Security at JustParity
How we protect your employees' pay data, which security standards we follow, and how to report vulnerabilities.
Last updated: 7 July 2026 · security@justparity.com
Security posture
JustParity is built on a modern, isolated stack with a defence-in-depth architecture:
- Multi-tenant isolation: Row-Level Security (RLS) on personal-data tables, logical multi-tenant isolation tested and hardened (most recently 04-2026). No known cross-tenant exposure after hardening.
- Authentication: Supabase Auth with JWT, MFA support, session hardening and rate limiting on login.
- Encryption in transit: TLS 1.3 everywhere. HSTS preload submitted.
- Encryption at rest: AES-256 for the database and all files (Supabase Storage).
- Network isolation: Database access is protected by Row-Level Security, JWT and TLS. No direct SQL exposure to the internet.
- Observability: Sentry for error monitoring in the browser.
OWASP Top 10
JustParity is developed with the OWASP Top 10 as its baseline. Status as at the most recent internal audit (18 January 2026):
| Risk | Status | Controls |
|---|---|---|
| A01 Broken Access Control | Mitigated | RLS, role checks, audit trail |
| A02 Cryptographic Failures | Mitigated | TLS 1.3, AES-256 at rest |
| A03 Injection | Mitigated | Parameterised queries, Zod validation |
| A04 Insecure Design | Mitigated | Threat modelling, secure by default |
| A05 Security Misconfiguration | Mitigated | Environment validation at boot, HSTS, CSP |
| A06 Vulnerable Components | Monitored | Dependabot, npm audit in CI |
| A07 Authentication Failures | Mitigated | JWT, MFA, rate limiting, session hardening |
| A08 Software/Data Integrity | Mitigated | Signed CI/CD, immutable audit logs |
| A09 Security Logging | Mitigated | Sentry, Supabase logs, audit trail |
| A10 SSRF | Mitigated | Allowlist on outbound calls |
Certifications and roadmap
We are working towards formal certifications to meet the requirements of enterprise customers:
Penetration testing
Internal security audit completed on 18 January 2026 (security hardening sprint). An external penetration test is in preparation. Results of external penetration tests can be shared under NDA upon request to security@justparity.com.
Data retention and deletion
Payroll integration data is retained only for as long as required for compliance reporting and the customer's active subscription:
- Active customer: Data is available for as long as the subscription is active.
- Upon termination: Personal data is deleted within 30 days. Aggregated compliance reports (anonymised) are retained in accordance with legal requirements.
- Right to erasure: Individuals may contact us via their employer, or directly, to exercise their rights under Article 17 GDPR. See /gdpr.
- Audit logs: Security-relevant logs are retained for 12 months for compliance purposes.
Responsible vulnerability disclosure
If you discover a vulnerability in JustParity, we ask that you report it responsibly:
How to report:
- Send an email to security@justparity.com
- Describe the vulnerability, the steps to reproduce it and the potential impact.
- We will acknowledge receipt within 48 hours and provide a status update within 7 days.
- Please refrain from public disclosure until a patch has been deployed (90-day standard period).
Note: the deadlines above (48 hours, 7 days, 90 days) apply to responsible vulnerability disclosure. Notification of a personal data breach follows the data processing agreement (no later than 24 hours to the data controller), cf. DPA section 10.1.
We do not currently offer a formal bug bounty programme, but we always credit responsible researchers in a hall of fame upon patch release.
Sub-processors and data flow
JustParity uses the following sub-processors. The full list, including purposes and locations, is available in the data processing agreement.
- Supabase (database and auth, EU region)
- Netlify (web hosting, EU edge)
- Google Ireland Limited (transactional emails, EU/US)
- Slack Technologies (internal notifications, EU)
- Sentry (error monitoring in the browser; EU region with EU org)
- Redis provider (rate limiting, EU region)
Security questions?
Write to security@justparity.com or fill in the form below.
Security enquiries
Describe your enquiry, or use security@justparity.com directly for responsible vulnerability disclosure.