Security Overview
Last updated: 21 January 2026
This page provides a summary of Core HR security practices for buyers, customers, and due diligence reviews. It is a high-level overview and does not replace a signed security schedule or customer agreement.
Security program
- Access control and least‑privilege for admin and support access.
- Audit logging for sensitive actions and system activity.
- Rate limiting for public endpoints.
Data protection
- Encryption in transit (TLS) for web and API traffic.
- Secure storage for tokens and secrets.
- Segregation by tenant to prevent cross‑tenant access.
Application security
- Authentication required for private endpoints.
- Role‑based access checks for administrative operations.
- Input validation for key flows.
Delivery model and platform control
- Core HR is ordinarily delivered as a hosted service rather than a source-code handover.
- Sensitive configuration, billing integrations, and server-side business logic are intended to remain in controlled runtime environments.
- Customer-facing web and mobile clients should be treated as inspectable, so security boundaries are designed around server-side controls instead of relying on client secrecy.
Operational controls
- Controlled deployment and release procedures for application updates.
- Environment-specific configuration management for operational secrets and billing integrations.
- Change validation and smoke testing for public-facing releases.
Incident response
We maintain an incident response process, including triage, containment, remediation, and notification timelines as required by contract and law.
Vulnerability reporting
If you believe you have identified a security issue, do not publicly disclose it. Send details to the contact below and include the affected URL, reproduction steps, and any supporting evidence.
Third‑party security
We use reputable subprocessors for infrastructure and payments. See the Subprocessors page.
Contact
Report security issues to security@coremethods.com.au.