Salaries, identities, statutory records — protected by isolation, encryption and an audited ledger, enforced in code.
Every layer — identity, tenancy, data, money — is protected by a control that runs on every request, not a promise in a document.
DecentroHR handles your most sensitive data — salaries, identities, statutory records. Security isn't a feature bolted on; it's how the platform is built. Every design decision below is enforced in code, not policy.
Every tenant's data is separated by Postgres row-level security under a non-superuser role — isolation is enforced by the database, not the application, and verified on boot.
Data is encrypted in transit (TLS) and at rest. Sensitive fields (bank, tax IDs, secrets) are additionally encrypted at the application layer.
Money-critical state posts once through a single choke point into an append-only, hash-chained ledger. A changed row breaks the chain — tamper-evident by construction.
Admin, approver and employee each get their own scoped credentials. TOTP two-factor is available for every privileged role; no shared secrets.
API tokens are scoped, hashed and bounded — a client-org token can only ever touch its own tenant. Partner keys can only target tenants they own.
Every mutation — by a human, the SDK or the AI — is attributed and audited. Money trails (earnings, deductions, reversals) are fully reconstructable.
Built-in personal-data export and erasure flows. You control retention; we never sell data.
Our controls are mapped to SOC 2 and ISO 27001; formal attestation is in progress. Evidence available under NDA on Enterprise.
Found a vulnerability? Email [email protected]. We investigate every report and will work with you on a coordinated fix. Please don't disclose publicly until we've resolved it.
We use a small, vetted set of infrastructure sub-processors. Indian customer data can be kept in-region; contact us for a current sub-processor list and a DPA.
Every figure traceable, every action audited, every tenant isolated — by design.