
Information Security Policy

Last updated: 2026-02-08. Version 1.0

1. Purpose and Scope

This Information Security Policy establishes the security framework for NannyLedger, a payroll processing service for household employers. It applies to all systems, data, and personnel involved in operating the NannyLedger platform. The policy ensures the confidentiality, integrity, and availability of sensitive payroll and tax data, including personally identifiable information (PII) and financial information.

2. Access Control

NannyLedger enforces strict access control measures to ensure only authorized individuals can access sensitive data and systems.

Role-Based Access Control (RBAC)

Access to data and functionality is granted based on user roles. Employer accounts can manage employees, run payroll, and view all account data. Employee accounts can only view their own pay stubs, tax documents, and personal profile. Administrative access to production systems is restricted to authorized personnel on a need-to-know basis.

Least Privilege

All users and systems are granted the minimum level of access required to perform their functions. Database queries are scoped to the authenticated user's account, and API endpoints enforce authorization checks before returning data.

Multi-Factor Authentication (MFA)

Multi-factor authentication is supported for all user accounts through our authentication provider (Supabase Auth). We strongly recommend that all users enable MFA, particularly for employer accounts that have access to sensitive employee data.

3. Data Classification

All data processed by NannyLedger is classified into categories that determine the required level of protection.

Highly Sensitive (Encrypted at Rest)

Social Security Numbers (SSNs), bank account and routing numbers, Employer Identification Numbers (EINs), and tax withholding details (W-4 data). These fields are encrypted at rest using AES-256-GCM encryption via Prisma field-level encryption.

Sensitive (Standard Protection)

Names, addresses, email addresses, phone numbers, pay rates, and employment details. Protected by database access controls, TLS in transit, and audit logging.

Internal (Operational Data)

System logs, usage analytics, and configuration data. Access restricted to authorized personnel; retained per operational needs.

4. Encryption

Encryption is a cornerstone of our data protection strategy, applied at multiple layers.

Encryption at Rest

Highly sensitive fields (SSN, bank accounts, EIN) are encrypted at the application layer using AES-256-GCM via Prisma field-level encryption before being stored in the database. The database itself uses storage-level encryption provided by Supabase (PostgreSQL).

Encryption in Transit

All communications between clients and servers use TLS 1.2 or higher. API calls to third-party services (Check, Stripe, Supabase) are encrypted in transit. Internal service-to-database connections use SSL/TLS.

Key Management

Encryption keys are stored as environment variables in the deployment platform (Vercel), never in source code. Key rotation is supported through a legacy key mechanism: new writes are encrypted with the current key, while ciphertext produced under earlier keys can still be decrypted with those keys during the migration period in which stored values are re-encrypted.

5. Incident Response

NannyLedger maintains an incident response plan to address security events promptly and effectively.

Detection

Security events are detected through audit logging on sensitive database operations, rate limiting alerts, authentication failure monitoring, and third-party vulnerability notifications.

Containment

Upon detection of a security incident, affected accounts or systems are immediately isolated. Compromised credentials are revoked, and affected API keys are rotated.

Eradication and Recovery

The root cause is identified and remediated. Systems are restored from known-good backups if necessary. All changes are documented and reviewed.

Notification

Affected users are notified within 72 hours of confirming a data breach, in accordance with applicable state and federal notification requirements. Notification includes the nature of the breach, data affected, and steps users should take.

6. Vendor Management

NannyLedger relies on trusted third-party vendors for core infrastructure. Each vendor is evaluated for security posture and compliance.

Check (Payroll Infrastructure)

Check is a payroll infrastructure provider with a SOC 2 Type II report that handles tax calculations, filings, and direct deposit processing. Data shared with Check is transmitted over encrypted channels.

Stripe (Payment Processing)

Stripe is a PCI DSS Level 1 service provider and handles all payment card processing. NannyLedger never stores or processes payment card numbers directly.

Supabase (Database and Authentication)

Supabase provides managed PostgreSQL with row-level security, encrypted storage, and SOC 2 compliant authentication services.

Vercel (Hosting and Deployment)

Vercel provides the hosting platform with automatic HTTPS, DDoS protection, and SOC 2 compliance. Environment variables (including encryption keys) are securely stored in the Vercel platform.

7. Change Management

All changes to production systems follow a structured change management process. Code changes require peer review before merging. Automated testing (unit and integration tests) must pass before deployment. Deployments are staged and can be rolled back immediately if issues are detected. Infrastructure changes are documented and approved by authorized personnel.

8. Business Continuity

NannyLedger maintains business continuity measures to ensure service availability and data durability.

Database Backups

Supabase provides automated daily database backups with point-in-time recovery. Backups are stored in a separate availability zone and encrypted at rest.

Disaster Recovery

In the event of a service outage, the platform can be restored from the most recent backup. Recovery time objective (RTO) is 4 hours. Recovery point objective (RPO) is 24 hours, the interval of the daily backup schedule; point-in-time recovery, where available, allows a more recent restore point than the last daily backup.

9. Audit and Monitoring

Comprehensive audit logging is implemented to provide accountability and support forensic analysis.

Audit Logging

All create, update, and delete operations on sensitive database tables (Users, Accounts, Employees, PayRuns, PayStubs, Documents) are logged with the user ID, timestamp, operation type, and changed fields. Sensitive fields (SSN, bank accounts) are excluded from audit log content to prevent PII exposure in logs.
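To show what the audit-logging rule above looks like in practice, here is an added example (not NannyLedger's code) of an audit entry builder: it records the user, timestamp, operation and the names of changed fields, stores before/after values for ordinary fields, replaces the values of highly sensitive fields with a redaction marker, and runs a pattern check so that an SSN- or EIN-shaped value never reaches the log sink. The sensitive-field list, the entry shape, the sink interface and the PII patterns are assumptions; the sample records are constructed.

```javascript
// Added example: building audit log entries that exclude sensitive field values.
// Not NannyLedger's implementation; field names, entry shape and the PII
// heuristics are assumptions for this illustration.

// Fields whose values must never appear in audit logs (assumed column names).
const SENSITIVE_FIELDS = new Set(["ssn", "bankAccountNumber", "bankRoutingNumber", "ein", "w4Withholding"]);

// Heuristic guard patterns (assumed): SSN-like, EIN-like, and bare 9-digit
// strings such as routing numbers. A defense-in-depth check, not a full PII detector.
const PII_PATTERNS = [/\b\d{3}-\d{2}-\d{4}\b/, /\b\d{2}-\d{7}\b/, /\b\d{9}\b/];

// Builds one entry for a create/update/delete on a sensitive table. Field values
// are compared as scalars; nested objects would need a deep comparison.
function buildAuditEntry({ table, userId, operation, before, after, now = new Date() }) {
  const prev = before || {};   // null for create
  const next = after || {};    // null for delete
  const names = new Set([...Object.keys(prev), ...Object.keys(next)]);
  const changes = {};
  for (const name of names) {
    if (prev[name] === next[name]) continue;
    changes[name] = SENSITIVE_FIELDS.has(name)
      ? { redacted: true }                                      // name only, never the value
      : { from: prev[name] ?? null, to: next[name] ?? null };
  }
  return {
    table,
    userId,
    operation,
    timestamp: now.toISOString(),
    changedFields: Object.keys(changes).sort(),
    changes,
  };
}

// True if the serialised entry contains anything shaped like an SSN, EIN or
// 9-digit account/routing number.
function containsLikelyPii(entry) {
  const serialised = JSON.stringify(entry);
  return PII_PATTERNS.some((re) => re.test(serialised));
}

// Writes to the sink (an array here; a table or log pipeline in practice) only
// after the guard passes, so a redaction bug fails loudly instead of leaking.
function writeAuditEntry(entry, sink) {
  if (containsLikelyPii(entry)) {
    throw new Error("refusing to write audit entry: value matches a PII pattern");
  }
  sink.push(entry);
  return entry;
}

module.exports = { SENSITIVE_FIELDS, buildAuditEntry, containsLikelyPii, writeAuditEntry };
```

The guard is deliberately conservative: a false positive blocks one log write and surfaces as an error to investigate, which is preferable to a false negative that puts an SSN into long-retained logs.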

Periodic Security Reviews

Security controls, access permissions, and vendor relationships are reviewed periodically. Audit logs are reviewed for anomalous activity. Penetration testing and vulnerability assessments are conducted as resources permit.

10. Vulnerability Management

NannyLedger maintains a proactive approach to identifying and remediating security vulnerabilities.

Dependency Updates

Third-party dependencies are monitored for known vulnerabilities using automated tools (npm audit, Dependabot). Critical and high-severity vulnerabilities are patched within 7 days of disclosure.

Security Scanning

Static analysis tools are used to identify potential security issues in application code. Input validation using Zod schemas rejects malformed or unexpected input at the API boundary, which, combined with parameterized database access, limits injection attacks. Rate limiting protects against brute-force and denial-of-service attacks.

Data Retention Policy

Last updated: 2026-02-08. Version 1.0

1. Purpose

This Data Retention Policy formalizes the retention and deletion practices for data processed by NannyLedger. Household employers are required by the Internal Revenue Service (IRS) and various state agencies to retain payroll and tax records for specified periods. This policy ensures compliance with those requirements while respecting user privacy and minimizing data retention beyond what is legally necessary.

2. Retention Periods

Data is retained for the following minimum periods, based on legal requirements and operational needs:

Payroll Records (5 Years)

Pay runs, pay stubs, hours worked, gross and net pay amounts, and tax withholding details are retained for a minimum of 5 years from the date the payroll was processed, which exceeds the 4-year minimum the IRS sets for employment tax records (IRC Section 6001, IRS Publication 15).

Tax Documents (7 Years)

W-2 forms, Schedule H filings, quarterly tax returns, and other tax documents are retained for a minimum of 7 years from the filing date, a conservative period that covers the IRS statutes of limitations for assessing additional tax (generally 3 years, extended to 6 years for a substantial understatement of income).

Account Data (Until Deletion Requested)

Employer profiles, business information, and account settings are retained as long as the account is active. Upon account deletion request, account data is removed within 30 days, except where data must be retained for legal compliance (payroll and tax records).

Employee Records (5 Years Post-Termination)

Employee personal information, employment dates, and pay configuration are retained for 5 years after the employee's termination date or last payroll, whichever is later, to support potential tax audits and legal inquiries.

Audit Logs (5 Years)

System audit logs recording database operations, user actions, and security events are retained for 5 years to support security investigations and compliance audits.

Usage Data (1 Year)

Anonymized usage analytics and performance metrics are retained for up to 1 year for service improvement purposes.

3. Data Categories

The following categories summarize what data is retained and under which schedule:

Financial Data

Includes pay amounts, tax withholdings, deductions, bank account details (encrypted), and payment history. Retained per payroll records schedule (5 years minimum).

Personal Identifiers

Includes SSNs (encrypted), EINs (encrypted), names, addresses, and dates of birth. Retained as long as associated payroll or tax records are retained.

Employment Data

Includes hire dates, termination dates, pay rates, work schedules, and W-4 elections. Retained per employee records schedule (5 years post-termination).

System and Security Data

Includes audit logs, authentication events, API access logs, and rate limiting records. Retained per audit log schedule (5 years).

4. Deletion Procedures

Users may request deletion of their account and personal data at any time by contacting support@homepayroll.com or through the account settings page.

What Is Deleted

Account profile information, login credentials, preferences, and any data not subject to legal retention requirements are permanently deleted within 30 days of the request.

What Is Retained

Payroll records, tax documents, and audit logs that fall within their respective retention periods are retained even after account deletion, as required by law. This data is disassociated from the deleted account where technically feasible and is securely deleted once the retention period expires.

Deletion Confirmation

Users receive an email confirmation when their deletion request has been processed, specifying what data was deleted and what data is retained for legal compliance, including the expected deletion date for retained records.

5. Legal Holds

In certain circumstances, data that would otherwise be deleted must be preserved. When NannyLedger receives a legal hold notice (e.g., litigation hold, government investigation, or regulatory inquiry), all data relevant to the hold is preserved regardless of its scheduled retention or deletion date. Legal holds override user deletion requests for the affected data. Users are notified of a legal hold only where permitted by law. Data subject to a legal hold is released and resumes its normal retention schedule once the hold is lifted.
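The retention periods, the "whichever is later" rule for employee records, the 30-day deletion window, the expected-deletion dates in the confirmation email and the legal hold override all have to be computed consistently when a deletion request arrives. The following is an added example, not NannyLedger's code, of a small retention calculator that does this. The record kinds and field names are assumptions, the sample records are constructed, and the legal hold is modelled as covering every record of the account, which is a simplification of "all data relevant to the hold".

```javascript
// Added example: retention schedule and deletion planning for a deletion
// request. Not NannyLedger's implementation; record kinds, field names and the
// all-records legal hold are assumptions for this illustration.

function addYears(date, n) {
  const d = new Date(date);
  d.setUTCFullYear(d.getUTCFullYear() + n);
  return d;
}

function addDays(date, n) {
  const d = new Date(date);
  d.setUTCDate(d.getUTCDate() + n);
  return d;
}

// Returns the date a record becomes eligible for secure deletion, or null for
// data with no legal retention requirement (deleted on request).
function retentionExpiry(record) {
  switch (record.kind) {
    case "payrollRecord":  return addYears(record.processedAt, 5);   // 5 years from processing
    case "taxDocument":    return addYears(record.filedAt, 7);       // 7 years from filing
    case "auditLog":       return addYears(record.createdAt, 5);     // 5 years
    case "usageData":      return addYears(record.createdAt, 1);     // 1 year
    case "employeeRecord": {
      // 5 years after termination or last payroll, whichever is later.
      const anchors = [record.terminatedAt, record.lastPayrollAt].filter(Boolean);
      if (anchors.length === 0) throw new Error(`employeeRecord ${record.id} has no termination or payroll date`);
      const latest = anchors.reduce((a, b) => (a > b ? a : b));
      return addYears(latest, 5);
    }
    default:
      return null; // account profile, credentials, preferences
  }
}

// Plans a deletion request: what is removed within 30 days, what is retained
// with its expected deletion date, and a legal hold that overrides both.
function deletionPlan(records, requestedAt, legalHold = false) {
  const plan = { deleteBy: addDays(requestedAt, 30), deleteNow: [], retained: [] };
  for (const record of records) {
    if (legalHold) {
      plan.retained.push({ id: record.id, kind: record.kind, reason: "legal hold", expectedDeletion: null });
      continue;
    }
    const expiry = retentionExpiry(record);
    if (expiry === null || expiry <= requestedAt) {
      plan.deleteNow.push(record.id);
    } else {
      plan.retained.push({ id: record.id, kind: record.kind, reason: "retention period", expectedDeletion: expiry });
    }
  }
  return plan;
}

module.exports = { addYears, addDays, retentionExpiry, deletionPlan };
```

The retained list is what the deletion confirmation email would enumerate, and records whose expiry has already passed at request time are treated as deletable immediately rather than lingering until the next scheduled purge.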