
How we protect your data

Omnivoo handles payroll, identity, and statutory data for employees in India and their employers worldwide. Here is how we keep that information safe.

Foundations

Data protection practices

The technical controls we apply across our infrastructure to protect customer and employee data at every stage.

01

Encryption in transit

All traffic between your browser, our APIs, and our internal services is encrypted with TLS 1.3. We do not accept unencrypted connections.

02

Encryption at rest

Databases, file storage, and backups are encrypted at rest using AES-256. Encryption keys are managed by our cloud providers and rotated on standard schedules.

03

Role-based access control

Application access is controlled by role. Sensitive actions are recorded in an audit log so we can trace who did what, and when.

04

Least privilege for our team

Our employees only access customer data when it is required to support a request or resolve an incident. Access is scoped to the specific account, time-bounded, and logged.

05

Environment isolation

Production data is fully isolated from staging and development environments. Real customer records are never copied into non-production systems.

Privacy

Privacy compliance

As an India-focused EOR with global customers, we operate against the two regulatory regimes that matter most for our users.

01

GDPR alignment

Our customers in the EU, and customers anywhere who employ EU citizens, can rely on Omnivoo's processing practices being aligned with the GDPR. We honour data subject rights including access, correction, and deletion.

02

India DPDP Act 2023

India's Digital Personal Data Protection Act 2023 directly governs how we handle the data of Indian employees. We treat consent, purpose limitation, and data principal rights as core product requirements rather than checkbox items.

03

Data subject access requests

Requests from employees and customers to access, correct, or delete their data are handled within the timeframes set by the applicable law. Email contact@omnivoo.com to start a request.

04

Privacy Policy

For full details on what we collect, why, and how we share it, see our Privacy Policy.

Operations

Operational security

The day-to-day practices that keep our infrastructure safe as it evolves.

01

Vendor security reviews

Every third-party service that touches customer data, including Stripe and AWS, is reviewed before integration and re-evaluated periodically. We prefer vendors with established security programmes.

02

Dependency vulnerability scanning

We scan our application dependencies on every change and on a continuous schedule. High-severity vulnerabilities are triaged and patched on priority.

03

Incident response

We maintain an incident response procedure covering detection, containment, notification, and post-incident review. Customers are notified about incidents that affect their data within the timeframes required by law.

04

Backups and recovery

Production databases are backed up continuously with point-in-time recovery. Backups are encrypted and tested regularly so we can restore from them when needed.

Roadmap

Compliance roadmap

We are working toward formal third-party security audits. For our latest compliance status, contact security@omnivoo.com.

Disclosure

Reporting a vulnerability

If you believe you have found a security issue in Omnivoo, please report it to security@omnivoo.com. Include reproduction steps, the impact, and any supporting material.

We commit to acknowledging valid reports promptly, keeping you updated as we investigate, and giving researchers reasonable time to work with us before public disclosure. We will not pursue legal action against good-faith research conducted under this policy.

Have a security question?

We are happy to walk through our practices in detail, share documentation, or answer specific questions from your security team.

Contact us by email at security@omnivoo.com.