulnerability
If you believe you have found a security vulnerability in PeopleHQ, please report it responsibly to our security team. We take all reports seriously and aim to respond within 24 hours.
Email: security@peoplehq.com
PGP key: Available on request
We do not pursue legal action against researchers who follow responsible disclosure guidelines.