Your payroll data, taken seriously.
Payroll data is sensitive — employee salaries, tax numbers, banking details. Here is how we protect it.
Encrypted in transit and at rest
Every request to MyPayrollOn is served over TLS 1.2+. The Postgres database storing your payroll data uses AWS-managed at-rest encryption (AES-256).
Data residency in af-south-1 (Cape Town)
Application servers run on Vercel; your payroll data lives in an AWS RDS Postgres instance in af-south-1 (Cape Town). We do not move data outside that region — satisfying POPIA data-residency expectations.
Daily backups, point-in-time recovery
Automated daily backups are retained for 7 days, with point-in-time recovery up to 7 days back. Restore drills are run periodically.
Per-tenant RLS isolation
Row-level security is enforced at the database layer. Every payroll record is tagged with a tenant_id, and Postgres RLS policies ensure one business can never read another's data, even if application code has a bug.
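The pattern described above, written out as an added example; it is not MyPayrollOn's own schema or policy code. The table `payslips`, the role `app_user`, the policy name and the `app.tenant_id` session setting are assumed names, and the rows are constructed sample data.

```sql
-- Added example: all object names and values below are assumptions.
CREATE TABLE payslips (
    id        bigserial PRIMARY KEY,
    tenant_id uuid          NOT NULL,
    employee  text          NOT NULL,
    net_pay   numeric(12,2) NOT NULL
);

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
ALTER TABLE payslips ENABLE ROW LEVEL SECURITY;
ALTER TABLE payslips FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-transaction setting. current_setting(..., true)
-- is NULL when never set and '' after a SET LOCAL expires; NULLIF maps both
-- to NULL, so a session with no tenant matches no rows (fails closed).
CREATE POLICY tenant_isolation ON payslips
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application role must not be a superuser or have BYPASSRLS.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON payslips TO app_user;
GRANT USAGE ON SEQUENCE payslips_id_seq TO app_user;

-- Tenant A writes a row. SET LOCAL scopes the tenant to this transaction,
-- so a pooled connection cannot carry it over to the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO payslips (tenant_id, employee, net_pay)
VALUES ('11111111-1111-1111-1111-111111111111', 'A. Example', 25000.00);
COMMIT;

-- Tenant B runs a query with no tenant filter (the "application bug" case).
-- The policy, not the WHERE clause, keeps tenant A's row out of the result.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT id, tenant_id, employee, net_pay FROM payslips;
COMMIT;
```

The `WITH CHECK` clause also rejects an insert or update that would store a row under a different tenant_id than the one set for the transaction.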
Audit trail on every action
Every payroll action — employee changes, run approvals, payslip releases, SARS submissions — is logged with the user and timestamp. Auditors can export the activity log for any period.
Responsible disclosure
Found a security issue? Email security@mypayrollon.com. We respond within one business day and do not pursue good-faith research.
POPIA compliance
MyPayrollOn is designed with the Protection of Personal Information Act (POPIA) in mind. Payroll data is hosted in af-south-1 (Cape Town) with appropriate technical and organisational controls. You can export and permanently delete your data on request, and we never share employee information with third parties for marketing purposes.
SARS requires employers to retain payroll records for at least 5 years. MyPayrollOn retains your payroll data for this period and makes it exportable at any time.
If your business requires a Data Processing Addendum, email privacy@mypayrollon.com.
Questions about security?
Our team is happy to walk you through the architecture on a call.