
How PayGrity Protects Your Employee Data (And Why It Matters)

By Priya Nadkarni, VP of Engineering · August 3, 2024 · 8 min read

Payroll software holds some of the most sensitive data a business has: Social Security numbers, bank account details, home addresses, compensation for every employee. We think you deserve to know exactly how we protect it — not in vague marketing language, but in specifics.

Every few months another HR or payroll platform makes the news for the wrong reason. The pattern is depressingly consistent: a forgotten test system, an over-privileged account, a credential that should have been rotated a year ago. The data these systems hold is exactly what attackers want, because it's a direct line to identity theft and payroll fraud. We built PayGrity assuming we are a target, because we are.

Encryption everywhere, by default

All customer data is encrypted in transit with TLS 1.2 or higher, and encrypted at rest using AES-256. Particularly sensitive fields — bank account and routing numbers, government identifiers — get an additional layer of application-level encryption, so that even inside our own systems they are never stored or logged in plaintext. Keys are managed in a dedicated key-management service and rotated on a fixed schedule.

Least privilege, all the way down

The most common cause of a breach isn't an exotic exploit — it's an account that could do far more than it needed to. We design against that. Every internal service runs with the narrowest set of permissions required to do its job and nothing more. A component that needs to read a record cannot modify it; a component that writes telemetry cannot read customer records. Employee access to production is gated behind multi-factor authentication, scoped to specific duties, reviewed quarterly, and logged. No one has standing access to customer payroll data "just in case."

Separation between what's public and what's not

The systems that serve our marketing site, our customer portal, and our internal operations are deliberately isolated from one another. There is no path that lets a visitor to a public page reach the infrastructure that processes payroll. We treat the boundary between "anyone on the internet" and "trusted internal systems" as sacred, and we monitor it continuously for anything that looks like someone testing it.

We assume someone is always probing

Our security team operates on the assumption that our perimeter is under constant, automated probing — because telemetry says it is. Unusual access patterns, credential stuffing against the login, enumeration of endpoints that don't exist: these are everyday background noise on the public internet, and we instrument for them. The point of good monitoring isn't to be alarmed by this; it's to make sure the noise never turns into a foothold, and to learn from the people who try.
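The two patterns named above, credential stuffing against the login and enumeration of endpoints that don't exist, can be separated from ordinary background noise with a small amount of detection logic. The example below is added here and is not PayGrity code; it assumes a constructed, simplified log line format ("timestamp src_ip method path status user=name") and thresholds chosen for illustration. Note the distinguishing signal for stuffing is many distinct usernames from one source, not many attempts on one account, so a single user mistyping a password is not flagged.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): one source cycling usernames
# against /login, one walking paths that do not exist, and normal use.
SAMPLE_LOG = """\
2024-08-03T10:00:01Z 203.0.113.7 POST /login 401 user=alice
2024-08-03T10:00:02Z 203.0.113.7 POST /login 401 user=bob
2024-08-03T10:00:02Z 203.0.113.7 POST /login 401 user=carol
2024-08-03T10:00:03Z 203.0.113.7 POST /login 401 user=dave
2024-08-03T10:00:03Z 203.0.113.7 POST /login 401 user=erin
2024-08-03T10:00:04Z 203.0.113.7 POST /login 200 user=frank
2024-08-03T10:00:05Z 198.51.100.9 GET /admin-old 404 user=-
2024-08-03T10:00:05Z 198.51.100.9 GET /test 404 user=-
2024-08-03T10:00:06Z 198.51.100.9 GET /backup 404 user=-
2024-08-03T10:00:06Z 198.51.100.9 GET /staging 404 user=-
2024-08-03T10:00:07Z 198.51.100.9 GET /api/v0/users 404 user=-
2024-08-03T10:00:08Z 192.0.2.44 POST /login 401 user=grace
2024-08-03T10:00:09Z 192.0.2.44 POST /login 200 user=grace
2024-08-03T10:00:10Z 192.0.2.44 GET /portal/payroll 200 user=grace
"""


def parse(line):
    """Split one constructed-format log line into its fields."""
    ts, ip, method, path, status, user = line.split()
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": int(status), "user": user.removeprefix("user=")}


def detect(log_text, stuffing_users=5, enum_paths=5):
    """Return sorted (rule, src_ip) alerts found in the log text."""
    failed_users = defaultdict(set)   # ip -> distinct usernames failing at /login
    missing_paths = defaultdict(set)  # ip -> distinct paths answered with 404
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["path"] == "/login" and e["status"] == 401:
            failed_users[e["ip"]].add(e["user"])
        elif e["status"] == 404:
            missing_paths[e["ip"]].add(e["path"])
    alerts = set()
    for ip, users in failed_users.items():
        if len(users) >= stuffing_users:   # many accounts, one source
            alerts.add(("credential_stuffing", ip))
    for ip, paths in missing_paths.items():
        if len(paths) >= enum_paths:       # probing for things that aren't there
            alerts.add(("endpoint_enumeration", ip))
    return sorted(alerts)
```

In a real deployment the same counters would be kept per sliding time window rather than over the whole file, and the alert would carry the first and last timestamps seen for the source.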

Responsible disclosure

We believe security is a collaboration. If you're a researcher and you believe you've found a vulnerability in any PayGrity system, we want to hear from you. Email security@paygrity.co with the details and we'll respond. We don't threaten good-faith researchers, and we credit the people who help us stay honest.

Audited, not just asserted

It's easy to claim good security. We'd rather have it verified. PayGrity maintains a SOC 2 Type II program, undergoes independent penetration testing, and keeps our practices documented and reviewed rather than tribal knowledge in someone's head. If you're evaluating us and your own compliance team needs documentation, your account contact can walk you through it.

Protecting your employees' data is the whole job, not a feature we bolt on. If you have questions about how any of this works for your account, reach our security team directly at security@paygrity.co.


Priya Nadkarni leads engineering and security at PayGrity. This post describes our general approach and is intentionally light on implementation detail — for good reason.
