Security posture
Data handling guarantees
- Purpose limitationWe only process the payroll and timekeeping data you upload for the purpose of running the analyses you request. Your data is never used to train shared models, never sold, and never shared with third parties beyond the providers listed below.
- Retention & deletionRaw uploaded files are retained for 90 days by default and then purged automatically. Workspace owners can shorten this to as low as 7 days, or extend it up to 365 days. Derived analysis results follow the same retention as their source dataset.
- Export & right to erasureWorkspace owners can export all organisation data as a downloadable archive at any time. A one-click "Delete all organisation data" action permanently removes datasets, reports, evidence and storage objects, with an audit log entry recorded.
- PII minimisationYou control which columns you upload. We only need an opaque employee identifier and overtime transaction data — dates, hours, and monetary values. We do not need names, email addresses, dates of birth, bank account numbers, tax file numbers, or any other sensitive identifiers.
- Audit logEvery sensitive action — sign-in, dataset upload, report generation, member changes, data export, data deletion — is recorded in an append-only audit log visible to workspace owners.
Our service providers
Like every modern software service, OvertimeSolved relies on a small number of reputable companies for core infrastructure — hosting, database, and payments. Each provider is contractually bound to the same data protection standards we follow. We will tell workspace owners by email and update this page at least 30 days before any new provider is added.
DPA & legal
Compliance roadmap
We believe in being honest about where we are. Below is the current status of our compliance programme.
Vulnerability disclosure
If you believe you have found a security vulnerability in OvertimeSolved, please report it to us privately. We will acknowledge your report within 2 business days, keep you updated on progress, and credit you publicly once the issue is fixed (with your permission).