Security at WalnutsHR

How we protect your team's data

Honest commitments, real architecture, and what we're still building. We document what is live today and what is on the roadmap.

Commitments

US-region data residency

WalnutsHR provisions the primary application database and object storage in a US region (us-west-1) of our cloud provider for organizations registered in the United States. Routing is determined by your country of registration at signup and is enforced by the application — there is no fallback path that routes US customer data to another region. Backups are retained in the same primary region.

Encryption in transit

Traffic between your browser and WalnutsHR is encrypted using TLS, as configured by our hosting provider (Vercel).

Encryption at rest

Databases and object storage are encrypted at rest by our cloud-storage providers (Supabase / Postgres on AWS infrastructure; object storage). Key management is handled by the provider.

Role-based access control

Admins, managers, and employees each see only the data appropriate to their role. Salary and other sensitive fields are restricted to authorised roles by default.

Audit logging

Significant actions (logins, record changes, exports, role changes) are logged and visible to administrators within the product.

Authentication and passwords

Authentication is delegated to Clerk. Passwords are never stored in plain text by WalnutsHR; Clerk manages credential storage using industry-standard hashing, and supports MFA and SSO on supported plans.

Provider certifications

We rely on infrastructure providers that hold SOC 2 Type II (Vercel, Supabase, Clerk). These certifications cover the providers, not WalnutsHR directly; our own SOC 2 path is listed under Roadmap below.

Architecture

WalnutsHR runs on Vercel for application hosting and Supabase for database and object storage. Supabase runs the primary database and object storage on AWS infrastructure. US-registered organizations are routed to a US region of Supabase for both Postgres and object storage; this routing is enforced by the application with no cross-region fallback for primary storage. The database enforces row-level isolation so each organization only sees its own data. Encryption at rest and in transit is provided by the underlying cloud services.

Sub-processors: we use a small number of vetted sub-processors for hosting, authentication, payments, transactional email, analytics, error tracking, and optional AI features. The current public registry is in Privacy Policy §4.2. Customers can request a DPA or sub-processor review by emailing privacy@walnutshr.com.

Quebec Law 25 Privacy Impact Assessment

Quebec's Act respecting the protection of personal information in the private sector (as modernized by Law 25) requires us to assess the protection level provided by destination jurisdictions before communicating personal information outside Quebec or entrusting it to a person outside Quebec. This page summarizes our pre-launch draft PIA. The full document is available to customers with a legitimate security-review need under NDA and to the Commission d'accès à l'information du Québec on request — contact privacy@walnutshr.com.

Status: Draft 0.2, prepared 2026-05-18 and revised 2026-05-22. Pending review by counsel admitted in Quebec before being treated as authoritative. The mitigations summarized below reflect the controls documented for launch readiness. The assessment below is preliminary and must not be treated as a final legal opinion.

Personal information categories covered

Identity, contact, authentication identifiers and credentials processed by our authentication provider (WalnutsHR never holds plaintext passwords), employee HR records (with sensitive fields encrypted at application layer), performance and time-off data, uploaded documents, support communications, AI prompt content (only when invoked), and device / network / usage metadata (only with explicit analytics consent).

Destination jurisdictions assessed

Canada and the United States. Supabase primary storage for Canadian organizations is provisioned on AWS Canada Central (ca-central-1). Supabase is a non-Canadian provider and AWS is a US-based infrastructure provider. The assessment also covers US infrastructure or access for the other sub-processors listed in Privacy Policy §4.2, US federal law (including CLOUD Act and FISA §702 exposure), the state-law layer (CCPA/CPRA and successors), and a per-recipient analysis of each sub-processor's contractual, technical, and organizational safeguards.

Operational mitigations in production

  • Standard Contractual Clauses (or equivalent) with every US-based sub-processor
  • Application-layer AES-256-GCM encryption for SIN, bank account, and bank transit numbers, in addition to the cloud provider's at-rest encryption
  • Postgres row-level security on every model; column-level revocation of salary, SIN, bank, and tax fields from the public-API role
  • Sentry payload scrubbing strips password, SSN, bank, salary, token, and authorization headers before transmission
  • AI invocations only on explicit user action; prompt content fenced; no background AI processing of Quebec residents' data
  • Explicit, granular consent captured at signup with audit trail (purpose, policy version, IP address, timestamp)
  • Customer-data deletion lifecycle: 60 days paused → 270 days archived → 30 days final notice → permanent deletion; backup purge within 30 additional days
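
An added example (not WalnutsHR's code) of the kind of error-payload scrubbing the Sentry bullet above describes: redaction by key name, plus value patterns for secrets that end up inside free text. The key list follows the bullet; the event shape, the value patterns and the `[Filtered]` marker are assumptions.

```javascript
// Added example, not WalnutsHR code. Key names follow the list above;
// the event shape, value patterns and marker are assumptions.
const SENSITIVE_KEY = /password|ssn|bank|salary|token|authorization/i;
const REDACTED = "[Filtered]";
// Secrets embedded in free text (messages, notes) that key matching misses.
const VALUE_PATTERNS = [
  /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/g, // bearer credentials
  /\b\d{3}-\d{2}-\d{4}\b/g,            // SSN-shaped numbers
];

function scrubString(s) {
  return VALUE_PATTERNS.reduce((out, re) => out.replace(re, REDACTED), s);
}

// Returns a scrubbed deep copy; the input object is never mutated.
function scrub(value, seen = new WeakSet()) {
  if (typeof value === "string") return scrubString(value);
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[Circular]"; // ancestor reference: stop here
  seen.add(value);
  const out = Array.isArray(value)
    ? value.map((v) => scrub(v, seen))
    : Object.fromEntries(Object.entries(value).map(([k, v]) =>
        // Substring match on the key fails closed: it may over-redact.
        [k, SENSITIVE_KEY.test(k) ? REDACTED : scrub(v, seen)]));
  seen.delete(value);
  return out;
}

// Shaped like an error-SDK hook that receives the event and returns what to send.
const beforeSend = (event) => scrub(event);

// Constructed sample event; every value here is made up.
const sampleEvent = {
  message: "payroll sync failed for 123-45-6789",
  request: {
    headers: { Authorization: "Bearer abc.def.ghi", "User-Agent": "Mozilla/5.0" },
    data: { employeeId: 42, salary: 91000, bankAccount: "000123456", notes: ["retry with Bearer zzz111"] },
  },
  user: { id: "u_1", password: "hunter2", session_token: "s3cr3t" },
};
sampleEvent.self = sampleEvent; // cycle, to show the scrubber terminates
console.log(JSON.stringify(beforeSend(sampleEvent), null, 2));
```

Key-name matching alone would leave the SSN-shaped number in `message` and the bearer value in `notes` untouched, which is why the value patterns run on every string.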

Residual risks acknowledged

US government compulsion under the CLOUD Act, FISA §702, or domestic process remains a residual exposure for US-headquartered providers and US infrastructure, including providers used for Canadian-region primary storage. That storage is data residency only, not data sovereignty; this legal-process exposure is mitigated by encryption-at-rest, data minimization, access controls, and contractual notification requirements where lawful. Sub-processor breach risk is mitigated by SOC 2 Type II certifications and our layered technical controls but cannot be eliminated. AI provider prompt retention is the highest-attention residual; we reassess every six months and will route Quebec-customer AI invocations to a Zero-Data-Retention vendor if one becomes available with comparable capability.

Conclusion (pre-publication)

The draft PIA records the Privacy Officer's preliminary view that the transfers and provider arrangements listed in Privacy Policy §4.2 may be supportable under Article 17 if the documented mitigations remain in force and the annual PIA review cycle is followed. That view is not final and should not be relied on as a legal opinion until Quebec privacy counsel has completed review and the PIA has been approved.

Privacy Officer + complaints

Quebec residents with questions about this assessment, or who wish to challenge any cross-border transfer of their personal information, may contact the WalnutsHR Privacy Officer at privacy@walnutshr.com. Complaints unresolved through that channel may be filed with the Commission d'accès à l'information du Québec.

Roadmap

The things we are actively building. We commit to updating this page as items move from planned to live.

SOC 2 Type I

We are preparing for a SOC 2 Type I audit. The target is to begin the observation window once our core controls are fully documented.

Status: In preparation

Third-party penetration test

Annual third-party penetration testing is on our roadmap. Until the first test completes, we treat security fixes reported through responsible disclosure as priority issues.

Status: Planned

Data Processing Agreement (DPA)

A standard DPA is available on request for any customer processing Personal Data through WalnutsHR. Enterprise customers and organizations with regulatory requirements may request additional review.

Status: Available on request

Sub-processor registry

Our current sub-processor list is published in Section 4.2 of our privacy policy, including provider purpose, data processed, and default processing location. We provide material sub-processor change notice where required by law or DPA.

Status: Available in privacy policy

Responsible disclosure

If you believe you have found a security vulnerability in WalnutsHR, please email security@walnutshr.com with a clear description and reproduction steps. We acknowledge reports within two business days and work under a 90-day coordinated disclosure timeline. We do not take legal action against researchers who report issues in good faith and respect user privacy while testing.

Do not use this for customer support

For product questions, billing, or account help, please use the contact page or email support@walnutshr.com.

Questions we haven't answered here?

Enterprise security review, DPA, custom data-handling requirements — we're happy to talk.
