NaasflowSecurity
Trust

Payroll data is the most sensitive data your company holds.

Encryption, isolation, audit logs, and a clear chain of custody — from the moment an employee is added to the moment a bank file leaves the building.

Our posture

Honest, not theatrical.

Some HR platforms ship a "trust page" full of logos for certifications they never earned. We'd rather tell you what's actually true: the controls we have, the controls we don't, and the timeline for closing the gap. Read the architecture below and ask us anything that's missing.

For procurement and vendor questionnaires: security@naasflow.pk. We turn most around in two business days.

Architecture

Eight controls that protect every record.

Encryption everywhere

Every byte of payroll and identity data is encrypted in transit and at rest. No internal service ever sees data in the clear except for the brief moment it's processed in memory.

TLS 1.3 in transitAES-256 at restManaged Postgres

Tenant isolation at the database

Every query is filtered at the database, not the app layer. A bug in the app can't accidentally leak one company's payroll to another — the row simply doesn't return for the wrong tenant. This is Postgres Row-Level Security, enforced by the database itself.

RLS on every workforce tableService-role bypass loggedPer-tenant policies

Audit log for every action

Who ran the payroll. Who approved it. Who changed a salary. Who downloaded the bank file. Every action that touches money or identity data lands in an immutable audit log — readable in the app, exportable for your auditor.

Append-onlyActor + timestamp + IPCSV export

Least-privilege roles

Six built-in roles — Owner, Admin, HR, Manager, Employee, Auditor — each with a tight permission set. The default is to grant nothing extra. Sensitive actions like payroll finalization or bank-file generation can be locked behind a second approver.

6 RBAC rolesOptional two-step approvalAuditor read-only role

Backups & recovery

Daily managed backups with point-in-time recovery on the last 7 days. We test restore quarterly. If a tenant deletes data by mistake, we can roll their workspace back without touching anyone else.

Daily backupsPITR 7 daysTested quarterly

Infrastructure

Application on Vercel's edge network. Postgres and storage on Supabase, EU region. cPanel SMTP for transactional email — no third-party email provider holds your payslip attachments.

Vercel + Supabase EUcPanel SMTP, not ResendDNSSEC on naasflow.com

Sub-processors

We publish a complete sub-processor list. Today: Supabase (database + storage), Vercel (hosting), cPanel SMTP (email), Anthropic (AI features when explicitly opted in). No analytics tracker has access to PII.

4 sub-processorsAI opt-in onlyNo third-party PII analytics

Incident response

If something breaks or someone breaks in, you'll hear from us — fast. Critical incidents trigger customer notification within 24 hours with what happened, what data was touched, and what we're doing about it.

24-hour critical noticesecurity@naasflow.pkPost-mortem published

What we do and don't claim

The honest list.

What we have today, and what we don't. The "don't" side is on a roadmap — but until we're certified, we don't put a badge on this page.

  • Row-Level Security on every workforce table

    Tenant isolation enforced by Postgres, not the app.

    In place
  • Regional data residency on request

    EU primary today. Other regions available on request for enterprise customers.

    In place
  • Daily backups + 7-day point-in-time recovery

    Restore tested quarterly.

    In place
  • Audit log on every sensitive action

    Payroll, salary changes, downloads, role grants — all logged.

    In place
  • SOC 2 Type I

    On roadmap. We're not certified — and we won't put a fake badge on this page.

    On roadmap
  • ISO 27001

    Not in scope until SOC 2 lands. Honest answer: not before late 2026.

    On roadmap
  • Penetration test by third party

    Planned post-launch. Until then, internal review only.

    On roadmap

If something breaks

What you can expect from us during an incident.

  1. 1Detection & triage. Health checks, error monitoring, and on-call rotation flag anomalies within minutes. Severity assigned in the first 60 minutes.
  2. 2Customer notification within 24 hours. For any incident that touched customer data, you get an email with what happened, what data was affected, and what we're doing.
  3. 3Fix, then post-mortem. We publish a public post-mortem for every critical incident — root cause, fix, and prevention steps. No spin.
  4. 4Responsible disclosure. Found a vulnerability? Email security@naasflow.pk. We acknowledge in 48 hours and won't take legal action against good-faith research.

For procurement teams

Need a security questionnaire turned around?

Send your vendor form to security@naasflow.pk. Most come back inside two business days with sources cited, not placeholders.

Talk to us