Security Policy

**Last Updated:** January 18, 2025

Number Ready takes the security of your payroll data seriously. This Security Policy describes our security practices, infrastructure, and commitment to protecting your information.

1. Security Overview

Number Ready implements industry-standard security measures across all layers of our platform:

**Infrastructure Security:** SOC 2 Type 2 certified hosting providers

**Data Encryption:** AES-256 at rest, TLS 1.3 in transit

**Access Control:** Multi-factor authentication and role-based access

**Monitoring:** 24/7 automated security monitoring and alerting

**Compliance:** GDPR and CCPA compliant data handling practices

2. Infrastructure Security

2.1 Hosting and Cloud Services

Our infrastructure is built on enterprise-grade, SOC 2 Type 2 certified providers:

|---------|----------|---------------|---------|

2.2 Data Center Security

All infrastructure providers maintain:

Physical security controls (24/7 surveillance, biometric access)

Environmental controls (fire suppression, climate control, redundant power)

Network security (DDoS protection, firewalls, intrusion detection)

Geographic redundancy and disaster recovery

Regular third-party security audits

2.3 Network Security

**DDoS Protection:** Automatic mitigation of distributed denial-of-service attacks

**Web Application Firewall:** Protection against common web exploits (SQL injection, XSS, CSRF)

**Rate Limiting:** API request throttling to prevent abuse

**IP Allowlisting:** Database access restricted to authorized systems only

3. Data Encryption

3.1 Encryption in Transit

All data transmitted to and from Number Ready is encrypted using:

**Protocol:** TLS 1.3 (Transport Layer Security)

**Minimum Version:** TLS 1.2

**Cipher Suites:** Industry-standard algorithms (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305)

**Certificate Authority:** Trusted CAs with automatic certificate renewal

**HSTS:** HTTP Strict Transport Security header enabled

**No Plaintext:** All HTTP requests automatically redirected to HTTPS

3.2 Encryption at Rest

All stored data is encrypted using:

**Algorithm:** AES-256 (Advanced Encryption Standard)

**Key Management:** Managed by infrastructure provider with automatic key rotation

**Scope:** All databases, backups, and file storage

**OAuth Tokens:** Encrypted at application layer before database storage

**Passwords:** Hashed using bcrypt with cost factor 12 (never stored in plaintext)

3.3 Encryption in Use

**Memory Encryption:** Sensitive data encrypted in application memory where possible

**Secure Sessions:** Session tokens stored in HttpOnly cookies (protected from XSS)

**No Client-Side Storage:** Sensitive data not stored in browser localStorage or sessionStorage

4. Access Control

4.1 Multi-Factor Authentication (MFA)

MFA is required for all administrative and production access:

**Developer Access:** Vercel, GitHub, and cloud provider accounts protected by 2FA

**Database Access:** Certificate-based authentication + IP allowlisting

**Authenticator Apps:** TOTP-based (Google Authenticator, Authy, 1Password)

**Recovery Codes:** Secure backup codes provided for account recovery

4.2 Role-Based Access Control (RBAC)

**Customer Data Isolation:** Each customer's data strictly isolated by company ID

**Row-Level Security:** Database queries automatically filtered by authenticated user's company

**API Authorization:** All endpoints require valid session token and company ownership verification

**Deny by Default:** All resources require explicit permission grants

4.3 Employee Access

Number Ready is currently a solo-founded operation:

