Payrollix handles some of the most sensitive data a business holds: Social Security numbers, employee bank accounts, federal and state tax IDs, and wage records. This page describes the controls we have in place to protect that data, the compliance posture we operate under, and how to report a security issue.
Payrollix runs on Amazon Web Services in the us-east-1 (N. Virginia) region. All production workloads, databases, queues, and document storage are located in the United States.
Compute: Application services run on AWS managed compute behind a load balancer; application hosts are not directly reachable from the public internet
Database: Managed relational database with encryption at rest and automated, encrypted backups
Document storage: Encrypted object storage with server-side encryption, in private buckets
Dedicated static IP: Outbound traffic to government tax systems originates from a fixed, dedicated IP address that is registered with the IRS e-file gateway and state revenue agencies that require source-IP allowlisting. The address is intentionally pinned and never released.
Isolation: Services run in isolated environments with least-privilege access roles
2. Encryption
All data is encrypted both in transit and at rest using industry-standard algorithms.
In transit: TLS 1.2 or higher for all HTTPS traffic between browsers, mobile apps, our API, and our sub-processors
At rest: AES-256 encryption for the database and all document and tax-filing archive storage
Backups: Encrypted with the same AES-256 standard and retained within the United States
Key management: Cloud-managed encryption keys; no plaintext key material is handled by application code
3. Authentication & Access
Access to Payrollix is gated by per-user credentials with optional second-factor authentication.
Password storage: All passwords are hashed with bcrypt using a per-user salt; we never store plaintext passwords
Session tokens: Signed JWT session tokens with short-lived expiry
Multi-factor authentication (MFA): Available for all user roles; required for administrative roles
Role-based access control: Separate portals for accountants, clients, employees, SMBs, and platform administrators, each with scoped permissions
Biometric login (mobile): Face ID and Touch ID on iOS, fingerprint on Android, gated by the device's secure enclave (Payrollix never receives biometric data — see our Privacy Policy)
4. Data Handling & Retention
Payrollix retains records for the period required by federal and state tax law, then destroys them.
Tax filings: All filed 941, 940, W-2, W-3, 1099-NEC, 1096 and related documents are archived with a minimum 4-year retention to satisfy IRS recordkeeping requirements
Payroll records: Retained 7 years per IRS regulations (see Privacy Policy)
Data residency: All customer data resides in the United States. We do not replicate data outside the US
Document archive: Each tax filing artifact is stored in private, encrypted storage, isolated per client and tax year
Deletion: On verified account closure, we retain records for the legally required period and then securely destroy them
5. Compliance Posture
Payrollix operates under several regulatory and certification regimes. We do not claim certifications that we have not earned — current status is listed below.
SOC 2 Type 2: In progress. We are aligning our cloud environment to the audit scope ahead of the engagement, and will publish the report and audit window once it is complete.
IRS-authorized e-file transmitter: Payrollix is an IRS-authorized electronic filer for the 941, 940, 943, 944, and 945 family of forms, filing directly with the IRS rather than through a third-party service.
E-SIGN Act & UETA: Our in-house electronic signature implementation (we do not use DocuSign or third-party e-sign vendors) captures a full audit trail per signature, including IP address, user-agent, timestamp, authentication method, and document hash
PCI DSS scope: Minimized. Subscription card payments are tokenized and processed by Stripe; Payrollix systems never store full PAN data
Banking compliance: ACH origination is performed by our partner Moov Financial through a federally insured banking partner; see Privacy Policy § 3
6. Sub-Processors
Payrollix relies on a small set of contractually bound sub-processors to deliver the service. The full list with data categories and locations is maintained in our Privacy Policy.
Amazon Web Services (AWS): Cloud infrastructure, database, and document storage (us-east-1)
Moov Financial: ACH origination and payment orchestration
Middesk: Business identity verification (KYB) and state tax registration assistance
Sentry: Application error tracking and monitoring
Stripe: Subscription billing for Payrollix accounts (keeps PCI scope off our infrastructure)
7. Audit Logging
Every state-changing action on the platform is recorded in an append-only audit log. Each entry captures:
The acting user ID and role
The action performed and target resource
The source IP address and user-agent string
A UTC timestamp
Audit logs cover payroll runs, tax filings, e-sign events, banking changes, employee onboarding, and administrative actions. Logs are queryable by authorized administrators for incident investigation and customer-facing audit-trail exports.
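One way to produce the per-signature audit record described in section 5 and the append-only audit log described above, as an added example that is not Payrollix's own code. The field names, the hash chaining between entries (added here so that edits inside the history are detectable; the page does not describe its mechanism) and the sample inputs are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Append-only audit log holding the fields listed on the page.
    Assumption added here: each entry also carries the hash of the previous
    entry so that edits or deletions inside the history are detectable."""

    def __init__(self):
        self._entries = []

    def append(self, user_id, role, action, target, source_ip, user_agent, **extra):
        prev = self._entries[-1]["entry_hash"] if self._entries else "0" * 64
        entry = {"user_id": user_id, "role": role, "action": action,
                 "target": target, "source_ip": source_ip, "user_agent": user_agent,
                 "timestamp": datetime.now(timezone.utc).isoformat(),
                 "prev_hash": prev, **extra}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self._entries.append(entry)
        return dict(entry)  # a copy: callers never hold a reference into the log

    def verify_chain(self) -> bool:
        """Recompute every entry hash and check each link to its predecessor."""
        prev = "0" * 64
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev_hash"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def record_esign(log, user_id, role, source_ip, user_agent, auth_method,
                 document: bytes, doc_id):
    """E-sign event: the generic fields plus authentication method and document hash."""
    return log.append(user_id, role, "esign.sign", doc_id, source_ip, user_agent,
                      auth_method=auth_method, document_hash=sha256_hex(document))


def document_matches_record(entry, document: bytes) -> bool:
    """Integrity check: does the archived document still hash to the value recorded at signing?"""
    return entry.get("document_hash") == sha256_hex(document)
```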
8. Incident Response
Payrollix maintains an internal incident response process. In the event of a data breach affecting your personal or payroll information, we commit to notify affected customers within 72 hours of discovery, consistent with applicable state breach-notification laws and the timeline referenced in our Privacy Policy.
Notification will include, at minimum, the nature of the incident, the categories of data involved, the steps we have taken in response, and recommended actions for affected users.
9. Responsible Disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability in Payrollix, please email security@payrollix.com with:
A description of the issue and its potential impact
Steps to reproduce, including any proof-of-concept code or screenshots
The URL, endpoint, or component affected
Your name or handle for acknowledgment (optional)
We ask that researchers give us a reasonable opportunity to investigate and remediate before public disclosure, avoid accessing or modifying customer data, and avoid actions that degrade service for other users. We will acknowledge receipt within two business days.
10. Contact
For questions about Payrollix security practices, or to request additional information for a vendor security review:
Address: ReasonWorks AI Inc. (d/b/a Payrollix), Attn: Security, 1449 South Michigan Avenue, STE 13207, Chicago, IL 60605
This page describes the security posture of Payrollix as of the "Last updated" date above. Controls and sub-processors may change as the service evolves; material changes will be reflected on this page.