Empuls is built on the principle that securing your data is not optional — it is a core product requirement. Whether you are an HR administrator managing employee records or a program owner overseeing reward transactions, the security measures described here apply to every layer of the platform your organization uses.
Certifications and compliance posture
Empuls holds ISO/IEC 27001:2013 certification, which means an independent body has audited and verified that our Information Security Management System (ISMS) meets internationally recognized standards. The ISMS governs how we assess risk, apply controls, and protect the confidentiality, integrity, and availability of information at every level — from our codebase to physical infrastructure to people practices. In addition to ISO 27001, Empuls complies with:
- SOC 2 — independent attestation of our security, availability, and confidentiality controls
- GDPR — full compliance with the EU General Data Protection Regulation for customers with EU-based employees
- EU–US Privacy Shield principles — protecting the rights of EU residents whose data is transferred to the United States
- PCI-DSS — credit card payments are processed through PCI-compliant payment gateways (such as Stripe); Empuls never captures or stores raw card data directly
Multi-tenant architecture and data isolation
Empuls operates as a SaaS platform with a multi-tenant architecture. Each customer organization is treated as a distinct tenant. Data isolation is enforced at the application and database layers so that one organization’s data is never accessible to another. Encryption keys are managed at the client level, meaning your data is encrypted with keys specific to your organization.
Data encryption
All data in transit between your employees’ browsers or mobile apps and Empuls servers is encrypted using HTTPS/TLS. Data at rest — including your employee database — is stored in encrypted form. Data transferred via SFTP (for bulk employee data sync) is encrypted using PGP. Sensitive third-party service keys, such as payment gateway credentials, are stored in encrypted form in the database and are never exposed in logs or application responses.
Physical and network security
Empuls is hosted exclusively on Amazon Web Services (AWS). Empuls employees have no physical access to production servers. AWS data centres provide:
- Military-grade perimeter controls and 24/7 professional security staff
- Video surveillance and intrusion detection systems
- Built-in protection against Distributed Denial of Service (DDoS) attacks
- Protection against Man-in-the-Middle (MITM) attacks, port scanning, and packet sniffing by other tenants
Administrative access controls
Empuls enforces two-factor authentication for all privileged access. Permissions follow least-privilege principles, and every administrative action is logged and auditable. Changes to the platform are subject to a documented review process before they take effect.
Application security practices
The Empuls application follows secure development standards:
- Cross-site scripting (XSS) — all user inputs are encoded on output to prevent injection attacks
- Cross-site request forgery (CSRF) — all POST requests validate a CSRF token before processing
- SQL injection — all database queries use prepared statements
- Vulnerability scanning — periodic vulnerability assessments and penetration testing are conducted using authorized third-party vendors; patches are applied promptly when vulnerabilities are discovered
Data backup and redundancy
Empuls uses Amazon RDS for its database, configured in a Multi-AZ (Availability Zone) deployment. This means your data is automatically replicated across physically separate data centres. Automated backups run continuously with a retention period of up to 30 days, so recovery is possible even in the event of a localized failure.
User management and bulk data operations
Administrators can manage employee accounts in bulk using CSV or XLSX uploads, making it straightforward to onboard, update, or deactivate users at scale. For organizations that need automated, recurring data sync, Empuls supports SFTP-based data transfer with PGP encryption — allowing your HRIS to push employee records securely without manual intervention.
Monitoring and incident response
Empuls uses both internal and external monitoring services to track system behaviour in real time. Automated alerts notify the relevant teams via email and phone if anomalies are detected in request patterns, error rates, or access logs. Login and audit trail reports are available to administrators, capturing user activity including IP address, browser, operating system, and timestamp.
If you discover a security issue or have questions about Empuls’s security posture, contact the support team at cs@xoxoday.com. We investigate all reported concerns and respond promptly.