Data Security
Encryption
- AES-256 encryption for all data at rest
- TLS 1.2 or later for all data in transit
- Encryption keys rotated quarterly
- Incident records encrypted per user, each under that user's own unique key
- Passwords hashed with bcrypt (never stored in plaintext)
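Quarterly key rotation and per-user keys fit together as envelope encryption: each user's data-encryption key (DEK) is itself encrypted ("wrapped") by a versioned key-encryption key (KEK), so rotating the KEK means re-wrapping one small blob per user rather than re-encrypting every stored record. The Go program below is an added example written for this page, not MyHRProof's code; the in-memory Keystore, the WrappedKey and Record types, the user and record IDs, and the sample plaintext are all constructed for illustration (a real deployment would hold the KEKs in a KMS or HSM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added illustration, not MyHRProof's code: one data-encryption key (DEK) per
// user, each DEK wrapped by a versioned key-encryption key (KEK). Quarterly
// rotation mints a new KEK and re-wraps only the DEKs; records are untouched.

// WrappedKey is a user's DEK sealed under the KEK with the given version.
type WrappedKey struct{ KEKVersion int; Nonce, Ciphertext []byte }

// Record is one encrypted incident record; ID is bound as associated data.
type Record struct{ ID string; Nonce, Ciphertext []byte }

// Keystore holds every KEK version; the last entry is current. A real
// deployment would keep the KEKs in a KMS or HSM; these live in memory.
type Keystore struct{ keks [][]byte }

func NewKeystore() *Keystore { return &Keystore{keks: [][]byte{randomKey()}} }

func randomKey() []byte {
	key := make([]byte, 32) // a 32-byte key selects AES-256
	if _, err := rand.Read(key); err != nil { panic(err) }
	return key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts pt with AES-256-GCM under key, binding aad, fresh nonce per call.
func seal(key, aad, pt []byte) (nonce, ct []byte, err error) {
	g, err := gcm(key)
	if err != nil { return nil, nil, err }
	nonce = make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, nil, err }
	return nonce, g.Seal(nil, nonce, pt, aad), nil
}

// unseal reverses seal; any change to ct, nonce or aad yields an error.
func unseal(key, aad, nonce, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	return g.Open(nil, nonce, ct, aad)
}

// wrap seals a DEK under the current KEK with the user ID as associated
// data, so a wrapped key cannot be reassigned to another user.
func (k *Keystore) wrap(userID string, dek []byte) (WrappedKey, error) {
	v := len(k.keks) - 1
	nonce, ct, err := seal(k.keks[v], []byte(userID), dek)
	return WrappedKey{KEKVersion: v, Nonce: nonce, Ciphertext: ct}, err
}

func (k *Keystore) unwrap(userID string, w WrappedKey) ([]byte, error) {
	if w.KEKVersion < 0 || w.KEKVersion >= len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", w.KEKVersion)
	}
	return unseal(k.keks[w.KEKVersion], []byte(userID), w.Nonce, w.Ciphertext)
}

// WrapNewDEK mints a fresh per-user DEK and wraps it under the current KEK.
func (k *Keystore) WrapNewDEK(userID string) (WrappedKey, error) {
	return k.wrap(userID, randomKey())
}

// EncryptRecord encrypts one record under the user's DEK with the record ID
// as associated data, so ciphertext cannot be moved to another record.
func (k *Keystore) EncryptRecord(userID string, w WrappedKey, id string, pt []byte) (Record, error) {
	dek, err := k.unwrap(userID, w)
	if err != nil { return Record{}, err }
	nonce, ct, err := seal(dek, []byte(id), pt)
	return Record{ID: id, Nonce: nonce, Ciphertext: ct}, err
}

func (k *Keystore) DecryptRecord(userID string, w WrappedKey, r Record) ([]byte, error) {
	dek, err := k.unwrap(userID, w)
	if err != nil { return nil, err }
	return unseal(dek, []byte(r.ID), r.Nonce, r.Ciphertext)
}

// RotateKEK appends a new KEK and re-wraps every user's DEK under it. Older
// KEKs stay readable until every wrapped key has moved off them.
func (k *Keystore) RotateKEK(wrapped map[string]WrappedKey) error {
	k.keks = append(k.keks, randomKey())
	for userID, w := range wrapped {
		dek, err := k.unwrap(userID, w)
		if err != nil { return err }
		if wrapped[userID], err = k.wrap(userID, dek); err != nil { return err }
	}
	return nil
}
```

Two checks worth noting: because the user ID and the record ID are bound as GCM associated data, a wrapped key copied to another user's row, or a ciphertext copied to another record's row, fails to decrypt rather than silently yielding someone else's data; and because `RotateKEK` keeps old KEK versions, a wrapped key that has not yet been re-wrapped still reads correctly, which is what lets rotation run incrementally across a large user table.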
Access Controls
- Two-factor authentication (2FA) available for all accounts
- Role-based access control for internal staff
- Zero-knowledge architecture for incident content
- Staff cannot access your incident records
- Privileged access logged and audited
Infrastructure
MyHRProof is hosted on Amazon Web Services (AWS) in the United States. We build on AWS's security infrastructure, which maintains SOC 1, SOC 2, ISO 27001, and PCI DSS compliance. Under the AWS shared responsibility model those attestations cover the underlying cloud platform; the controls within our own application and accounts are described on this page. Our specific infrastructure controls include:
- Virtual Private Cloud (VPC) isolation
- Automated daily backups with 30-day retention
- Backups encrypted separately from the primary data store
- Intrusion detection and automated alerting
- DDoS protection via AWS Shield
- Web Application Firewall (WAF) protecting all endpoints
- Automated vulnerability scanning
SOC 2 Compliance
MyHRProof is currently building toward a SOC 2 Type II report. SOC 2 is an industry-standard attestation framework developed by the American Institute of Certified Public Accountants (AICPA); a Type II report covers the design and operating effectiveness of controls over a review period against the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Our current SOC 2 readiness includes:
Security (CC6)
- Logical access controls implemented
- Multi-factor authentication enforced internally
- Security awareness training for all staff
- Penetration testing conducted annually
Availability (A1)
- 99.9% uptime SLA target
- Redundant infrastructure across multiple AWS Availability Zones (AZs)
- Automated failover configured
- Incident response plan documented
We expect to complete our SOC 2 Type II audit by Q4 2025 and will publish the report once it is issued.
Privacy Compliance
CCPA (California Consumer Privacy Act)
We are a CCPA-compliant business. We do not sell personal information. California residents may exercise their CCPA rights by contacting privacy@myhrproof.com.
GDPR (General Data Protection Regulation)
For users in the European Economic Area and the United Kingdom, we process personal data under lawful bases including contract performance and legitimate interests. We maintain Standard Contractual Clauses (SCCs) with all sub-processors. Data subject requests may be sent to privacy@myhrproof.com.
COPPA
MyHRProof is not directed to children under 18 (COPPA itself applies to children under 13). We do not knowingly collect personal information from minors.
App Store & Google Play Compliance
Apple App Store Requirements
- App Privacy Nutrition Label fully completed and accurate
- No use of private APIs or unauthorized system access
- Location permission requested only when user initiates location logging
- Microphone permission requested only when user initiates voice memo
- Camera permission requested only for photo attachment
- No advertising identifiers (IDFA) used
- Data not used to track users across apps or websites
- Compliant with App Store Review Guidelines section 5.1 (Privacy)
- In-app purchases processed via StoreKit where applicable
Google Play Requirements
- Data Safety section completed in Play Console
- No deceptive behavior or unauthorized data collection
- Permissions usage justified in Privacy Policy
- Target API level kept current with Google Play's target API level requirements
- No use of sensitive permissions beyond what is disclosed
- Billing handled through Google Play Billing Library where applicable
Vulnerability Disclosure
We maintain a responsible disclosure program. If you discover a security vulnerability in MyHRProof, please report it to security@myhrproof.com. We will acknowledge your report within 48 hours, investigate, and work to resolve the issue. We ask that you:
- Not access, modify, or delete data that is not yours
- Not perform denial-of-service attacks
- Give us reasonable time to address the issue before public disclosure
We do not currently offer a bug bounty program, but we appreciate responsible disclosure and will acknowledge credited researchers upon resolution.
Incident Response
In the event of a security incident affecting your data, we will notify affected users within 72 hours of discovery. The notification will describe what happened and which data was affected, explain what we have done to address the incident, and provide guidance on steps you can take to protect yourself. Notifications are sent to your registered email address and posted on our status page.
Questions
For compliance and security inquiries: security@myhrproof.com