Security Policy
Technical and organisational security measures protecting your HR and payroll data on ExpertPay HRMS — encryption, access controls, and compliance.
Last Updated: June 2026
Effective Date: 1 January 2025
Document Ref: EP-SEC-2026-01
This Security Policy describes the technical and organisational measures implemented by Prime ExpertPay HRMS Technologies LLC ("ExpertPay HRMS") to protect customer and employee data stored and processed on the ExpertPay HRMS platform. We take data security seriously — your employees' personal data, payroll records, and HR information are protected at every layer.
1. Infrastructure Security
1.1 Data Centre
- ExpertPay HRMS data is hosted exclusively in UAE-based data centres meeting tier-3 equivalent standards
- Physical access controls include biometric authentication, CCTV monitoring, and security personnel
- Data centres maintain N+1 power redundancy and multiple internet uplinks
- No customer data is stored, processed, or replicated outside the United Arab Emirates
1.2 Network Security
- All traffic to ExpertPay HRMS is encrypted using TLS 1.3 with HSTS enforcement
- Web Application Firewall (WAF) protects against OWASP Top 10 vulnerabilities
- DDoS protection with automatic traffic scrubbing
- Network segmentation between production, staging, and administrative environments
- Intrusion detection and prevention systems (IDS/IPS) with 24/7 monitoring
2. Data Encryption
| Data Type | Encryption Standard | Where Applied |
| --- | --- | --- |
| Data at rest (databases) | AES-256 | All database storage, backups |
| Data in transit | TLS 1.3 | All API calls, web sessions, mobile app |
| Passwords | bcrypt (cost factor 12) | User authentication |
| Sensitive fields (bank accounts, Emirates ID) | AES-256 column-level | Database fields |
| File storage (documents) | AES-256 | Uploaded documents and files |
| Backups | AES-256 | All backup copies |
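The table's "AES-256 column-level" row is the one control that is easy to get subtly wrong, so here is an added illustration of what column-level field encryption looks like in practice. This is example code written for this page, not ExpertPay HRMS's own implementation: the page does not state the cipher mode or key management, so the example assumes AES-256-GCM (authenticated) with the key supplied by the caller (in production it would come from a KMS or HSM, never a source file), and it assumes the table, column and record identifiers shown (`employees`, `iban`, `emp-1001`) and the sample IBAN, all of which are constructed. The additional data (AAD) binds each ciphertext to the row and column it was written for, so a value copied from one employee's record into another's fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher wraps one 256-bit AES key in GCM mode for column-level encryption.
// Assumption (added example, not ExpertPay's code): the caller obtains the key
// from a KMS/HSM; this type never generates or persists keys itself.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher rejects anything other than a 32-byte (AES-256) key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// fieldAAD ties a ciphertext to its table, column and record id. Decryption
// with a different context fails authentication, which defeats row-swapping.
func fieldAAD(table, column, recordID string) []byte {
	return []byte(table + "/" + column + "/" + recordID)
}

// Encrypt returns base64(nonce || ciphertext || tag), suitable for a text column.
// A fresh random nonce is generated per value; GCM nonces must never repeat under one key.
func (f *FieldCipher) Encrypt(table, column, recordID, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), fieldAAD(table, column, recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt and reports one generic error for any failure so the
// caller cannot distinguish a wrong key from tampered data or a wrong context.
func (f *FieldCipher) Decrypt(table, column, recordID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], fieldAAD(table, column, recordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered data, or wrong record context")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key for a stand-alone run; a real deployment fetches it from a KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	// Constructed sample IBAN; not a real account.
	enc, _ := fc.Encrypt("employees", "iban", "emp-1001", "AE070331234567890123456")
	fmt.Println("stored:", enc)
	dec, _ := fc.Decrypt("employees", "iban", "emp-1001", enc)
	fmt.Println("decrypted:", dec)
	_, err := fc.Decrypt("employees", "iban", "emp-2002", enc)
	fmt.Println("same ciphertext under another record:", err)
}
```

The password row of the table is a different primitive and is deliberately not folded into this block: bcrypt is a slow, salted password hash, not reversible encryption, and in Go it lives outside the standard library (`golang.org/x/crypto/bcrypt`, where `bcrypt.GenerateFromPassword(pw, 12)` produces a cost-12 hash and `bcrypt.CompareHashAndPassword` verifies it). Keeping the field-encryption key separate from everything else, and rotating it by re-encrypting columns under a new key, is the operational half of "AES-256 column-level" that the table cannot show.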
3. Access Controls
3.1 Role-Based Access Control (RBAC)
- Granular role permissions — Super Admin, HR Admin, Payroll Manager, Manager, Employee
- Least-privilege principle enforced across all roles
- Custom roles configurable per organisation requirements
3.2 Authentication
- Strong password requirements enforced (minimum 10 characters, complexity requirements)
- Multi-Factor Authentication (MFA) available for all accounts; mandatory for Admin roles
- Session timeout after 30 minutes of inactivity
- Concurrent session limits per account
- Failed login attempt lockout (5 attempts triggers temporary lock)
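The lockout, idle-timeout and concurrent-session rules above interact (a lock must not reveal whether the username exists, a success must reset the failure counter, an evicted session must stop working), so here is an added example that implements them as one small authentication policy. It is illustrative code written for this page, not ExpertPay HRMS's product code. It takes the 5-attempt lockout and 30-minute idle timeout from this section; the lock duration (15 minutes) and the concurrent-session cap (3) are assumptions, since the page gives no numbers for them. The in-memory store, the `AuthService` type and the sample user are constructed, and the plain password comparison stands in for the bcrypt verification the encryption table describes.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Policy values from section 3.2 of the page; lockDuration and
// maxConcurrentSessions are assumed because the page does not state them.
const (
	maxFailedAttempts     = 5
	lockDuration          = 15 * time.Minute // assumed
	idleTimeout           = 30 * time.Minute
	maxConcurrentSessions = 3 // assumed
)

var (
	ErrBadCredentials = errors.New("invalid credentials")
	ErrLocked         = errors.New("account temporarily locked")
	ErrSessionExpired = errors.New("session expired or unknown")
)

type session struct {
	id       string
	lastSeen time.Time
}

type account struct {
	password    string // demo stand-in; the page's real control is a bcrypt (cost 12) hash
	failed      int
	lockedUntil time.Time
	sessions    []*session
}

// AuthService is a constructed in-memory service with an injectable clock
// so the time-based rules can be exercised deterministically.
type AuthService struct {
	now      func() time.Time
	accounts map[string]*account
	nextID   int
}

func NewAuthService(now func() time.Time) *AuthService {
	return &AuthService{now: now, accounts: map[string]*account{}}
}

func (a *AuthService) Register(user, password string) {
	a.accounts[user] = &account{password: password}
}

// Login applies the lockout rule and, on success, the concurrent-session cap.
func (a *AuthService) Login(user, password string) (string, error) {
	acct, ok := a.accounts[user]
	if !ok {
		return "", ErrBadCredentials // same error as a wrong password: no username enumeration
	}
	now := a.now()
	if now.Before(acct.lockedUntil) {
		return "", ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(password), []byte(acct.password)) != 1 {
		acct.failed++
		if acct.failed >= maxFailedAttempts {
			acct.lockedUntil = now.Add(lockDuration)
			acct.failed = 0 // counter restarts once the lock expires
		}
		return "", ErrBadCredentials
	}
	acct.failed = 0
	a.nextID++
	s := &session{id: fmt.Sprintf("s%d", a.nextID), lastSeen: now}
	acct.sessions = append(acct.sessions, s)
	if len(acct.sessions) > maxConcurrentSessions {
		acct.sessions = acct.sessions[1:] // evict the oldest session
	}
	return s.id, nil
}

// Touch validates a session on each request and refreshes its idle timer;
// a session idle for longer than idleTimeout is removed and rejected.
func (a *AuthService) Touch(user, sessionID string) error {
	acct, ok := a.accounts[user]
	if !ok {
		return ErrSessionExpired
	}
	now := a.now()
	for i, s := range acct.sessions {
		if s.id != sessionID {
			continue
		}
		if now.Sub(s.lastSeen) > idleTimeout {
			acct.sessions = append(acct.sessions[:i], acct.sessions[i+1:]...)
			return ErrSessionExpired
		}
		s.lastSeen = now
		return nil
	}
	return ErrSessionExpired
}

func main() {
	clock := time.Date(2026, 1, 1, 9, 0, 0, 0, time.UTC)
	svc := NewAuthService(func() time.Time { return clock })
	svc.Register("alice", "correct horse battery") // constructed sample user
	for i := 0; i < maxFailedAttempts; i++ {
		_, err := svc.Login("alice", "wrong")
		fmt.Println("attempt", i+1, "->", err)
	}
	_, err := svc.Login("alice", "correct horse battery")
	fmt.Println("correct password while locked ->", err)
}
```

Note that the locked-state check comes before the password check: a locked account answers `ErrLocked` even to the right password, and an unknown username answers the same `ErrBadCredentials` as a wrong password. Both are the behaviours the lockout rule needs in order to slow guessing without leaking which accounts exist.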
3.3 Internal Access Controls
- ExpertPay HRMS staff access to customer data is restricted to authorised personnel only
- All internal access is logged and auditable
- Production data access by engineers requires formal approval and is logged
- Background verification conducted for all staff with data access
4. Application Security
- Secure Software Development Lifecycle (SSDLC) with security reviews at each stage
- Regular automated vulnerability scanning of application code
- Annual third-party penetration testing by certified security professionals
- OWASP Top 10 controls implemented and tested quarterly
- Input validation and output encoding to prevent injection attacks
- Content Security Policy (CSP) headers enforced
- Dependency scanning for known vulnerabilities in third-party libraries
5. Data Backup and Business Continuity
- Automated daily backups with encryption at rest
- Hourly transaction log backups for point-in-time recovery
- Backup restoration tested quarterly
- Recovery Point Objective (RPO): 1 hour
- Recovery Time Objective (RTO): 4 hours for critical services
- Business continuity plan tested bi-annually
6. Incident Response
ExpertPay HRMS maintains a documented Security Incident Response Plan:
- Detection: 24/7 automated monitoring with alert thresholds for anomalous activity
- Classification: Incidents classified P1–P4 based on data sensitivity and scope
- Notification: Customers notified of material security incidents within 72 hours of discovery, in compliance with UAE PDPL requirements
- Containment and Recovery: Dedicated incident response team with defined escalation paths
- Post-Incident Review: Root cause analysis and remediation for all P1/P2 incidents
7. Vulnerability Management
- Critical vulnerabilities (CVSS 9.0+): Patched within 24 hours
- High vulnerabilities (CVSS 7.0–8.9): Patched within 7 days
- Medium vulnerabilities (CVSS 4.0–6.9): Patched within 30 days
- Low vulnerabilities: Addressed in next scheduled maintenance cycle
8. Third-Party Security
- All third-party service providers are vetted for security practices
- Data Processing Agreements (DPA) in place with all sub-processors
- Annual review of third-party access and permissions
- No third-party access to customer data without explicit need-to-know authorisation
9. Compliance
- UAE Personal Data Protection Law (PDPL): Federal Decree-Law No. 45 of 2021
- UAE Cybercrime Law: Federal Decree-Law No. 34 of 2021
- CBUAE WPS Regulations: Payroll data security per Central Bank requirements
- MOHRE Compliance: HR data processing per Ministry of Human Resources standards
- ExpertPay HRMS follows the ISO/IEC 27001 information security framework as a reference standard
10. Responsible Disclosure
If you discover a potential security vulnerability in ExpertPay HRMS, we encourage responsible disclosure. Please report vulnerabilities to info@expertpay.ae with subject line "Security Vulnerability Report". We commit to acknowledging reports within 24 hours and providing status updates throughout the remediation process. We will not take legal action against researchers who report vulnerabilities in good faith.
Security Contact:
Email: info@expertpay.ae
Subject: "Security Inquiry" or "Security Vulnerability Report"
Prime ExpertPay HRMS Technologies LLC, 22nd Floor, Iris Bay Tower, Business Bay, Dubai — UAE