Security for compliance, LMS, feedback, and People Ops records
WorkforceVault protects the records auditors ask for: acknowledgments, training transcripts, feedback cycles, manager actions, access events, and exportable evidence packets, using controls that are implemented in the product rather than unsupported badges or attestations.
Control plane
Evidence trust chain
Access boundary
Scoped sessions, role checks, MFA, and beta-gated SSO controls.
Request hardening
CSRF validation, origin checks, input schemas, and security headers.
Sensitive secrets
AES-256-GCM encryption for OAuth tokens, MFA secrets, SSO client secrets, and webhook secrets when encryption is configured.
Audit ledger
Security events, export actions, high and critical alert routing, and tenant-bound access records.
Control ledger
Security follows the same evidence model as the product.
WorkforceVault protects records that contain compliance state, training evidence, employee feedback, People Ops history, access changes, and export activity. The security surface is organized around implemented controls: authentication, role scope, request validation, secret handling, audit logging, and recovery readiness.
Granular role-based access controls ensure only authorized personnel can access your data. MFA is available today, and enterprise SSO remains beta-gated until the operational flag is enabled. Operational SSO is disabled unless the beta flag is enabled.
No third-party security attestation is claimed on this page. Security review material is limited to implemented controls, operating evidence, and available customer-diligence context.
Identity and access
Better Auth sessions, organization context, role permissions, MFA policy, and SSO options (selected providers).
Session-bound org context, role-gated routes, MFA setup and verification events.
Request and browser boundary
Mutating routes use CSRF wrappers, zod validation, origin checks, and secure response headers.
CSRF token checks, validation middleware, CSP, HSTS, frame denial, and referrer policy.
Sensitive credential handling
OAuth tokens, MFA secrets, SSO client secrets, API keys, and webhook credentials.
AES-256-GCM encryption where configured, hashed API keys, webhook secrets where encryption is configured, redacted logs, and scoped secret handling.
Audit and export evidence
Security events, tenant-isolation attempts, report exports, integration changes, and data export requests.
Database-backed audit log, CSV export trail, high and critical alert routing, and export event records.
Operational readiness
Health endpoints, Redis-backed bulk rate limiting, deploy smoke checks, incident response docs, and backup/restore runbooks.
Readiness checks, PSCICD smoke evidence, documented restore procedure, and read-only backup verifier.
Operations runbook
Security practice is visible as a working record, not a shelf of unsupported claims.
The platform favors controls that a customer can reason about: scoped access, CSRF protection, security headers, encrypted integration secrets where configured, audit logs, health checks, backup-readiness procedures, and documented incident paths.
Collect
Security events, exports, access attempts, delivery status, and integration changes are stored with owner and timestamp context.
Restrict
Organization context and role checks keep platform operators, tenant admins, managers, employees, and partners in their lane.
Protect
Sensitive integration secrets are encrypted when configured; API keys are represented by hashes, not raw keys.
Review
Health checks, backup readiness, dependency review, and incident-response procedures stay documented for operator follow-up.
Export
Security audit logs and compliance evidence can be exported through role-gated routes for customer diligence.
Security review
Need security documentation for a buying committee?
Send the review scope and we will route the right security, privacy, access, hosting, and evidence-export context.