Where the data lives. How it's encrypted. Who can access it. How fast we recover. What's certified, what's in progress, what's still on the roadmap. Without the marketing varnish.
The one screenshot your security team will paste into the review. We tell you what's done, what's in progress, and what's a target — not a single one of these is wishful.
Compliant with India's Digital Personal Data Protection Act. Consent flows, purpose limitation, data subject rights all built in.
Information security management certification. Audit firm engaged, control framework documented, evidence collection underway.
US-focused audit standard. Not yet started — committing for 2027 after ISO 27001 is in place. Most India-only buyers don't need this; we'll have it for those who do.
AES-256 for data at rest in databases, backups, and object storage. TLS 1.3 for all data in transit, including internal service-to-service traffic.
All customer data stored in AWS regions in India. Production in Mumbai (ap-south-1), DR replica in Hyderabad (ap-south-2). No cross-border data transfer.
Daily automated backups with point-in-time recovery and 35-day retention. Cross-region replication to Hyderabad. RTO 4 hours · RPO 1 hour, tested quarterly with documented runbooks.
MFA on all plans. SSO (SAML 2.0, OIDC) on Enterprise. Role-based access control with audit logging on all admin actions. Session timeout and IP allowlisting on Enterprise.
Annual third-party penetration test by CERT-In empanelled firm. Findings remediated and re-tested. Latest report available under NDA for Enterprise prospects.
24×5 monitoring with on-call rotation, automated alerting on anomalies. 72-hour breach notification per DPDP Act 2023. Public status page with subscribe.
Customer data — employee records, payslips, documents, Aadhaar references — is stored in AWS regions in India. The production database runs in Mumbai (ap-south-1). The disaster recovery replica is in Hyderabad (ap-south-2). Logs, backups, and search indexes follow the same residency rule.
No data is transferred outside India for processing or storage. The full sub-processor list — including which inference provider serves AI requests — is published in our DPA.
Every byte of customer data is encrypted at rest with AES-256, with keys held in AWS KMS. Keys are scoped per tenant and rotated annually. Backups are encrypted under separate keys.
In transit, every connection uses TLS 1.3. The application enforces HSTS with preload; older TLS versions are refused. Service-to-service traffic inside our VPC is also TLS-encrypted — no plaintext on any network, internal or external.
MFA is mandatory on all plans — TOTP via authenticator app, with SMS fallback. SSO (SAML 2.0 + OIDC) is included on Enterprise; supported IdPs include Okta, OneLogin, Google Workspace, and Microsoft Entra.
Inside the platform, role-based access control governs every action; custom roles are available on Enterprise. Every admin action (viewing a payslip that is not your own, exporting data, changing a salary) is recorded in an audit log accessible to admins.
≥12 chars · no reuse · breach-checked against HaveIBeenPwned.
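The three password rules above, worked through as an added example (this is illustration code, not hrplanr's implementation). The breach check uses the k-anonymity range lookup that Pwned Passwords exposes: only the first five hex characters of the SHA-1 hash leave the client, and the match is done locally against the returned suffix list. The `fetch_range_offline` table, the sample breached password and its hit count are constructed so the block runs without network access; `PasswordHistory`, `evaluate_password` and the PBKDF2 parameters are this example's own choices.

```python
"""Password policy: minimum length, no reuse, breach check via the
Pwned Passwords k-anonymity range API. Added example with constructed data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # OWASP (2023) figure for PBKDF2-HMAC-SHA256


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, upper-case, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The live service returns one "SUFFIX:COUNT" line per breached hash that shares
# the 5-hex-char prefix; the client never transmits the full hash. This table is
# built at import time from one sample breached password so the example runs
# offline; the hit count and the two padding lines are arbitrary.
_SAMPLE = sha1_upper("password123")
CONSTRUCTED_RANGES = {
    _SAMPLE[:5]: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{_SAMPLE[5:]}:126927",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline replacement for the HTTP call; unknown prefixes return no lines."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash used for the history; never store plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


@dataclass
class PasswordHistory:
    """Salted PBKDF2 hashes of current and previous passwords. Reuse is
    detected by re-deriving the candidate against every stored salt."""
    entries: list[tuple[bytes, bytes]] = field(default_factory=list)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, derive(password, salt)))

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(derive(password, salt), stored)
                   for salt, stored in self.entries)


def evaluate_password(password: str, history: PasswordHistory,
                      fetch_range: Callable[[str], str] = fetch_range_offline) -> list[str]:
    """Return every policy violation; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if history.contains(password):
        problems.append("reused from password history")
    count = breach_count(password, fetch_range)
    if count:
        problems.append(f"seen {count} times in known breaches")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.add("Tr0ub4dor&3-horse-stable")
    for candidate in ("password123", "Tr0ub4dor&3-horse-stable",
                      "a-long-and-unbreached-phrase"):
        print(candidate, "->", evaluate_password(candidate, history) or "ok")
```

To run against the live corpus, replace `fetch_range_offline` with a function that performs the HTTPS GET for the prefix and returns the response body; the rest of the check is unchanged because the comparison happens client-side. The policy deliberately reports all violations at once rather than stopping at the first, so a user is not sent round the loop three times.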
Employee · Manager · HR · Admin · Finance. Custom roles on Enterprise. Permission check on every API call.
365-day retention standard, longer on Enterprise. Exportable.
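How a per-call permission check and an audit trail of admin actions fit together, as an added example (not hrplanr's code). The role names follow the page; the `object:verb:scope` permission grammar, the tenant-isolation rule, the `guarded` decorator and the in-memory payslip table are this example's own assumptions. The audit rule matches the page's description: reading your own record is routine, while reading someone else's, exporting, or changing a salary is recorded, as is every denial.

```python
"""RBAC with a permission check on every API call, tenant isolation, and an
audit log of privileged actions. Added example; names are assumptions."""
import functools
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed permission grammar: "<object>:<verb>:<scope>". Scope "self" covers the
# caller's own record, "any" covers every record inside the caller's tenant.
ROLE_PERMISSIONS = {
    "Employee": {"payslip:read:self", "profile:read:self"},
    "Manager":  {"payslip:read:self", "profile:read:self", "profile:read:any"},
    "HR":       {"payslip:read:any", "profile:read:any", "profile:update:any",
                 "data:export:any"},
    "Finance":  {"payslip:read:any", "salary:update:any", "data:export:any"},
    "Admin":    {"payslip:read:any", "profile:read:any", "profile:update:any",
                 "salary:update:any", "data:export:any"},
}


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: str
    tenant: str
    role: str


@dataclass(frozen=True)
class Employee:
    id: str
    tenant: str


@dataclass
class AuditEvent:
    tenant: str
    actor: str
    action: str
    target: str
    outcome: str   # "allowed" or "denied"
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


AUDIT_LOG: list[AuditEvent] = []


def authorize(actor: User, action: str, target: Employee) -> str:
    """Return the permission that grants `action` on `target`, else raise."""
    # Tenant boundary first: a role in one tenant grants nothing in another.
    if target.tenant != actor.tenant:
        raise PermissionDenied(f"{actor.id} is not in tenant {target.tenant}")
    perms = ROLE_PERMISSIONS.get(actor.role, set())   # unknown role: no permissions
    wanted = [f"{action}:any"]
    if target.id == actor.id:
        wanted.insert(0, f"{action}:self")            # prefer the narrower grant
    for perm in wanted:
        if perm in perms:
            return perm
    raise PermissionDenied(f"{actor.role} may not {action} on {target.id}")


def guarded(action: str):
    """Decorator: authorize before the handler runs; log privileged use and denials."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(actor: User, target: Employee, *args, **kwargs):
            try:
                grant = authorize(actor, action, target)
            except PermissionDenied:
                AUDIT_LOG.append(AuditEvent(actor.tenant, actor.id, action, target.id, "denied"))
                raise
            if not grant.endswith(":self"):   # self-scoped reads are routine
                AUDIT_LOG.append(AuditEvent(actor.tenant, actor.id, action, target.id, "allowed"))
            return handler(actor, target, *args, **kwargs)
        return wrapper
    return decorator


# Constructed in-memory data for the example.
PAYSLIPS = {("acme", "e1"): 85_000, ("acme", "e2"): 92_000, ("globex", "g1"): 70_000}


@guarded("payslip:read")
def get_payslip(actor: User, target: Employee) -> int:
    return PAYSLIPS[(target.tenant, target.id)]


@guarded("salary:update")
def update_salary(actor: User, target: Employee, new_salary: int) -> int:
    PAYSLIPS[(target.tenant, target.id)] = new_salary
    return new_salary


def is_denied(call, *args) -> bool:
    """True if the call is refused by the permission check."""
    try:
        call(*args)
    except PermissionDenied:
        return True
    return False


def audit_entries(tenant: str) -> list[tuple[str, str, str, str]]:
    """Tenant-scoped view of the trail as (actor, action, target, outcome)."""
    return [(e.actor, e.action, e.target, e.outcome)
            for e in AUDIT_LOG if e.tenant == tenant]
```

Two design points worth noticing: the tenant check runs before the role lookup, so an HR user in one customer's tenant is refused on another customer's records regardless of role, and the denial itself lands in the audit log, which is what an investigator needs when looking for probing of other employees' payslips. A real deployment would write `AUDIT_LOG` to append-only storage rather than a list.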
Automated daily backups with point-in-time recovery, retained for 35 days. Backups are stored cross-region in Hyderabad, encrypted with separate keys. We run a full disaster recovery drill quarterly, with documented runbooks reviewed each cycle.
The numbers we commit to: RTO 4 hours · RPO 1 hour. The last drill (Mar 2026) recovered a full tenant in 2 hours 18 minutes. The drill report is available to Enterprise customers under NDA.
Found a vulnerability? We want to hear about it. Email security@hrplanr.com with details; we acknowledge within one business day and triage within three business days.
We commit not to take legal action against good-faith security research that follows our disclosure policy.
Read the full disclosure policy →
Send us your CAIQ, SIG, or in-house security questionnaire. We complete most in 3-5 business days. Pen-test summary, sub-processor list, DPA, and architecture diagrams are available under NDA.
We'd rather answer them now than during procurement.