Security

Enterprise-grade security on every plan

HR data is some of the most sensitive information your company holds. We protect it the same way a bank does — not as an afterthought.

AES-256 · TLS 1.2+ · bcrypt · POPIA · JWT + Rotation · Audit Logged

AES-256 Encryption

Every sensitive field — ID numbers, bank account details, salary figures — is encrypted at rest using AES-256. All data in transit is protected with TLS 1.2 or higher.

ID numbers encrypted at rest
Bank details stored encrypted
Salary data never in plain text
TLS 1.2+ for all API calls

bcrypt Password Hashing

Passwords are never stored. We store only a bcrypt hash with configurable salt rounds — the industry standard that makes brute-force attacks computationally infeasible.

Passwords never stored in plain text
bcrypt with salt rounds
One-way hashing — irreversible
Secure reset via one-time token

Role-Based Access Control

Three distinct roles with strict permission boundaries. Employees see only their own records. HR managers see their company. Admins control everything within their tenant.

Employee — own records only
HR Manager — company-wide HR data
Admin — full company management
Cross-tenant access is impossible

Complete Audit Trail

Every action in the system is logged: who did it, what they changed, when they did it and from which IP address. Tamper-evident and always available.

Every API action logged
User identity on every entry
Timestamp + IP address recorded
Exportable for compliance review

POPIA Compliance

PeopleCore is built from the ground up for South Africa's Protection of Personal Information Act. You are the Responsible Party — we are the Operator processing data on your behalf.

Lawful basis for all processing
Data subject access requests
Right to erasure supported
Information Regulator contact disclosed

Secure Document Vault

Employee contracts, payslips, IDs and HR documents are stored in an encrypted document vault. Access is controlled by role — employees see only their own documents.

Encrypted file storage
Role-based document access
Payslips — employee view only
Contracts — HR and admin only
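The role, ownership and tenant checks from the Role-Based Access Control and Secure Document Vault sections above, as one added example written for this page (not PeopleCore's code). The tenant boundary is enforced before any role rule runs, and access is deny-by-default. The permission matrix is my reading of the bullets and is an assumption: employees view their own records, contracts are for HR managers and admins, HR managers work on company-wide HR data, and only admins touch company settings. The sample tenants, people and records are constructed.

```javascript
// Added example (not PeopleCore's code): tenant-scoped, deny-by-default RBAC.
const ACTIONS = ['view', 'edit'];

// Rules per role (assumption: my reading of the page's bullets). Every rule runs
// only after the tenant check in canAccess, so no rule can reach across tenants.
const RULES = {
  admin: () => true,                                                    // full company management
  hr_manager: (actor, record) => record.kind !== 'company_settings',    // company-wide HR data
  employee: (actor, record, action) =>
    action === 'view' && record.ownerId === actor.id && record.kind !== 'contract',
};

// actor: { id, role, tenantId }   record: { id, kind, ownerId, tenantId }
function canAccess(actor, record, action) {
  if (!ACTIONS.includes(action)) return false;
  if (actor.tenantId !== record.tenantId) return false;   // tenant boundary first
  const rule = RULES[actor.role];
  return rule ? rule(actor, record, action) : false;       // unknown role: deny
}

// What a listing endpoint should return: ids of records the actor may act on.
// Filtering in one place means a forgotten WHERE clause cannot leak rows.
function visibleRecords(actor, records, action = 'view') {
  return records.filter((r) => canAccess(actor, r, action)).map((r) => r.id);
}

// Constructed sample data for two tenants (not real companies or people).
const RECORDS = [
  { id: 'ps-1',  kind: 'payslip',          ownerId: 'emp-1', tenantId: 'acme' },
  { id: 'ct-1',  kind: 'contract',         ownerId: 'emp-1', tenantId: 'acme' },
  { id: 'ps-2',  kind: 'payslip',          ownerId: 'emp-2', tenantId: 'acme' },
  { id: 'cfg-a', kind: 'company_settings', ownerId: null,    tenantId: 'acme' },
  { id: 'ps-9',  kind: 'payslip',          ownerId: 'emp-9', tenantId: 'globex' },
];
const EMPLOYEE_1   = { id: 'emp-1', role: 'employee',   tenantId: 'acme' };
const HR_ACME      = { id: 'hr-1',  role: 'hr_manager', tenantId: 'acme' };
const ADMIN_ACME   = { id: 'adm-1', role: 'admin',      tenantId: 'acme' };
const ADMIN_GLOBEX = { id: 'adm-9', role: 'admin',      tenantId: 'globex' };
```

Putting the tenant comparison ahead of the role switch is the detail worth copying: an admin of one tenant is still denied every record of another, which is what "cross-tenant access is impossible" has to mean in code.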

JWT Session Management

Short-lived access tokens (15 minutes) with refresh token rotation. Sessions can be viewed and revoked at any time by administrators — useful when an employee leaves.

15-minute access token lifespan
Refresh token rotation
View all active sessions
Remote session revocation

Breach Response Protocol

In the event of a security incident we follow a documented breach response protocol — notifying the Information Regulator within 72 hours and affected parties without undue delay.

72-hour regulator notification
Affected party communication
Incident documentation
Post-incident review process

POPIA Compliance

Built for South African data protection law

PeopleCore is designed as a POPIA-compliant operator. We process personal information only on your instruction, with appropriate safeguards, and we assist you in meeting your obligations as the Responsible Party.

Lawful basis: All data processing has a documented lawful basis
Data minimisation: We collect only what is necessary for HR functions
Retention policy: 5-year retention with secure deletion on request
Data subject rights: Access, correction and erasure requests supported
Breach notification: 72-hour notification to the Information Regulator
Operator agreement: Data processing agreement available on request