
Security

How we protect your data.

Security is not a feature we bolt on — it is how we build. Workplace.hr handles sensitive employee data, payroll information, and business documents. We take that responsibility seriously.

Zero-Knowledge Encryption

Sensitive data is encrypted with keys derived from your credentials, so that even we cannot read it. Those keys are never stored on our servers in plaintext.
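
As an added example (not Workplace.hr's own code), the following Python sketch shows one way a credential-derived key can be split so that the server holds only a login verifier and never the encryption key. The per-user salt, the HMAC labels, the PBKDF2 work factor, the record layout and the sample password are assumptions made for illustration.

```python
"""Credential-derived keys with domain separation.

Added example, not Workplace.hr's code. A single key stretched from the
user's credential is split into an authentication key (sent to the server)
and an encryption key (kept on the client). The server stores only a
salted hash of the authentication key, so neither its database nor a
stolen copy of it contains anything that yields the encryption key.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumed parameters for illustration; a deployment would tune these.
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32


def derive_master_key(password: str, user_salt: bytes) -> bytes:
    """Stretch the credential into a master key. Runs on the client only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), user_salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def subkey(master: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys: knowing one reveals nothing about the other."""
    return hmac.new(master, label, hashlib.sha256).digest()


def client_enroll(password: str, user_salt: bytes) -> Tuple[bytes, bytes]:
    """Return (auth_key to present to the server, enc_key kept client-side)."""
    master = derive_master_key(password, user_salt)
    return subkey(master, b"auth"), subkey(master, b"enc")


def server_store(auth_key: bytes) -> Dict[str, bytes]:
    """Store a salted hash of the auth key, never the key itself. The auth
    key is already 256 bits of derived entropy, so one HMAC suffices."""
    server_salt = os.urandom(16)
    verifier = hmac.new(server_salt, auth_key, hashlib.sha256).digest()
    return {"server_salt": server_salt, "verifier": verifier}


def server_verify(record: Dict[str, bytes], presented_auth_key: bytes) -> bool:
    """Constant-time comparison against the stored verifier."""
    expected = hmac.new(record["server_salt"], presented_auth_key, hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["verifier"])


def demo() -> Dict[str, bool]:
    """Run enrolment and login end to end with a constructed credential."""
    password = "correct horse battery staple"      # constructed sample
    user_salt = os.urandom(16)                     # stored server-side, sent to client at login
    auth_key, enc_key = client_enroll(password, user_salt)
    record = server_store(auth_key)

    # Login: the client re-derives both keys from the same credential and salt.
    auth_again, enc_again = client_enroll(password, user_salt)
    wrong_auth, _ = client_enroll("wrong password", user_salt)

    return {
        "login_ok": server_verify(record, auth_again),
        "wrong_password_rejected": not server_verify(record, wrong_auth),
        "enc_key_stable_across_logins": enc_key == enc_again,
        "enc_key_absent_from_server_record": (
            enc_key not in record.values() and enc_key != auth_key
        ),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The client would feed `enc_key` to an AEAD such as AES-256-GCM for the sensitive fields. One consequence of this design to plan for: a password reset re-derives a different `enc_key`, so a reset flow needs a recovery mechanism (such as an exported recovery key) to avoid losing access to data encrypted under the old one.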

Database Isolation

Every customer gets their own database. Your data is never co-mingled with another company's data. Full logical isolation at the database level.

EU-Only Infrastructure

All servers, databases, backups, and processing happen within the European Union. No data is transferred to the United States or any non-EU country.

TLS Everywhere

All data in transit is encrypted using TLS 1.2 or higher. Every connection to our services — API, web interface, and internal communication — is encrypted.

Authentication via IdPlace.hr

Authentication is handled by our own identity provider, IdPlace.hr, using OAuth2/OIDC with PKCE. Multi-factor authentication (TOTP) is supported and recommended.

Regular Security Updates

Dependencies are monitored and updated continuously. Security patches are applied promptly. Our CI/CD pipeline includes automated vulnerability scanning.

GDPR Compliance by Design

We do not treat GDPR as a checkbox exercise. Data protection principles are embedded into our architecture from the start:

  • Data minimization — we collect only the data necessary to provide the service.
  • Purpose limitation — data is used only for the purposes stated in our Privacy Policy.
  • Storage limitation — data is retained only as long as necessary, with clear retention periods.
  • Right to erasure — customers can export and delete their data at any time.
  • Data portability — data can be exported in standard, machine-readable formats.
  • Data Processing Agreement — a formal DPA is available for all customers.

Access Controls

Internal access to customer data is strictly limited:

  • Role-based access control with the principle of least privilege.
  • All access to production systems is logged and audited.
  • No employee has standing access to customer data — access is granted on a need-to-know basis for support and debugging.
  • Zero-knowledge encryption means that even with database access, sensitive fields cannot be read in plaintext.

Incident Response

In the event of a security incident:

  • Affected customers are notified within 72 hours of our becoming aware of a personal data breach. (The GDPR requires a processor to notify the controller without undue delay; the 72-hour deadline in Article 33 is the controller's deadline for reporting to the supervisory authority, and our commitment is sized to leave you time to meet it.)
  • We conduct a thorough investigation and implement corrective measures.
  • Post-incident reports are made available to affected customers upon request.

Responsible Disclosure

If you discover a security vulnerability in Workplace.hr, we ask that you report it responsibly. Please email us at security@workplace.hr with details of the vulnerability.

We will acknowledge your report within 48 hours and work with you to understand and resolve the issue. We will not take legal action against researchers who report vulnerabilities in good faith.