Built to be trusted with sensitive HR data.
HR systems hold contracts, salaries, IDs, performance records — the most sensitive data a company has. Here's exactly how we protect it. No fake badges, no aspirational claims — just what's true today.
Tenant-isolated by design
Cross-tenant data leaks are made impossible at the database level — not by code that has to remember to add WHERE clauses.
Dedicated database per tenant
Each customer gets its own MariaDB schema. The application connects to a different database per request, picked from the subdomain — there is no shared rows table where a missing filter could leak.
No multi-tenant joins
Tenant data never appears in joins across tenants. The codebase has no way to query "all employees across all tenants" — by design.
Central vs tenant separation
Subscription, billing, and platform-level data live in a separate central database. Customer business data never mixes with platform metadata.
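The subdomain that selects the tenant database arrives in the Host header, which the client controls, so the lookup itself is the isolation boundary. The sketch below is an added example, not code from this product, showing one way to map a host to a schema name through a registry rather than by string-building. The registry contents, the base domain `example.test` and the function name `resolveTenantSchema` are assumptions for illustration; it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample of a central registry: subdomain label => tenant schema.
// In a real deployment this lookup would be served from the central database.
const TENANT_REGISTRY = [
    'acme'   => 'tenant_acme',
    'globex' => 'tenant_globex',
];
const BASE_DOMAIN = 'example.test'; // hypothetical base domain

/**
 * Resolve the tenant schema for a request Host header.
 * Returns null for anything that is not exactly "<label>.<BASE_DOMAIN>"
 * with a registered label; the caller should answer 404 and open no
 * tenant connection in that case.
 */
function resolveTenantSchema(string $hostHeader): ?string
{
    // Strip an optional port, then a trailing dot, and normalise case.
    $host = strtolower(rtrim((string) preg_replace('/:\d+$/D', '', trim($hostHeader)), '.'));

    $suffix = '.' . BASE_DOMAIN;
    if (!str_ends_with($host, $suffix)) {
        return null;
    }
    $label = substr($host, 0, -strlen($suffix));

    // Exactly one DNS label: no dots, no quoting characters, not empty.
    if (preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/D', $label) !== 1) {
        return null;
    }

    // The schema name comes from the registry, never from the header itself.
    return TENANT_REGISTRY[$label] ?? null;
}

// Constructed Host header values, including malformed ones.
$samples = [
    'acme.example.test',
    'ACME.example.test:443',
    'unknown.example.test',
    'acme.globex.example.test',
    'tenant_globex`;--.example.test',
    'acme.example.test.evil.test',
];
foreach ($samples as $h) {
    printf("%-36s => %s\n", $h, resolveTenantSchema($h) ?? 'REJECT');
}
```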
Encrypted in transit and at rest
Strong encryption everywhere — and double encryption for the fields HR systems care about most.
TLS 1.2+ everywhere
All connections use modern TLS. Older protocols and weak ciphers are disabled. Strict-Transport-Security forces HTTPS for one year on all subdomains.
Disk-level AES-256
Hetzner provides AES-256 encryption at rest on the storage layer. Backups are encrypted with separate keys.
Application-level encryption for sensitive fields
National IDs, passport numbers, bank accounts and similar PII are double-encrypted at the application layer using Laravel's encrypter. Even with database access, those fields are unreadable.
Hashed passwords
Bcrypt with a sensible cost factor. We never store, log, or transmit plain-text passwords.
EU-only by default
Your data lives where European data protection rules apply — without exception.
Hetzner Online GmbH, Germany
All production servers are in Hetzner's Falkenstein and Nuremberg data centres. ISO 27001-certified facilities. No US data transfers in the default configuration.
Subprocessor list available on request
Email privacy@momentumpro.pro for the current list, refreshed when sub-processors change.
Israeli residency on request (Enterprise)
For regulated Israeli customers, we can deploy on Israeli infrastructure with a separate contract.
Permissions, sessions, and SSO
Controls a real IT or compliance team would actually rely on.
Role-based permissions
Every action is gated by a Spatie permission. Owners, admins, HR managers, finance, and employees all have distinct, configurable role bundles.
SAML / OIDC SSO (Enterprise)
Sign in with Azure AD, Okta, Google Workspace, or any SAML 2.0 / OIDC provider. SCIM provisioning is on the roadmap.
Org-wide 2FA (Enterprise)
TOTP-based two-factor authentication enforced at the tenant level. Recovery codes provided.
Per-user session controls
Authenticated sessions are pinned to a device fingerprint. Login history visible to every user — they see where and when their account was used.
IP allowlists (Enterprise)
Restrict admin and HR roles to specific IP ranges or VPN addresses.
Activity log on every record
Investigations and audits aren't painful — every change is timestamped and attributed.
Activity log per record
Every create, update and delete on every record gets a row in the activity log: who did it, when, and a side-by-side field diff. Not opt-in — built into the framework.
Retention by plan
90 days on Starter, 1 year on Professional, up to 7 years on Enterprise. The retention is enforced server-side and cannot be shortened mid-period.
Per-user login history
Each user can see their own last 100 successful and failed authentication attempts, with IP, browser and device.
Auditor-ready exports
PDFs of activity, leave, payroll and procurement reports are filterable by date range and exportable on demand.
Backups and recovery
A full point-in-time recovery story.
Daily automated backups
Every tenant database is backed up nightly, with 7 daily, 4 weekly, and 12 monthly snapshots retained.
Hourly backups (Enterprise)
Recovery point objective of 1 hour for Enterprise plans, with on-demand snapshots before risky operations.
Recycle bin
Soft-deleted records sit in the bin for 30 days, restorable in one click. Hard delete is gated behind a confirmation.
Tested restore procedure
We restore a sample tenant to a staging environment monthly to verify backups actually work.
GDPR posture
Built so a data protection officer can sleep at night.
Data processor + controller roles
For tenant employee data we are the processor — our customer is the controller. Marketing-site visitors and account admins fall under our controllership. Both roles are documented in our Privacy Policy.
Right of access + portability
Every user can download a zip of all data we hold about them in one click via the Privacy Centre.
Right to erasure
One-click "Close my account" anonymises the user record and soft-deletes within 30 days.
No customer data in ML training
We do not use customer data to train models — yours, ours, or anyone else's. Ever.
Breach notification
72-hour disclosure to affected customers and supervisory authorities if a breach is detected, as required by GDPR.
Tracked dependencies, audited code
A modern Laravel + Filament stack maintained on actively-supported versions.
Dependency monitoring
Composer + npm dependencies tracked. Critical security advisories trigger immediate patches.
CI on every change
Pint + PHPUnit run on every push and pull request. Lint failures block merges.
Code review required
No commit to main without review. All migrations require sign-off from a second engineer.
No third-party trackers
No Google Analytics, no Facebook Pixel, no marketing cookies. Just your data and ours.
What we have today, and what's on the roadmap.
We don't decorate the homepage with compliance badges we haven't earned. Here's the honest current state.
| Standard / control | Status | Notes |
|---|---|---|
| GDPR (EU) | live | Data export, deletion, processor agreements, breach notification. |
| Israeli Privacy Protection Law | live | Aligned with PPL 5741-1981 controller/processor obligations. |
| Encryption in transit | live | TLS 1.2+ enforced on all subdomains. |
| Encryption at rest | live | Disk-level AES-256 on Hetzner; sensitive fields double-encrypted. |
| Per-tenant DB isolation | live | Architecture-level — not a soft filter. |
| Activity log + audit trail | live | Every record, every change, with diff. Plan-tiered retention. |
| SAML / OIDC SSO | live | Enterprise plans. SCIM in roadmap. |
| SOC 2 Type II | roadmap | Targeting 2026. Not certified yet — we say so. |
| ISO 27001 | roadmap | Hosting provider certified; we are not yet. |
| HIPAA-ready | planned | BAA available on request for Enterprise customers in healthcare. |
Found a security issue?
We'd rather hear about it from you than from a bad actor. Email security@momentumpro.pro with reproduction details. We acknowledge within 24 hours and aim to remediate critical issues within 7 days. We do not currently run a paid bug bounty programme but we publicly credit responsible disclosures.
Ready when your security team is.
DPA, security questionnaire, sub-processor list — happy to provide on request.