Employee data protection, built in from day one

Leave requests carry personal stories — health, family, plans. Time-Out Zone locks that data behind roles, walls it off per company, and keeps it encrypted. No security add-on, no fine print.

  • Lab Test Analyzer logo
  • Promics Edge logo
  • SelfHacked logo
  • SelfDecode logo
  • OmicsEdge logo

Why HR data security matters

$4.44M

the average cost of a data breach worldwide in 2025

88

fine-grained permissions deciding who can do what

4

roles, from owner to employee, each seeing only what the job needs

EU

your leave data is hosted in Frankfurt, Germany

  • A breach costs millions and trust. The cheapest incident is the one that cannot happen, so every request is checked against your company and your role before any data moves.
  • HR data security is not a feature you switch on. It is how the product is built: private storage, expiring links, verified webhooks, and an audit trail underneath it all.

IBM Cost of a Data Breach Report 2025, global average; US average $10.22M. Rounded.

Four roles, 88 keys

Owners, admins, managers, and employees each pass through their own door. Every sensitive action checks a permission on the server, never in the browser.

Your company is an island

Every single query is scoped to your company. Automated tests try to break across that wall on every release — and must fail for the build to pass.

Defense in depth

Sign-in, roles, company walls, private files, encrypted transport. Five layers, each assuming the one above it could fail.

Roles that mean something

88 permissions across four roles. An employee cannot read teammates' balances; a manager cannot change company policy. The server enforces it every time.

One company, one world

Your data is scoped to your company on every request. Nobody from another tenant can reach it — proven by automated cross-tenant tests.

Files behind expiring links

Sick notes and documents live in private storage. Access happens only through short-lived signed links that expire on their own.

The quiet safeguards

Modern sign-in

Authentication runs on Clerk, with session limits and multi-factor options. Unrecognized routes end at the login page, not at your data.

Least visibility by default

Calendars and team views show absence, not reasons. Sensitive detail stays with the people who need it.

Encrypted, monitored, rate-limited

TLS in transit, AES-256 at rest, error monitoring with masked replays, and rate limits on sensitive endpoints.

Verified at every edge

Payment and identity webhooks are signature-checked and replay-protected. We never see or store card numbers — payments run entirely through Stripe.

Encryption at rest is provided by the hosting infrastructure (AES-256). Payment card data is handled exclusively by Stripe.

Access

Who can see what, decided by role

Permissions live on the server, not in the browser.

  • Four roles — owner, admin, manager, employee — mapped to 88 individual permissions.
  • Every sensitive action passes a permission check before it touches data; there is no client-side shortcut.
  • Managers see their team's absences, not their documents; employees see themselves.

Isolation

Your company is an island

Multi-tenant security without the jargon.

  • Every database query is filtered by your company. Not most — every one.
  • Automated cross-tenant tests attack that boundary on every release and must fail to pass the build.
  • Files carry the same wall: storage paths are company-scoped and links expire.

Foundation

Built on trusted rails

The stack underneath is boring on purpose.

  • Identity by Clerk, database and storage by Supabase in Frankfurt, payments by Stripe, monitoring by Sentry.
  • Server-side validation on every input; database constraints as the last line of defense.
  • Every sensitive change lands in the audit trail — who, what, before, after.

Ready to get started?

Give us a call. We'll show you live how roles, company isolation, and the audit trail work together.

GDPR & Data Residency

EU hosting, exports, and erasure.

Explore

Audit trail

Who changed what — field by field.

Explore

Frequently asked questions

Where is my data stored?
Your leave data lives in Frankfurt, Germany, on Supabase infrastructure in the EU. It is encrypted in transit and at rest. Identity, payments, email, and error monitoring run through vetted providers, listed transparently.
Who can see employee data?
Only people whose role allows it. Time-Out Zone maps four roles to 88 fine-grained permissions, checked on the server for every sensitive action. Employees see their own data; managers see their team's absences; admins manage the company.
Do you store credit card numbers?
No. Payments run entirely through Stripe. Time-Out Zone stores only a customer reference — never a card number. Payment webhooks are signature-verified and protected against replays.
Can another company ever see our data?
No. Every query is scoped to your company, and automated cross-tenant tests verify that isolation on every release. Files are separated the same way, behind expiring signed links.
What happens when someone leaves the company?
Their account is deactivated and access ends immediately. If your identity provider deprovisions the user, Time-Out Zone mirrors it automatically. Deletion requests are honored with proper cascades.
Are you SOC 2 certified?
Certification is on our roadmap. What exists today is the substance behind it: role-based access control, tenant isolation proven by tests, encrypted storage, verified webhooks, rate limiting, and a complete audit trail. We publish what we do — and never claim what we do not.