Security at Zziffy

Last updated: 1 April 2026

Zziffy handles sensitive payroll, salary, and employee data. We take this responsibility seriously. Below is a plain-English overview of the security measures in place to protect your data.

🔒

AES-256 Encryption

All data is encrypted at rest using AES-256, the same standard used by banks and financial institutions.

🔐

TLS in Transit

All data transmitted between your browser or app and our servers uses TLS 1.2 or higher. No unencrypted connections are accepted.

🇮🇳

India-Based Servers

Your data is stored exclusively on AWS infrastructure in the Mumbai (ap-south-1) region. No data leaves India.

👁️

Audit Logging

Every action on payroll data or employee records is logged with a timestamp, user ID, and IP address. Full traceability.

🛡️

Role-Based Access

Owners, HR managers, and employees each see only the data their role permits. Permissions are configurable per user.

🔑

Two-Factor Authentication

2FA is available for all admin accounts and is strongly recommended. OTP-based and authenticator app options are supported.

Application Security

Access Controls (Internal)

Backups

Daily encrypted backups are stored in a geographically separate AWS region. Backups are retained for 90 days. Recovery testing is performed quarterly.

Incident Response

In the event of a security incident affecting your data, we will notify you within 72 hours of becoming aware of it, as required under applicable law. We maintain a documented incident response plan that is reviewed and tested annually.

Responsible Disclosure

If you discover a security vulnerability in Zziffy, please report it to security@zziffy.com. We investigate all reports promptly and will keep you informed of our findings. We do not pursue legal action against researchers acting in good faith.

Questions

For any security-related questions: security@zziffy.com