Security

Last updated: 17 April 2026

Sagacity Payroll handles sensitive payroll, identity, and bank data for thousands of employees across India. Security is not a feature for us — it is a foundation. This page describes the controls we have today and our certification roadmap.

1. Data encryption

  • In transit: All traffic between your browser, our API, and our sub-processors uses TLS 1.2+ with strong cipher suites. We enforce HSTS with a 1-year max-age.
  • At rest: Our PostgreSQL database uses AES-256 encryption at rest. Daily encrypted backups are stored in a separate region (Mumbai, ap-south-1).
  • Passwords: Hashed with bcrypt (cost factor 10). We never log, email, or display passwords.
  • Secrets: API keys, webhook signatures, and tokens are stored encrypted and rotated quarterly.

2. Authentication & access

  • Email + password with password strength checks and history (no reuse of last 5).
  • Optional TOTP 2FA (Google Authenticator, Authy, 1Password) plus backup codes.
  • SSO (SAML / Google Workspace / Microsoft Entra) available on the Enterprise plan.
  • Role-based access control — 17 distinct roles with permission enforcement at both route and record level.
  • Multi-tenant isolation — every API request is scoped to the requesting user's company via a dedicated TenantGuard in addition to role checks.
  • Idle session timeout: 30 minutes. Active sessions listed in-app, individually revocable.
  • Rate limiting and brute-force protection on authentication endpoints.
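To make the tenant-isolation and role-check bullets above concrete, here is an added TypeScript example of a request handler that applies a route-level role check and then scopes every record lookup to the caller's company. It is illustrative code written for this page, not Sagacity Payroll's own TenantGuard; the names (ApiRequest, roleGuard, tenantScopedFind, the role set) and the two-company sample data are assumptions.

```typescript
// Added illustration: route-level RBAC followed by tenant scoping.
// Hypothetical names; not the product's implementation.

type Role = "owner" | "hr_admin" | "employee";

export interface AuthUser { id: string; companyId: string; role: Role; }
export interface Employee { id: string; companyId: string; name: string; salary: number; }
export interface ApiRequest { user: AuthUser; params: { employeeId: string }; }

// Constructed sample data: two tenants, one payroll record each.
const EMPLOYEES: Employee[] = [
  { id: "e1", companyId: "acme",   name: "Asha", salary: 90000 },
  { id: "e2", companyId: "globex", name: "Ravi", salary: 85000 },
];

// Roles allowed to read payroll records (route-level check).
const READ_PAYROLL_ROLES: ReadonlySet<Role> = new Set<Role>(["owner", "hr_admin"]);

export class Forbidden extends Error {}
export class NotFound extends Error {}

// Route-level RBAC: may this role perform the action at all?
export function roleGuard(req: ApiRequest, allowed: ReadonlySet<Role>): void {
  if (!allowed.has(req.user.role)) {
    throw new Forbidden(`role ${req.user.role} may not perform this action`);
  }
}

// Tenant guard at the record level: the lookup is always filtered by the
// caller's companyId, so a record belonging to another company is
// indistinguishable from a record that does not exist (404, not 403),
// which avoids leaking the existence of other tenants' IDs.
export function tenantScopedFind(req: ApiRequest, employeeId: string): Employee {
  const rec = EMPLOYEES.find(
    e => e.id === employeeId && e.companyId === req.user.companyId,
  );
  if (!rec) throw new NotFound("employee not found");
  return rec;
}

export function getPayroll(req: ApiRequest): Employee {
  roleGuard(req, READ_PAYROLL_ROLES);          // role check first
  return tenantScopedFind(req, req.params.employeeId); // then tenant scoping
}

// Maps guard outcomes to HTTP-style status codes so callers can inspect results.
export function handle(req: ApiRequest): { status: number; body?: Employee } {
  try {
    return { status: 200, body: getPayroll(req) };
  } catch (e) {
    if (e instanceof Forbidden) return { status: 403 };
    if (e instanceof NotFound) return { status: 404 };
    throw e;
  }
}

// Stand-alone demo: an HR admin of "acme" reading its own record, then
// attempting to read a "globex" record with the same credentials.
const hrAdmin: ApiRequest = {
  user: { id: "u1", companyId: "acme", role: "hr_admin" },
  params: { employeeId: "e1" },
};
console.log(handle(hrAdmin).status);                                   // 200
console.log(handle({ ...hrAdmin, params: { employeeId: "e2" } }).status); // 404
```

The order matters: the role check runs before any data access, and the tenant filter is part of the query itself rather than a comparison done after fetching, so there is no code path that returns another company's record even if a later permission check were mis-configured.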

3. Infrastructure

  • Primary hosting: DigitalOcean, Bengaluru (blr1) data centre — ISO 27001, SOC 2 Type II, PCI DSS certified.
  • Database: PostgreSQL with daily snapshots, point-in-time recovery.
  • Backups: Daily encrypted backups retained 30 days; monthly backups retained 1 year; cross-region copy to Mumbai.
  • DDoS protection: Cloudflare in front of all public endpoints.
  • WAF: Rule-set blocking SQLi, XSS, CSRF attempts.

4. Application security

  • Input validation on all API endpoints with class-validator.
  • CSRF protection for state-changing operations; CORS strictly restricted to approved origins.
  • Content Security Policy headers; X-Content-Type-Options, X-Frame-Options enabled.
  • Dependency scanning: automated Dependabot alerts plus manual quarterly audits.
  • Quarterly external penetration testing (results available to Enterprise customers under NDA).
  • Secure SDLC with code review on every change and blocking CI checks for TypeScript, ESLint, and tests.

5. Monitoring & incident response

  • 24×7 uptime monitoring (target: 99.5% monthly).
  • Application-level audit logs for all state-changing operations — retained 12 months.
  • Immutable login history visible to users in their Security tab.
  • Incident response: defined runbook with 4-hour acknowledgement, 24-hour containment, and customer notification within 72 hours of confirmed breach (DPDPA §8(6)).

6. Backups & disaster recovery

Metric                              Target
Recovery Point Objective (RPO)      ≤ 24 hours
Recovery Time Objective (RTO)       ≤ 4 hours
Backup retention — daily            30 days
Backup retention — monthly          12 months

Disaster recovery drills are performed twice a year.

7. Data residency & compliance

  • India — primary data residency. Full compliance with DPDPA 2023 and IT Act 2000.
  • EU visitors — GDPR rights respected (see Privacy Policy).
  • Statutory filings to EPFO, ESIC, Income Tax portals strictly over government-approved channels.

8. Compliance roadmap

Certification               Status
DPDPA 2023 (India)          Compliant ✓
GDPR-aware processing       Compliant ✓
ISO 27001                   Target: Q4 2026
SOC 2 Type I                Target: Q2 2027
SOC 2 Type II               Target: Q1 2028

9. Responsible disclosure

If you discover a security vulnerability, please report it privately to security@sagacitypayroll.com. We acknowledge within 48 hours and work with you on a fix timeline. Please do not publicly disclose details until we confirm a patch is deployed. We recognise researchers in our Hall of Thanks and, where appropriate, offer a token bounty.

10. Customer controls

Your administrators can:

  • Enforce 2FA for all users
  • Configure password policies and session timeout
  • Review active sessions and login history per user
  • Export audit logs
  • Manage role-based permissions
  • Enable IP allowlists (Enterprise plan)

11. Contact

Security team: security@sagacitypayroll.com