Trust Center

How we protect your payroll data.

OvertimeSolved analyses sensitive payroll and timekeeping data. This page sets out our security posture, data handling guarantees, service providers and the legal basis on which we process your data. Last reviewed June 2026.

Hosted on infrastructure that holds a SOC 2 Type II attestation and ISO 27001 certification. Operated in line with regional privacy and data-protection laws across Australia (Privacy Act 1988 / APPs), the United States (incl. CCPA/CPRA and other state laws) and the EU/UK (GDPR).

What we promise you

Seven commitments your data security team can rely on.

Your data stays under your organisation's control
You remain the Data Controller. We act only as your Processor, on your written instructions in the DPA. We do not repurpose, resell or relicense your data — ever.
Isolated storage — only your workspace can see it
Every dataset, report and case is partitioned by workspace and enforced by row-level security at the database layer, so other customers can never see your data.
Delete everything with one click — anytime
Workspace owners can permanently delete all organisation data — datasets, reports, evidence and storage objects — in a single action, with an audit log entry recorded.
We never sell, share or mine your data
We do not sell your data, do not share it with advertisers or data brokers, and never use it to train shared or third-party AI models. Staff access your data only when you ask us to (e.g. for support), and every such access is logged.
Bank-grade encryption for claims and people data
TLS 1.2+ in transit and AES-256 at rest via our managed database and object storage, hosted on SOC 2 Type II and ISO 27001 certified infrastructure.
Procurement-ready for government and public sector
Standard DPA on file, audit log, configurable retention, and infrastructure operated in line with regional privacy laws across Australia (Privacy Act / APPs), the United States (incl. CCPA/CPRA and other state laws) and the EU/UK (GDPR) — designed for public-sector and enterprise procurement reviews.
Full audit trail — every action is logged and traceable
Sign-ins, dataset uploads, analysis runs, member changes, exports and deletions are recorded in an append-only audit log that workspace owners can review and export at any time.
Layer 01

Security posture

Encryption in transit
All traffic is served over TLS 1.2+ with modern cipher suites. HSTS is enabled on the production domain.
Encryption at rest
Databases and uploaded files are encrypted at rest with AES-256 via our managed database and object storage providers.
Authentication
Email + password sign-in is supported today. TOTP-based two-factor authentication is available for every user and can be enforced workspace-wide by owners and admins. We strongly recommend enabling 2FA for all workspace users. Google SSO and SAML SSO are on the roadmap.
Access control
Row-level security is enforced at the database layer. Every query is scoped to the caller's workspace; cross-workspace access is structurally prevented.
Isolated workspaces
Each organisation lives in its own logical workspace. Datasets, reports and evidence are partitioned by workspace ID and enforced by row-level security, so they are never commingled across customers.
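As an added illustration (not OvertimeSolved's own schema or code), this is what workspace-scoped row-level security of the kind described above looks like on a Supabase-hosted Postgres database, with deny-by-default isolation and owner-only deletion. The table names, the workspace_members membership table and the my_workspaces() helper are assumptions; auth.uid() is Supabase's JWT-derived caller identity.

```sql
-- Illustrative workspace isolation (added example; assumed table names).
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users(id),
  role         text not null check (role in ('owner', 'admin', 'member')),
  primary key (workspace_id, user_id)
);

create table datasets (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  name         text not null,
  uploaded_at  timestamptz not null default now()
);

-- Weak setting: RLS left off, so isolation depends on every application
-- query remembering its own "where workspace_id = ?" filter.
-- Corrected setting: enable and force RLS, which denies all rows until a
-- policy grants them, even to the table owner role.
alter table datasets enable row level security;
alter table datasets force row level security;

-- Workspaces the caller belongs to, derived from the verified JWT subject
-- (auth.uid()), never from a client-supplied workspace_id parameter.
-- security definer lets the helper read the membership table without
-- recursing into that table's own policies.
create or replace function my_workspaces() returns setof uuid
language sql stable security definer set search_path = public as $$
  select workspace_id from workspace_members where user_id = auth.uid()
$$;

-- Read and write are scoped to the caller's own workspaces.
create policy datasets_select on datasets for select
  using (workspace_id in (select my_workspaces()));

create policy datasets_insert on datasets for insert
  with check (workspace_id in (select my_workspaces()));

-- Deletion is limited to workspace owners; no update policy exists, so
-- rows cannot be rewritten after upload.
create policy datasets_delete on datasets for delete
  using (exists (select 1 from workspace_members m
                  where m.workspace_id = datasets.workspace_id
                    and m.user_id = auth.uid()
                    and m.role = 'owner'));
```

A query such as `select * from datasets` issued by any member then returns only that member's workspaces' rows, and a cross-workspace id in a WHERE clause simply matches nothing.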
Hosting region
Primary database and object storage are hosted in Asia Pacific (Singapore) by our managed database provider. Application traffic is served from the Cloudflare edge globally. Additional regions are on the roadmap.
Certified infrastructure
Hosted on infrastructure that holds a SOC 2 Type II attestation and ISO 27001 certification. Operated in line with regional privacy and data-protection laws across Australia (Privacy Act 1988 / APPs), the United States (incl. CCPA/CPRA and other state privacy laws) and the EU/UK (GDPR).
Layer 02

Data handling guarantees

  • Purpose limitation
    We only process the payroll and timekeeping data you upload for the purpose of running the analyses you request. Your data is never used to train shared models, never sold, and never shared with third parties beyond the providers listed below.
  • Retention & deletion
    Raw uploaded files are retained for 90 days by default and then purged automatically. Workspace owners can shorten this to as low as 7 days, or extend it up to 365 days. Derived analysis results follow the same retention as their source dataset.
  • Export & right to erasure
    Workspace owners can export all organisation data as a downloadable archive at any time. A one-click "Delete all organisation data" action permanently removes datasets, reports, evidence and storage objects, with an audit log entry recorded.
  • PII minimisation
    You control which columns you upload. We only need an opaque employee identifier and overtime transaction data — dates, hours, and monetary values. We do not need names, email addresses, dates of birth, bank account numbers, tax file numbers, or any other sensitive identifiers.
  • Audit log
    Every sensitive action — sign-in, dataset upload, report generation, member changes, data export, data deletion — is recorded in an append-only audit log visible to workspace owners.
Layer 03

Our service providers

Like every modern software service, OvertimeSolved relies on a small number of reputable companies for core infrastructure — hosting, database, and payments. Each provider is contractually bound to the same data protection standards we follow. We will tell workspace owners by email and update this page at least 30 days before any new provider is added.

Provider | Purpose | Region
Supabase | Managed Postgres database, authentication and object storage | Asia Pacific (Singapore)
Cloudflare | Edge hosting, TLS termination and DDoS protection for the web application | Global edge network
Stripe | Subscription billing and payment processing (no payroll data shared) | Global
Lovable | Application hosting platform and AI gateway | Global
Layer 05

Compliance roadmap

We believe in being honest about where we are. Below is the current status of our compliance programme.

GDPR-aligned data processing: Live
Row-level security on all customer data: Live
Encryption in transit (TLS 1.2+) and at rest (AES-256): Live
Audit logging of sensitive actions: Live
Hosted on SOC 2 Type II and ISO 27001 certified infrastructure (AU, US, EU/UK privacy-law aligned): Live
TOTP two-factor authentication: Live
Configurable retention & one-click data export / deletion: Live
Independent SOC 2 Type II attestation for OvertimeSolved: Planned
Independent ISO 27001 certification for OvertimeSolved: Planned
SAML SSO for enterprise workspaces: Planned
Independent annual penetration test: Planned
Layer 06

Vulnerability disclosure

If you believe you have found a security vulnerability in OvertimeSolved, please report it to us privately. We will acknowledge your report within 2 business days, keep you updated on progress, and credit you publicly once the issue is fixed (with your permission).

adrian@accordanalytics.com (please do not disclose publicly until we have responded).