Self-Service Portal security
Learn how the Self-Service Portal keeps employee data secure.
Responsible disclosure
Security is a core part of the Self-Service Portal. Employees access sensitive payroll data through it, and that responsibility is taken seriously.
If you discover a vulnerability in the Self-Service Portal, report it responsibly by contacting us directly rather than disclosing it publicly.
Note
The Self-Service Portal does not persist employee or payroll business data of its own; it connects to external data sources and only stores short-lived operational state, such as server-side session data.
Third-party verification tools
You can use independent security assessment tools to verify the security posture of the Self-Service Portal or any other service that handles sensitive data:
| Tool | What it tests |
|---|---|
| Mozilla Observatory | Web application security |
| SSL Labs | Transport Layer Security |
| Security Headers | HTTP response headers |
| CSP Evaluator | Content-Security-Policy |
Authentication and session management
Sign-in is handled exclusively through Microsoft Entra External ID using OpenID Connect. The Self-Service Portal does not manage end-user credentials directly.
Sessions have the following properties:
- Sessions are stored server-side and accessed through secure, HTTP-only cookies.
- Sessions expire after 10 hours.
- Sessions are bound to the user's IP address at the time of sign-in. If a request arrives from a different IP address, the portal treats it as unauthenticated.
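As an added illustration (not the Self-Service Portal's own code), the following Python sketch enforces the three session properties listed above: an opaque id in a Secure, HttpOnly cookie, a 10-hour lifetime, and binding to the sign-in IP address. The id generation, the in-memory store and the SameSite attribute are assumptions about how such a portal might implement this.

```python
# Added example, not the Self-Service Portal's implementation: a minimal
# server-side session store enforcing server-side state, a 10-hour lifetime
# and IP binding. Session-id format and SameSite=Lax are assumptions.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_LIFETIME_SECONDS = 10 * 60 * 60  # sessions expire after 10 hours


@dataclass
class Session:
    user: str
    bound_ip: str      # client IP observed at sign-in
    created_at: float  # epoch seconds


class SessionStore:
    """In-memory store keyed by an opaque session id.

    Only the id travels in the cookie; user identity, bound IP and creation
    time never leave the server.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        created = time.time() if now is None else now
        self._sessions[session_id] = Session(user, client_ip, created)
        return session_id

    def authenticate(self, session_id: Optional[str], client_ip: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid session, else None (unauthenticated)."""
        current = time.time() if now is None else now
        session = self._sessions.get(session_id or "")
        if session is None:
            return None
        if current - session.created_at > SESSION_LIFETIME_SECONDS:
            self._sessions.pop(session_id, None)  # expired: drop server-side state
            return None
        if client_ip != session.bound_ip:
            return None  # request from a different IP is treated as unauthenticated
        return session.user


def session_cookie(session_id: str) -> str:
    """Set-Cookie value carrying only the id, with Secure and HttpOnly set."""
    return (f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={SESSION_LIFETIME_SECONDS}")
```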