Security · how we protect your HR data

Your HR data, treated like ours.

Encryption everywhere, role-based access control, full audit log, tenant isolation, and a compliance roadmap that takes us through SOC 2 Type I by end of 2026. Built for HR teams that handle real, regulated employee data.

Four pillars of Link HR security
Encryption
  • AES-256 encryption at rest for the database and all document storage
  • TLS 1.3 in transit between all clients, the API, and downstream services
  • Per-tenant encryption keys with quarterly rotation
  • Encrypted backups with 30-day retention, restorable to any point in time
Access control
  • Role-based access control — HR admin, manager, employee, finance — with fine-grained field permissions
  • SSO with SAML and OIDC on the Scale plan (Okta, Azure AD, Google Workspace)
  • Mandatory 2FA on every privileged account; optional 2FA for all employees
  • Sensitive fields (salary, ID copies) gated by an additional permission tier
Audit and observability
  • Full audit log — every read, write, login, and permission change recorded with actor, time, and source IP
  • Audit log exportable as CSV for compliance reviews; retained 7 years
  • Per-request correlation IDs so support can trace any issue back to the source
  • Tenant isolation enforced at the database row level (Postgres RLS)
Compliance and data rights
  • GDPR-aligned data subject rights: access, portability, rectification, erasure on request
  • Data residency in AWS Bahrain or Cloudflare R2 (Frankfurt) — tenant-selectable
  • DPA available on request for every customer; subprocessor list public
  • SOC 2 Type I targeted for Q4 2026; ISO 27001 on the 2027 roadmap
Compliance status

We're transparent about where we are on the compliance journey. SOC 2 Type I work is underway with an audit window targeted for Q4 2026. ISO 27001 follows in 2027. In the meantime, we publish a security pack on request — architecture diagrams, encryption keys management, incident-response runbooks, subprocessor list, and DPA template.

Frequently asked

How is data encrypted?

How is data encrypted?
AES-256 at rest for the Postgres database and all document object storage. TLS 1.3 in transit between every client, the API, and all downstream services. Per-tenant encryption keys with quarterly rotation.
Where is my data stored?
Tenant-selectable: AWS Bahrain (me-south-1) for MENA residency, or Cloudflare R2 (Frankfurt) for European residency. Documents and database both stay in the chosen region; data never crosses unless you explicitly request a transfer.
Is there an audit log?
Yes — every read, write, login, permission change, and API call is logged with actor, time, source IP, and correlation ID. The audit log is exportable as CSV for compliance reviews and retained for 7 years.
Are you SOC 2 certified?
Not yet — SOC 2 Type I is underway with the audit window targeted for Q4 2026. ISO 27001 follows in 2027. In the meantime, we publish a security pack on request covering architecture, key management, incident response, and subprocessors.
Who are your subprocessors?
AWS (Bahrain region for primary hosting), Cloudflare (CDN + R2 storage for European residency), Anthropic (Linky AI features, zero-retention enterprise contract), and Sentry (error monitoring, EU region). The full list and DPA terms are public.
What happens in a security incident?
We notify affected tenants within 24 hours of confirmed impact, with details of what was accessed and a remediation plan. Our incident-response runbook follows the NIST framework. Penetration tests are run twice a year and reports are available on request.

Need to review the security pack?

Book a 20-minute call and we'll walk through architecture, share the security pack, and answer your IT team's procurement questions in writing.