Security is a shared responsibility between us, our hosting providers and our users. The full DPIA and Transfer Impact Assessment sit on the Trust Centre.
Transport and edge
- TLS 1.3 enforced site-wide; HSTS preload submitted.
- Strict Content-Security-Policy with a per-request nonce.
- Hosted on Vercel London edge (region lhr1) for UK requests.
Payslip handling
- Image processed in server memory only for the duration of the request.
- No payslip content written to any database, log, or file by PayslipIQ.
- EXIF metadata stripped client-side before upload.
- Uploads rate-limited per IP (3/hour) and across the whole service (300/day).
Identity and access
- Source code held in a private GitHub repository with branch protection and required review.
- Production secrets rotated quarterly.
Vulnerability disclosure
Email security@payslipiq.co.uk. Triage within 24 hours, patch critical issues within 14 days.
Certifications
- Cyber Essentials Basic — application in progress (target Q3 2026).
- ISO 27001 — under evaluation for 2027.
- SOC 2 Type 1 — under evaluation for 2027.
- Annual independent penetration test from 2026.