Data protection
How we protect your data
Every piece of data you entrust to Paply is protected at multiple layers — in transit, at rest, and at the application level.
Encryption in transit
All data transmitted between your browser and Paply is encrypted using TLS 1.2 or higher. We enforce HTTPS on all connections and redirect all HTTP traffic.
Encryption at rest
All data stored in our database is encrypted at rest using AES-256. Sensitive fields including NI numbers and salary data are additionally encrypted at the application layer.
Row Level Security
Every database table uses Row Level Security (RLS). It is architecturally impossible for one organisation to read another organisation's data — the database enforces this, not just the application.
Access controls
Service role keys are never exposed to the browser. All sensitive API calls are server-side only. Employee data is scoped to the authenticated user's organisation at every layer.
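The organisation scoping described under Row Level Security and Access controls, as an added illustration on Postgres/Supabase. This is not Paply's schema or policy code: the `memberships` and `employees` tables, the `admin`/`employee` roles, the `is_org_admin` helper and the UUID in the check are all assumptions; `auth.uid()` is Supabase's built-in helper that returns the JWT subject of the caller.

```sql
-- Assumed schema (not Paply's): a membership table maps logins to organisations.
create table memberships (
  user_id         uuid not null,
  organisation_id uuid not null,
  role            text not null check (role in ('admin', 'employee')),
  primary key (user_id, organisation_id)
);

create table employees (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  user_id         uuid,          -- the employee's own login, if they have one
  full_name       text not null,
  ni_number_enc   bytea          -- application-layer ciphertext; plaintext never reaches the DB
);

-- Turn RLS on and FORCE it so the table owner is not exempt either.
alter table employees enable row level security;
alter table employees force row level security;

-- True when the calling JWT subject is an admin of the given organisation.
-- SECURITY DEFINER so the policy can consult memberships even when that
-- table is locked down by policies of its own.
create function is_org_admin(org uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from memberships m
    where m.user_id = auth.uid()
      and m.organisation_id = org
      and m.role = 'admin'
  )
$$;

-- Employers: read and write rows belonging to their own organisation only.
create policy employees_admin_all on employees
  for all to authenticated
  using (is_org_admin(organisation_id))
  with check (is_org_admin(organisation_id));

-- Employees: read their own row only. No write policy exists for them,
-- so any insert/update/delete they attempt is rejected.
create policy employees_self_select on employees
  for select to authenticated
  using (user_id = auth.uid());

-- No policy names the anon role, so unauthenticated requests return zero rows.
-- The Supabase service_role key bypasses RLS entirely, which is exactly why it
-- must never leave the server.

-- Check (constructed user id): impersonate a login inside a transaction and
-- confirm that rows from other organisations are simply not returned.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
                    true);
  -- expected: only rows this user administers, or the user's own employee row
  select id, organisation_id, full_name from employees;
rollback;
```

The check at the end is the useful part for a reviewer: run it once per role you care about and confirm the row count, rather than trusting that the application filters correctly. Because `force row level security` is set, even a connection as the table owner goes through the policies; only superusers and roles with `bypassrls` (the Supabase `service_role`) skip them.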
Authentication
Passwordless authentication via magic link reduces credential theft risk. Sessions are managed securely via encrypted cookies with appropriate expiry. Multi-factor authentication is available on request.
Backups
We take daily automated database backups with point-in-time recovery. Backups are encrypted and stored in a separate geographic region. We test restoration procedures regularly.
Infrastructure
Our technology stack
We build on enterprise-grade infrastructure from providers with their own rigorous security certifications.
| Component | Provider | Certifications | Data location |
|---|---|---|---|
| Database | Supabase (PostgreSQL) | SOC 2 Type II | EU / US (SCCs) |
| Hosting | Vercel | SOC 2 Type II | EU / US (SCCs) |
| Payments | Stripe | PCI DSS Level 1 | EU / US (SCCs) |
| Email delivery | Resend | SOC 2 | US (SCCs) |
| AI processing | Anthropic | SOC 2 Type II | US (SCCs) |
| CDN / DDoS | Vercel Edge Network | ISO 27001 | Global |
SCCs = Standard Contractual Clauses for GDPR-compliant international data transfers.
Employee data
Special protections for sensitive data
Employee payroll data is among the most sensitive personal data we process. We apply additional protections beyond our standard security baseline.
Olive conversations
Employee conversations with Olive (our wellbeing AI) are completely private. Employers cannot see any conversation content. We do not log or store conversation content beyond the active session unless the employee explicitly saves it.
- Employer has zero visibility
- No content retained after session ends
- Crisis detection routes to external services only
Payroll data
Salary, NI numbers, tax codes, and bank details receive additional encryption. Employees can only see their own data. Employers can only see data for their own organisation.
- NI numbers encrypted at field level
- Bank details never stored by Paply
- Payslips access-controlled per employee
Benchmarking data
When we use your data to improve our benchmarking engine, it is fully anonymised and aggregated. We never contribute data sets with fewer than 5 organisations — making re-identification statistically impossible.
- No PII in benchmark contributions
- Minimum 5 org threshold enforced
- Aggregates only — never individual records
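The minimum-5-organisation rule from the Benchmarking section, as an added SQL illustration that is not Paply's benchmarking engine. It assumes a `benchmark_contributions` table into which the application has already written de-identified rows (no names or NI numbers, only an organisation id, a sector, a role title and a salary figure) and enforces the threshold inside the aggregation itself, so a cell with fewer than five contributing organisations is never materialised.

```sql
-- Assumed staging table (not Paply's): contributions are already de-identified.
create table benchmark_contributions (
  organisation_id uuid    not null,   -- used only for the threshold count, never exposed
  sector          text    not null,
  role_title      text    not null,
  salary          numeric not null
);

-- Aggregates only. The HAVING clause suppresses any cell with fewer than
-- 5 distinct organisations, so such a cell never exists to be queried.
create view salary_benchmarks as
select
  sector,
  role_title,
  count(distinct organisation_id)                     as contributing_orgs,
  count(*)                                            as sample_size,
  round(avg(salary))                                  as mean_salary,
  percentile_cont(0.5) within group (order by salary) as median_salary
from benchmark_contributions
group by sector, role_title
having count(distinct organisation_id) >= 5;

-- Constructed data: 5 distinct organisations for one cell, only 4 for another.
insert into benchmark_contributions (organisation_id, sector, role_title, salary)
select gen_random_uuid(), 'retail', 'Store Manager', 32000 + 1000 * g
from generate_series(1, 5) as g;

insert into benchmark_contributions (organisation_id, sector, role_title, salary)
select gen_random_uuid(), 'retail', 'Area Manager', 45000 + 1000 * g
from generate_series(1, 4) as g;

-- Returns the Store Manager cell only; the Area Manager cell is suppressed
-- because just 4 organisations contributed to it.
select * from salary_benchmarks order by role_title;
```

Two design points worth keeping in mind: the threshold counts distinct organisations rather than rows, so one organisation contributing many employees cannot satisfy it on its own; and consumers should be granted `select` on the view only, never on the staging table, so the only thing reachable is the aggregate.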
Data minimisation
We collect only what we need to provide the service. Features that don't require personal data use anonymised identifiers. We regularly review what we collect and delete data we no longer need.
- Collect only what's necessary
- Regular data audits
- Automated deletion after retention period
Shared responsibility
What we handle vs what you handle
Security is a shared responsibility. Here is a clear breakdown of who is responsible for what.
Paply is responsible for
- Platform infrastructure security
- Database encryption and access controls
- Secure authentication system
- Penetration testing and vulnerability management
- Sub-processor security and compliance
- Incident detection and response
- UK GDPR compliance as data processor
- Regular security reviews
You are responsible for
- Keeping your account credentials secure
- Managing user access within your organisation
- Deactivating accounts for leavers promptly
- Ensuring employees are informed about data use
- Maintaining your own GDPR compliance as data controller
- Reporting suspected security incidents to us
- Keeping contact email addresses current
Incident response
What happens if something goes wrong
We have a documented incident response process. In the event of a data breach:
Within 24 hours
We contain the incident, assess the scope, and begin our investigation. An internal incident log is created and key personnel are notified immediately.
Within 72 hours
If the breach is likely to result in a risk to individuals, we notify the ICO within 72 hours as required by UK GDPR — regardless of whether the investigation is complete.
Customer notification
We notify affected customers without undue delay. Notifications include: what happened, what data was affected, what we have done, and what you should do.
Found a security issue?
We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in Paply, please contact us before disclosing it publicly. We will investigate promptly and work with you to address it.
Email us at hello@paply.io with a description of the issue and steps to reproduce. We commit to acknowledging your report within 48 hours and keeping you updated on our progress.
We do not currently offer a bug bounty programme, but we deeply appreciate responsible disclosure and will acknowledge your contribution.