**Single Administrator:** Founder has full production access with MFA enabled

**No Third-Party Access:** No contractors or external parties have access to customer data

**Future Hires:** Background checks and confidentiality agreements required before granting access

4.4 Session Management

**Session Expiration:** Automatic logout after 7 days of inactivity

**Concurrent Sessions:** Multiple active sessions allowed (can be revoked individually)

**Session Revocation:** Users can log out of all sessions from account settings

**Token Rotation:** Refresh tokens rotated on use to prevent replay attacks

5. Application Security

5.1 Secure Development Practices

**Input Validation:** All API inputs validated using Zod schemas

**SQL Injection Prevention:** Parameterized queries via Prisma ORM (no raw SQL with user input)

**XSS Protection:** React's built-in output escaping, Content-Security-Policy headers

**CSRF Protection:** Anti-CSRF tokens on all state-changing operations

**Authentication Standards:** NextAuth.js with secure session management

**Dependency Scanning:** Automated security scanning via GitHub Dependabot

5.2 API Security

**Rate Limiting:** 100 requests per minute per user, 10 per minute for unauthenticated requests

**Request Validation:** All payloads validated server-side (type, size, format)

**Mass Assignment Protection:** Explicit field allowlists, unexpected fields rejected

**Authorization Checks:** Every API call verifies user owns the requested resource

**Error Handling:** Generic error messages to prevent information disclosure

5.3 Data Validation

**Server-Side Validation:** All data validated on backend (never trust client input)

**Type Safety:** TypeScript for compile-time type checking

**Range Validation:** Min/max limits on numeric inputs

**Format Validation:** Email, UUID, date format verification

**Sanitization:** HTML escaping, SQL parameter binding

6. Vulnerability Management

6.1 Dependency Management

**Automated Scanning:** GitHub Dependabot scans dependencies daily

**Security Advisories:** Automated alerts for known vulnerabilities

**Patch Schedule:**

- Critical vulnerabilities: Patched within 24 hours

- High vulnerabilities: Patched within 7 days

- Medium vulnerabilities: Patched within 30 days

- Low vulnerabilities: Patched in next release cycle

6.2 Infrastructure Patching

**OS Patches:** Managed automatically by Vercel and database providers

**Platform Updates:** Automatic deployment of security patches

**Zero-Downtime Deployments:** Rolling updates to maintain availability

6.3 Vulnerability Scanning

**Automated Scans:** Continuous monitoring by infrastructure providers

**Dependency Audits:** Weekly review of security advisories

**Penetration Testing:** Planned upon reaching Series A funding or 100+ customers

**Bug Bounty Program:** Planned for future implementation

7. Security Monitoring and Incident Response

7.1 Continuous Monitoring

**Error Tracking:** Real-time error monitoring via Sentry

**Performance Monitoring:** API response times and anomaly detection

**Access Logs:** All authentication events logged and retained for 1 year

**Database Audit Logs:** All data modifications logged with user ID and timestamp

**Automated Alerts:** Immediate notification of suspicious activity

7.2 Incident Response Procedure

In the event of a security incident:

Detection (0-2 hours):

Automated monitoring systems detect anomaly

Alert sent to security@numbeready.com

Incident response team assembled (currently: founder)

Assessment (2-6 hours):

Determine scope and severity of incident

Identify affected systems and data

Classify incident (low, medium, high, critical)

Containment (4-8 hours):

Isolate affected systems to prevent spread

Implement temporary security controls

Preserve evidence for forensic analysis

Eradication (8-24 hours):

Remove malicious code or unauthorized access

Patch vulnerabilities exploited

Verify systems are secure

Recovery (24-48 hours):

Restore normal operations

Monitor for recurrence

Implement additional safeguards

Notification:

**Affected Customers:** Notified within 72 hours (per GDPR requirements)

**Gusto/Partners:** Notified within 24 hours if integration data affected

**Regulatory Authorities:** Per jurisdiction requirements

Post-Incident Review:

Root cause analysis conducted within 1 week

Lessons learned documented

Security improvements implemented

7.3 Incident Response SLAs

|----------|------------------|-------------------|----------------------|

8. Data Protection and Privacy

8.1 Data Minimization

We collect only data necessary to provide the Service:

Employee data required for payroll calculations

Minimal personal information (no SSNs unless explicitly needed for integration)

OAuth tokens (encrypted, automatically expire)

8.2 Data Retention

| Data Type | Retention Period | Reason |

|-----------|------------------|---------|

| Active payroll data | While subscription active | Provide service |

| Deleted accounts | 30-day soft delete | Allow recovery |

| Payroll records | 7 years after termination | Legal compliance (IRS, FLSA) |

| Security logs | 1 year | Incident investigation |

| Application logs | 90 days | Debugging and monitoring |

8.3 Data Deletion

Upon account deletion:

30-day grace period for recovery

Permanent deletion after grace period

No data recovery possible after permanent deletion

Retention for legal compliance where required (payroll records)

