Security, in detail.
HR Assist holds some of the most sensitive data in your company — salaries, bank details, IDs. Here's exactly how we protect it.
Architecture
HR Assist is multi-tenant, but every row of customer data is isolated by Postgres row-level security. There is no scenario under which workspace A can query workspace B's rows, even with a bug in application code — the database itself enforces the boundary.
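
A sketch of how workspace isolation with Postgres row-level security is typically set up, added here as an illustration and not HR Assist's actual schema or code. The table, column, role, and setting names (employees, workspace_id, app_user, app.workspace_id) and the UUIDs are assumptions.

```sql
-- Hypothetical tenant table: every row carries its workspace id.
CREATE TABLE employees (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    full_name    text NOT NULL,
    salary       numeric(12,2)
);

-- The application connects as a role that is neither superuser nor
-- BYPASSRLS, and does not own the table.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON employees TO app_user;
GRANT USAGE ON SEQUENCE employees_id_seq TO app_user;

-- ENABLE turns policies on; FORCE also applies them to the table owner,
-- who would otherwise bypass them.
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
ALTER TABLE employees FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- rows written for another workspace. An unset or empty setting becomes
-- NULL, the comparison is never true, and no rows match (fail closed).
CREATE POLICY workspace_isolation ON employees
    FOR ALL TO app_user
    USING (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Per request, as app_user: bind the workspace for this transaction only
-- (third argument true = local), so pooled connections do not leak it.
BEGIN;
SELECT set_config('app.workspace_id', '11111111-1111-1111-1111-111111111111', true);

-- A query that forgets its WHERE clause still sees only workspace 1111...
SELECT id, full_name FROM employees;

-- Asking for another workspace explicitly returns zero rows.
SELECT count(*) FROM employees
WHERE workspace_id = '22222222-2222-2222-2222-222222222222';

-- Writing into another workspace fails the WITH CHECK clause with
-- "new row violates row-level security policy".
INSERT INTO employees (workspace_id, full_name)
VALUES ('22222222-2222-2222-2222-222222222222', 'constructed sample row');
ROLLBACK;

-- Audit check: these roles skip every policy and should be few and known.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

The policy filters on whatever value the session setting holds, so the code path that calls set_config from the authenticated session is the part to review most closely.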
Encryption
- In transit: TLS 1.3 everywhere. HSTS with 1-year max-age. No TLS 1.0 / 1.1 accepted.
- At rest: AES-256 on all application and backup storage.
- Sensitive fields: bank account numbers, PAN, and Aadhaar are additionally encrypted at the field level with per-workspace keys.
Authentication
- Passwords are hashed with Argon2id.
- Optional two-factor authentication (TOTP) on all plans; enforced org-wide on Canopy.
- SSO via SAML 2.0 and OIDC on Canopy.
- SCIM 2.0 provisioning on Canopy.
Access control
Internal access to production follows least privilege. Engineers need a signed ticket and a peer approval to access any customer data, and every access is logged, reviewed weekly, and surfaced to Canopy customers in their audit log on request.
Backups & disaster recovery
Full backups daily, incremental backups hourly. Backups are encrypted and stored in a geographically separate region. RPO: 1 hour. RTO: 4 hours. We run DR drills quarterly.
Uptime & SLA
- Grove: 99.9% monthly uptime target. Service credit of 10% for the month if we miss it.
- Canopy: up to 99.99% monthly uptime, per contract. Financial credits up to 50%.
Compliance & audits
- SOC 2 Type II — in progress, expected Q3 2026.
- ISO/IEC 27001 — scoped for 2027.
- GDPR-compliant processing agreements available on request.
- India DPDP Act 2023 — compliant as of January 2026.
Responsible disclosure
If you find a vulnerability, please email info@hrassistconsulting.com with details. We acknowledge within 24 hours, fix critical issues within 72 hours, and recognize reporters publicly (with permission). We do not pursue good-faith researchers.