Steer Workforce

Last updated 2026-05-10

Trust & security

Data residency

PH customer data hosted on PH infrastructure (Coolify on SSDNodes, Manila). Singapore PDPA + Philippine RA 10173 compliance.

Encryption

At rest: AES-256 (S3 SSE on file storage; column-level on sensitive DB fields). In transit: TLS 1.3.

Access control

Role-based access at field level. Multi-tenant isolation enforced at database layer (PostgreSQL Row-Level Security). MFA mandatory for tenant_admin, hr_admin, and finance_admin roles.

Audit trail

Every state change is captured in an append-only audit log. The application role lacks UPDATE/DELETE permissions on audit tables. 10-year retention (BIR requirement).

AI governance

LLMs never compute payroll, taxes, or statutory deductions. AI use is feature-flagged per tenant tier. Every AI suggestion logged with prompt version, model version, and accept/edit/reject signal. AI tier can be disabled tenant-wide.

Backups

Nightly to GCS (steerfry-backup, Singapore region). Restoration tested monthly. Point-in-time recovery to 7 days.

Subprocessors

  • Anthropic (LLM, US) — AI features only, prompt + retrieved context
  • Resend (email, US/EU) — transactional email only
  • Cloudflare R2 (file storage, global) — file vault, encrypted
  • Stripe (payments, SG) — subscription billing only
  • PostHog (analytics, EU) — anonymized product usage

Data export

Full data export available anytime in standard formats (CSV, JSON). Export your payroll history, employee records, contracts, and audit trail at no charge, no notice required.

Cancellation

Cancel anytime. Data deletion within 30 days of cancellation, except where retention is required by PH or SG law (BIR 10-year, etc.).

Compliance certifications (in progress)

  • SOC 2 Type 1 — target Q3 2026
  • ISO 27001 — target 2027

Questions about how we handle your data? Email contact@steerplatform.com.