How we protect your people's data.

AES-256-GCM encryption applied to sensitive database fields: user and employee emails, TOTP secret for 2FA, API tokens for your HRIS integrations, OIDC client secret, and the RUT (tax ID) in billing data.

Keys are managed via AWS KMS in production with incremental rotation support. For lookups that don't require decryption (authentication, person search), we use deterministic SHA-256 hashes in composite indexes.

All traffic between browser, CloudFront, nginx, API, and database travels over TLS 1.3 with modern ciphers. HSTS preload with max-age of 2 years and includeSubDomains to ensure no browser ever downgrades to HTTP.

Your database (Neon PostgreSQL serverless), Redis, S3, and compute infrastructure live in AWS sa-east-1. Data doesn't leave the region without your explicit authorization.

Only exception: calls to Claude (Anthropic) and Voyage AI (embeddings) travel outside the region, but with PII redacted and under enterprise contract that prohibits training.

To search users by email without needing to decrypt (login, password reset, invite), we store an emailHash SHA-256 in a composite index (companyId, emailHash). This avoids decrypting the field on each request and removes the risk of timing-based side-channel attacks in queries.

Same pattern for RefreshToken.tokenHash, ApiKey.keyHash, InviteToken.token, and PasswordResetToken.token.

JWTs travel in HttpOnly, SameSite=None, Secure cookies, inaccessible from client-side JavaScript (prevents XSS theft).

Cookies are split by path: access_token (15 min) on path / and refresh_token (7 days) on path /api/v1/auth/refresh. This way the refresh is only sent when actually needed, reducing its exposure.

Each refresh token is single-use. If the same token arrives twice (usedAt already set), we assume possible theft: automatically invalidate ALL of the user's tokens by incrementing tokenVersion and force a re-login.

Tokens are stored as SHA-256 hashes, never in plaintext. Rotation drastically reduces the attack window if a token leaks.

Logout doesn't require querying a blacklist in the database on every request. We increment a tokenVersion field on User, and our JWT strategy compares payload.tv === user.tokenVersion. Any JWT issued before logout stops validating instantly.

Upside: zero per-request latency (no extra query) and the ability to invalidate ALL sessions of a user in a single atomic change.

Full TOTP 2FA support (Google Authenticator, Authy, 1Password). The secret is stored AES-256-GCM encrypted with a dedicated key (TOTP_ENCRYPTION_KEY), separate from the main key.

When 2FA is enabled, we generate 10 bcrypt-hashed backup codes for recovery. We also support WebAuthn / passkeys, enabling passwordless login with Face ID, Touch ID, Windows Hello, or hardware keys (YubiKey).

SsoConfig model active for Enterprise customers: stores SAML entryPoint, issuer and IdP certificate, plus OIDC credentials encrypted at rest with AES-256-GCM. The OIDC client secret is never exposed in plaintext outside the moment of creation.

SCIM 2.0 provisioning available in preview: /scim/v2/Users endpoint with Bearer token (SHA-256 hash in DB, shown in plaintext only once at generation) lets your IdP create and disable users. The full SSO login flow (signed SAML assertion validation and OIDC token exchange) is on the Enterprise roadmap — available on request for early evaluation.

We validate every password against HIBP (Have I Been Pwned) using k-anonymity: we only send the first 5 characters of the SHA1 hash, never the full password. If it appears in public breaches, we reject it.

Automatic lockout after 5 failed attempts (15 min block). Login and forgot-password always return the same generic message, preventing email enumeration.

Real defense-in-depth at the database layer. Every tenant-scoped table has ROW LEVEL SECURITY policies that filter by company_id automatically — even if an application query forgot the filter, PostgreSQL returns 0 rows without error.

The PrismaService (REQUEST-scoped) executes SET LOCAL app.company_id = '<uuid>' at the start of every transaction, reading the id from an AsyncLocalStorage populated by the TenantContextMiddleware. The policies use current_setting('app.company_id')::uuid to compare. Background jobs and schedulers run inside runWithCompany(companyId, fn), ensuring no operation ever touches data outside its tenant.

The companyId never travels in the body of a request. It's always read from the X-Company-ID header, and we validate that the authenticated user has a Membership in that company before continuing.

This means that even with a stolen JWT, you cannot access another company's data: the JwtAuthGuard rejects the request if it doesn't find a matching membership.

