Data Security

1 Our Security Commitment

PayMATE handles some of the most sensitive data in your organization — employee personal information, salary records, government ID numbers, and biometric logs. We treat the security of this data as a fundamental responsibility, not an afterthought.

Our security practices are designed to comply with the Republic Act No. 10173 (Data Privacy Act of 2012) and the guidelines of the National Privacy Commission (NPC) of the Philippines.

2 Data Encryption

In Transit

All communication between your browser or mobile device and our servers is encrypted using TLS 1.2 and TLS 1.3 protocols. We enforce HTTPS across all pages and API endpoints. HTTP connections are automatically redirected to HTTPS.

At Rest

Sensitive data fields — including government ID numbers, bank account details, and salary information — are encrypted at rest using AES-256 encryption before being stored in our database.

Passwords & Credentials

User passwords are never stored in plain text. We use bcrypt hashing with salting to protect all authentication credentials.

3 Access Control

PayMATE uses a Role-Based Access Control (RBAC) system to ensure users can only access data appropriate to their role:

• Super Admin — Full system access for authorized IT administrators
• HR Manager — Access to all employee records and payroll functions
• Payroll Officer — Limited to payroll processing and reports
• Supervisor — Access to team attendance and leave approvals
• Employee — Self-service portal: own payslips, attendance, leave only

4 Infrastructure Security

PayMATE is hosted on secure cloud infrastructure with the following protections:

• Firewall protection — All servers are protected by network-level firewalls
• DDoS mitigation — Protection against distributed denial-of-service attacks
• Isolated environments — Production, staging, and development environments are fully separated
• Private networking — Database servers are not directly accessible from the public internet
• Security monitoring — 24/7 automated monitoring for anomalous activity
• Regular patching — Operating systems and software dependencies are regularly updated

5 Application Security

Our development team follows secure coding practices to protect against common web vulnerabilities:

• SQL Injection — Parameterized queries and prepared statements throughout
• Cross-Site Scripting (XSS) — Input sanitization and output encoding
• Cross-Site Request Forgery (CSRF) — CSRF token protection on all forms
• Brute Force — Rate limiting and account lockout after failed login attempts
• Session Security — Secure, HttpOnly, SameSite cookie flags; session expiry on inactivity
• reCAPTCHA v3 — Bot protection on all public-facing forms

6 Backups & Disaster Recovery

We maintain a comprehensive backup strategy to ensure data availability and business continuity:

• Daily automated backups of all databases and file storage
• Off-site backup storage in a geographically separate location
• Backup encryption — All backups are encrypted at rest
• Retention policy — Daily backups retained for 30 days; monthly backups for 1 year
• Recovery testing — Restoration procedures are tested regularly

7 Biometric Data (ZKTECO Integration)

PayMATE integrates with ZKTECO biometric attendance devices. We treat biometric data with the highest level of sensitivity:

• Only time log records (time-in/time-out with employee ID) are transmitted from ZKTECO devices to PayMATE
• Raw biometric templates (fingerprint data) are stored only on the ZKTECO device itself — never transmitted to or stored in PayMATE servers
• Biometric time logs are used exclusively for payroll and attendance computation
• Access to biometric log data is restricted to authorized HR and payroll personnel

8 Employee Personal Data

Employee records in PayMATE — including government ID numbers, salary information, and bank account details — are protected by:

• Field-level encryption for sensitive data columns
• Strict access controls limiting visibility to authorized HR roles
• Audit logs for all access to sensitive employee records
• Data masking in non-production environments
• Employee self-service access limited strictly to their own records

9 Incident Response

In the event of a confirmed security incident or data breach, we follow a structured response process:

• Detection — Automated monitoring alerts our security team immediately
• Containment — Affected systems are isolated within 1 hour of detection
• Assessment — Scope and impact of the incident is determined
• Notification — Affected clients and employees are notified within 72 hours
• NPC Reporting — We notify the National Privacy Commission as required by RA 10173
• Remediation — Root cause is addressed and preventive measures implemented
• Post-Incident Review — Full incident report prepared and shared with affected parties

10 Shared Responsibility

Security is a shared responsibility between PayMATE and our clients. Here's how responsibilities are divided:

11 Reporting Security Issues

If you discover a potential security vulnerability or data breach, please use the secure form below to report it responsibly. We commit to acknowledging valid reports within 48 hours in accordance with the Data Privacy Act of 2012.