Trusted by 19,000+ customers · 45+ countries · Support NPS 97 · Backed by Deel
Security fundamentals
Payroll data is among the most sensitive a business holds. Our platform was designed from day one with security as a core requirement, not a feature layer.
Hosted on Microsoft Azure in South Africa and Europe. A new European data centre gives customers the choice of where their data resides — supporting local data sovereignty requirements.
256-bit encryption or greater for all data at rest. TLS/SSL for all data in transit — our API and application endpoints score an A+ on SSL Labs with HSTS and Perfect Forward Secrecy fully enabled.
Role-based access controls at module, field, and unit level. Multi-factor authentication (Google Authenticator, Email, or SMS) is available for all users. SSO via Azure AD, Google, and Okta using OpenID Connect and OAuth.
24/7 infrastructure monitoring with automated alerting. Security events are logged, correlated, and reviewed. Vulnerability patching runs on a defined cycle.
Every user action — login, data change, configuration update — is logged with timestamp and user identity. Retained for compliance review and forensic access.
Defined incident response procedures with SLA-backed escalation paths. Customer notification commitments aligned to GDPR and POPIA breach reporting windows.
ISO/IEC 27001:2022 certification
ISO 27001:2022 is the current international standard for information security management systems. We were the first cloud-native payroll provider in Africa to achieve certification — and we recertify through annual surveillance audits.
Our ISMS has been independently assessed and certified against ISO 27001:2022 by an accredited certification body, providing verifiable evidence to customers, suppliers, and partners.
Our ISMS covers all 93 ISO 27001:2022 Annex A security controls — from information security policies and access control to cryptography, supplier relationships, incident management, and business continuity.
ISO 27001:2022 mandates formal processes for continuously monitoring and improving security controls. Our certification demonstrates ongoing commitment, not just a point-in-time assessment.
Independent security audits and penetration testing are conducted annually by a reputable third-party specialist — results feed directly into our risk remediation cycle.
Information Security Management System. Certified to the ISO 27001:2022 standard. Independently assessed and maintained through annual surveillance audits.

SOC 1 Type 2 & SOC 2 Type 2
A Type 2 report means an independent auditor tested whether our controls actually operated effectively across a defined period — typically six to twelve months. Not a snapshot. A track record.
Covers the internal controls relevant to customer financial reporting. Required by enterprise finance teams and auditors who need assurance that the payroll platform they rely on won't introduce errors into their financial statements.
Assessed against the AICPA Trust Services Criteria. Confirms that our security controls, system availability commitments, and data confidentiality practices held up under sustained independent scrutiny — not just at the moment of assessment.
Both reports are made available under NDA for vendor security reviews, procurement processes, and supply chain risk assessments. Contact your account manager or submit a request below.
Independently audited. Controls assessed over a sustained period — not just reviewed at a point in time. Both reports available to enterprise customers under NDA.

Cloud infrastructure
Built on Microsoft Azure. Multi-tenant architecture with logical isolation per customer. No shared data, no shared compute for sensitive payroll processing.
Hosted on Azure with dedicated compute resources for payroll processing. Azure’s global infrastructure provides the geographic resilience, certifications, and SLAs expected by enterprise buyers.
Azure provides robust availability through virtualisation-based redundancy. Geo-replication copies data in real time to the DR environment. Disaster recovery processes are tested annually and recorded for audit.
Azure SQL Server maintains up-to-the-minute backups with 14-day retention and monthly backups retained annually, all replicated in near real time to the DR environment. All services run within a Virtual Private Cloud with network ACLs preventing unauthorised access.
Azure Security Center, Azure Defender, Azure Sentinel, and a Web Application Firewall (WAF) work together for real-time threat detection, advanced workload protection, and intelligent security analytics.
Developer security
The same security controls that protect Deel Local Payroll on the PaySpace.com platform extend to the API — with full documentation at developer.payspace.com.
All API access uses OAuth 2.0 bearer tokens. Tokens are scoped to the minimum required permissions, short-lived, and revocable without impacting platform access.
API calls are rate-limited per client and per endpoint. Throttling protects platform stability and prevents credential misuse from causing cascading impact.
Every API call is logged with timestamp, caller identity, endpoint, and response status. Logs are retained and available for security review and integration debugging.
Compliance frameworks
Payroll compliance is not optional. Our platform is built to meet the data protection and security obligations of each market — not just the lowest common denominator.
The Protection of Personal Information Act governs processing of personal information. Our platform is designed to support POPIA-compliant data handling and retention.
Fully compliant with the EU’s GDPR, UK GDPR, and Brazil’s LGPD. Data subject rights, lawful processing bases, and breach notification timelines are built into our compliance programme across all operating jurisdictions.
Independently audited. Controls tested over a sustained period — not just at a point in time. Reports available to enterprise customers under NDA.
DPAs are available for enterprise customers to document the controller/processor relationship and data handling obligations in line with applicable legislation.
Enterprise buyers and developers have full access to our security documentation, DPAs, and architecture overview. Book time with the team.