Security & Compliance

PeopleFlow takes data security seriously with enterprise-grade protection: • Encryption at Rest — All data is encrypted using AES-256 encryption • Encryption in Transit — TLS 1.3 for all communications • Database Security — PostgreSQL with row-level security policies • Backup & Recovery — Automated daily backups with point-in-time recovery • Data Residency — Choose your data storage region

Multi-layered access control protects your sensitive data: • Role-Based Access Control (RBAC) — Granular permissions per module • Two-Factor Authentication (2FA) — Optional but recommended for all users • Session Management — Configurable session timeouts and concurrent limits • IP Allowlisting — Restrict access to trusted networks • Single Sign-On (SSO) — SAML 2.0 and OAuth 2.0 support

Every action in PeopleFlow is tracked for accountability: • User Actions — Login, data changes, approvals, and exports • System Events — Payroll runs, scheduled tasks, and integrations • Data Access — Track who viewed sensitive information • Search & Filter — Find specific events by user, action, or date • Export — Download audit logs for compliance review Audit logs are retained for the duration configured in your data retention policy.

PeopleFlow helps you meet regulatory requirements: • Caribbean Data Protection — Compliant with regional data protection laws • GDPR Alignment — Data subject rights and consent management • Labor Law Compliance — Built-in rules for Caribbean employment laws • Record Retention — Configurable retention periods by document type • Right to Access — Employees can view and export their personal data

In the unlikely event of a security incident: • 24/7 Monitoring — Automated threat detection and alerting • Incident Response Plan — Documented procedures for containment • Notification — Timely communication to affected parties • Post-Incident Review — Root cause analysis and remediation • Transparency — Public status page for service availability