Security

How we protect your data and maintain platform security

PeopleCore – Security

Last updated: 23 January 2026

Executive Summary

At PeopleCore, we take security seriously. Our platform is designed with a defence-in-depth approach, protecting every layer of the system, including authentication, authorisation, data storage, APIs, and infrastructure.

As a multi-tenant HR management system, PeopleCore ensures robust tenant isolation, role-based access control, and comprehensive audit logging. Our security measures are built to keep your data private, compliant, and secure.

Authentication & Session Management

  • Secure Authentication: We use industry-standard frameworks to verify user identity.
  • Password Protection: All passwords are hashed using bcrypt with automatic salting.
  • Session Security: Cookies are HttpOnly, Secure, and set with appropriate SameSite policies to prevent XSS attacks.
  • Enterprise Single Sign-On: Integration with Google and Microsoft Entra ID (Azure AD) allows seamless SSO for businesses.
  • Immediate Access Revocation: User sessions can be invalidated instantly during offboarding or credential changes.

Authorisation & Access Control

  • Role-Based Access Control (RBAC) ensures that users only see and act on data relevant to their role.
  • Four-tier role hierarchy: SUPER_ADMIN, ADMIN, MANAGER, EMPLOYEE.
  • Granular permissions: Screens and actions can be restricted at a fine-grained level for extra security.
  • Tenant Isolation: Users can never access data belonging to other companies. All operations are scoped to the user's organisation.

API Security

  • Rate Limiting: All API endpoints are protected to prevent abuse or brute-force attacks.
  • Input Validation: Strict validation ensures only properly formatted and safe data enters the system.
  • SQL Injection Prevention: All database queries are parameterised to avoid injection attacks.
  • Authentication Enforcement: Protected routes require valid sessions, preventing unauthorised access.

Data Protection

Encryption

  • Passwords are one-way hashed.
  • Sensitive fields are encrypted with industry-standard AES-256-GCM encryption.
  • All data in transit is encrypted using TLS 1.3.

Audit Logging

Every action within the platform is recorded with full attribution, creating an immutable trail for accountability.

Sensitive Data Handling

Partial masking of private data, such as bank accounts, and secure transmission prevent accidental exposure.

Frontend Security

  • Cross-Site Scripting (XSS) Prevention: All user inputs are validated and sanitised to prevent malicious scripts.
  • Cross-Site Request Forgery (CSRF) Protection: Mutating requests require secure tokens to ensure authenticity.
  • Input Validation: Both client and server-side checks prevent invalid or dangerous data.

Infrastructure Security

  • Content Security Policy (CSP) and strict HTTP headers protect the platform against web-based attacks.
  • Environment Variable Security: Sensitive configuration is never exposed to the client.
  • Serverless and CDN Protection: Hosted on Vercel with automatic HTTPS, global CDN, and DDoS protection.

File Storage and Deployment

Secure File Uploads

Files are stored with signed URLs and tenant-scoped paths, with validation to prevent malicious content.

Database Security

Hosted on Railway PostgreSQL, encrypted in transit, patched automatically, with automated backups and private networking.

Deployment Isolation

Preview and production environments are separated to protect against accidental leaks or misconfigurations.

Compliance Considerations

PeopleCore's security practices align with:

  • Privacy Act 2020 (NZ): Controlled access and audit logging.
  • Holidays Act 2003 (NZ): Accurate leave tracking.
  • GDPR Principles: Data minimisation, purpose limitation, and access controls.

Continuous Improvement

Security is an ongoing commitment. Our current initiatives include:

High Priority

  • Enforcing server-side CSRF validation
  • Monitoring authentication failures
  • Implementing Subresource Integrity (SRI) for third-party scripts

Medium Priority

  • Strengthening password policies
  • Session timeouts
  • API versioning

Low Priority

  • Reviewing additional security headers
  • Automating vulnerability scans in our CI/CD pipeline

Contact

For security concerns or vulnerability reports, please contact our dedicated security team through the official channels.

hi@peoplecore.co.nz