Security at HQ Workforce
We take the security of your workforce data seriously. Here's how we protect it.
Encryption in Transit
All data between your browser, the WordPress plugin, and HQ Workforce servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and reject unencrypted connections.
Encryption at Rest
Database records and file storage are encrypted at rest using AES-256. Backups are also encrypted. Sensitive fields (passwords, API keys) are additionally hashed using bcrypt with per-record salts.
API Key Security
Each connected WordPress website receives a unique API key. Keys are hashed before storage — we cannot retrieve a key after issuance. Keys can be rotated or revoked at any time from your dashboard. Each key is scoped to a single website and tenant.
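The key lifecycle described above, as an added example that is not HQ Workforce's own code: issuing, verifying, rotating and revoking keys when only a salted hash is stored. The `key_id.secret` format, the in-memory `KEYS` store, the function names, and the use of PBKDF2 from the standard library in place of bcrypt are all assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store: key_id -> record. It holds the salt and hash
# only, so the plaintext key cannot be recovered after issuance.
KEYS = {}

def digest(secret: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2-HMAC-SHA256 stands in for bcrypt here.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def issue_key(tenant_id: str, site_id: str) -> str:
    key_id = secrets.token_hex(8)        # public lookup handle
    secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)       # per-record salt
    KEYS[key_id] = {"tenant": tenant_id, "site": site_id, "salt": salt,
                    "hash": digest(secret, salt), "revoked": False}
    return f"{key_id}.{secret}"          # returned once, never stored

def verify_key(presented: str, tenant_id: str, site_id: str) -> bool:
    key_id, _, secret = presented.partition(".")
    record = KEYS.get(key_id)
    if record is None or record["revoked"]:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    if not hmac.compare_digest(digest(secret, record["salt"]), record["hash"]):
        return False
    # Scope check: the key is valid only for its own tenant and website.
    return record["tenant"] == tenant_id and record["site"] == site_id

def revoke_key(key_id: str) -> None:
    KEYS[key_id]["revoked"] = True

def rotate_key(presented: str, tenant_id: str, site_id: str) -> str:
    if not verify_key(presented, tenant_id, site_id):
        raise PermissionError("invalid key or wrong scope")
    revoke_key(presented.partition(".")[0])
    return issue_key(tenant_id, site_id)

if __name__ == "__main__":
    key = issue_key("tenant-a", "site-1")            # constructed sample scope
    print(verify_key(key, "tenant-a", "site-1"))
    print(verify_key(key, "tenant-b", "site-1"))
    new_key = rotate_key(key, "tenant-a", "site-1")
    print(verify_key(key, "tenant-a", "site-1"))
```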
Tenant Isolation
Each organization (tenant) has a completely isolated data environment. All database queries are scoped by tenant ID, and that scoping is enforced at the API layer. There is no shared data between tenants. Tenant separation is enforced at every layer of the stack.
Role-Based Access Control
HQ Workforce enforces strict RBAC with roles including Super Admin, Tenant Owner, Company Admin, Manager, Supervisor, Worker, and Contractor. Each role can access only the data relevant to its function. Permissions are enforced server-side on every API call.
Audit Logs
All sensitive actions (login, role changes, API key creation, data exports) are recorded in immutable audit logs. Logs include the actor, action, timestamp, and IP address. Audit logs are retained for 12 months and accessible to tenant owners.
Stripe Billing Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. HQ Workforce never stores, transmits, or processes raw card numbers. Billing is managed entirely via Stripe's hosted Checkout and Customer Portal — your card data never touches our servers.
Report a Security Issue
If you discover a security vulnerability, please report it responsibly to our security team. We take all reports seriously and will respond within 24 hours.
security@hqworkforce.com