Security at WalnutsHR

How we protect your team's data

Honest commitments, real architecture, and what we're still building. We document what is live today and what is on the roadmap.

Commitments

US-region data residency

WalnutsHR provisions the primary application database and object storage in a US region (us-west-1) of our cloud provider for organizations registered in the United States. Routing is determined by your country of registration at signup and is enforced by the application — there is no fallback path that routes US customer data to another region. Backups are retained in the same primary region.

Encryption in transit

Traffic between your browser and WalnutsHR is encrypted using TLS, as configured by our hosting provider (Vercel).

Encryption at rest

Databases and object storage are encrypted at rest by our cloud-storage providers (Supabase / Postgres; object storage). Key management is handled by the provider.

Role-based access control

Admins, managers, and employees each see only the data appropriate to their role. Salary and other sensitive fields are restricted to authorised roles by default.

Audit logging

Significant actions (logins, record changes, exports, role changes) are logged and visible to administrators within the product.

Authentication and passwords

Authentication is delegated to Clerk. Passwords are never stored in plain text by WalnutsHR; Clerk manages credential storage using industry-standard hashing, and supports MFA and SSO on supported plans.

Provider certifications

We rely on infrastructure providers that hold SOC 2 Type II (Vercel, Supabase, Clerk). These certifications cover the providers, not WalnutsHR directly; our own SOC 2 path is listed under Roadmap below.

Architecture

WalnutsHR runs on Vercel for application hosting and Supabase for database and object storage. US-registered organizations are routed to a US region of Supabase (us-west-1) for both Postgres and object storage; this routing is enforced by the application with no cross-region fallback. The database enforces row-level isolation so each organization only sees its own data. Encryption at rest and in transit is provided by the underlying cloud services.

Sub-processors: we use a small number of vetted sub-processors for hosting, transactional email, and analytics. A full registry will be published on this page. Enterprise customers can request the current list by emailing support@walnutshr.com.

Quebec Law 25 Privacy Impact Assessment

Quebec's Act respecting the protection of personal information in the private sector (as modernized by Law 25) requires us to assess the protection level provided by destination jurisdictions before transferring Quebec residents' personal information outside Quebec. This page summarizes our pre-launch PIA. The full document is available to enterprise customers under NDA and to the Commission d'accès à l'information du Québec on request — contact privacy@walnutshr.com.

Status: Draft 0.1, dated 2026-05-18. Pending review by counsel admitted in Quebec before being treated as authoritative. Operational mitigations summarized below are in production today; the "conclusion" below reflects the Privacy Officer's pre-publication assessment, not a final legal opinion.

Personal information categories covered

Identity, contact, account credentials (hashed by our authentication provider — WalnutsHR never holds plaintext passwords), employee HR records (with sensitive fields encrypted at application layer), performance and time-off data, uploaded documents, support communications, AI prompt content (only when invoked), and device / network / usage metadata (only with explicit analytics consent).

Destination jurisdictions assessed

United States, for all sub-processors listed in our Privacy Policy §4.2 except Upstash (Canada primary). The assessment covers US federal law (no comprehensive privacy statute; sectoral protections only; CLOUD Act and FISA §702 exposure acknowledged), the state-law layer (CCPA/CPRA and successors), and a per-recipient analysis of each sub-processor's contractual, technical, and organizational safeguards.

Operational mitigations in production

  • Standard Contractual Clauses (or equivalent) with every US-based sub-processor
  • Application-layer AES-256-GCM encryption for SIN, bank account, and bank transit numbers, in addition to the cloud provider's at-rest encryption
  • Postgres row-level security on every model; column-level revocation of salary, SIN, bank, and tax fields from the public-API role
  • Sentry payload scrubbing strips password, SSN, bank, salary, token, and authorization headers before transmission
  • AI invocations only on explicit user action; prompt content fenced; no background AI processing of Quebec residents' data
  • Explicit, granular consent captured at signup with audit trail (purpose, policy version, IP address, timestamp)
  • Customer-data deletion lifecycle: 60 days paused → 270 days archived → 30 days final notice → permanent deletion; backup purge within 30 additional days
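One way to implement the two database controls named in the list above (row-level security on every model, and keeping salary, SIN, bank and tax columns away from a restricted public-API role) is shown below as an added example. It is illustrative SQL for Postgres, not WalnutsHR's own schema or policy text; the table, column, role and setting names (`employees`, `public_api`, `app.current_org_id`) are assumptions.

```sql
-- Added example, not WalnutsHR's schema: per-organization row isolation with
-- Postgres row-level security, plus column-level privileges for a restricted
-- API role. All names below are assumptions for illustration.

-- Two roles: the trusted application backend and a restricted public-API path
-- that must never read the sensitive HR columns.
CREATE ROLE app_backend NOLOGIN;
CREATE ROLE public_api NOLOGIN;

CREATE TABLE employees (
    id              bigserial PRIMARY KEY,
    organization_id uuid   NOT NULL,
    full_name       text   NOT NULL,
    email           text   NOT NULL,
    salary_cents    bigint,
    sin_ciphertext  bytea,  -- application-layer AES-256-GCM output; never plaintext
    bank_ciphertext bytea,  -- same: encrypted before it reaches the database
    tax_code        text
);

-- Row-level security: every statement against this table is filtered by the
-- organization id the application sets on the connection for the request.
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well (superusers still bypass RLS).
ALTER TABLE employees FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when the setting is absent, so a
-- request that forgot to set its organization sees zero rows (fails closed).
CREATE POLICY org_isolation ON employees
    USING      (organization_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (organization_id = current_setting('app.current_org_id', true)::uuid);

-- Column-level privileges: grant the restricted role only the non-sensitive
-- columns. A table-wide GRANT SELECT would override any per-column REVOKE, so
-- the safe idiom is to grant nothing table-wide and list permitted columns.
GRANT SELECT (id, organization_id, full_name, email) ON employees TO public_api;
GRANT SELECT, INSERT, UPDATE, DELETE ON employees TO app_backend;

-- Per-request setup as the application would do it on a pooled connection.
-- SET LOCAL scopes both the role and the organization id to this transaction,
-- so nothing leaks into the next request that reuses the connection.
-- (Run as a role that is a member of public_api, or as a superuser.)
BEGIN;
SET LOCAL ROLE public_api;
SET LOCAL app.current_org_id = '00000000-0000-0000-0000-000000000001';  -- constructed sample id
SELECT id, full_name, email FROM employees;   -- returns only this organization's rows
-- SELECT salary_cents FROM employees;        -- would fail: permission denied for column
COMMIT;
```

Two checks are worth running against a database built this way: first, open a transaction without setting `app.current_org_id` and confirm the `SELECT` returns no rows rather than every organization's rows; second, as `public_api`, select each of the sensitive columns and confirm each attempt is rejected with a column permission error. Both should be repeated whenever a migration adds a column, since a newly added column is not covered by an existing column list grant only if the grant stays column-scoped.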

Residual risks acknowledged

US government compulsion under the CLOUD Act, FISA §702, or domestic process remains a theoretical exposure for all US-based sub-processors; mitigated by encryption-at-rest, contractual notification requirements where lawful, and the narrow scope of HR data (small/mid-size employers; not typical compulsion targets). Sub-processor breach risk is mitigated by SOC 2 Type II certifications and our layered technical controls but cannot be eliminated. AI provider prompt retention is the highest-attention residual; we reassess every six months and will route Quebec-customer AI invocations to a Zero-Data-Retention vendor if one becomes available with comparable capability.

Conclusion (pre-publication)

Personal information transfers to the recipients listed in Privacy Policy §4.2 are assessed as receiving adequate protection within the meaning of Article 17 of the Act, conditional on the operational mitigations above remaining in force and on the annual PIA review cycle (next: 2026-05-18 + 12 months) being followed. This conclusion is subject to counsel review before being treated as final.

Privacy Officer + complaints

Quebec residents with questions about this assessment, or who wish to challenge any cross-border transfer of their personal information, may contact the WalnutsHR Privacy Officer at privacy@walnutshr.com. Complaints unresolved through that channel may be filed with the Commission d'accès à l'information du Québec.

Roadmap

The things we are actively building. We commit to updating this page as items move from planned to live.

SOC 2 Type I (status: in preparation)

We are preparing for a SOC 2 Type I audit. The target is to begin the observation window once our core controls are fully documented.

Third-party penetration test (status: planned)

Annual third-party penetration testing is on our roadmap. Until the first test completes, we treat security fixes reported through responsible disclosure as priority issues.

Data Processing Agreement (DPA) (status: available on request)

A DPA is available on request for enterprise customers and organizations with regulatory requirements. Contact sales to initiate.

Sub-processor registry (status: available in privacy policy)

Our current sub-processor list is published in Section 4.2 of our privacy policy. We will mirror it on this page in a dedicated registry as part of our SOC 2 readiness work.

Responsible disclosure

If you believe you have found a security vulnerability in WalnutsHR, please email security@walnutshr.com with a clear description and reproduction steps. We acknowledge reports within two business days and work under a 90-day coordinated disclosure timeline. We do not take legal action against researchers who report issues in good faith and respect user privacy while testing.

Do not use this for customer support

For product questions, billing, or account help, please use the contact page or email support@walnutshr.com.

Questions we haven't answered here?

Enterprise security review, DPA, custom data-handling requirements — we're happy to talk.

Contact us
