Security & Compliance
Updated: January 28, 2026
This page explains ShrumHR’s security approach in plain English. It is a transparency page and not a certification claim.
Security Summary
Access Control
Portal access can be gated behind identity verification (Cloudflare Access) with request/approval workflows.
Transport Encryption
HTTPS/TLS encrypts data in transit between users and the platform.
Audit Logging
Security and access activity logging supports accountability and incident investigation.
Least Privilege
Role-based access patterns aim to limit access to the minimum needed for job function.
Data Handling
- Customer Data: HR records entered by customers (employees, PTO, cases, documents) remain customer-controlled.
- Minimize sensitive data: avoid SSNs, banking, and medical data unless absolutely required and protected.
- Retention: customer data follows account lifecycle and reasonable backups; logs may be retained for security.
Encryption
Encryption in transit is provided by TLS. Encryption at rest depends on how the backend database/storage is hosted (when the production backend is deployed, we enable database/storage encryption at rest via provider controls and key management).
Operational Controls
- Change control: controlled releases to reduce accidental breakage.
- Incident handling: investigate security events and apply mitigations; notify as required by law/contract.
- Vendor diligence: select providers for reliability and security features.
Security Contact
Report a security concern or request security documentation:
ShrumHR / Shrum Consulting Group
[email protected]