
Security First

Your data security is our top priority. Learn how we protect your information.

Encrypted

All data encrypted at rest and in transit

Compliant

GDPR and CCPA compliant

Audited

Complete audit trails for all actions

Data Security

Encryption in Transit

All data transmitted between your browser or Slack and our servers is encrypted using TLS 1.3. We enforce HTTPS for all connections and send HSTS headers so browsers refuse to fall back to plaintext HTTP, which blocks protocol-downgrade and SSL-stripping attacks.

Encryption at Rest

All data stored in our databases is encrypted using AES-256 encryption. This includes attendance records, user information, and any uploaded files. Database backups are also encrypted.

Secure Infrastructure

Our infrastructure is hosted on Google Cloud Platform, which provides enterprise-grade security including physical security, network security, and compliance certifications (SOC 2, ISO 27001, etc.).

Access Controls

We implement strict role-based access control (RBAC). Employees only have access to the minimum data required for their role. All access to production systems requires multi-factor authentication.

Application Security

Authentication

  • JWT-based authentication with short-lived tokens
  • Secure password hashing using bcrypt with appropriate work factors
  • Two-factor authentication available for dashboard access
  • Session invalidation on password change

API Security

  • Rate limiting to prevent abuse (100 requests per 15 minutes per IP)
  • Input validation on all API endpoints
  • CORS allowlist so only our own origins can read API responses from a browser (CORS limits cross-origin reads; authentication still guards every request)
  • Helmet.js for secure HTTP headers

Slack Integration Security

  • All Slack requests verified using signing secrets
  • OAuth 2.0 for secure workspace authorization
  • Minimal permission scopes - we only request what we need
  • Token encryption for stored Slack credentials

Audit Logging

  • All user actions logged with timestamps and user identification
  • Admin actions tracked separately
  • Logs retained for compliance requirements
  • Anomaly detection for suspicious activities

Compliance

GDPR Compliance

  • Right to access - export all your data
  • Right to erasure - request data deletion
  • Right to portability - download in standard formats
  • Data processing agreements available
  • EU data residency options available

CCPA Compliance

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of data sales (we don't sell data)
  • Non-discrimination for exercising rights

Data Retention

  • Attendance records: 7 years (employment law compliance)
  • Location data: 90 days
  • Audit logs: 2 years
  • Deleted accounts: Purged within 30 days

Third-Party Security

  • Stripe (PCI DSS Level 1 certified)
  • Google Cloud Platform (SOC 2, ISO 27001)
  • MongoDB Atlas (SOC 2, ISO 27001, HIPAA)
  • All vendors reviewed for security practices

Incident Response

We have a documented incident response plan that includes:

  • 24/7 monitoring for security events
  • Defined escalation procedures
  • Customer notification within 72 hours of confirmed breach
  • Post-incident analysis and prevention measures

To report a security vulnerability, please email security@drap.ai. We take all reports seriously and will respond within 24 hours.

Security Questions?

Our security team is happy to answer your questions or provide additional documentation.
