Enterprise-Grade Security for Your Staff Data
Your data security and privacy are our top priorities. The Staff Service is built with enterprise-grade security features to protect your organisation's sensitive information. We implement industry-standard security practices to ensure your data remains safe, secure, and under your control.
Core Security Features
Enterprise Authentication
Strong password requirements, secure password storage using bcrypt, and secure session management with HttpOnly cookies.
Multi-Tenant Isolation
Complete data separation between organisations. Zero cross-organisation access, even for administrators. API keys are automatically scoped to the organisation that created them, ensuring external integrations can only access that organisation's data.
CSRF Protection
All forms are protected against Cross-Site Request Forgery attacks with token-based validation.
SQL Injection Prevention
All database queries use parameterized prepared statements, eliminating SQL injection risks.
XSS Protection
All user-generated content is properly escaped and validated to prevent Cross-Site Scripting attacks.
Secure File Uploads
File type validation, size limits, directory traversal protection, and access control for all uploads.
API Security
Secure API key authentication with key hashing, expiration support, and usage tracking. Each organisation's API keys are automatically scoped to their organisation - your API key can only access your organisation's data, ensuring complete isolation even when integrating with external systems.
Role-Based Access
Granular permissions ensure users only access what they need based on their role.
Rate Limiting
Protection against brute force attacks and API abuse with intelligent rate limiting on authentication endpoints and API calls.
Data Ownership & Control
You maintain complete ownership and control over all your data. There's no vendor lock-in, no external dependencies that could compromise your information. When you use the Staff Service, your data stays yours - you can export it at any time in standard formats, and you have the option to deploy the system on your own infrastructure for even greater control.
Every organisation's data is completely isolated at the database level. This means that even if you're sharing the same system with other organisations, there's zero possibility of cross-organisation data access. Staff from one organisation cannot see, access, or modify data from another organisation, even if they're administrators. This isolation is enforced at the database query level, not just in the application interface, providing an extra layer of security.
This isolation extends to API integrations as well. When you create an API key in Staff Service, it is automatically linked to your organisation. When that API key is used by external systems (like Digital ID or HR platforms), it can only access your organisation's data. Each organisation has separate API keys, and there's no way for one organisation's API key to access another organisation's information, even if they're using the same external system.
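The pattern described above (hashed API keys with expiry, each bound to one organisation, and the tenant filter applied inside the query) can be sketched as follows. This is an added example, not the Staff Service's own code; the table layout, function names, SQLite and the use of SHA-256 for key hashing are all assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time


def digest(raw_key):
    # Keys are high-entropy random strings, so a fast hash is adequate here
    # (assumption; the page says only that keys are hashed).
    return hashlib.sha256(raw_key.encode()).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY,
                               organisation_id INTEGER NOT NULL,
                               expires_at REAL NOT NULL);
        CREATE TABLE staff (id INTEGER PRIMARY KEY,
                            organisation_id INTEGER NOT NULL,
                            name TEXT NOT NULL);
    """)
    # Constructed sample rows: one staff member in each of two organisations.
    db.executemany("INSERT INTO staff VALUES (?, ?, ?)",
                   [(1, 10, "Alice (org 10)"), (2, 20, "Bob (org 20)")])
    return db


def issue_key(db, organisation_id, ttl_seconds=3600, now=None):
    raw = secrets.token_urlsafe(32)
    expires = (time.time() if now is None else now) + ttl_seconds
    db.execute("INSERT INTO api_keys VALUES (?, ?, ?)",
               (digest(raw), organisation_id, expires))
    return raw  # shown once to the caller; only the digest is stored


def organisation_for_key(db, raw_key, now=None):
    now = time.time() if now is None else now
    row = db.execute("SELECT organisation_id FROM api_keys "
                     "WHERE key_hash = ? AND expires_at > ?",
                     (digest(raw_key), now)).fetchone()
    return row[0] if row else None


def get_staff_name(db, raw_key, staff_id, now=None):
    org = organisation_for_key(db, raw_key, now)
    if org is None:
        raise PermissionError("unknown or expired API key")
    # The tenant filter is part of the SQL and is derived from the key,
    # never from a caller-supplied organisation parameter.
    row = db.execute("SELECT name FROM staff WHERE id = ? AND organisation_id = ?",
                     (staff_id, org)).fetchone()
    return row[0] if row else None
```

A request for another organisation's record returns nothing rather than an error, so the caller cannot tell whether the record exists.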
Audit & Compliance
We understand that compliance and audit requirements are critical for organisations handling sensitive staff data. That's why the Staff Service includes comprehensive tracking and logging capabilities. Every change to a staff profile is tracked, creating a complete audit trail that shows what was changed, when it was changed, and who made the change.
Access logging ensures you can track who accessed what data and when, which is essential for compliance reporting and security audits. API usage is also logged, allowing you to monitor how external systems are accessing your data. The system is designed with GDPR principles in mind, helping you meet your data protection obligations while maintaining the flexibility to work the way your organisation needs.
Security Best Practices
The Staff Service implements security best practices aligned with industry standards, providing protection against the most common web application vulnerabilities identified in the OWASP Top 10. This means you're protected against SQL injection, cross-site scripting, cross-site request forgery, and other common attack vectors that could compromise your data.
Security is built into the system from the ground up, with environment-based security settings that automatically adapt based on whether you're running in development or production. Secure defaults are applied throughout, so even if you don't configure every setting, you're still protected. All user inputs are validated on the server side, and all outputs are properly encoded based on their context - whether that's HTML, JSON, or other formats.
Error handling is designed to be secure as well. In production, detailed error messages are hidden from users to prevent information disclosure that could aid attackers. Instead, errors are logged server-side where they can be reviewed by administrators, while users see friendly, generic messages that don't reveal system internals.
Have Security Questions?
We believe in security transparency. If you have questions about our security practices or need more information, please get in touch.