Trust
Security at Workstead
Workstead handles payroll data — SSNs, bank accounts, compensation records. Here’s how we protect it.
01 Tenant isolation
Every customer workspace runs with its own database, its own database credentials, its own object-storage bucket, and its own encryption keys. Cross-tenant access is structurally impossible at the credential level — not merely filtered in application code.
02 Encryption
The most sensitive fields — Social Security numbers and bank account and routing numbers — are encrypted before they are written to the database, using per-tenant keys managed by a dedicated secrets service (Vault Transit engine). Database access alone does not expose this data; decryption requires the key service. Third-party API tokens (e.g., bank-verification tokens) receive the same treatment.
| What | Protection | Notes |
|---|---|---|
| Transport | TLS 1.2+ on all public endpoints | ACME certificates, auto-renewed; internal CA for in-cluster traffic |
| SSNs | Field-level encryption before database write | Per-tenant key via Vault Transit; DB access alone doesn't expose the value |
| Bank account & routing numbers | Field-level encryption before database write | Same per-tenant key isolation; also applies to third-party access tokens |
| Backups | Private, access-controlled object storage | Reachable only over internal network |
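The field-level pattern in the table above, written out as an added example (not Workstead's code, and not the Vault Transit API): an in-memory key service stands in for the Transit engine, each tenant gets its own AES-256-GCM key, and the employee row that reaches the database carries only ciphertext. The field name is bound as associated data, so a ciphertext copied from one column into another fails to decrypt, and retiring a tenant's key makes its stored values unrecoverable, which is what the workspace-closure step relies on. Tenant names, the `enc:v1:` prefix and the sample SSN are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// KeyService is an assumed stand-in for a Transit-style key service: callers
// pass a tenant id plus data and get ciphertext back; raw keys never leave it.
type KeyService struct {
	keys map[string][]byte // tenant id -> 256-bit AES key
}

func NewKeyService() *KeyService { return &KeyService{keys: map[string][]byte{}} }

// ProvisionTenant creates a fresh key when a workspace is created.
func (ks *KeyService) ProvisionTenant(tenant string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[tenant] = k
	return nil
}

// RetireTenant deletes the key; ciphertext already in the database becomes unrecoverable.
func (ks *KeyService) RetireTenant(tenant string) { delete(ks.keys, tenant) }

func (ks *KeyService) aead(tenant string) (cipher.AEAD, error) {
	k, ok := ks.keys[tenant]
	if !ok {
		return nil, errors.New("no key for tenant " + tenant)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one field under the tenant key. The column name is bound as
// associated data so a value cannot be transplanted between fields.
func (ks *KeyService) Encrypt(tenant, field string, plaintext []byte) (string, error) {
	g, err := ks.aead(tenant)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nonce, nonce, plaintext, []byte(field)) // nonce || ciphertext || tag
	return "enc:v1:" + base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt reverses Encrypt; any wrong key, wrong field or tampering fails authentication.
func (ks *KeyService) Decrypt(tenant, field, stored string) ([]byte, error) {
	const prefix = "enc:v1:"
	if !strings.HasPrefix(stored, prefix) {
		return nil, errors.New("not an encrypted field")
	}
	raw, err := base64.StdEncoding.DecodeString(stored[len(prefix):])
	if err != nil {
		return nil, err
	}
	g, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(raw) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := raw[:g.NonceSize()], raw[g.NonceSize():]
	return g.Open(nil, nonce, ct, []byte(field))
}

// EmployeeRow is the shape that actually lands in the tenant database.
type EmployeeRow struct {
	Name   string
	SSNEnc string // ciphertext only; the plaintext SSN is never written
}

// StoreEmployee encrypts the SSN before the row is handed to the database layer.
func StoreEmployee(ks *KeyService, tenant, name, ssn string) (EmployeeRow, error) {
	enc, err := ks.Encrypt(tenant, "ssn", []byte(ssn))
	if err != nil {
		return EmployeeRow{}, err
	}
	return EmployeeRow{Name: name, SSNEnc: enc}, nil
}

// ReadSSN is the only path that yields the plaintext, and it needs the key service.
func ReadSSN(ks *KeyService, tenant string, row EmployeeRow) (string, error) {
	pt, err := ks.Decrypt(tenant, "ssn", row.SSNEnc)
	return string(pt), err
}

func main() {
	ks := NewKeyService()
	_ = ks.ProvisionTenant("acme")
	row, _ := StoreEmployee(ks, "acme", "Ada", "123-45-6789") // constructed sample value
	fmt.Println("stored in DB:", row.SSNEnc)
	ssn, err := ReadSSN(ks, "acme", row)
	fmt.Println("read via key service:", ssn, err)
}
```

The property worth keeping in mind is the one the table states: a dump of the tenant database contains `enc:v1:...` strings and nothing else, and a second tenant's key, a different column name, or a retired key all fail at the authentication tag rather than yielding a wrong-but-plausible value.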
03 Authentication & access control
Multi-factor authentication (TOTP) is enforced for all application users. Before viewing or changing bank account details, users must complete a step-up re-verification with a short-lived (5-minute) token — a second friction point on the highest-risk operation.
Role-based access control with least-privilege roles (Owner, Office Manager, Payroll Admin, Accountant, Employee) is enforced server-side on every API endpoint. Employees can access only their own records.
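The two gates described in the preceding paragraphs, server-side role checks plus a short-lived step-up token for bank-detail operations, as an added example (not Workstead's code). The role names are the page's; the action set, the token format (HMAC-SHA256 over `user|record|expiry`, which assumes ids contain no `|`) and the sample ids are constructed. The token is bound to both the user and the specific employee record, so one re-verification cannot be reused on a different record, and it stops validating exactly five minutes after issue.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

type Role string

const (
	Owner         Role = "Owner"
	OfficeManager Role = "Office Manager"
	PayrollAdmin  Role = "Payroll Admin"
	Accountant    Role = "Accountant"
	Employee      Role = "Employee"
)

// permissions is an assumed action set per role, evaluated on the server for every request.
var permissions = map[Role]map[string]bool{
	Owner:         {"view_bank_details": true, "change_bank_details": true, "view_payroll": true},
	PayrollAdmin:  {"view_bank_details": true, "change_bank_details": true, "view_payroll": true},
	OfficeManager: {"view_payroll": true},
	Accountant:    {"view_payroll": true},
	Employee:      {"view_bank_details": true, "change_bank_details": true}, // own record only
}

// stepUpRequired marks the highest-risk actions that also need a fresh re-verification.
var stepUpRequired = map[string]bool{"view_bank_details": true, "change_bank_details": true}

const stepUpTTL = 5 * time.Minute

// IssueStepUp mints the token right after the user has re-verified. Format (constructed):
// base64url(user|record|expiryUnix) "." base64url(HMAC-SHA256 of that payload).
func IssueStepUp(secret []byte, userID, employeeID string, now time.Time) string {
	payload := userID + "|" + employeeID + "|" + strconv.FormatInt(now.Add(stepUpTTL).Unix(), 10)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString([]byte(payload)) + "." +
		base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyStepUp checks signature first (constant-time), then binding, then expiry.
func verifyStepUp(secret []byte, token, userID, employeeID string, now time.Time) error {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return errors.New("malformed step-up token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("step-up token signature invalid")
	}
	fields := strings.Split(string(payload), "|")
	if len(fields) != 3 || fields[0] != userID || fields[1] != employeeID {
		return errors.New("step-up token not bound to this user and record")
	}
	exp, err := strconv.ParseInt(fields[2], 10, 64)
	if err != nil || now.Unix() >= exp {
		return errors.New("step-up token expired")
	}
	return nil
}

// Request is what an API handler sees after session (password + TOTP) authentication.
type Request struct {
	UserID, Role, Action, EmployeeID, StepUpToken string
}

// Authorize is the server-side gate applied to every endpoint: role grant,
// own-record rule for employees, then the step-up token for bank-detail actions.
func Authorize(secret []byte, r Request, now time.Time) error {
	if !permissions[Role(r.Role)][r.Action] {
		return errors.New("role " + r.Role + " may not " + r.Action)
	}
	if Role(r.Role) == Employee && r.EmployeeID != r.UserID {
		return errors.New("employees may access only their own record")
	}
	if stepUpRequired[r.Action] {
		return verifyStepUp(secret, r.StepUpToken, r.UserID, r.EmployeeID, now)
	}
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret") // in practice: delivered from the secrets manager
	now := time.Now()
	tok := IssueStepUp(secret, "u1", "u1", now)
	fmt.Println(Authorize(secret, Request{"u1", "Employee", "change_bank_details", "u1", tok}, now))
	fmt.Println(Authorize(secret, Request{"u1", "Employee", "change_bank_details", "u2", tok}, now))
}
```

The ordering inside `Authorize` matters: the cheap role and ownership checks fail closed before any token parsing, and the signature is verified before the payload is trusted for the binding and expiry checks.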
Administrative access to production infrastructure is restricted to a private network (VPN/firewalled), uses key-based authentication, and is limited to the operator.
04 Vulnerability management
Every change ships via pull request with review and required automated test gates (unit, integration, and end-to-end browser tests). Container images are rebuilt frequently to pick up upstream patches and are automatically deployed across all tenant workspaces — security fixes reach every customer without manual rollout.
A CI dependency-audit gate and daily image vulnerability scans (Trivy) flag new CVEs before and after code ships. The Kubernetes hosts and edge firewall receive regular OS-level updates.
05 Data retention & deletion
Abandoned onboarding drafts (which may contain PII) are automatically purged after 30 days of inactivity, with advance notice to the account owner.
When a workspace is closed, we destroy the tenant database, both database roles, the object-storage bucket and all its contents, and retire the tenant’s encryption keys — verified by automated teardown procedures. See the Terms of Service for the full data-deletion commitment.
06 Secrets management
All application secrets — database credentials, API keys, signing keys, SMTP credentials — are stored in a highly-available secrets manager (OpenBao/Vault, 3-node Raft cluster) and delivered to workloads via the External Secrets Operator. Secrets are never committed to source control, embedded in container images, or exposed to browser-side code.
07 Infrastructure & monitoring
Infrastructure state is declarative (GitOps): the deployed configuration is continuously reconciled against version-controlled manifests, and drift is self-corrected and visible. Application audit logs record sensitive actions — authentication events, PII access, bank-detail changes, administrative operations. Real-time operational alerting notifies the operator immediately of provisioning failures, secret-sync failures, or delivery failures.
08 Third-party sub-processors
Workstead minimises third-party data sharing. Current sub-processors are limited to: transactional email delivery, bank-account verification (Plaid — verification only; Workstead never moves funds through Plaid), address verification, and AI-assisted document extraction. Each integration is server-side only, credentialed via the secrets manager, and scoped to the minimum data necessary.
09 Responsible disclosure
Found something? Email security@worksteadhr.com. We ask for a reasonable window to investigate and remediate before public disclosure. We’ll acknowledge receipt within one business day and keep you updated.
This page is a summary of our Information Security Policy, which lives in version control. Request the full document at security@worksteadhr.com. Also see: Privacy Policy · Terms of Service