Data Security, Privacy & Compliance

Payslip uses highly-secure AWS data centers to host its SaaS platform. Read about Amazon’s AWS data center security protection here. Payslip enforces strict physical security at all of its premises via CCTV, entry and exit controls, and tracking measures.

The Payslip platform uses a Zero Trust approach to ensure privacy and security of data. We operate on the Principle of Least Privilege (POLP) and Role-based Access Control (RBAC) to restrict user access to the bare minimum. Payslip tracks all access and activity for security and audit.

Access is recertified on a quarterly basis.

Payslip supports Single Sign-On (SSO) with Security Assertion Markup Language (SAML). SAML is an open standard widely used for authentication. We operate Two Factor Authentication (2FA) across a number of channels including email, SMS, and Authenticator app.

Passwords are hashed and salted to ensure the highest level of protection. To ensure users create strong passwords, we impose password rules for employees and users of the platform. Accounts are locked after 5 failed login attempts.

Payslip’s support for role-based access enables you to restrict what your users can see and the actions they can perform. Build and enforce your own fine-grained data access control using Payslip’s powerful but intuitive policy expression language.

All data on Payslip is obfuscated and encrypted using the strongest and most robust encryption standards.

Data at Rest
Payslip uses the Advanced Encryption Standard (AES) with a key size of 256 bits to encrypt all data before it is stored in our database. AES 256 is a highly secure cipher and is a US Federal Government standard.

Data in Transit
All AWS services are protected by AWS Key Management Service (AWS KMS). More information here.
Network traffic to and from the Payslip platform across public internet is protected by Transport Layer Security (TLS). TLS defends against data tampering and eavesdropping.

Payslip helps our partners manage and protect personal data without sacrificing usability. You can safely use, share, and analyze data within the platform without ever compromising privacy.

Data is communicated only via a secure SFTP channel, and once it leaves this channel, it’s stored immediately on secure AWS S3 buckets or in Payslip’s secure document repository.

Payslip’s Zero Touch approach protects data on our platform. Manual intervention by users is replaced by automation and integrations that perform ingestion and validation of data. The platform includes a set of robust APIs that enable processing of all update and deletion requests without any manual intervention. HCM system integrations and bulk update of data via Secure File Transfer Protocol (SFTP) reduce manual intervention by enabling bulk update of employee data, creation of new employees, update of leavers, and processing of payroll updates.

As a global payroll platform, Payslip is designed to be audit-ready, providing a comprehensive set of reports on activity. It’s easy to manage data residency, access, and policy enforcement, with auditable logs and provenance.

Payslip uses a dedicated Security Information and Event Management (SIEM) service to identify potential security threats before they can take effect. For example, unusual login patterns. The SIEM system is always running. We perform bi- weekly vulnerability scans and annual penetration tests. We use a Data Loss Prevention (DLP) tool, which issues alerts to help us protect PII data.

The Payslip platform is highly available. Our Business Continuity policy and plan ensures minimal disruption to your business in the event of a disaster. The Payslip platform is made subject to regular recovery testing.

Payslip data is backed up continuously. The backups are archived in a secure vault and cannot be edited in any way. Payslip’s RPO is zero data loss.

Our tests have proved that our data center including database can be recovered and become available in minutes.

We are committed to ensuring that all AI-powered features in Payslip Alpha are secure, transparent, fair, and privacy-preserving. The following outlines how we manage and govern the AI components of our platform:

Data Handling & Isolation

• Customer data is never used for training of AI models.
• Customer data processed by AI is isolated per customer and per User and not shared across sessions or organizations.
• All data in transit and at rest within the AI pipeline is encrypted.
• We apply the principle of data minimization, endeavoring to ensure that only the minimum necessary data is processed for each AI session.
• Data retention is being applied, ensuring data is only stored for the necessary time.

Third-Party AI Models

• Payslip leverages AWS Bedrock to deliver AI-enabled features. Bedrock provides a secure, isolated environment for processing.
• Input data submitted to the AI is processed in real-time, is only stored for the session duration, and is never used to train the underlying third-party models.
• Third-party model providers do not have access to customer data.
• We conduct thorough due diligence, security, and privacy reviews of all AI providers.
• AWS implements industry-leading security and compliance standards, including:

• ISO 42001 – AI Management System
• ISO 27001 – Information Security
• ISO 27017 – Cloud Security
• ISO 27018 – Personal Data in the Cloud
• ISO 27701 – Privacy Information Management
• ISO 20000 – Service Management
• ISO 9001 – Quality Management
• ISO 22301 – Business Continuity Management
• ISO 50001 – Energy Management
• ISO 14001 – Environmental Management
• SOC 1 – Controls over financial reporting
• SOC 2 / SOC 3 – Controls relevant to security, availability, confidentiality, and privacy
• CISPE – Controlled adherence under Article 40 of GDPR

Model & Output Security

• Safeguards are in place to prevent sensitive data leakage through model outputs.
• We implement monitoring and protections to detect and block prompt injection or other adversarial attacks.

Auditability & Explainability

• When AI is used, this is clearly disclosed, and outputs are labeled as AI-generated.

Bias, Testing & Monitoring

• Unlike general large language models, Payslip Alpha is tailored to specific payroll use cases, reducing risks of hallucination or irrelevant outputs.
• All AI features are vetted, tested, and validated to support — not replace — payroll professionals.
• We conduct regular testing to ensure fairness, accuracy, and reliability.
• In line with data minimization principles we don’t send personal data to LLMs which always reduces the chances of bias

Human Oversight & Control

• Customer-data-related AI features are disabled by default and can only be enabled by Global Owners in accordance with company policies.
• The AI features that rely solely on Payslip’s proprietary data or knowledge base, which can never be customer data, are enabled by default.
• AI recommendations are advisory and subject to professional review. This follows the human-in-the-loop oversight strategy.

Regulatory & Standards Alignment

• All AI features are developed in accordance with GDPR, ISO 27001 / 27701, SOC 2, and Payslip’s internal security and privacy frameworks.
• All Payslip staff are receiving on an annual basis Information Security, Data Protection and AI use training.
• We actively monitor and align with emerging AI regulations and standards to ensure ongoing compliance.