
Security at WORKSPHR

Effective: April 2026
Last updated: April 2026

Security overview

WORKSPHR is built with security as a foundational principle. We protect Filipino businesses' most sensitive data (employee records, salaries, government IDs) with enterprise-grade controls.

This page documents our security posture for technical due diligence and procurement reviews.

Encryption

  • Data at rest: AES-256 encryption for all database, backup, and file storage
  • Data in transit: TLS 1.3 for all network traffic
  • Key management: AWS KMS with automatic key rotation every 90 days
  • Field-level encryption: Sensitive fields (TIN, SSS, bank accounts) encrypted with separate keys

Access controls

  • Multi-factor authentication (MFA): Required for all admin actions
  • Role-based access (RBAC): Granular permissions per role and team
  • Session management: Automatic timeout after 30 minutes of inactivity
  • Audit logs: All data access and modifications logged with timestamp + user + IP
  • Single Sign-On (SSO): SAML 2.0 / OIDC available on Scale+ plans

Infrastructure security

  • Hosting: AWS Asia Pacific (Singapore) primary, with Philippines edge nodes
  • Network isolation: VPC with private subnets, security groups, and WAF
  • DDoS protection: AWS Shield Standard + CloudFront
  • Patch management: Automated security patches within 48 hours of CVE disclosure
  • Backup: Daily encrypted backups, 30-day retention, cross-region replication

Compliance & certifications

  • RA 10173 (Data Privacy Act): Fully compliant. NPC registration in process.
  • SOC 2 Type II: In progress (target: Q4 2026)
  • ISO 27001: Roadmap for 2027
  • PCI DSS: We do NOT store credit card data; payments tokenized via PCI-DSS Level 1 providers
  • Annual penetration testing: Conducted by CREST-certified third party

Incident response

Our incident response process includes:

  • Detection: 24/7 monitoring with automated alerting
  • Triage: Severity classification within 1 hour
  • Containment: Immediate mitigation per playbook
  • NPC notification: Within 72 hours per NPC Circular 16-03
  • Customer notification: Without undue delay for affected customers
  • Post-incident review: Root cause analysis and remediation

Responsible disclosure

If you discover a security vulnerability, please email security@worksphr.com with:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact

We commit to:

  • Acknowledging within 48 hours
  • Validating and triaging within 5 business days
  • Patching critical issues within 30 days
  • Public credit (with permission)
  • Bug bounty (Scale+ scope, case-by-case for now)