EN-Payroll Sync moves employee data between payroll and your benefits platform. The whole design assumes that data is the most sensitive thing we touch — and minimizes how much of it we hold.
No full Social Security numbers in our operational database. SSNs are masked to last four in any record that lands in the runtime store.
Operational data is encrypted at rest. Snapshots and attachments use AWS S3 with KMS-managed keys. All data in transit is TLS end-to-end.
Every record is scoped by client. Row-level security enforces isolation at the database layer, not just in the application.
Operators see only their own clients. End-client users see only their own company. PHI-bearing surfaces require a capability beyond role.
The rare full-identifier export is gated at generation, not just at the link. Once the access window closes, the link can't be re-minted.
Every sync run, every change written, every operator action is logged per client — so you can answer "what happened, and when" with evidence.
The safest data is the data you never store. EN-Payroll Sync is built so that full identifiers live only inside encrypted attachments in cloud object storage, behind explicit access gates — never in the day-to-day operational database. Everything the platform shows operators by default is masked.
Isolation isn't a convention we ask developers to remember; it's enforced at the database layer. Cross-tenant access is structurally prevented, not just discouraged. The same applies to storage keys, logs, and audits — all scoped per client.
See the privacy notice for the data-handling detail.
We're happy to walk your team through the architecture, the data flows, and the controls. Reach out and we'll set it up.