Security & Compliance

Bank-grade by design. Built so foreign-investor HQ audit, donor compliance, and Bangladesh regulators can pull evidence on demand.

Row-Level Security

Postgres RLS isolates every organization. No shared queries, no shared cache, no cross-tenant leakage. Verified by Supabase linter on every migration.

Encryption

TLS 1.3 in transit. AES-256 at rest. Secrets managed in Lovable Cloud vault — never in code, never in client bundles.

Immutable Audit Logs

Every mutation writes to audit_logs with actor, timestamp, entity, and signed hash. Cryptographically chained — tampering breaks the chain.

Signed Webhooks

HMAC-SHA256 signatures on all outbound webhooks. 5-minute timestamp skew window. Replay attempts logged.
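
A receiver-side check for the properties listed above, as an added example that is not HRTECH.BD's code. The page does not document header names or the signing format, so the `<timestamp>.<body>` signed string, the hex encoding, and every name below are assumptions.

```python
import hashlib
import hmac
import logging
import time

log = logging.getLogger("webhook_receiver")
MAX_SKEW_SECONDS = 300  # the 5-minute skew window stated above


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Assumed scheme (not documented on the page): hex HMAC-SHA256 over
    # b"<unix timestamp>.<raw body>", so the timestamp cannot be altered.
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self._seen = {}  # accepted signature -> its timestamp

    def verify(self, ts_header, sig_header, body: bytes, now=None) -> str:
        now = int(time.time()) if now is None else int(now)
        try:
            ts = int(ts_header)
        except (TypeError, ValueError):
            return "bad_timestamp"
        expected = sign(self.secret, ts, body)
        # Constant-time comparison on bytes; authenticate before anything else
        # so unsigned traffic cannot fill the replay cache.
        if not hmac.compare_digest(expected.encode(), str(sig_header or "").encode()):
            return "bad_signature"
        if abs(now - ts) > self.max_skew:
            log.warning("stale webhook: ts=%d now=%d", ts, now)
            return "stale"
        # Forget signatures that have left the window; they now fail as stale.
        self._seen = {s: t for s, t in self._seen.items()
                      if abs(now - t) <= self.max_skew}
        if expected in self._seen:
            log.warning("replayed webhook: ts=%d sig=%s...", ts, expected[:8])
            return "replay"
        self._seen[expected] = ts
        return "ok"


# Constructed sample delivery (secret, payload and time are made up).
SECRET = b"constructed-test-secret"
BODY = b'{"event":"attendance.created","employee_code":"E-0001"}'
TS = 1_700_000_000
SIG = sign(SECRET, TS, BODY)
```

The signature must be computed over the raw request bytes as received; re-serializing parsed JSON before verifying will produce mismatches.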

Infrastructure

Cloudflare Workers edge runtime, Supabase Postgres with PITR backups, daily snapshots, RTO < 4h, RPO < 15min.

Vulnerability Disclosure

Responsible disclosure to security@hrtech.bd. PGP available. Acknowledgment within 48 hours; fix SLA tied to severity.

Compliance & Certification Status

  • Bangladesh Data Protection Act (alignment): Aligned
  • SOC 2 Type II: Roadmap — Q4 2026
  • ISO 27001: Roadmap — 2027
  • GDPR (for foreign-invested EU exposure): Aligned
  • PCI DSS: N/A — no card storage

Security FAQ

Where is HRTECH.BD data stored?

Production data resides in Supabase Postgres in geographically distributed regions with point-in-time recovery. Data residency commitments for specific deployments available on Enterprise contracts.

Who has access to my organization's data?

Only authenticated users in your organization, scoped by role via Postgres RLS. HRTECH.BD staff access requires explicit support-grant tokens scoped per-request, logged in the audit trail.

Do you store NID or biometric data?

NIDs are stored encrypted; biometric templates are never received by HRTECH.BD — only event metadata (device_id, employee_code, timestamp) is ingested from on-prem turnstiles.

How do I report a vulnerability?

Email security@hrtech.bd with the details. We acknowledge within 48 hours and publish a CVE coordinated with the reporter where applicable.

Report a vulnerability

Email security@hrtech.bd with details. Acknowledgment within 48 hours.