TaviPay is built on a security model that assumes nothing, verifies everything, and keeps every record in an immutable trail for the 6 years the law requires.
All data encrypted at rest with AES-256. All client-server traffic over TLS 1.3. Database credentials and API secrets stored in a managed secrets vault, never in source.
Every query is scoped by tenant_id. Postgres row-level security as belt-and-braces. No service account has blanket cross-tenant write access. Your data never leaks into another customer's tenant.
Every create, update or delete on an Employee, Contract, Pay Run, Leave transaction, Consent or Document is appended to an audit_event table that can only be written to — never updated, never deleted.
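One way the tenant scoping and the append-only audit trail described above could be enforced in Postgres itself, as an added example that is not TaviPay's own schema. Only `tenant_id` and `audit_event` are names from this page; the `app_rw` role, the `app.tenant_id` session setting, the columns and the trigger names are assumptions.

```sql
-- Added example. Only tenant_id and audit_event are names from the page;
-- app_rw, app.tenant_id and all columns are assumptions.
CREATE ROLE app_rw NOLOGIN;  -- hypothetical application role, not the table owner
CREATE TABLE employee (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    full_name text NOT NULL
);
CREATE TABLE audit_event (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    entity      text NOT NULL,
    entity_id   bigint NOT NULL,
    action      text NOT NULL CHECK (action IN ('create', 'update', 'delete')),
    actor       text NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now()
);
-- Row-level security: FORCE applies the policy to the table owner as well.
ALTER TABLE employee    ENABLE ROW LEVEL SECURITY;
ALTER TABLE employee    FORCE  ROW LEVEL SECURITY;
ALTER TABLE audit_event ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_event FORCE  ROW LEVEL SECURITY;

-- The application runs SET LOCAL app.tenant_id = '<uuid>' in each transaction.
-- current_setting() raises an error when the setting is absent, so a request
-- with no tenant context fails instead of seeing every tenant's rows.
CREATE POLICY tenant_isolation ON employee
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);
CREATE POLICY tenant_isolation ON audit_event
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- Append-only: the role gets no UPDATE/DELETE/TRUNCATE on audit_event, and
-- triggers reject them even for roles that do hold those privileges.
GRANT SELECT, INSERT, UPDATE ON employee    TO app_rw;
GRANT SELECT, INSERT         ON audit_event TO app_rw;
CREATE FUNCTION audit_event_reject_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_event is append-only: % rejected', TG_OP;
END;
$$;
CREATE TRIGGER audit_event_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_event
    FOR EACH ROW EXECUTE FUNCTION audit_event_reject_mutation();
CREATE TRIGGER audit_event_no_truncate
    BEFORE TRUNCATE ON audit_event
    FOR EACH STATEMENT EXECUTE FUNCTION audit_event_reject_mutation();
```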
ERA s.45(3) and s.45(4) require 6-year retention of employment records. Every record within the window is read-only; edits are tracked, not overwritten. Retention windows can be extended per tenant policy.
Admin, Payroll Processor, Payroll Approver, HR Officer, Finance, and Employee Self-Service roles are pre-defined. Granular permissions per module. SSO via M365 / Google Workspace optional.
Database snapshots daily, plus point-in-time recovery to within 5 minutes. Backups stored encrypted in an isolated region. Annual restore drills.
Every legally significant doc (contracts, probation extensions, dismissals, redundancy notices, consent forms) is signed via a SignatureConnector and returned with an audit certificate. No PDF is filed as "executed" without it.
Every validation failure raises a typed error and is logged. No "log and continue". A guardrail that lets a non-compliant pay run through is a bug, not a feature.
Deployed on managed cloud infrastructure with 99.9% uptime SLA. Geographic redundancy. DDoS protection at the edge. Status page with real-time uptime and incident history.
These aren't aspirational — they're hard invariants. Any change that violates one is rejected.