Security

Security as a foundation.

Calbarry handles highly sensitive HR data — salaries, demographics, and performance ratings. Security is not an add-on. The product was designed from day one to clear procurement review at enterprise customers and to support certification under SOC 2 and ISO 27001 when revenue warrants the audit.

Data protection

  • Encryption in transit. All connections to the service use TLS 1.2 or higher with modern cipher suites. HSTS is enforced.
  • Encryption at rest. Sensitive fields — salary, employee identifiers, email addresses, demographic attributes, performance ratings — are encrypted at the column level with a per-tenant data encryption key. Each tenant key is wrapped by a customer-managed key held in a hardware-backed key management service; the wrapping key never leaves that service, and tenant keys exist in plaintext only inside the encryption module.
  • Tenant isolation. Every database query is scoped to a tenant identifier through a framework-level guard. Cross-tenant access is treated as a critical-severity bug and covered by dedicated integration tests on every protected endpoint.
  • Backups. Encrypted, EU-resident, rotated on a documented schedule. Restore procedures are tested periodically.
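The two mechanisms described above (column-level encryption under a per-tenant data key that is itself wrapped by a KMS-held key, and a framework-level guard that scopes every access to one tenant) are combined in the following runnable Go example. It is added illustration, not Calbarry's code: the KMS is simulated with an in-memory key so the example runs offline, AES-256-GCM is assumed for both the data and the wrapping layer, the "database" is a pair of maps, and the names (Store, Scope, PutSalary, GetSalary) are invented here. Binding each ciphertext to its tenant, row and column through the AEAD associated data is an extra hardening step the page does not mention.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrNotFound = errors.New("not found")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal returns nonce || ciphertext || tag; open reverses it and fails if the
// key, the ciphertext or the associated data (AAD) differ from sealing time.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// KMS stands in for the hardware-backed service holding the customer-managed
// key; in production that key never leaves the service, here it is a byte slice
// so the example runs offline. The tenant name is part of the wrapping AAD, so
// a wrapped DEK copied into another tenant's key row will not unwrap.
type KMS struct{ kek []byte }

func (k *KMS) Wrap(tenant string, dek []byte) []byte { return seal(k.kek, dek, []byte("dek:"+tenant)) }
func (k *KMS) Unwrap(tenant string, w []byte) ([]byte, error) { return open(k.kek, w, []byte("dek:"+tenant)) }

// Store is an in-memory stand-in for the database: a table of wrapped DEKs
// and a table of encrypted salary cells keyed by tenant-qualified row id.
type Store struct {
	kms        *KMS
	wrappedDEK map[string][]byte
	rows       map[string][]byte
}

// Scope is the framework-level guard and the only handle application code gets.
// It carries the tenant of the authenticated session and that tenant's DEK,
// unwrapped for this request only, so every access is tenant-scoped by construction.
type Scope struct {
	s      *Store
	tenant string
	dek    []byte
}

func (s *Store) For(tenant string) Scope {
	if _, ok := s.wrappedDEK[tenant]; !ok { // first use: mint and wrap a DEK
		s.wrappedDEK[tenant] = s.kms.Wrap(tenant, randomBytes(32))
	}
	dek, err := s.kms.Unwrap(tenant, s.wrappedDEK[tenant])
	if err != nil {
		panic("wrapped key does not belong to tenant " + tenant)
	}
	return Scope{s, tenant, dek}
}

// aad ties a ciphertext to its tenant, row and column so it cannot be moved to
// another cell and still decrypt; key is the equivalent of `WHERE tenant_id = ?`.
func aad(tenant, id, col string) []byte { return []byte(tenant + "|" + id + "|" + col) }
func key(tenant, id string) string     { return tenant + "/" + id }

func (sc Scope) PutSalary(id, salary string) {
	sc.s.rows[key(sc.tenant, id)] = seal(sc.dek, []byte(salary), aad(sc.tenant, id, "salary"))
}

// A row another tenant owns is simply "not found": the guard never looks outside
// the caller's tenant, so the answer cannot even confirm that the id exists.
func (sc Scope) GetSalary(id string) (string, error) {
	ct, ok := sc.s.rows[key(sc.tenant, id)]
	if !ok {
		return "", ErrNotFound
	}
	pt, err := open(sc.dek, ct, aad(sc.tenant, id, "salary"))
	return string(pt), err
}

func main() {
	st := &Store{&KMS{randomBytes(32)}, map[string][]byte{}, map[string][]byte{}}
	st.For("acme").PutSalary("e-1001", "74000 EUR")   // constructed sample row
	fmt.Println(st.For("acme").GetSalary("e-1001"))   // 74000 EUR <nil>
	fmt.Println(st.For("globex").GetSalary("e-1001")) // "" not found
}
```

The guard holds by construction: GetSalary cannot be called without a Scope, and a Scope cannot be built without naming the tenant from the session. The AAD binding is defence in depth: a bug that hands one tenant's ciphertext to another tenant's request, or moves a ciphertext to a different row or column, fails at decryption rather than returning someone else's salary.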

Identity and access

  • Multi-factor authentication. Available to every role, using either an authenticator-app code or a passkey. Admins may enforce MFA organisation-wide via a self-service policy switch.
  • Role-based access control. Owner, Admin, HR Lead, Analyst, Viewer. Permissions are evaluated server-side on every protected request — UI hiding is never the sole control.
  • Last-Owner protection. The platform refuses destructive role changes that would leave an organisation without an Owner.
  • Session controls. Session cookies carry the HttpOnly, Secure, and SameSite attributes. Sessions expire after 30 minutes of inactivity and after 12 hours regardless of activity; re-authentication is required for sensitive operations.
  • SSO and SCIM. SAML 2.0 single sign-on and SCIM provisioning are available to enterprise customers; the schema supports per-org auth configuration so SSO can be enforced organisation-wide.
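An added Go example (not Calbarry's code) of the server-side role check together with the Last-Owner rule from the list above. The permission matrix it uses (Owners may change any role; Admins may change roles as long as neither the old nor the new role is Owner; nobody else manages roles) is an assumption made for illustration, as are the type and function names. The invariant it enforces is the one the page states: an organisation is never left without an active Owner, including when an Owner demotes or deactivates themself.

```go
package main

import (
	"errors"
	"fmt"
)

type Role int

const (
	Viewer Role = iota
	Analyst
	HRLead
	Admin
	Owner
)

var (
	ErrForbidden = errors.New("forbidden")
	ErrUnknown   = errors.New("no such member")
	ErrLastOwner = errors.New("refused: organisation would be left without an Owner")
)

// Org is one organisation's membership. Deactivated members keep their role
// row but no longer count towards the Owner invariant.
type Org struct {
	roles  map[string]Role
	active map[string]bool
}

func NewOrg(roles map[string]Role) *Org {
	o := &Org{roles: map[string]Role{}, active: map[string]bool{}}
	for user, r := range roles {
		o.roles[user], o.active[user] = r, true
	}
	return o
}

func (o *Org) activeOwners() int {
	n := 0
	for user, r := range o.roles {
		if r == Owner && o.active[user] {
			n++
		}
	}
	return n
}

// mayChangeRole is the permission rule assumed for this example: Owners may
// change any role, Admins may change roles as long as neither the old nor the
// new role is Owner, and nobody else manages roles.
func mayChangeRole(actor, from, to Role) bool {
	switch actor {
	case Owner:
		return true
	case Admin:
		return from != Owner && to != Owner
	}
	return false
}

// SetRole is the server-side check. The actor's role comes from membership,
// never from the request, and the Last-Owner check runs after the permission
// check, so it also covers an Owner demoting themself.
func (o *Org) SetRole(actor, target string, to Role) error {
	actorRole, ok := o.roles[actor]
	if !ok || !o.active[actor] {
		return ErrForbidden
	}
	from, ok := o.roles[target]
	if !ok {
		return ErrUnknown
	}
	if !mayChangeRole(actorRole, from, to) {
		return ErrForbidden
	}
	if from == Owner && to != Owner && o.active[target] && o.activeOwners() == 1 {
		return ErrLastOwner
	}
	o.roles[target] = to
	return nil
}

// Deactivate is the other destructive path: only Owners may deactivate an
// Owner, and the last active Owner cannot be deactivated by anyone.
func (o *Org) Deactivate(actor, target string) error {
	actorRole, ok := o.roles[actor]
	if !ok || !o.active[actor] || actorRole < Admin {
		return ErrForbidden
	}
	targetRole, ok := o.roles[target]
	if !ok {
		return ErrUnknown
	}
	if targetRole == Owner && actorRole != Owner {
		return ErrForbidden
	}
	if targetRole == Owner && o.active[target] && o.activeOwners() == 1 {
		return ErrLastOwner
	}
	o.active[target] = false
	return nil
}

func main() {
	org := NewOrg(map[string]Role{"alice": Owner, "bob": Admin}) // constructed membership
	fmt.Println(org.SetRole("alice", "alice", Admin)) // refused: alice is the last Owner
	fmt.Println(org.SetRole("bob", "bob", Owner))     // forbidden: Admins cannot grant Owner
	fmt.Println(org.SetRole("alice", "bob", Owner))   // <nil>
	fmt.Println(org.SetRole("alice", "alice", Admin)) // <nil>: bob now holds Owner
}
```

The order of the checks matters: the permission check runs first so that a non-privileged caller learns nothing about how many Owners exist, and the invariant is evaluated on the current membership at the moment of the change, not on what the client claims.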

Audit trail

Every read or write of sensitive data is recorded in an append-only audit log. The log captures the actor, the action, the resource, the timestamp, and a request identifier that correlates with application logs. Audit rows cannot be modified or deleted, including by Calbarry. Organisation admins can query their own log via the platform to support self-service compliance obligations under Article 7 of the Directive.

The audit log is retained for seven (7) years, in line with the long-tail evidentiary needs of pay-equity compliance.
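One way to make "cannot be modified or deleted" verifiable rather than merely promised, and to give the integrity-check alert mentioned under Operations something concrete to fire on: a hash-chained log in which every row commits to the previous row's hash, so any edit or deletion in the chain fails verification. This is an added Go example, not Calbarry's implementation; the chain construction, the externally anchored head hash, and the field layout are assumptions, and the events are constructed samples.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrTampered  = errors.New("audit chain broken")
	ErrTruncated = errors.New("audit log shorter than the anchored head")
)

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// Entry carries the fields the page lists, plus the two chain links.
type Entry struct {
	Seq       int
	Actor     string
	Action    string
	Resource  string
	Time      string // RFC 3339 as written by the application
	RequestID string
	PrevHash  string
	Hash      string
}

// canonical is the byte string that is hashed. %q quotes and escapes each
// field, so a "|" inside a value cannot be mistaken for the separator.
func canonical(e Entry) string {
	return fmt.Sprintf("%d|%q|%q|%q|%q|%q|%s",
		e.Seq, e.Actor, e.Action, e.Resource, e.Time, e.RequestID, e.PrevHash)
}

func hashEntry(e Entry) string {
	sum := sha256.Sum256([]byte(canonical(e)))
	return hex.EncodeToString(sum[:])
}

// AuditLog has Append and read-only accessors and deliberately no update or
// delete method; the chain makes any out-of-band edit detectable.
type AuditLog struct{ entries []Entry }

func (l *AuditLog) Append(actor, action, resource, ts, reqID string) Entry {
	e := Entry{Seq: len(l.entries), Actor: actor, Action: action, Resource: resource,
		Time: ts, RequestID: reqID, PrevHash: l.Head()}
	e.Hash = hashEntry(e)
	l.entries = append(l.entries, e)
	return e
}

// Head is the latest hash. Anchoring it somewhere the application's database
// role cannot write (the alerting pipeline, a WORM bucket) is what turns the
// chain into evidence: someone who can rewrite rows can also recompute hashes,
// and deleting trailing rows leaves a chain that still verifies on its own.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return genesis
	}
	return l.entries[len(l.entries)-1].Hash
}

// Verify recomputes every hash and link, then compares the final hash with an
// externally anchored head ("" skips that comparison). It returns the index
// of the first bad entry, or -1 when the log checks out.
func (l *AuditLog) Verify(anchoredHead string) (int, error) {
	prev := genesis
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i, ErrTampered
		}
		prev = e.Hash
	}
	if anchoredHead != "" && prev != anchoredHead {
		return len(l.entries), ErrTruncated
	}
	return -1, nil
}

func main() {
	var al AuditLog
	// Constructed sample events, not real Calbarry records.
	al.Append("user:hr-lead-7", "read", "employee/e-1001/salary", "2024-05-02T09:14:03Z", "req-4f2a")
	al.Append("user:admin-2", "update", "employee/e-1001/salary", "2024-05-02T09:15:41Z", "req-4f2b")
	head := al.Head()
	al.entries[0].Actor = "user:someone-else" // simulated out-of-band edit
	fmt.Println(al.Verify(head))              // 0 audit chain broken
}
```

Run Verify on a schedule with the most recently anchored head and alert on any non-nil error; the returned index tells the responder where the chain first diverges, which is also where the forensic timeline starts.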

Infrastructure

  • EU-only data residency. Production data is stored and processed exclusively within the European Union and is never transferred outside the EEA.
  • Least-privilege. The application runs as a database role with no permission to update or delete audit records; only the migration role can change schema. Privileged access by Calbarry personnel requires MFA and a recorded justification, and is logged.
  • Network controls. All inbound traffic terminates behind a managed CDN with TLS, rate limiting, and DDoS protection. Internal services are not exposed to the public internet.
  • Secrets management. No secrets are checked into source control. Production secrets are sourced from a managed secrets store and rotated on a documented schedule.

Engineering practices

  • Type-safe codebase with strict static analysis; security-lint rules block common classes of vulnerability before code review.
  • Tests are mandatory for every protected endpoint, including tenancy isolation and role-based access checks. Coverage thresholds gate merges.
  • Dependencies are pinned, scanned for known vulnerabilities on every build, and updated on a rolling schedule.
  • Secret scanning runs on every commit. Pre-commit hooks block common mistakes (debug logs, hard-coded credentials).
  • Database migrations are forward-only by default. Destructive operations require explicit operator approval.

Operations

  • Incident response. Documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Personal-data breaches affecting customer data are notified to the customer without undue delay, and in any case within 72 hours of becoming aware, so that the customer can meet its own supervisory-authority notification deadline under GDPR Article 33.
  • Logging and monitoring. Structured logs with request-id correlation. PII fields are redacted before they reach the log destination. Alerts fire on authentication anomalies, error spikes, and integrity-check failures.
  • Business continuity. Multi-AZ infrastructure within the EU region of operation; documented recovery time and recovery point objectives are provided in the DPA.

Compliance roadmap

The controls above are designed against the requirements of SOC 2 Type II and ISO/IEC 27001. Independent third-party certification is on the roadmap and will be pursued at the revenue threshold where it is commercially justified. Until then, customers can rely on the contractual commitments in the DPA, the controls listed here, and the right to audit defined in our agreement.

Responsible disclosure

If you believe you have found a security issue affecting Calbarry, please report it via the contact form with “Security disclosure” in the message subject line. Please do not publish details until we have had a reasonable opportunity to investigate. We acknowledge reports within two (2) business days and credit researchers who request attribution.

Procurement, audit, or security review? Request our DPA and sub-processor list — we’ll respond within one business day.

Talk to us →