1. Encryption
At rest. All Customer Data is encrypted at rest using AES-256 via the underlying database and storage layer (AWS RDS for PostgreSQL, AWS S3 for files). Encryption keys are managed by AWS Key Management Service (KMS) with automatic rotation.
In transit. All connections to the Service use TLS 1.2 or higher. We do not accept unencrypted HTTP traffic. SSL certificates are managed via AWS Certificate Manager with automatic renewal.
Field-level encryption. Highly sensitive fields (employee bank IBANs, account numbers) are additionally encrypted with a separate application-level key before being written to the database, providing defense in depth even if the database itself is compromised.
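The following Go program is an added illustration of the field-level scheme described above; it is not Byro's code. It seals one value with AES-256-GCM under a separate application key before it would be written to the database, binds the destination column name as associated data (so a ciphertext copied into another column fails to decrypt), and versions the stored format. The key, column names and sample IBAN are constructed for the example; a real deployment would load the key from a secrets store, never from source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// FieldKey is the 256-bit application-level key. Constructed here by hashing a
// fixed string purely for the example; production would fetch it from a
// secrets store that is separate from the database credentials.
var FieldKey = sha256.Sum256([]byte("example-only-application-field-key"))

// EncryptField seals one sensitive field (e.g. an IBAN) with AES-256-GCM before
// it is written to the database. The column name is bound as associated data,
// so a ciphertext moved into a different column fails authentication on read.
// Stored format: "v1:" + base64(nonce || ciphertext || tag).
func EncryptField(key [32]byte, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return "v1:" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Tampering with the stored value, a
// column mismatch or a wrong key all surface as an error, never as garbage.
func DecryptField(key [32]byte, column, stored string) (string, error) {
	if !strings.HasPrefix(stored, "v1:") {
		return "", errors.New("unrecognised field encryption format")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "v1:"))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, sealed, []byte(column))
	if err != nil {
		return "", errors.New("field authentication failed: tampered value, wrong column or wrong key")
	}
	return string(plaintext), nil
}

func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	iban := "AE070331234567890123456" // constructed sample, not a real account
	stored, _ := EncryptField(FieldKey, "employees.iban", iban)
	fmt.Println("stored in DB:", stored)
	back, err := DecryptField(FieldKey, "employees.iban", stored)
	fmt.Println("read back:", back, err)
	_, err = DecryptField(FieldKey, "employees.account_number", stored)
	fmt.Println("same ciphertext read from another column:", err)
}
```

Because the database only ever holds the sealed form, a dump of the table or a compromised database credential yields no IBANs without the separate application key, which is the defense-in-depth property the paragraph describes.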
2. Access Control
Customer-side. Every action in the Service is gated by role-based access control (RBAC). We support 7 built-in roles (Super Admin, ERP Administrator, Company Admin, IT Manager, HR Manager, Finance Manager, Employee) with field-level access policies. Multi-tenant isolation prevents one customer from ever seeing another customer's data.
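As an added example (not Byro's implementation), the Go program below shows how a field-level RBAC policy and tenant isolation combine on a read path. The seven role names are taken from the section above; the employee field names and which role may read which field are assumptions made for the illustration, as is the choice to treat every role as scoped to its own tenant. Two properties are worth noting: the tenant check runs before any field logic and fails closed with an error rather than an empty view, and an unknown role or unlisted field is denied by default.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Principal is the caller: the workspace (tenant) they belong to and their role.
type Principal struct {
	TenantID string
	Role     string
}

// Record is one employee row. Field names are assumptions for this example.
type Record struct {
	TenantID string
	Fields   map[string]string
}

// fieldPolicy maps role -> set of employee fields that role may read.
// Deny by default: a role absent from the map, or a field absent from its set,
// is not readable. Role names come from the page; the assignments are illustrative.
var fieldPolicy = map[string]map[string]bool{
	"Super Admin":       {"name": true, "email": true, "salary": true, "iban": true},
	"ERP Administrator": {"name": true, "email": true, "salary": true, "iban": true},
	"Company Admin":     {"name": true, "email": true, "salary": true, "iban": true},
	"IT Manager":        {"name": true, "email": true},
	"HR Manager":        {"name": true, "email": true, "salary": true},
	"Finance Manager":   {"name": true, "email": true, "salary": true, "iban": true},
	"Employee":          {"name": true, "email": true},
}

// ErrTenantMismatch is returned for any cross-tenant read, regardless of role.
var ErrTenantMismatch = errors.New("record belongs to another tenant")

// ReadRecord enforces tenant isolation first, then projects the record down to
// the fields the caller's role may see. Fields outside the policy are omitted
// entirely rather than blanked, so callers cannot infer their presence.
func ReadRecord(p Principal, r Record) (map[string]string, error) {
	if p.TenantID == "" || r.TenantID != p.TenantID {
		return nil, ErrTenantMismatch
	}
	allowed := fieldPolicy[p.Role] // nil for an unknown role: nothing is visible
	out := make(map[string]string)
	for name, value := range r.Fields {
		if allowed[name] {
			out[name] = value
		}
	}
	return out, nil
}

// VisibleFields lists, sorted, the fields a role may read; handy for policy review.
func VisibleFields(role string) []string {
	var names []string
	for name := range fieldPolicy[role] {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample record; the IBAN is not a real account.
	rec := Record{TenantID: "acme", Fields: map[string]string{
		"name": "A. Example", "email": "a@example.test",
		"salary": "9000", "iban": "AE070331234567890123456",
	}}
	for _, role := range []string{"HR Manager", "Finance Manager", "Employee", "Contractor"} {
		view, err := ReadRecord(Principal{TenantID: "acme", Role: role}, rec)
		fmt.Printf("%-16s -> %v (err=%v)\n", role, view, err)
	}
	_, err := ReadRecord(Principal{TenantID: "globex", Role: "Company Admin"}, rec)
	fmt.Println("cross-tenant read:", err)
	fmt.Println("HR Manager may read:", VisibleFields("HR Manager"))
}
```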
Internal access. Byro employees access production systems only when necessary for support, debugging, or operations. All access is:
- Authenticated with multi-factor authentication (MFA)
- Logged via cloud audit trails (AWS CloudTrail)
- Time-limited to the minimum needed
- Scoped to the minimum permissions needed
We do not read Customer Data without your written request (e.g. when you ask us to debug an issue).
3. Authentication
For your team:
- Password authentication with bcrypt hashing (12 rounds)
- Optional multi-factor authentication (MFA) for admin accounts (TOTP)
- SSO via Google Workspace and Microsoft Entra (Enterprise plan)
- Session timeout configurable per workspace
- Forced password rotation supported by admin
4. Audit Logging
Every data-modifying action in the Service is recorded in an append-only audit log: who, what, when, before-and-after diff. Audit logs are retained for at least 7 years to meet regulatory record-keeping requirements (GCC labour law, financial record retention).
Customers can view their own audit log via the in-app /audit page. We retain a separate, tamper-resistant system audit log for forensic purposes.
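To make the "who, what, when, before-and-after diff" and "tamper-resistant" properties concrete, here is an added Go example (not Byro's implementation). Each entry stores the actor, action, entity, timestamp and the per-field diff computed from the record before and after the change, and is linked to its predecessor by a SHA-256 hash chain. The hash chain is one common way to achieve tamper evidence and is an assumption of this example; the page does not say which mechanism the system log uses. The actor, entity and field values are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// FieldChange records one field's value before and after a modification.
type FieldChange struct {
	Before string `json:"before"`
	After  string `json:"after"`
}

// AuditEntry is one immutable line of the log: who, what, when and the diff.
// PrevHash links it to the preceding entry; Hash covers all fields above it.
type AuditEntry struct {
	Seq      int                    `json:"seq"`
	At       string                 `json:"at"`
	Actor    string                 `json:"actor"`
	Action   string                 `json:"action"`
	Entity   string                 `json:"entity"`
	Diff     map[string]FieldChange `json:"diff"`
	PrevHash string                 `json:"prev_hash"`
	Hash     string                 `json:"hash"`
}

// DiffRecords computes the before-and-after diff of two flat records. A field
// present on only one side is reported with an empty string on the other side.
func DiffRecords(before, after map[string]string) map[string]FieldChange {
	diff := make(map[string]FieldChange)
	for k, b := range before {
		if a, ok := after[k]; !ok || a != b {
			diff[k] = FieldChange{Before: b, After: a}
		}
	}
	for k, a := range after {
		if _, ok := before[k]; !ok {
			diff[k] = FieldChange{Before: "", After: a}
		}
	}
	return diff
}

// AuditLog is append-only: entries are only ever added and verified.
type AuditLog struct {
	Entries []AuditEntry
	Now     func() time.Time // injectable clock; nil means time.Now
}

// entryHash hashes the canonical JSON of an entry with its Hash field blanked.
// json.Marshal emits struct fields in order and map keys sorted, so the
// encoding is deterministic.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	body, _ := json.Marshal(e)
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// Append records one data-modifying action, chained to the previous entry.
func (l *AuditLog) Append(actor, action, entity string, before, after map[string]string) AuditEntry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	now := time.Now
	if l.Now != nil {
		now = l.Now
	}
	e := AuditEntry{
		Seq: len(l.Entries) + 1, At: now().UTC().Format(time.RFC3339Nano),
		Actor: actor, Action: action, Entity: entity,
		Diff: DiffRecords(before, after), PrevHash: prev,
	}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every hash and link. An edited, removed or reordered entry
// breaks the chain from that point on. Silent truncation of the tail is the one
// case a chain alone cannot show; that needs the latest hash anchored elsewhere.
func (l *AuditLog) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i+1 || e.PrevHash != prev {
			return fmt.Errorf("entry %d: broken chain link", i+1)
		}
		if entryHash(e) != e.Hash {
			return fmt.Errorf("entry %d: content does not match its hash", i+1)
		}
		prev = e.Hash
	}
	return nil
}

func main() {
	al := &AuditLog{}
	// Constructed sample change: an HR user updates an employee's IBAN (fake values).
	al.Append("hr.user@example.test", "employee.update", "employee/42",
		map[string]string{"iban": "AE07...OLD", "salary": "9000"},
		map[string]string{"iban": "AE07...NEW", "salary": "9000"})
	al.Append("finance.user@example.test", "employee.update", "employee/42",
		map[string]string{"salary": "9000"}, map[string]string{"salary": "9500"})
	fmt.Println("verify:", al.Verify())
	al.Entries[0].Diff["iban"] = FieldChange{Before: "AE07...OLD", After: "AE07...OLD"} // rewrite history
	fmt.Println("after tampering:", al.Verify())
}
```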
5. Infrastructure
The Service runs on Amazon Web Services (AWS) using:
- ECS Fargate — serverless container compute, no SSH access to underlying hosts
- RDS PostgreSQL — managed database with Multi-AZ failover and point-in-time recovery
- S3 — object storage with private bucket policy and lifecycle archival
- CloudFront — CDN for static assets with WAF protection
- VPC — private network with security groups; databases not internet-reachable
- Secrets Manager — encrypted credential storage; no secrets in source code
Production data is stored in AWS Bahrain (me-central-1) for GCC customers and Mumbai (ap-south-1) for Pakistan customers, providing in-region data residency for regulated workloads.
6. Backups and Disaster Recovery
Daily automated database backups with point-in-time recovery covering the last 30 days. Backups are encrypted at rest and stored in a separate AWS region. Backup integrity is tested regularly via routine restore-to-staging exercises.
Recovery objectives:
- RPO (Recovery Point Objective): ≤ 1 hour
- RTO (Recovery Time Objective): ≤ 4 hours
7. Vulnerability Management
- Automated dependency scanning (Dependabot) with critical patches applied within 24 hours
- GitHub secret scanning + push protection — credentials never enter source control
- Automated container image scanning before deployment
- Annual third-party penetration testing (planned for 2026 H2)
- Coordinated vulnerability disclosure program (see section 11)
8. Incident Response
We maintain documented incident response procedures covering detection, containment, eradication, recovery, and post-mortem. In the event of a confirmed Personal Data Breach affecting your data, we will notify you within 72 hours per the DPA §9 with what we know, what we're doing, and how to respond.
Status page (planned): status.byro.io
9. Employee Security
- All Byro employees sign a confidentiality undertaking before starting
- Mandatory data protection + security awareness training within first week
- Hardware encryption required on company devices; remote wipe capability
- Password manager mandatory for all credential storage
- Background checks for employees with production access
10. Compliance and Certifications
Status of compliance work:
- GDPR — designed to support compliance for our EU customers (see Privacy Policy and DPA)
- UAE Data Office — Federal Decree-Law 45/2021 — designed for compliance
- Saudi PDPL — designed for compliance with the Personal Data Protection Law
- Pakistan PDPB — pending finalization of the bill; we track and adapt
- SOC 2 Type II — planned for 2026 H2
- ISO 27001 — planned for 2027
For specific compliance attestations or audit reports under NDA, contact security@byro.io.
11. Coordinated Vulnerability Disclosure
If you believe you've found a security vulnerability, please email security@byro.io with:
- A description of the vulnerability
- Steps to reproduce
- Impact you observed
- Your contact details for follow-up
We acknowledge reports within 48 hours and aim to triage and fix critical vulnerabilities within 30 days. We do not currently offer bug bounties but credit researchers in our security advisories where they wish.
Please do not: publicly disclose without giving us reasonable time to fix; access data beyond the minimum needed to demonstrate the issue; perform denial-of-service testing.
12. Contact
Security inquiries: security@byro.io