The Prisma middleware has two explicit lists: SCOPED_MODELS (54 models that require a companyId filter) and ALLOWED_MODELS (global models without tenant: enums, plan catalog, etc.).

Any model not in either list triggers an immediate exception. It's impossible to accidentally introduce a new model without going through an explicit security code review.

The model works with symbolic representations, not real personal data. Each redaction is logged in PromptGuardrailEvent for auditing.

We recognize and block 18 distinct prompt injection patterns: 'ignore previous instructions', 'DAN mode', 'jailbreak', 'pretend you are', 'forget your rules', 'override your instructions', 'role play as', 'developer mode', 'simulate being', among others.

Each attempt is logged with the input's SHA-256 hash (not the content) in PromptGuardrailEvent, along with userId and companyId, to detect systematic abuse.

When we inject company data into a RAG prompt, we wrap it in clear markers: <<<COMPANY_DATA>>>...<<<END_COMPANY_DATA>>> and <<<USER_QUESTION>>>...<<<END_USER_QUESTION>>>.

This prevents prompt confusion: the model distinguishes what is factual context from your company, what is the user's question, and what are its own system prompt instructions. Recommended pattern in LLM safety literature.

We use Anthropic Claude on enterprise tier: by contract, no input or output is used to train public models. Same with Voyage AI (embeddings): it does not store queries.

There is no model fine-tuning with one customer's data that benefits another. Your information stays with you.

Every recommendation has two layers: Layer 1 (deterministic rules) always runs and guarantees a response, and Layer 2 (Claude) enriches with qualitative judgment.

If the AI fails for any reason (rate limit, timeout, network error, invalid output), the rules layer responds. The client never sees a blank screen and there's no degradation in security.

We operate under the standards of Law 19.628 on Privacy Protection in Chile. Your employees' personal data is processed with consent, specific purpose, and right of access/rectification/cancellation.

DPA (Data Processing Agreement) document available for any customer that requires it.

We comply with Brazilian LGPD: clear legal bases for each processing, data subject rights (access, correction, deletion, portability), and incident notification within reasonable timeframes.

For Brazilian customers, the LGPD-specific DPA and Data Protection Officer contact are available on request.

Although our focus is LATAM, we implement GDPR rights as a baseline: portability (ZIP export with all your data in JSON), right to be forgotten (soft/hard delete with anonymization), minimization (we only collect what's needed), and transparency (this page).

We operate with controls equivalent to ISO 27001 (AES-256-GCM at rest, fail-closed tenant segregation with DB-level RLS, immutable audit log, mandatory 2FA on Enterprise plans, GDPR hard-delete, prompt-injection guardrails, etc.) and an established Information Security Management System (ISMS) — 16 formal policies ratified by management on 2026-05-15. External certification is the next step.

Meanwhile, we offer a bilateral DPA on request (support@talyzr.com), an up-to-date sub-processor list, and answer pre-filled security questionnaires (CAIQ Lite, SIG Lite, custom).

Every critical action is recorded in an AuditLog table that is never deleted: USER_LOGIN, USER_LOGOUT, creation/modification/deletion of positions, successors, talent review decisions, criticality changes, platform-admin impersonations, subscription changes.

Each entry stores before/after JSON, userId, companyId, entityType, entityId, and timestamp. If a user is deleted (GDPR), their userId is anonymized but the log persists for legal compliance.

If you cancel your subscription, data remains available for 90 days before automatic cleanup.

For Chilean companies that require an electronic invoice to deduct VAT, we automatically issue DTE (Documento Tributario Electrónico) upon each confirmed payment. Integration with Bsale and Nubox.

You receive PDF + XML by email with a folio assigned by the SII. The RUT in CompanyBillingInfo is stored AES-256 encrypted at rest.

CloudFront protected with AWS WAFv2 applying AWSManagedRulesCommonRuleSet (OWASP Top 10), AWSManagedRulesSQLiRuleSet, and custom rate-limiting rules. Violation logs reviewed periodically to detect abuse patterns.

External webhooks (Paddle, Talana, Resend) use HMAC signature + Redis idempotency for 24h.

Error monitoring with Sentry, configured with sendDefaultPii: false and a beforeSend hook that replaces emails in breadcrumbs with [email] before sending.

tracesSampleRate: 0.2 in production to keep cost controlled. Every request carries a unique requestId (ULID) propagated in headers and structured JSON logs for correlation between frontend, backend, queue, and Sentry.