Security at Texlaculture HRMS
We treat employee data with the same care our customers do. Here is how Texlaculture HRMS protects the data your business entrusts to us.
Last updated: June 2026
Our security approach
Texlaculture HRMS stores some of the most sensitive information your business holds — salary records, PAN and Aadhaar references, performance reviews, medical leave notes, and bank details. We design every part of the product with that responsibility at the centre. Our security programme is engineered around three principles: protect data in depth, give administrators precise control over who can see what, and produce an evidence trail that any auditor or regulator can follow.
We build to India's Digital Personal Data Protection (DPDP) Act, 2023, and align with widely accepted international frameworks — GDPR for European customers, and the control families described in ISO 27001 and SOC 2. We follow the principle of least privilege internally: our own engineers do not get production data access by default, and any privileged action is logged. The same posture is reflected in the product, so your HR and finance teams can apply the same standard to their own users.
Data encryption
All customer data in Texlaculture HRMS is encrypted at rest using AES-256 on the storage layer. This covers our primary database, file storage for documents like offer letters and Form 16s, and routine backups. Data in transit is protected by TLS 1.2 or higher between clients and our servers, and between internal services. Older protocols and weak cipher suites are explicitly disabled at the load balancer.
Encryption keys are managed through our cloud provider's key management service. Keys are rotated on a defined schedule, access to key material is restricted to a small operational group, and every key-use event is logged. Sensitive fields such as bank account numbers are additionally protected at the application layer so that they are never returned in plaintext where the UI does not need them.
Access controls
Texlaculture HRMS ships with fine-grained role-based access control (RBAC). Standard roles cover common HR personas — admin, HR manager, payroll operator, reporting manager, employee — and customers can define custom roles scoped down to specific modules, fields, or employee groups. A finance partner reviewing payroll, for example, can be limited to a single legal entity and a single cost centre.
For workforce identity, we support single sign-on through SAML 2.0 and OpenID Connect, so Texlaculture HRMS slots in behind your existing identity provider. Multi-factor authentication is supported natively for local accounts and can be enforced through your IdP for federated users. Admin sessions can be time-bound — a contractor reviewing records for a week-long audit, for instance, can be given access that automatically expires.
Audit logs and observability
Every meaningful action in Texlaculture HRMS — a record view, a payroll change, a salary revision, a document download, a permission grant — is captured in an audit log with the actor, target, timestamp, and source IP. Logs are written append-only, retained for the duration agreed in your contract, and available for export so they can be ingested into your SIEM. Administrators can run audit queries directly in the product to investigate incidents or respond to internal questions.
On our side, application logs, infrastructure metrics, and security events feed a central observability stack. Anomalies — a spike in failed logins, an unusual export pattern, a privilege change — trigger alerts to our on-call engineers around the clock.
India DPDP Act 2023 compliance
Under the Digital Personal Data Protection Act, 2023, your company is the Data Fiduciary and Texlaculture is your Data Processor. The product is designed to help you meet your obligations under the Act: collect data only for declared purposes, capture and version employee consent where required, honour data principal rights, and notify the Data Protection Board in the event of a breach.
Practically, that means Texlaculture HRMS gives you a consent register tied to each employee, configurable retention windows so personal data is purged when it no longer needs to be kept, structured export of an individual's data on request, and tooling to action correction and erasure requests. Our own breach-notification process is engineered to meet the timelines the Act sets out, and we make our processing locations and sub-processors available so your privacy team can complete its assessment.
Infrastructure security
Texlaculture HRMS is hosted on Google Cloud Platform in regions chosen to match customer data-residency requirements, including India regions for customers that need in-country processing. Production runs in a hardened, private network segment; databases are not exposed to the public internet, and administrative access is gated through a bastion with MFA.
Operating systems, container images, and managed services are patched on a defined cadence, with critical security fixes accelerated. Backups run automatically with encryption and point-in-time recovery, and our disaster-recovery plan is tested so we know our recovery objectives are realistic, not theoretical.
Vulnerability management
Texlaculture HRMS goes through regular third-party penetration testing covering the web application, APIs, and authentication paths. Findings are tracked, prioritised, and remediated against agreed SLAs. Between formal tests, automated dependency scanning, static analysis, and container scanning run continuously in our CI pipeline so known CVEs are surfaced before code reaches production.
We also run a responsible disclosure programme. Security researchers can reach us at security@texlaculture.ai, and we commit to acknowledging valid reports promptly and working with the reporter on a fix and disclosure timeline.
Customer responsibilities
Security on a cloud HRMS is a shared responsibility. We secure the platform — the infrastructure, the application, encryption, backups, vulnerability management. Your team is responsible for the configuration and operational hygiene on top of that: choosing who gets administrator privileges, enforcing strong MFA at your identity provider, reviewing access for leavers, configuring retention windows that fit your policy, and approving the integrations and exports that move data outside Texlaculture HRMS.
We publish guidance and provide reports in-product to help with those tasks — for example, a dormant-user report, an admin-action digest, and a permissions review view — and our customer-success team will walk you through the recommended baseline during onboarding.
Frequently asked questions
Where is my data stored?
For customers that require India data residency, Texlaculture HRMS can be provisioned in Google Cloud's India regions, with backups also held in-country. We confirm the exact region for your tenant during onboarding and document it in your contract.
How quickly will you notify us of a breach?
Our incident-response process is built to notify affected customers without undue delay and within the timelines required by the DPDP Act and other applicable regimes. You will receive an initial notification, regular updates as we investigate, and a final post-incident report.
Can we export an employee's full data set?
Yes. Administrators can export all personal data associated with an employee — profile, payroll history, leave, documents, audit trail — in a structured format suitable for responding to a data principal request under the DPDP Act.
Do you support our vendor-risk review?
We do. We can share our security overview, sub-processor list, data flow diagrams, and recent penetration-test summary under NDA, and we are happy to complete standard vendor questionnaires.
Can we bring our own identity provider?
Yes. Texlaculture HRMS supports SAML 2.0 and OpenID Connect, so your team signs in with the identity provider you already use — Google Workspace, Microsoft Entra ID, Okta, or another SAML/OIDC-compatible IdP.
How long are audit logs retained?
The default retention is set during onboarding to match the period your policy and regulatory regime require. Logs are available for export throughout the retention window so you can hold them in your own systems for longer if you wish.
Talk to our team about security
We are happy to walk security teams through our architecture, controls, and DPDP-readiness checklist.
