Trust & Safety
Security at AwayOps
Your company's HR data is sensitive. Here's exactly how we protect it.
Encryption
All data is encrypted in transit with TLS 1.2+ and at rest with AES-256. No plaintext passwords are ever stored.
Access Controls
Role-based access control ensures employees see only their own data, managers see their team, and admins operate within their workspace only.
Data Isolation
Each company's workspace is fully isolated at the database level. There is no way for one tenant to access another tenant's data.
Automated Backups
Your data is backed up automatically on a daily schedule with point-in-time recovery available. Backups are encrypted and stored redundantly.
CSRF & XSS Protection
All forms are protected against cross-site request forgery. Output is automatically escaped to prevent cross-site scripting attacks.
Rate Limiting
Authentication endpoints are rate-limited to mitigate brute-force attacks. Repeated failed attempts trigger temporary lockouts.
Infrastructure & Hosting
AwayOps runs on enterprise-grade cloud infrastructure. Our servers are located in secure, access-controlled data centres. We use containerised deployments with health checks, automatic restarts, and rolling updates to minimise downtime.
Authentication
- Passwords are hashed using bcrypt with a high work factor — we never store plaintext passwords.
- Session tokens are signed and rotated on each login. Sessions expire automatically after inactivity.
- Email verification is required for all new accounts.
- OTP codes for password reset are time-limited and single-use.
- Employee app sessions use secure signed tokens that expire and are revoked on logout.
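The lockouts described under Rate Limiting and the time-limited, single-use reset codes listed above follow the same pattern: store only a hash of the code, give it an expiry, burn it on first successful use, and cap wrong guesses. The following is an added illustration of that pattern, not AwayOps's own code. It uses only the Python standard library; the key, time limits and attempt counts are assumptions chosen for the example, and a keyed HMAC stands in for the hashing of short-lived codes (the page's bcrypt hashing of passwords is a separate concern and is not shown).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed server-side secret for this example only. In production this would be
# read from an environment variable, as the page describes for production secrets.
SERVER_OTP_KEY = b"example-only-key-do-not-use"

OTP_TTL_SECONDS = 600   # assumed: a reset code is valid for 10 minutes
MAX_ATTEMPTS = 5        # assumed: wrong guesses allowed before the code is burned
LOCKOUT_SECONDS = 900   # assumed: temporary lockout after too many failures


def _digest(user_id: str, code: str) -> bytes:
    # Keyed hash: a 6-digit code has only a million possibilities, so a plain
    # hash of a leaked table could be brute-forced offline. Binding the user id
    # into the input also stops a code issued to one user from matching another.
    msg = f"{user_id}:{code}".encode()
    return hmac.new(SERVER_OTP_KEY, msg, hashlib.sha256).digest()


@dataclass
class PendingCode:
    digest: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class ResetCodeStore:
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Generate a fresh code for the user; any earlier code is replaced."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, zero-padded
        self.pending[user_id] = PendingCode(
            digest=_digest(user_id, code), expires_at=now + OTP_TTL_SECONDS
        )
        return code  # sent to the user out of band; never persisted in clear

    def verify(self, user_id: str, code: str, now: Optional[float] = None) -> bool:
        """Return True once for the correct, unexpired code; False otherwise."""
        now = time.time() if now is None else now
        if self.locked_until.get(user_id, 0.0) > now:
            return False  # temporary lockout in force
        entry = self.pending.get(user_id)
        if entry is None:
            return False  # nothing pending (never issued, already used, or burned)
        if now >= entry.expires_at:
            del self.pending[user_id]
            return False  # expired codes are discarded, not retried
        if hmac.compare_digest(entry.digest, _digest(user_id, code)):
            del self.pending[user_id]  # single use: the code cannot be replayed
            return True
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]  # burn the code and lock the account briefly
            self.locked_until[user_id] = now + LOCKOUT_SECONDS
        return False
```

The same attempt counter and lockout window apply equally well to a login endpoint: count failures per account (and per source address), refuse further checks while the lockout is active, and reset the counter on success. The `now` parameter exists so the expiry and lockout paths can be exercised without waiting.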
Mobile App Security
- All API communication is over HTTPS — no plaintext HTTP traffic.
- Push notification tokens (Firebase FCM) are stored server-side and deleted when the user logs out, or when FCM reports the token as no longer registered after the app is uninstalled.
- Uploaded documents (e.g. medical certificates) are stored in private, non-public storage with access controlled per workspace.
Dependency & Code Security
- Dependencies are regularly updated to incorporate security patches.
- We follow secure coding practices and conduct internal code reviews before deploying changes.
- Production secrets (database credentials, API keys, signing keys) are managed via environment variables — never hardcoded or committed to version control.
Incident Response
In the event of a security incident affecting your data, we will notify affected customers by email within 72 hours of becoming aware of the breach, matching the window GDPR sets for notifying the supervisory authority. Notifications will include the nature of the incident, the data affected, and the steps we are taking.
Reporting a Vulnerability
We take security reports seriously. If you believe you've found a security vulnerability in AwayOps, please email us at awayops.solution@gmail.com with the subject line "Security Vulnerability Report". We will acknowledge your report within 48 hours and work with you to understand and address the issue responsibly.
Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to address it.