TRUST & SECURITY
Security at Worknilo
Last updated July 2026
Encryption
We protect your data at every layer of the stack:
- All data in transit is encrypted with HTTPS (TLS 1.2+).
- All data at rest is encrypted using AES-256.
- Sensitive fields (SIN, bank account numbers, emergency contacts) are encrypted at the column level using Vault-backed key management.
Audit logging
We maintain detailed logs to ensure accountability and detect suspicious activity:
- Authentication events (sign-in, sign-up, password reset, account deletion) are logged with actor, target email, and outcome.
- Platform-level administrative actions (org suspension, billing changes) are recorded in the platform audit log.
- Payroll payout history includes staff-level details for reconciliation and compliance.
Regulatory compliance
Worknilo aligns with data protection regulations across multiple jurisdictions:
- GDPR (EU) — Right to access, erasure, portability, and objection. Incident response and 72-hour breach notification preparedness.
- PIPEDA (Canada) — Breach of Security Safeguards notification requirements. Clear retention schedules and data minimization.
- CCPA (California) — Right to know, delete, and opt-out. No sale of personal information.
Incident response
We maintain a documented incident response plan covering detection, containment, notification, and post-mortem. In the event of a data breach, affected parties and relevant authorities are notified per the applicable regulatory timelines.
Questions
Have questions about our security practices? Contact our team.