Privacy
How we handle your data.
Workstead runs payroll and HR for small operators. That means we handle sensitive information — names, addresses, Social Security numbers, bank details. This page explains what we collect, why we collect it, how it is protected, and what rights you have over it.
Effective date: 2026-06-10 · Questions: support@worksteadhr.com
What we collect
Workstead collects information needed to run payroll and manage your crew. Depending on your role, that includes:
- Identity: legal name, date of birth, Social Security Number or taxpayer ID — required for payroll tax filings.
- Contact: email address, home address, phone number — used for account access and required on tax forms.
- Compensation and payroll: pay rate, hours worked, withholding elections, pay history — the core data the platform runs on.
- Bank details: routing and account numbers, collected during direct-deposit setup and verified via Plaid.
- Identity documents: images of W-4, I-9, and similar forms uploaded during onboarding — processed to extract structured data into the wizard.
- Account credentials: a password hash and multi-factor authenticator state. Passwords are stored only as a hash, never in recoverable form.
- Operator account details: company name, contact email — used to provision your workshop and communicate about your account.
- Audit metadata: IP address and device information, recorded alongside sensitive actions for audit and incident response.
Why we collect it
Every category above has a direct operational purpose. We do not collect data speculatively or sell it. The reasons are:
- Running payroll: calculating wages, withholding taxes, and generating pay stubs requires name, SSN, compensation, and bank details.
- Tax compliance: federal and state filings (940, 941, W-2, 1099-NEC) require employee identity and earnings data.
- Account security: passwords and multi-factor state protect access to sensitive records.
- Service communications: we send transactional emails (invite links, confirmations, alerts) — not marketing unless you opt in explicitly.
- Fraud and error prevention: IP address and device information are logged alongside sensitive actions for audit and incident response.
How it is protected
We treat encryption as a baseline, not a feature. The controls in place:
- In transit: TLS 1.2+ on all public endpoints, with publicly-trusted certificates renewed automatically.
- At rest, field level: Social Security numbers and bank account/routing numbers are encrypted before they are written to the database, using a centralised key management service (OpenBao/Vault Transit) with a separate encryption key per tenant. The database stores only ciphertext, so database access alone (a leaked database credential, a copied backup) does not expose these fields; decryption also requires access to the key service.
- Tenant isolation: every customer runs with its own database, database credentials, object-storage bucket, and encryption keys. A tenant's credentials grant no access to any other tenant's database, bucket, or keys, so cross-tenant reads are blocked at the credential level rather than by application logic alone.
- Access control: role-based least-privilege (Owner, Office Manager, Payroll Admin, Accountant, Employee) enforced server-side on every endpoint. Employees access only their own records.
- Step-up re-verification: viewing or changing bank account details requires an additional short-lived (5-minute) verification step, separate from your normal login session.
- Secrets management: all API keys, database credentials, and signing keys are stored in a high-availability secrets manager and delivered to workloads via the External Secrets Operator — never committed to source control or embedded in container images.
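The field-level encryption and tenant isolation points above are worth seeing as code. The following is an added example written for this page, not Workstead's own implementation: it stands in an in-process `FakeTransit` for the OpenBao/Vault Transit engine (the per-tenant key name `tenant-<id>-pii`, the `vault:v1:` token format, and binding the tenant ID as associated data are assumptions of the example), and shows that the row written to the database carries only ciphertext and that another tenant's key, or a missing key, cannot decrypt it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// FakeTransit stands in for the OpenBao/Vault Transit engine: one key per tenant,
// keys never leave it, callers only see ciphertext. In production this is an HTTP
// client for transit/encrypt/<key> and transit/decrypt/<key> (assumed, not shown).
type FakeTransit struct{ keys map[string][]byte }

func NewFakeTransit() *FakeTransit { return &FakeTransit{keys: map[string][]byte{}} }

// keyName is the per-tenant naming assumed here: one Transit key per tenant.
func keyName(tenantID string) string { return "tenant-" + tenantID + "-pii" }

// CreateKey provisions a fresh random 256-bit key at tenant setup.
func (t *FakeTransit) CreateKey(tenantID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	t.keys[keyName(tenantID)] = k
	return nil
}

func (t *FakeTransit) aead(tenantID string) (cipher.AEAD, error) {
	k, ok := t.keys[keyName(tenantID)]
	if !ok {
		return nil, errors.New("no key for tenant " + tenantID)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns a Transit-style token "vault:v1:<base64(nonce||ciphertext)>".
// The tenant ID is bound as additional authenticated data, so a token copied
// into another tenant's row will not decrypt there even with the right key.
func (t *FakeTransit) Encrypt(tenantID, plaintext string) (string, error) {
	g, err := t.aead(tenantID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.Seal(nonce, nonce, []byte(plaintext), []byte(tenantID))
	return "vault:v1:" + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt fails closed: missing key, another tenant's key, or a tampered token all error.
func (t *FakeTransit) Decrypt(tenantID, token string) (string, error) {
	if !strings.HasPrefix(token, "vault:v1:") {
		return "", errors.New("not a transit ciphertext")
	}
	raw, err := base64.StdEncoding.DecodeString(token[len("vault:v1:"):])
	if err != nil {
		return "", err
	}
	g, err := t.aead(tenantID)
	if err != nil || len(raw) < g.NonceSize() {
		return "", errors.New("cannot decrypt for tenant " + tenantID)
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(tenantID))
	if err != nil {
		return "", errors.New("authentication failed for tenant " + tenantID)
	}
	return string(pt), nil
}

// WorkerRow is what lands in the tenant database: the SSN column holds only the token.
type WorkerRow struct{ TenantID, Name, SSNToken string }

// StoreWorker encrypts before the write, so the database never sees the SSN.
func StoreWorker(kms *FakeTransit, tenantID, name, ssn string) (WorkerRow, error) {
	tok, err := kms.Encrypt(tenantID, ssn)
	if err != nil {
		return WorkerRow{}, err
	}
	return WorkerRow{TenantID: tenantID, Name: name, SSNToken: tok}, nil
}

func main() {
	kms := NewFakeTransit()
	_, _ = kms.CreateKey("acme"), kms.CreateKey("bolt")
	row, _ := StoreWorker(kms, "acme", "Pat Example", "123-45-6789") // constructed sample, not real PII
	fmt.Println("stored in DB:", row.SSNToken)
	pt, err := kms.Decrypt("acme", row.SSNToken)
	fmt.Println("acme decrypts:", pt, err)
	_, err = kms.Decrypt("bolt", row.SSNToken)
	fmt.Println("bolt cannot decrypt:", err)
}
```

The design point is where the trust boundary sits: a party holding only the tenant database (or a dump of it) sees `vault:v1:...` strings, and a party holding another tenant's credentials and key still cannot open them. With a real Transit engine the same shape holds, except that the key material lives in the key service and the application only ever calls its encrypt and decrypt endpoints.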
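The step-up re-verification described above can be implemented as a short-lived grant that is separate from the login session. The code below is an added example for this page, not Workstead's code: it assumes the grant is an HMAC over the user, the login session, an action scope, and an expiry (names such as `StepUpIssuer`, `ScopeBankDetails` and the `<expiry>.<mac>` token layout are this example's own), and it shows the grant being refused after the 5-minute window, when presented from a different login session, for a different action, or when absent.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// StepUpTTL is the 5-minute window from the policy.
const StepUpTTL = 5 * time.Minute

// ScopeBankDetails names the action the grant is good for; other sensitive
// actions would get their own scope so one grant cannot be reused for another.
const ScopeBankDetails = "bank-details"

var (
	ErrNoGrant  = errors.New("step-up required")
	ErrBadGrant = errors.New("step-up grant invalid")
	ErrExpired  = errors.New("step-up grant expired, re-verify")
)

// StepUpIssuer mints grants after the user re-proves possession (password or
// MFA re-prompt). Its key is distinct from the session-cookie key (assumed).
type StepUpIssuer struct{ key []byte }

// mac binds the grant to who, which login session, which action, and until when.
func (s StepUpIssuer) mac(userID, sessionID, scope string, exp int64) []byte {
	m := hmac.New(sha256.New, s.key)
	fmt.Fprintf(m, "%s\x00%s\x00%s\x00%d", userID, sessionID, scope, exp)
	return m.Sum(nil)
}

// Issue returns "<unix expiry>.<base64 mac>". Only the expiry travels in the
// token; user, session and scope are re-supplied by the server at check time,
// so none of them can be rewritten by the client.
func (s StepUpIssuer) Issue(userID, sessionID, scope string, now time.Time) string {
	exp := now.Add(StepUpTTL).Unix()
	return strconv.FormatInt(exp, 10) + "." +
		base64.RawURLEncoding.EncodeToString(s.mac(userID, sessionID, scope, exp))
}

// Verify checks the MAC before trusting anything in the token, then the clock.
// Every failure path refuses; an expired grant is reported separately so the
// UI can re-prompt rather than treat it as an attack.
func (s StepUpIssuer) Verify(token, userID, sessionID, scope string, now time.Time) error {
	if token == "" {
		return ErrNoGrant
	}
	expStr, sigB64, ok := strings.Cut(token, ".")
	if !ok {
		return ErrBadGrant
	}
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil {
		return ErrBadGrant
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil || !hmac.Equal(sig, s.mac(userID, sessionID, scope, exp)) {
		return ErrBadGrant
	}
	if !now.Before(time.Unix(exp, 0)) {
		return ErrExpired
	}
	return nil
}

// Session is what normal login established and the RBAC layer already checked.
type Session struct{ UserID, SessionID string }

// UpdateBankAccount is the guarded endpoint: a valid login is not enough, a
// fresh grant scoped to this action and this session is required too.
func UpdateBankAccount(issuer StepUpIssuer, sess Session, grant string, now time.Time) error {
	if err := issuer.Verify(grant, sess.UserID, sess.SessionID, ScopeBankDetails, now); err != nil {
		return err
	}
	// ... encrypt and write the new routing/account numbers, then audit-log the change.
	return nil
}

func main() {
	issuer := StepUpIssuer{key: []byte("example-only-step-up-key")} // constructed; load from the secrets manager in practice
	sess := Session{UserID: "u-42", SessionID: "login-1"}
	t0 := time.Unix(1_780_000_000, 0)
	grant := issuer.Issue(sess.UserID, sess.SessionID, ScopeBankDetails, t0)
	fmt.Println("1 min later:   ", UpdateBankAccount(issuer, sess, grant, t0.Add(time.Minute)))
	fmt.Println("6 min later:   ", UpdateBankAccount(issuer, sess, grant, t0.Add(6*time.Minute)))
	other := Session{UserID: "u-42", SessionID: "login-2"}
	fmt.Println("other session: ", UpdateBankAccount(issuer, other, grant, t0.Add(time.Minute)))
	fmt.Println("no grant:      ", UpdateBankAccount(issuer, sess, "", t0))
}
```

Binding the grant to the session ID is what makes it "separate from your normal login session" in a useful sense: a grant lifted from one browser cannot be replayed from a second login as the same user, and a long-lived session on its own never unlocks the bank-details endpoint.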
How long we keep it
We keep data as long as needed to provide the service, then delete it on a defined schedule:
- Incomplete onboarding drafts are automatically purged 30 days after the last activity. We notify the account owner before purge.
- When a customer cancels, their tenant database, database roles, object-storage bucket, and encryption keys are destroyed — verified by automated teardown procedures.
- Bank-verification data from Plaid is retained only as long as needed for active direct-deposit enrollment and is destroyed with the tenant.
- Operational audit logs and email delivery records are kept for accountability and incident reconstruction; their retention period is reviewed annually.
Who we share with
Workstead minimises third-party data sharing. The complete list of current subprocessors, the companies that receive any portion of your data as part of operating the service, is:
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Mailgun / configured SMTP provider | Transactional email delivery (invites, confirmations, notifications) | Recipient email address, message content |
| Plaid | Bank account verification only. Workstead never moves money through Plaid. | Bank account details required to confirm routing + account numbers |
| Smarty (US Census Geocoder fallback) | Address verification and standardisation during onboarding | Street address entered during worker onboarding |
| AI document extraction (self-hosted) | Assisted parsing of uploaded identification documents (W-4, I-9, etc.) | Document images submitted during the onboarding wizard |
Each integration is config-gated, server-side only, credentialed via the secrets manager, and scoped to the minimum data necessary. We do not sell data to, or share it with, any third party for advertising, analytics, or any purpose beyond operating the service.
Your rights
You have the right to access, correct, and delete your personal information. You may also request a copy of the data we hold about you. Employees can view their own payroll and personal records directly in the platform. For anything the platform does not surface, or to request deletion, contact:
- General data requests and privacy questions: support@worksteadhr.com
- Security disclosures: security@worksteadhr.com
We will respond to verifiable requests within 30 days.
Changes to this policy
This policy is maintained in version control alongside the Workstead codebase — every revision is dated and attributable. Material changes (new data categories, new subprocessors, changes to retention) will be communicated to active account owners before they take effect.
Document owner: Workstead (security@worksteadhr.com)
Review cadence: annual, or after any material architecture change