Security at PayrollPro
Last updated: May 25, 2026
PayrollPro handles Social Security Numbers, bank credentials, and tax filings. Treating that data carelessly would be unforgivable. This page is the public summary of how we protect it. Our full security policy set lives in version control alongside the source code — every change is auditable.
At a glance
- 🔐 AES-256 encryption at rest (database + backups)
- 🔒 TLS 1.2+ in transit, HSTS preload
- 🛡️ NIST SP 800-63 AAL2 on the firm dashboard (password + TOTP)
- 🚫 SMS-MFA not offered (deprecated by NIST SP 800-63B)
- 🔑 SSN encrypted column-level with pgcrypto; key never in browser bundle
- 🤖 Cloudflare Turnstile bot challenge on signup
- 📜 Every signature captures IP + UA + SHA-256 doc hash (E-SIGN)
- 🏦 ACH origination compliant with NACHA Operating Rules
- 🗑️ GDPR / CCPA right-to-erasure with 30-day cooling-off
- 📋 Dependabot + manual SLAs for vulnerability patching
Encryption
At rest. All customer data lives in a PostgreSQL database (Supabase, AWS us-east-1) with full-disk AES-256 encryption managed by AWS KMS. Sensitive fields — Social Security Numbers, bank-account metadata — are additionally encrypted at the column level with pgp_sym_encrypt (pgcrypto) using a separate 256-bit key that is never bundled into the browser. Decryption only happens in server-side code paths that have passed authentication + tenant-ownership checks.
In transit. All traffic uses TLS 1.2 or higher with modern cipher suites. We set Strict-Transport-Security and request HSTS preload. Database connections are TLS-only. Webhook deliveries are signature-verified (Stripe HMAC, Telnyx Ed25519) and rejected outside a 5-minute replay window.
Authentication
- Firm dashboard (/dashboard/*): password + TOTP enforced server-side. AAL1-only sessions are rejected by the edge middleware on every request — not just at sign-in.
- Password policy: minimum 10 characters, rejected against the well-known breached-password list, no arbitrary composition rules (per NIST SP 800-63B guidance).
- Second factor: TOTP (RFC 6238) only. Compatible with Google Authenticator, Authy, 1Password, etc. SMS-MFA is explicitly disallowed.
- Trusted device (optional): a 30-day HMAC-SHA-256 signed cookie lets a user skip TOTP on a remembered browser. Bound to the user ID, revocable from the profile page.
- Single source of truth: Supabase Auth is the only identity provider — no shadow user tables, no per-feature auth. Add or remove access in one place.
- Bot protection: Cloudflare Turnstile gates public signup to keep automated abuse off the funnel.
Authorisation & tenant isolation
Every table in the payroll schema enforces PostgreSQL Row-Level Security policies that scope reads and writes to the requesting user's tenant. RLS is the last line of defence — application code also checks tenant ownership on every API route as defence in depth.
The Service Role key (which bypasses RLS) lives only in Vercel production environment variables; it is never bundled into the browser and never used by code that has not first validated the request context (webhook signature, tenant ownership, etc.).
Vulnerability & patch management
Our patch SLAs:
- Critical (CVSS 9.0+): patched within 24 hours
- High (7.0–8.9): within 7 days
- Medium (4.0–6.9): within 30 days
- Low (≤3.9): within 90 days
Dependabot runs weekly across npm + GitHub Actions, grouped by ecosystem and severity. End-of-life software is tracked quarterly; deprecated packages are removed or upgraded within one minor release of EOL announcement.
Privacy & data subject rights
The rights to access, rectify, delete, and port your data are honoured under both CCPA § 1798.105 and GDPR Art. 17. Deletion requests run through a 30-day cooling-off window with a cancellation token emailed to the requester. After 30 days, a service-role job hard-deletes the tenant and all foreign-key-cascaded children. Tax records that we are legally required to retain (IRS Pub. 583, typically 4 years) survive the deletion and are listed explicitly in the receipt.
Full details: Privacy Policy.
Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database + Auth | AWS us-east-1 |
| Vercel | Web hosting | Global edge |
| Stripe | Billing + ACH | USA |
| Resend | Transactional email | USA |
| Telnyx | Outbound fax (IRS) | USA |
| Cloudflare | DNS + bot challenge | Global edge |
| Google (Gemini) | In-app help chat (optional) | USA |
| Google (OAuth) | Optional social login | USA |
Plaid will be added when the ACH Transfer integration ships, with 30 days' in-app notice before activation.
Incident response
In the event of a confirmed data exfiltration:
- Affected customers notified within 72 hours of confirmation
- Regulatory disclosure (IRS, SSA, state AGs) as legally required
- Post-incident report published within 30 days
Suspected (not confirmed) exposure: customers notified within 5 business days. Lower-severity incidents are summarised in the monthly change log inside the admin dashboard.
Compliance frameworks referenced
- NIST SP 800-63B — passwords, MFA, AAL2
- NACHA Operating Rules — ACH origination & authorisation
- E-SIGN Act (15 U.S.C. § 7001) — electronic signatures
- IRS Pub. 1474 — Reporting Agent authorisation (Form 8655)
- IRS Pub. 583 — records retention for business taxes
- GDPR Art. 17 / CCPA § 1798.105 — right to erasure
- Plaid Risk & Compliance requirements (for upcoming Plaid Link integration)
Report a security issue
Email: sales@espartan.net. Please include reproduction steps and any proof-of-concept. We acknowledge within 2 business days and provide status updates every 5 business days until resolution. Good-faith research is welcomed and will not result in legal action, provided you avoid privacy violations, service disruption, and data exfiltration.