Hibiscus HR
🔒 Security

How we treat your employees' data.

Specifics, not slogans. Every claim on this page is implemented in production code today. If something here ever stops being true, this page changes in the same release.

Canadian Data Residency

All HR data is stored in Canadian data centres on Microsoft Azure (Canada Central). Transactional emails are delivered via Resend (US-based processor) and payment processing via Helcim (Calgary, Canada). Employee and payroll data does not leave Canada.

AES-256-GCM Field-Level Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.2+. SINs and banking details get an additional layer of authenticated field-level encryption (AES-256-GCM) so even a database leak can't expose them. Encryption keys are verified on every application boot with a round-trip self-test; a misconfigured key refuses to start the service rather than silently corrupting records.

HttpOnly Cookie Authentication

Authentication tokens live in HttpOnly cookies, not browser storage. This means XSS attacks, the most common web vulnerability, cannot steal a logged-in session. Tokens also rotate on every refresh.

Strict HTTP Security Headers

Every response ships with HSTS (preload), a strict Content Security Policy limiting where scripts and styles can load from, X-Frame-Options: DENY to block clickjacking, X-Content-Type-Options: nosniff, and a tight Permissions-Policy. The admin, API, and marketing sites are each independently scored A on securityheaders.com.

Breached-Password Protection

Passwords set on signup or reset are checked against the HaveIBeenPwned Pwned Passwords database using k-anonymity: we never send your password or its full hash, only the first 5 characters of its SHA-1 hash. If your password appears in a known breach, we reject it and ask you to choose another.
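The k-anonymity lookup described above, as an added example (not Hibiscus HR's own code): the server hashes the password, sends only the 5-character prefix to the range endpoint, and matches the remaining 35 characters locally against the returned list. The range response here is a constructed fixture with made-up counts so the example runs offline; `fetch_range` stands in for the HTTP call to `https://api.pwnedpasswords.com/range/{prefix}`.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed fixture imitating the range response for prefix 5BAA6: one
# "SUFFIX:COUNT" line per matching hash. Counts are invented for this example.
# The zero-count line mimics the padding entries the API can add so that
# response sizes do not reveal how many real matches a prefix has.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
00A8DAE4228F821FB418F59826079BF368E:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000000000000000000000000000000000A:0
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent over the wire and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a map; blank lines are ignored and
    zero-count padding entries are kept (they simply never reject a password)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password was seen in breaches (0 = not found).
    fetch_range(prefix) is the only network-facing step; it sees the prefix,
    never the password or the full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy from the page: any breach appearance means the password is rejected."""
    return breach_count(password, fetch_range) == 0


# Stub standing in for the HTTP call; only the fixture prefix has data.
def fixture_fetch(prefix: str) -> str:
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```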

Email Authentication (SPF, DKIM, DMARC)

Our sending domain publishes SPF, DKIM, and a DMARC policy with aggregate reporting. We are in the staged rollout from p=none to p=reject; a reject policy prevents attackers from spoofing @hibiscushr.ca in phishing emails targeting your team.

PIPEDA Compliant

Our data handling practices are designed to comply with Canada's Personal Information Protection and Electronic Documents Act. Hibiscus HR doesn't currently process Quebec employee data, so Quebec Law 25 obligations are not in scope today. Law 25 is part of the audit work we're doing before Quebec coverage ships.

PCI-DSS Compliant

Payment card data is processed by Helcim, a PCI-DSS Level 1 certified processor. Card numbers are tokenized in the browser via HelcimPay.js and never touch our servers.

Access Controls

Role-based access control ensures employees only see data relevant to their role. There are three roles, admin / manager / employee, and every protected route checks the caller's role before serving data. TOTP-based two-factor authentication is available for every account, with a tenant-level "Enforce 2FA for admin" toggle that requires every admin to enrol before they can use admin functions.

Schema-per-Tenant Isolation

Every customer gets a dedicated PostgreSQL schema. There is no shared "employees" table that we filter by tenant_id at runtime. The tenant boundary is enforced by the database, not by application code, so a bug in application code cannot accidentally surface another tenant's rows. Schema names are random hex strings, not slugs, so a leaked tenant identifier can't be reverse-engineered into a schema name.

Audit Logging

Every administrative action writes an immutable row to the audit log: employee creation, role change, payroll run, T4 file, ROE generation, document upload, integration connection, billing change, 2FA enrolment. Each row captures actor, action, target, and timestamp. Authentication failures and 5xx responses also flow into Application Insights for forensic review.

Live Status Page

Real-time operational health at hibiscushr.ca/status. API, admin console, and marketing site are independently probed every 5 minutes by Azure availability tests; the public status page polls our readiness endpoint every 30 seconds.

SOC 2

SOC 2 Type II attestation is on our security roadmap, but is not currently in progress. We will revisit when budget and customer demand align, typically when an enterprise customer needs SOC 2 as a contract gate.

Responsible Disclosure

Found a security issue? Please report it responsibly to support@hibiscushr.ca. Our RFC 9116 disclosure policy is published at /.well-known/security.txt. We aim to respond within 48 hours.

Security questions?

We're happy to answer questions about our security posture for enterprise evaluations. Detailed responses are available under NDA for procurement reviews.

support@hibiscushr.ca