Workforce evidence security

Security for compliance, LMS, feedback, and People Ops records

WorkforceVault protects the records auditors ask for: acknowledgments, training transcripts, feedback cycles, manager actions, access events, and exportable evidence packets, using controls that are implemented in the product rather than unsupported badges or attestations.

Control plane

Evidence trust chain

Access boundary

Scoped sessions, role checks, MFA, and beta-gated SSO controls.

Request hardening

CSRF validation, origin checks, input schemas, and security headers.

Sensitive secrets

AES-256-GCM encryption for OAuth tokens, MFA secrets, SSO client secrets, and webhook secrets when encryption is configured.

Audit ledger

Security events, export actions, high and critical alert routing, and tenant-bound access records.

Control ledger

Security follows the same evidence model as the product.

WorkforceVault protects records that contain compliance state, training evidence, employee feedback, People Ops history, access changes, and export activity. The security surface is organized around implemented controls: authentication, role scope, request validation, secret handling, audit logging, and recovery readiness.

Granular role-based access controls ensure only authorized personnel can access your data. MFA is available today, and enterprise SSO remains beta-gated until the operational flag is enabled. Operational SSO is disabled unless the beta flag is enabled.

No third-party security attestation is claimed on this page. Security review material is limited to implemented controls, operating evidence, and available customer-diligence context.

Identity and access

Better Auth sessions, organization context, role permissions, MFA policy, and SSO options (selected providers).

Session-bound org context, role-gated routes, MFA setup and verification events.

Request and browser boundary

Mutating routes use CSRF wrappers, zod validation, origin checks, and secure response headers.

CSRF token checks, validation middleware, CSP, HSTS, frame denial, and referrer policy.

Sensitive credential handling

OAuth tokens, MFA secrets, SSO client secrets, API keys, and webhook credentials.

AES-256-GCM encryption where configured, hashed API keys, webhook secrets where encryption is configured, redacted logs, and scoped secret handling.

Audit and export evidence

Security events, tenant-isolation attempts, report exports, integration changes, and data export requests.

Database-backed audit log, CSV export trail, high and critical alert routing, and export event records.

Operational readiness

Health endpoints, Redis-backed bulk rate limiting, deploy smoke checks, incident response docs, and backup/restore runbooks.

Readiness checks, PSCICD smoke evidence, documented restore procedure, and read-only backup verifier.

Operations runbook

Security practice is visible as a working record, not a shelf of unsupported claims.

The platform favors controls that a customer can reason about: scoped access, CSRF protection, security headers, encrypted integration secrets where configured, audit logs, health checks, backup-readiness procedures, and documented incident paths.

01

Collect

Security events, exports, access attempts, delivery status, and integration changes are stored with owner and timestamp context.

02

Restrict

Organization context and role checks keep platform operators, tenant admins, managers, employees, and partners in their lane.

03

Protect

Sensitive integration secrets are encrypted when configured; API keys are represented by hashes, not raw keys.

04

Review

Health checks, backup readiness, dependency review, and incident-response procedures stay documented for operator follow-up.

05

Export

Security audit logs and compliance evidence can be exported through role-gated routes for customer diligence.

Security review

Need security documentation for a buying committee?

Send the review scope and we will route the right security, privacy, access, hosting, and evidence-export context.