Kore Payroll

Security Policy

How we protect your payroll data with bank-grade security measures

Last updated: 1 May 2025

Payroll data is among the most sensitive information a business holds. This policy describes the technical and organisational measures we implement to protect the security, integrity, and confidentiality of your data.

1. Our security commitment

Kore Payroll is designed with security as a foundational principle, not an afterthought. We apply a defence-in-depth approach, combining multiple layers of technical controls with rigorous operational security practices. We are ISO 27001-aligned and work towards formal certification.

We hold ourselves to the security standards expected by the most regulated industries, because payroll data demands nothing less.


AES-256 Encryption at Rest

All data stored in our databases and file storage is encrypted using AES-256, the same standard used by banks and government agencies.


TLS 1.3 in Transit

Connections to Kore Payroll are encrypted with TLS 1.3; TLS 1.0 and 1.1 are disabled. HSTS headers instruct browsers to connect to our domain over HTTPS only.

๐Ÿด๓ ง๓ ข๓ ฅ๓ ฎ๓ ง๓ ฟ

UK-Only Data Residency

Your data is stored exclusively in UK data centres (AWS eu-west-2, London). We contractually guarantee your data never leaves UK jurisdiction.


Multi-Factor Authentication

MFA is available for all users and can be enforced platform-wide by administrators. We support TOTP authenticator apps.


Role-Based Access Control

Granular permissions ensure each user can access only the data appropriate to their role, applying the principle of least privilege throughout.


Immutable Audit Trail

Every data access and modification is recorded in an append-only audit trail. Entries cannot be modified or deleted, even by administrators.

2. Infrastructure security

Cloud hosting: The Service runs on Amazon Web Services (AWS) UK region (eu-west-2). AWS operates ISO 27001-certified, SOC 2 Type II-audited data centres with multi-layer physical security, including biometric access, CCTV surveillance, and 24/7 security personnel.

Network security: Our infrastructure is protected by:

  • Web Application Firewall (WAF) filtering common web attack patterns, such as the injection and cross-site scripting classes in the OWASP Top 10
  • DDoS mitigation at the network and application layers
  • Intrusion detection and prevention systems (IDS/IPS)
  • Private VPC networking: production databases are not reachable from the public internet
  • Regular automated vulnerability scanning

Availability: The Service is designed for high availability with redundant infrastructure across multiple availability zones. We target 99.9% uptime (with SLA guarantees for Pro customers) and maintain a business continuity plan with tested failover procedures.

3. Application security

Secure development: We follow the OWASP Secure Coding Practices throughout our development lifecycle. Security requirements are built into every feature from design through deployment.

Authentication:

  • Passwords are hashed with bcrypt at a high cost factor; we never store plain-text passwords.
  • Sessions use JSON Web Tokens (JWTs) with short expiry times and automatic refresh.
  • Accounts are locked after repeated failed login attempts.
  • Password reset uses time-limited, single-use tokens.
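As an added illustration of the lockout and reset-token bullets above (example code, not Kore Payroll's own implementation): a reset token is random, is stored only as a hash, expires after a fixed window and is consumed on first presentation, and an account is locked for a fixed period after consecutive failures, with the credential check skipped entirely while locked. The 15-minute token lifetime, the five-attempt threshold and the lockout length are assumptions, not figures from this policy; bcrypt hashing itself is not shown because it needs a third-party library, whereas everything here is standard library.

```python
"""Added example, not Kore Payroll's code: single-use, time-limited password
reset tokens and account lockout after repeated failed logins.
Timestamps are passed in explicitly so the behaviour is deterministic."""
import hashlib
import secrets

RESET_TOKEN_TTL = 15 * 60    # assumption: reset links are valid for 15 minutes
MAX_FAILED_LOGINS = 5        # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60    # assumption: lockout length


def _digest(token: str) -> str:
    # Only the SHA-256 digest is stored: a copy of the database does not yield
    # usable reset links, and the digest is what is looked up on redemption.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Issues reset tokens and redeems each one at most once, before expiry."""

    def __init__(self):
        self._pending = {}  # digest -> (user_id, expires_at)

    def issue(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (user_id, now + RESET_TOKEN_TTL)
        return token  # delivered to the user once; never persisted in clear

    def redeem(self, token: str, now: float):
        """Return the user_id for a valid token and consume it; otherwise None."""
        # pop() removes the entry on any match, so a token gets exactly one attempt
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None  # expired: rejected, and already discarded by the pop
        return user_id


class LoginGuard:
    """Counts consecutive failures per account and locks it for a fixed period."""

    def __init__(self):
        self._state = {}  # user_id -> (failures, locked_until)

    def is_locked(self, user_id: str, now: float) -> bool:
        _, locked_until = self._state.get(user_id, (0, 0.0))
        return now < locked_until

    def record_failure(self, user_id: str, now: float) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        failures, locked_until = self._state.get(user_id, (0, 0.0))
        failures += 1
        if failures >= MAX_FAILED_LOGINS:
            locked_until = now + LOCKOUT_SECONDS
            failures = 0  # a fresh allowance once the lockout has elapsed
        self._state[user_id] = (failures, locked_until)
        return now < locked_until

    def record_success(self, user_id: str) -> None:
        self._state.pop(user_id, None)  # a successful login clears the counter


def attempt_login(guard: LoginGuard, user_id: str, credentials_valid: bool, now: float) -> str:
    """Outcome of one attempt: 'locked', 'ok' or 'failed'. The credential check
    itself (bcrypt verification in a real service) is represented by the flag."""
    if guard.is_locked(user_id, now):
        return "locked"  # rejected before any credential check: no guessing while locked
    if credentials_valid:
        guard.record_success(user_id)
        return "ok"
    guard.record_failure(user_id, now)
    return "failed"
```

The lockout check runs before the password is verified, so a locked account gives the same answer for right and wrong passwords; a reset token that has expired is removed on the attempt that revealed it, not left in the table.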

API security: All API endpoints require authentication. Rate limiting prevents abuse. API keys can be revoked instantly. OAuth 2.0 used for third-party integrations.

Input validation: All user input is validated and sanitised. Protections against SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) are applied throughout the application.

Dependency security: We regularly scan our software dependencies for known vulnerabilities using automated tools and apply security patches promptly.

4. Operational security

Employee security:

  • DBS checks and employment reference verification for all staff with access to production systems.
  • Annual security awareness training for all employees.
  • Binding confidentiality agreements for all staff.
  • Principle of least privilege: employees only have access to systems required for their role.
  • Access reviews conducted quarterly.

Change management: All changes to the production environment are subject to code review, automated testing, and documented deployment procedures. Emergency changes follow an accelerated but equally rigorous process.

Penetration testing: We commission annual penetration tests from CREST-accredited security firms. Pro customers may request summary test reports under NDA.

5. Data security

Backups: Data is backed up daily with automated, encrypted backups retained for 35 days. Backup restoration is tested quarterly.

Data separation: Customer data is logically separated by tenant ID at the database level. No customer can access another customer's data.
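To show what "separated by tenant ID at the database level" means in practice, here is an added example (not Kore Payroll's code) of a repository in which every query is keyed on the authenticated caller's tenant, next to the unscoped lookup it is designed to prevent. The schema, the sqlite3 in-memory database and the two-tenant sample rows are constructed for the example.

```python
"""Added example, not Kore Payroll's code: tenant-scoped data access.
Every read and write carries the caller's tenant_id, so a record id that
belongs to another tenant is indistinguishable from one that does not exist."""
import sqlite3

# Constructed schema: one shared table, rows tagged with their tenant.
SCHEMA = """
CREATE TABLE employees (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT    NOT NULL,
    name      TEXT    NOT NULL,
    salary    INTEGER NOT NULL
);
CREATE INDEX employees_tenant ON employees (tenant_id, id);
"""

# Constructed sample data: two tenants whose ids interleave, as they would in a shared table.
SAMPLE_ROWS = [
    (1, "acme", "Ann", 52000),
    (2, "globex", "Bob", 61000),
    (3, "acme", "Cy", 48000),
]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


class EmployeeRepository:
    """All methods take the tenant fixed at construction from the authenticated
    session; there is deliberately no way to look a row up by id alone."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant = tenant_id

    def get(self, employee_id: int):
        row = self._conn.execute(
            "SELECT id, name, salary FROM employees WHERE tenant_id = ? AND id = ?",
            (self._tenant, employee_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "name": row[1], "salary": row[2]}

    def update_salary(self, employee_id: int, salary: int) -> bool:
        # The tenant predicate is on the write path too: a foreign id changes nothing.
        cur = self._conn.execute(
            "UPDATE employees SET salary = ? WHERE tenant_id = ? AND id = ?",
            (salary, self._tenant, employee_id),
        )
        return cur.rowcount == 1

    def list_ids(self):
        rows = self._conn.execute(
            "SELECT id FROM employees WHERE tenant_id = ? ORDER BY id", (self._tenant,)
        )
        return [r[0] for r in rows]


def unscoped_get(conn: sqlite3.Connection, employee_id: int):
    """The broken-access-control pattern the repository above avoids: a lookup by
    id alone returns whichever tenant's row happens to carry that id."""
    row = conn.execute(
        "SELECT tenant_id, name FROM employees WHERE id = ?", (employee_id,)
    ).fetchone()
    return None if row is None else {"tenant_id": row[0], "name": row[1]}
```

Passing `tenant_id` into every query, rather than trusting ids supplied by the client, is what turns "logically separated by tenant ID" into an enforced property; a request that guesses another tenant's id gets the same empty answer as a request for a non-existent one, and the composite index keeps the extra predicate cheap.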

Data minimisation: We collect and process only the personal data necessary for the Service. We conduct regular data minimisation reviews.

Secure deletion: When data is deleted (including on account closure), it is securely erased in accordance with NIST SP 800-88 (Guidelines for Media Sanitization).

6. Incident response

We maintain a documented Incident Response Plan that covers:

  • Detection and triage of security events.
  • Escalation procedures and defined roles.
  • Containment, eradication, and recovery steps.
  • Regulatory notification obligations (notifying the ICO within 72 hours of becoming aware of a personal data breach).
  • Customer notification procedures.
  • Post-incident review and lessons learned.

In the event of a confirmed personal data breach affecting your data, we will notify you within 72 hours of becoming aware of it, in accordance with our Data Processing Agreement.

7. Third-party security

All third-party service providers with access to personal data are subject to:

  • Security assessment before engagement.
  • Contractual security obligations including a Data Processing Agreement.
  • Annual review of their security posture.

Our current sub-processors are listed in Annex B of our DPA.

8. Responsible disclosure

We welcome reports from security researchers who discover vulnerabilities in our Service. If you find a security issue, please:

  • Email security@korepayroll.co.uk with details of the vulnerability.
  • Include steps to reproduce, potential impact, and any proof-of-concept.
  • Allow us at least 90 days to investigate and remediate before public disclosure.
  • Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.

We commit to: acknowledging receipt within 2 business days, providing a remediation timeline within 14 days, and not pursuing legal action against good-faith researchers who follow this process.

9. Compliance and certifications

  • UK GDPR and Data Protection Act 2018: compliant; see our DPA and Privacy Policy.
  • HMRC RTI (Real Time Information): HMRC-recognised payroll software.
  • The Pensions Regulator: auto-enrolment compliant.
  • ISO 27001: aligned, working towards formal certification.
  • Cyber Essentials: certified (certificate available on request).

10. Security questions

For security questions, concerns, or to report a vulnerability: security@korepayroll.co.uk

For Pro customers requesting security documentation, penetration test summaries, or security questionnaire support: enterprise@korepayroll.co.uk

Related: Privacy Policy · Data Processing Agreement · Acceptable Use Policy

© 2025 Kore Payroll Limited. All rights reserved.