Security

Last updated: January 11, 2026

At Badger HR, we understand that you're entrusting us with sensitive employee data. Security is fundamental to everything we build. This page outlines our security practices and commitments.

Infrastructure Security

Hosting and Data Centers

  • Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification
  • Data centers feature 24/7 physical security, biometric access controls, and video surveillance
  • Redundant power supplies and network connectivity ensure high availability
  • Geographic redundancy protects against regional outages

Network Security

  • All network traffic is protected by enterprise firewalls and intrusion detection systems
  • Regular vulnerability scanning and penetration testing
  • DDoS protection and mitigation
  • Network segmentation isolates sensitive systems

Data Protection

Encryption

  • In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • At Rest: Sensitive data, including email addresses and personal information, is encrypted using AES-256 encryption
  • Database backups are encrypted
  • Encryption keys are managed using industry-standard key management practices

Data Isolation

  • Each customer's data is logically isolated from other customers
  • Strict access controls ensure employees can only access data within their own organization
  • Role-based permissions control what actions users can perform

Data Retention and Deletion

  • You maintain full control over your data
  • Data can be exported at any time
  • Upon account termination, all data is permanently deleted within 30 days
  • Backups are purged according to our retention schedule

Application Security

Secure Development

  • Security is integrated into our software development lifecycle
  • Code reviews are required for all changes
  • Automated security scanning in our CI/CD pipeline
  • Dependencies are regularly updated and monitored for vulnerabilities

Authentication

  • Passwords are hashed using bcrypt with appropriate cost factors
  • Session tokens are cryptographically secure and rotated regularly
  • Protection against brute force attacks through rate limiting
  • Optional session expiration controls

Protection Against Common Attacks

  • Cross-Site Scripting (XSS) prevention through output encoding and Content Security Policy
  • Cross-Site Request Forgery (CSRF) protection on all forms
  • SQL injection prevention through parameterized queries
  • Clickjacking protection via X-Frame-Options headers

Operational Security

Access Control

  • Principle of least privilege for all internal access
  • Multi-factor authentication required for all employee accounts
  • Access to production systems is strictly limited and audited
  • Regular access reviews and prompt deprovisioning

Monitoring and Logging

  • Comprehensive logging of security-relevant events
  • Real-time monitoring and alerting for suspicious activity
  • Log retention for incident investigation and compliance
  • Regular review of security logs

Incident Response

  • Documented incident response procedures
  • Dedicated security team for incident handling
  • Commitment to notify affected customers promptly in case of a breach
  • Post-incident reviews to prevent recurrence

Business Continuity

Backups

  • Automated daily backups with point-in-time recovery
  • Backups stored in geographically separate locations
  • Regular backup restoration testing
  • Encrypted backup storage

Disaster Recovery

  • Documented disaster recovery plan
  • Regular DR testing and updates
  • Recovery time objective (RTO) and recovery point objective (RPO) targets
  • Redundant systems to minimize downtime

Compliance

We implement controls aligned with industry standards and regulations:

  • GDPR (General Data Protection Regulation)
  • UK Data Protection Act 2018
  • Industry best practices from OWASP and CIS

Responsible Disclosure

We appreciate the security research community's efforts to improve security. If you discover a vulnerability:

  • Email us at security@badgerhr.com
  • Provide sufficient detail to reproduce the issue
  • Allow reasonable time for us to address the issue before public disclosure
  • Do not access or modify other users' data

Questions

If you have questions about our security practices, please contact us at security@badgerhr.com.