Compensation data is among the most sensitive information in any organization. We treat it with the highest level of care. This page describes the technical and organizational measures we use to protect your data.
1. Encryption
Data at Rest
All stored data is encrypted using AES-256 encryption. Database volumes, backups, and file storage are all encrypted by default with keys managed through a dedicated key management service. Encryption keys are rotated regularly and are never stored alongside the data they protect.
Data in Transit
All connections to the Service use TLS 1.3 with strong cipher suites. We enforce HTTPS for all traffic, including API calls and web interface access. HSTS (HTTP Strict Transport Security) is enabled with a minimum max-age of one year.
2. Tenant Isolation
Each client's data is logically isolated at the database level. Our architecture ensures:
- No cross-tenant data access is possible through the application layer
- Each client's data is stored with unique encryption keys
- Database queries are scoped to the authenticated tenant at every layer
- Automated tests verify isolation boundaries on every deployment
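As an added illustration of the tenant-scoping and isolation-test pattern described above (example code written for this page, not T-Systemm's implementation; the schema, sample rows and the AuthContext type are constructed assumptions):

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data: one shared table holding rows for two tenants.
SCHEMA = ("CREATE TABLE salaries (id INTEGER PRIMARY KEY, "
          "tenant_id TEXT NOT NULL, employee TEXT, base INTEGER)")
ROWS = [(1, "acme", "alice", 120000),
        (2, "acme", "bob", 95000),
        (3, "globex", "carol", 110000)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO salaries VALUES (?, ?, ?, ?)", ROWS)
    return conn

@dataclass(frozen=True)
class AuthContext:
    user_id: str
    tenant_id: str  # bound from the verified session, never read from the request

class SalaryRepo:
    """Every statement carries a tenant_id predicate taken from the AuthContext."""
    def __init__(self, conn, ctx):
        self._conn, self._ctx = conn, ctx

    def list_salaries(self):
        cur = self._conn.execute(
            "SELECT id, employee, base FROM salaries WHERE tenant_id = ?",
            (self._ctx.tenant_id,))
        return cur.fetchall()

    def get_salary(self, row_id):
        # Filter on id AND tenant_id: a guessed id from another tenant yields no row.
        cur = self._conn.execute(
            "SELECT id, employee, base FROM salaries WHERE id = ? AND tenant_id = ?",
            (row_id, self._ctx.tenant_id))
        return cur.fetchone()

def verify_isolation(conn):
    """Deployment check: no tenant may read a row that belongs to another tenant."""
    tenants = [t for (t,) in conn.execute("SELECT DISTINCT tenant_id FROM salaries")]
    for row_id, owner in conn.execute("SELECT id, tenant_id FROM salaries").fetchall():
        for other in tenants:
            if other == owner:
                continue
            if SalaryRepo(conn, AuthContext("isolation-check", other)).get_salary(row_id):
                return False  # boundary violated: abort the deployment
    return True
```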
3. Infrastructure Security
- Cloud hosting — the Service runs on industry-leading cloud infrastructure with SOC 2 and ISO 27001 certified data centers
- Network security — firewalls, VPC isolation, and network segmentation restrict traffic to only what is necessary
- DDoS protection — automatic mitigation of volumetric and application-layer attacks
- Intrusion detection — continuous monitoring for anomalous activity and known threat patterns
4. Application Security
- Secure development lifecycle — all code undergoes peer review before deployment
- Dependency management — automated scanning for known vulnerabilities in third-party libraries
- Input validation — strict server-side validation to prevent injection attacks
- CSRF protection — all state-changing operations require valid anti-forgery tokens
- Rate limiting — API and login endpoints are rate-limited to prevent brute-force attacks
5. Access Control
- Role-based access — granular permissions ensure users only access what they need
- Multi-factor authentication — available for all accounts, required for admin roles
- Session management — automatic timeout, single-session enforcement available
- Audit logging — all access to sensitive data and administrative actions are logged with timestamps, user identity, and action details
6. Employee Access
Access by T-Systemm personnel to client data is strictly limited:
- Access is granted on a need-to-know basis and requires explicit authorization
- All access is logged and auditable
- Production database access requires multi-factor authentication and VPN
- All team members undergo background checks and sign confidentiality agreements
7. Backups and Recovery
- Automated daily backups with point-in-time recovery capability
- Backups are encrypted and stored in a geographically separate location
- Recovery procedures are tested quarterly
- Target Recovery Point Objective (RPO): 1 hour; Recovery Time Objective (RTO): 4 hours
8. Incident Response
We maintain a formal incident response plan that includes:
- Detection — automated alerting on security anomalies, 24/7 monitoring
- Containment — immediate isolation of affected systems
- Notification — affected clients are notified within 48 hours of a confirmed data breach
- Remediation — root cause analysis and corrective measures documented and implemented
- Post-incident review — lessons learned shared with the team to prevent recurrence
9. Compliance Roadmap
| Framework | Status | Target |
|---|---|---|
| GDPR | Compliant by design | Ongoing |
| SOC 2 Type I | Controls implemented | Q4 2026 |
| SOC 2 Type II | Planned | 2027 |
| ISO 27001 | Planned | 2027 |
10. Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly to security@t-systemm.net. We commit to acknowledging your report within 24 hours and providing a resolution timeline within 72 hours. We do not pursue legal action against good-faith security researchers.
11. Questions
For security-related inquiries or to request our security documentation package: security@t-systemm.net