8.4 Third-Party Data Sharing

We share data only with:

Infrastructure providers (Vercel, Neon, Stripe) under DPAs

Integration partners (ClubReady, Gusto) as authorized by you

Law enforcement if required by legal process

We never:

Sell your data to third parties

Use your data for advertising

Share employee data without authorization

9. Compliance and Certifications

9.1 Current Compliance

**GDPR:** EU General Data Protection Regulation compliance

**CCPA:** California Consumer Privacy Act compliance

**SOC 2:** Infrastructure hosted on SOC 2 Type 2 certified providers

**PCI DSS:** Payment processing through PCI DSS Level 1 certified Stripe

9.2 Future Certifications (Planned)

SOC 2 Type 2 audit (upon reaching 100+ customers or Series A funding)

ISO 27001 certification (enterprise customer requirement)

Penetration testing (annual)

Bug bounty program

10. Employee Security

10.1 Background Checks

Required for all future hires with access to production systems

Verification of employment history and references

Criminal background checks where legally permitted

10.2 Security Training

Security best practices training for all team members

Annual refresher training

Incident response training

Secure coding practices

10.3 Confidentiality Agreements

All employees sign confidentiality and non-disclosure agreements

Agreements effective prior to access to customer data

Legal remedies for violations

10.4 Access Revocation

Upon employee departure:

Immediate revocation of all access credentials

Return of company equipment

Exit interview and security debrief

11. Disaster Recovery and Business Continuity

11.1 Backup Strategy

**Automated Backups:** Daily database backups

**Backup Retention:** 30 days

**Backup Encryption:** AES-256 encrypted at rest

**Backup Testing:** Quarterly restore tests

**Geographic Redundancy:** Backups stored in multiple regions

11.2 Recovery Time Objectives

| System | RTO (Recovery Time Objective) | RPO (Recovery Point Objective) |

|--------|-------------------------------|--------------------------------|

| **Application** | 4 hours | 24 hours |

| **Database** | 8 hours | 24 hours |

| **Authentication** | 2 hours | 1 hour |

11.3 Disaster Recovery Plan

Documented procedures for system recovery

Annual disaster recovery drills

Alternate infrastructure providers identified

Communication plan for customer notifications

12. Responsible Disclosure

12.1 Reporting Security Vulnerabilities

If you discover a security vulnerability in Number Ready:

DO:

Report it immediately to security@numbeready.com

Provide detailed description of the vulnerability

Include steps to reproduce (if possible)

Allow reasonable time for us to address the issue

DON'T:

Publicly disclose the vulnerability before we've patched it

Access or modify data you don't own

Perform destructive testing (DoS attacks, data deletion)

Exploit the vulnerability for personal gain

12.2 Our Commitment

We commit to:

**Acknowledgment:** Respond within 48 hours

**Assessment:** Evaluate severity and impact within 1 week

**Resolution:** Patch critical vulnerabilities within 30 days

**Recognition:** Publicly thank researchers (with permission)

**No Legal Action:** No legal action against good-faith security researchers

12.3 Bug Bounty Program

Currently, we do not offer a formal bug bounty program. However:

Responsible researchers will be recognized in our security hall of fame

We may offer rewards at our discretion for critical findings

Formal bug bounty program planned upon reaching $1M ARR

13. Contact Information

For security-related inquiries:

Security Team:

**Email:** security@numbeready.com

**Response Time:** Within 48 hours

**Incident Hotline:** security@numbeready.com (24/7 monitoring)

General Inquiries:

**Support:** support@numbeready.com

**Privacy:** privacy@numbeready.com

**Legal:** legal@numbeready.com

14. Security Policy Updates

This Security Policy may be updated from time to time to reflect:

Changes in security practices

New compliance requirements

Infrastructure or technology changes

Lessons learned from security incidents

Material changes will be communicated via:

Email notification to all registered users

Prominent notice on the Service

30 days' advance notice before changes take effect

Number Ready is committed to maintaining the highest standards of security and privacy. We continually invest in security measures to protect your payroll data and earn your trust.

**Last reviewed:** January 18, 2025

**Next scheduled review:** July 18, 2025

*For questions about this Security Policy, contact security@numbeready.com.*