Security

Your payroll data is safe with us.

Payroll is one of the most sensitive operations a business runs. Here is exactly how we protect your data and your employees' information.

Encrypted in transit and at rest

TLS 1.2+ for all connections. AES-256 encryption at rest on every database row.

Tenant isolation

Each business's data is isolated at the database level. No cross-tenant data access is possible.

Data in Ireland (EU-West)

All data lives on AWS infrastructure in Ireland. No data leaves the EU without your consent.

1. Where your data is stored

All Wadata HR data — business profiles, worker records, payroll history, contracts, and payslips — is stored on servers located in Ireland (AWS eu-west-1), operated by Supabase. This is one of the most secure and well-governed cloud regions in the world, covered by EU data protection law (GDPR) and subject to regular independent audits.

We do not store any data on servers in Nigeria, on shared hosting, or on any infrastructure we do not control. We do not use Nigerian cloud providers for primary storage.

2. Encryption

In transit: Every connection between your browser and Wadata HR uses TLS 1.2 or higher. All connections are HTTPS-only. We enforce HSTS (HTTP Strict Transport Security) so browsers never connect over plain HTTP.

At rest: All data stored on disk — database rows, backups, file attachments — is encrypted using AES-256. This means even if a physical drive were ever removed from a data centre, its contents would be unreadable without the decryption keys, which are stored separately.

Sensitive fields: Fields containing particularly sensitive employee data — National Identification Numbers (NIN), Bank Verification Numbers (BVN), and bank account details — are treated with additional controls beyond standard database encryption.

3. Tenant isolation

Every Wadata HR account is a separate tenant. Your workers, payroll records, and business settings are isolated from every other business on the platform using Postgres Row-Level Security (RLS) — a database-enforced access policy, not just an application-level check.

This means even if there were a bug in our application code, the database itself would block any query that tried to read another business's data. One business cannot see, access, or modify another business's records under any circumstances.
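As an added illustration of the RLS approach described above (not Wadata HR's own schema or policies), the following Postgres SQL defines a tenant-scoped payroll table and the policies that make the database, rather than the application, enforce the tenant boundary. Table and column names are hypothetical; `auth.uid()` is assumed to be the Supabase helper that returns the calling user's id.

```sql
-- Hypothetical tenant-scoped schema; not Wadata HR's real tables.
create table business_members (
  business_id uuid not null,
  user_id     uuid not null,
  role        text not null check (role in ('owner', 'admin', 'staff')),
  primary key (business_id, user_id)
);

create table payroll_runs (
  id          uuid primary key default gen_random_uuid(),
  business_id uuid not null,
  period      date not null,
  total_ngn   numeric(14,2) not null
);

-- RLS is opt-in per table. FORCE applies the policies to the table owner too,
-- so an application connecting as the owner cannot sidestep them.
alter table payroll_runs enable row level security;
alter table payroll_runs force row level security;
alter table business_members enable row level security;

-- Membership rows are visible only to the member they belong to.
create policy members_self on business_members
  for select using (user_id = auth.uid());

-- Reads: a caller sees payroll rows only for businesses they belong to.
-- The filter is applied by the database on every query, so an application
-- bug that omits "where business_id = ..." still cannot read other tenants.
create policy payroll_tenant_read on payroll_runs
  for select using (
    exists (select 1 from business_members m
            where m.business_id = payroll_runs.business_id
              and m.user_id = auth.uid())
  );

-- Writes: owners and admins only. WITH CHECK is evaluated against the new
-- row, so a member cannot insert a run tagged with another business_id.
create policy payroll_tenant_write on payroll_runs
  for insert with check (
    exists (select 1 from business_members m
            where m.business_id = payroll_runs.business_id
              and m.user_id = auth.uid()
              and m.role in ('owner', 'admin'))
  );

-- No update/delete policies are defined, so RLS denies those by default.
-- Caveat: superusers and roles with BYPASSRLS ignore policies entirely, so
-- the application's database role must have neither attribute.
```

With these policies in place, a `select * from payroll_runs` issued by a logged-in user returns only that user's own business's rows; other tenants' rows are filtered out rather than producing an error.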

4. Access control

Within your account, access is role-based.

Every action that changes data — running payroll, adding a worker, confirming a contract — is tied to the user who performed it. You can see who did what and when from your settings page.

Multi-factor authentication (MFA/TOTP) for account owners is on our near-term roadmap and will be available soon.

5. Authentication

Authentication is handled by Supabase Auth, which uses industry-standard JWT (JSON Web Tokens) with short expiry windows and secure refresh token rotation. Passwords are hashed using bcrypt — we never store or have access to your plaintext password.

Session tokens are stored in secure, HttpOnly cookies that cannot be accessed by JavaScript running on the page, which protects against cross-site scripting (XSS) attacks.

6. Third-party services

We use a small, vetted set of third-party services. Each one is chosen for its security posture.

We do not use advertising networks, third-party analytics that track users across sites, or any service that sells user data. We previously used PostHog and Sentry — both have been removed.

7. Error monitoring and logging

Application errors are logged to our own internal error table in Supabase — not to any third-party service. Logs are automatically scrubbed of sensitive fields before storage: passwords, tokens, API keys, salary figures, bank account numbers, BVN, and NIN are redacted and never appear in error logs.
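As an added example of the "scrub before storage" pattern described above (not Wadata HR's own implementation), the following Postgres SQL uses a BEFORE trigger so that sensitive keys in an error payload are redacted inside the database before the row is written. The table name, the deny list of keys and the sample payload are all constructed for this illustration.

```sql
-- Hypothetical error table; the real Wadata HR schema is not public.
create table app_error_log (
  id      bigint generated always as identity primary key,
  message text not null,
  context jsonb not null default '{}'::jsonb
);

-- Replace the value of any deny-listed key with a marker, recursing into nested
-- objects so a BVN inside {"bank": {...}} is caught too. Key list is assumed.
create or replace function scrub_sensitive_keys(payload jsonb)
returns jsonb language plpgsql immutable as $$
declare
  result jsonb := '{}'::jsonb;
  k text;
  v jsonb;
begin
  if jsonb_typeof(payload) <> 'object' then
    return payload;
  end if;
  for k, v in select key, value from jsonb_each(payload) loop
    if lower(k) in ('password', 'token', 'api_key', 'salary',
                    'account_number', 'bvn', 'nin') then
      result := result || jsonb_build_object(k, '[REDACTED]');
    elsif jsonb_typeof(v) = 'object' then
      result := result || jsonb_build_object(k, scrub_sensitive_keys(v));
    else
      result := result || jsonb_build_object(k, v);
    end if;
  end loop;
  return result;
end $$;

-- BEFORE trigger: NEW is rewritten before the tuple is formed, so the raw
-- value never reaches the table, its WAL, or its backups.
create or replace function scrub_error_log_row()
returns trigger language plpgsql as $$
begin
  new.context := scrub_sensitive_keys(new.context);
  return new;
end $$;

create trigger scrub_before_write
  before insert or update on app_error_log
  for each row execute function scrub_error_log_row();

-- Constructed sample: a payroll failure logged with the raw request attached.
-- The stored row keeps worker_id but replaces salary, bvn and account_number.
insert into app_error_log (message, context) values ('payroll run failed',
  '{"worker_id": "w-001", "salary": 250000, "bank": {"bvn": "22212345678", "account_number": "0123456789"}}');
```

Key-based scrubbing only protects structured fields: the free-text `message` column still needs pattern-based redaction or must be kept free of user data, and server-side statement logging would capture the unredacted INSERT if it were enabled.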

Error logs are accessible only to Wadata HR engineers and are retained for 90 days.

8. Data retention and deletion

You own your data. Before cancelling, you can export all payroll records, worker profiles, contracts, and payslips in Excel and PDF format at any time from your dashboard.

After account cancellation:

Payroll and compliance records you export are your responsibility to retain for the periods required under Nigerian law (FIRS recommends 6 years for tax records).

9. Incident response

If we ever detect a security incident that affects your data, we will notify you by email within 72 hours of becoming aware of it, in line with GDPR notification requirements. The notification will tell you what happened, what data was affected, what we are doing about it, and what you should do.

We maintain an internal incident response runbook that is reviewed and updated quarterly.

10. NDPR and GDPR posture

Wadata HR operates in compliance with the Nigeria Data Protection Regulation (NDPR), administered by the Nigeria Data Protection Commission (NDPC). We also meet the baseline requirements of the EU's GDPR by virtue of our data infrastructure being based in Ireland.

We act as a data processor on behalf of your business (the data controller) for your employees' personal data. Our Privacy Policy and Terms of Service set out the data processing agreement terms.

NDPR · GDPR baseline · AES-256 at rest · TLS 1.2+ · SOC 2 infrastructure

Have a security question?

If you are evaluating Wadata HR for your business and need more detail for your due diligence, we are happy to answer. Responsible disclosure reports are also welcome.

Email security@wadatahr.com