Security at WorkHive

A breach with bank details and NI numbers is reportable to the ICO within 72 hours and can result in fines up to £17.5m. We treat your team's data accordingly.

🇬🇧 UK-hosted (London) 🔐 AES-256 + field-level 📜 ICO registered 🏆 Cyber Essentials 📋 UK GDPR compliant

The 3 layers

🔐

Encrypted at rest

AES-256 across the whole database. Bank sort codes, account numbers and NI numbers have an additional field-level encryption layer using a separate master key in Supabase Vault — even a leaked database key wouldn't expose them.
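To show what "field-level encryption with a separate key" looks like inside a Postgres/Supabase database, here is an added illustration using pgsodium's Transparent Column Encryption. It is not WorkHive's own schema: the table, column and key names are assumed, the create_key and SECURITY LABEL calls follow pgsodium's documented conventions as I know them (check them against the pgsodium version you run), and <KEY-UUID> is a placeholder for the key id returned by create_key.

```sql
-- Added example (not WorkHive's code): field-level encryption with pgsodium
-- Transparent Column Encryption. Table, column and key names are assumed.
CREATE EXTENSION IF NOT EXISTS pgsodium;

CREATE TABLE staff_bank_details (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    staff_id    uuid NOT NULL,
    sort_code   text NOT NULL,   -- held as ciphertext once labelled below
    account_no  text NOT NULL,
    ni_number   text NOT NULL
);

-- A dedicated data key, kept in pgsodium's key table and wrapped by the
-- server root key, so it is independent of the disk-level AES-256 key:
-- a copied database file alone does not yield these columns.
-- Record the returned id; it is referenced by the labels below.
SELECT id AS bank_key_id
FROM pgsodium.create_key(name := 'staff_bank_details_key');

-- Label each sensitive column. pgsodium then stores ciphertext on write
-- and generates a decrypted_staff_bank_details view for reads.
-- <KEY-UUID> is a placeholder for the id returned by create_key above.
SECURITY LABEL FOR pgsodium ON COLUMN staff_bank_details.sort_code
    IS 'ENCRYPT WITH KEY ID <KEY-UUID>';
SECURITY LABEL FOR pgsodium ON COLUMN staff_bank_details.account_no
    IS 'ENCRYPT WITH KEY ID <KEY-UUID>';
SECURITY LABEL FOR pgsodium ON COLUMN staff_bank_details.ni_number
    IS 'ENCRYPT WITH KEY ID <KEY-UUID>';

-- Plaintext is only reachable through the generated view, so restrict it:
-- grant SELECT on decrypted_staff_bank_details to the payroll role alone.
REVOKE ALL ON decrypted_staff_bank_details FROM PUBLIC;
```

The practical check after applying this is to `SELECT sort_code FROM staff_bank_details` as the ordinary application role: the value should be base64 ciphertext, and only the role granted access to the decrypted view should see the clear sort code. The key material itself is only as safe as the pgsodium root key on the database host, which is why it belongs in a managed secret store (Supabase Vault in the text) rather than in the application's configuration.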

🛡️

Row Level Security

Every table is locked down at the database. Staff can never query other staff's data, managers see only their site, payslips are HR-confidential. 59 RLS policies covering 26 tables — enforced by Postgres itself, so no UI bug can bypass them.
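As an added example (not WorkHive's schema), the three rules in this card expressed as Postgres row-level security policies. The tables and role names are assumed; auth.uid() is Supabase's helper that returns the calling user's id, and the current_staff() helper is my own addition so a policy can look up the caller's role and site without each policy repeating the subquery.

```sql
-- Added example (not WorkHive's code): RLS enforcing "staff see only
-- themselves, managers see their site, payslips are HR-only".
-- Assumes Supabase's auth.uid(); tables and roles are illustrative.
CREATE TABLE staff (
    id       uuid PRIMARY KEY,            -- equals auth.uid() for that user
    site_id  uuid NOT NULL,
    role     text NOT NULL CHECK (role IN ('staff', 'manager', 'hr', 'owner'))
);

CREATE TABLE payslips (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    staff_id  uuid NOT NULL REFERENCES staff(id),
    period    date NOT NULL,
    net_pay   numeric(10,2) NOT NULL
);

-- Once enabled, a table with no matching policy returns no rows and
-- accepts no writes for any non-owner role: deny by default.
ALTER TABLE staff    ENABLE ROW LEVEL SECURITY;
ALTER TABLE payslips ENABLE ROW LEVEL SECURITY;

-- Helper: the caller's own staff row. SECURITY DEFINER runs it as the
-- table owner, who is exempt from RLS, so policies below can use it
-- without recursing into the staff policies.
CREATE FUNCTION current_staff() RETURNS staff
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
    SELECT * FROM staff WHERE id = auth.uid()
$$;

-- 1. Staff can only ever read their own row.
CREATE POLICY staff_self ON staff FOR SELECT
    USING (id = auth.uid());

-- 2. Managers additionally see staff at their own site, nothing else.
CREATE POLICY staff_same_site ON staff FOR SELECT
    USING ((current_staff()).role = 'manager'
       AND site_id = (current_staff()).site_id);

-- 3. Payslips: the employee themself can read theirs; HR / Owner manage
--    all of them; managers get no policy and therefore no rows.
CREATE POLICY payslip_own ON payslips FOR SELECT
    USING (staff_id = auth.uid());

CREATE POLICY payslip_hr ON payslips FOR ALL
    USING ((current_staff()).role IN ('hr', 'owner'))
    WITH CHECK ((current_staff()).role IN ('hr', 'owner'));
```

The point worth testing in a review is the negative case: connect as an ordinary staff user and run `SELECT * FROM payslips` and `UPDATE staff SET site_id = ...`; both should return zero rows / zero affected rows even if the API layer forwarded the request, because the filter lives in the database, not in the UI. Note that the owner role (and any role with BYPASSRLS) is exempt, so the application must connect as a non-owner role for these policies to mean anything.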

📋

Immutable audit log

Every sensitive action — login, payslip view, bank update, RTW sign-off — recorded with actor + IP + timestamp. Append-only at the database trigger level: nobody, including us, can edit or delete entries. Used for tribunal defence.
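The "append-only at the trigger level" pattern, as an added example rather than WorkHive's own code. The table layout, the app_user role and the log_action writer are assumed; what the block shows is the part that matters, namely that UPDATE, DELETE and TRUNCATE fail inside the database whatever client issued them.

```sql
-- Added example (not WorkHive's code): append-only audit log enforced by
-- triggers plus privileges. Table columns and role name are assumed.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    uuid,                      -- who acted
    actor_ip    inet,                      -- from which client address
    action      text NOT NULL,             -- e.g. 'login', 'payslip.view'
    target      text,                      -- e.g. 'payslip:<id>'
    detail      jsonb NOT NULL DEFAULT '{}'::jsonb
);

-- Any attempt to change or remove a row is rejected with an error.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- UPDATE and DELETE are row-level events...
CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- ...but TRUNCATE is statement-level and needs its own trigger,
-- otherwise a plain TRUNCATE would silently empty the table.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Belt and braces: the application role only ever holds INSERT + SELECT.
CREATE ROLE app_user NOLOGIN;                     -- assumed; skip if it exists
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

-- Writer used by the API layer. The end-user IP is passed in explicitly:
-- inet_client_addr() would only give the API server's own address.
CREATE FUNCTION log_action(p_actor uuid, p_ip inet, p_action text,
                           p_target text, p_detail jsonb DEFAULT '{}')
RETURNS void LANGUAGE sql SECURITY DEFINER SET search_path = public AS $$
    INSERT INTO audit_log (actor_id, actor_ip, action, target, detail)
    VALUES (p_actor, p_ip, p_action, p_target, p_detail)
$$;

-- Checks (constructed values):
-- SELECT log_action('00000000-0000-0000-0000-000000000001', '203.0.113.7',
--                   'payslip.view', 'payslip:<id>');      -- succeeds
-- DELETE FROM audit_log;    -- ERROR: audit_log is append-only: DELETE ...
-- TRUNCATE audit_log;       -- ERROR: audit_log is append-only: TRUNCATE ...
```

Two caveats a practitioner would add: the trigger binds every ordinary role, but a superuser or the table owner can still `DROP TRIGGER` and then delete, so the guarantee is "no application path can alter the log", not "no one with database administration rights can"; an independent copy of the log (the weekly off-site backup listed on this page) is what closes that gap. And because the error is raised from a trigger, a failed UPDATE or DELETE attempt is itself worth logging from the API layer as a security event.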

What we do

Hosting: Supabase EU-West-2 (London) — your data never leaves UK soil
Transport: TLS 1.3 with HSTS preload, certificate pinning option
Encryption at rest: AES-256 on database + storage + backups
Field-level encryption: pgsodium-encrypted: bank details, NI numbers
2FA: Mandatory for Manager / HR / Owner roles
Password policy: 12+ characters, breach check via HaveIBeenPwned
RLS policies: 59 policies enforcing role-based access at the database
Audit log: Append-only via DB trigger — UPDATE/DELETE/TRUNCATE blocked
Backups: Daily encrypted + Point-in-Time Recovery (any second in last 7 days)
Off-site backup: Weekly to a separate cloud account (different blast radius)
Penetration testing: Annual, by CREST-certified UK firm
Vulnerability scanning: OWASP ZAP weekly automated scan
Cyber insurance: £1m cover via Hiscox / Markel

Compliance & certifications

📜

UK GDPR + Data Protection Act 2018

You are the Controller, we are the Processor. DPA available on request. Subject access requests, erasure requests and data exports supported within 30 days.

๐Ÿ›๏ธ

ICO registered

Registered with the Information Commissioner's Office under the Data Protection Fee. Registration number visible on this page once active.

๐Ÿ†

Cyber Essentials

UK government-backed certification proving baseline cyber-security controls. Renewed annually.

⚖️

Employment law records

Retention rules baked in: PAYE 3 years, RTW 2 years post-employment, employment contracts 6 years (Limitation Act 1980), audit log 6 years.

Sub-processors

The third-party services we use to operate WorkHive. Full list in our Sub-processor list.

Breach response

If we ever detect a security incident:

  1. Within 1 hour: contain the incident, isolate affected systems
  2. Within 24 hours: assess scope, notify affected customers
  3. Within 72 hours: ICO notification (if required under UK GDPR Art 33)
  4. Within 7 days: root-cause report + remediation plan

Full plan documented in our Breach Response Plan.

Reporting a vulnerability

Found something? Email security@workhive.co.uk. We respond within 24 hours.

Questions?

Need our DPA, sub-processor list, or other compliance documentation for your own records? Email security@workhive.co.uk — we respond within 1 working day.