Employee data. Treated like it.
The data we move is among the most personal your company holds — names, salaries, bank details, and the government ID numbers Philippine law protects hardest. This page is written for the person who has to approve us before anyone signs: what we hold and for how long, who can reach it — and how you cut that access off — where it runs, exactly where our paperwork stands (including what we don't claim yet), and what happens when you leave. Forward it whole; your security review can start before anyone books a call.
Sending this to your security team? The one-screen version.
- Roles
- your company is the personal information controller (PIC); OmniSync HR processes on your documented instructions (PIP)
- Data touched
- employee master data — including bank details and PH government IDs (SSS, TIN, PhilHealth, Pag-IBIG) — org structure, time & leave, compensation and payroll results · only fields named in your signed mapping document ever move
- Hosting
- AWS ap-southeast-1 (Singapore) — processing, backups, and support access all stay in-region
- Retention
- record-level operational data — sync payloads, quarantined records, run logs — 90 days rolling, then deleted (backups age off the same clock) · your systems stay the permanent home
- Encryption
- TLS on every connection · encryption at rest for every stored record · credentials in a secrets vault, never in code, config, or tickets
- Access
- scoped service accounts you create, limited to mapped objects and fields, revocable by you any time · on our side: the operating engineers only, under MFA, logged
- Security testing
- regular third-party penetration tests and vulnerability assessments across our engineering organization; the platform enters that regime at launch
- If we're breached
- you hear from us within 24 hours, in writing, with the facts your NPC report needs
- Certifications & paperwork
- SOC 2 Type II — controls in build, audit on the roadmap, not certified yet (we say so on purpose) · PH Data Privacy Act–compliant processing (NPC registration and DPO designation land with our legal entity) · GDPR-ready DPA
- Reliability
- 99.5% sync-success SLA, service credits behind it → SLA & Support #summary
- On exit
- your data stays in your systems · mapping documentation goes with you · operational data deletes on the same 90-day clock, with written confirmation
Less to protect. On purpose.
A security review usually starts with "show us how you protect what you hold." Start one step earlier: how much do we hold?
- We're a mover, not a home. Your HRIS and your payroll system remain the only systems of record. There is no OmniSync database of your employees quietly accumulating — what we hold at the record level is the last 90 days of payloads, quarantined records, and run logs, deleted on a 90-day rolling schedule.
- The mapping document is also the exposure list. A field that isn't named in it never transits the platform — and for vendor-API connections, the integration credentials can't read it anyway. Our worst case is enumerated in a document you signed.
- Deletion is a schedule, not a ticket. Record-level data ages out at day 90, automatically — nobody has to remember to ask.
Most vendors ask you to trust what they protect. We start by shrinking what needs protecting.
What we hold — and what your law calls it ¶
No euphemisms first: the records we move are the sensitive kind. Employee master data includes bank details — and the government identifiers (SSS, TIN, PhilHealth, Pag-IBIG) that the Philippine Data Privacy Act classifies as sensitive personal information, its most protected tier, with the stiffest penalties attached. We designed for that classification from day one, because it's in the pipe from day one.
- Lives in your systems, permanently
- The employee record itself — names, salaries, bank details, government IDs — lives in your HRIS and your payroll system. We move it between them; we don't warehouse it. There is no third employee database to manage.
- Passes through us, held 90 days
- Record-level operational data: sync payloads, quarantined records, run logs — what the quarantine queue, the sync history, and your reconciliation reports run on. Encrypted at rest while it's with us; deleted on the 90-day rolling clock.
Two more things we hold, so the inventory is complete: your API credentials (in the secrets vault, until you revoke them) and your field-mapping documents (versioned — and yours).
And the handling doesn't wait for go-live: the same encryption, scoping, and retention rules apply from week-1 discovery onward, parallel run included — there is no separate "test mode" pipeline.
The scope isn't a policy sentence — it's a signed artifact. Every field that moves is named in your mapping document before we build: versioned, signed off, yours to keep. Nothing moves that isn't in it, and integration access is scoped to exactly it. When your DPO asks what this vendor holds, the answer is a signed document, not a reconstruction.
Which domains move, and in which direction: the Product page owns that story →Access — you issue it, you scope it, you can kill it ¶
Our access to your systems is a credential you create, in your own tenant. There is no master key we hold that you didn't mint.
- Scope equals the signed mapping document. The service account is limited to exactly the objects and fields your mappings name. The platform cannot read what you never signed over — and widening the scope requires a new signed mapping version, because no mapping change ships without your sign-off. Least privilege here isn't our policy promise; it's your configuration.
- Revocation is unilateral. The off switch lives in your systems, and using it needs nothing from us. That's not a failure mode — it's the design. (The next section runs the drill.)
- Credentials live in a secrets vault — never in code, config files, or tickets. Every connection runs over TLS; everything the platform stores is encrypted at rest.
The most our access can ever reach is your signed mapping document — the current version, nothing more.
Connections without a vendor API (screen-based, direct-database) run as custom scope with their own connection model, defined in your quote.
the exclusions row on the SLA page →If you ever need us gone, you don't need us to agree
Security reviews are about worst cases. So run this one: you want us out — today.
- Suspend the service account in your own system. Every sync stops. No ticket to us, no notice period to cut our access, no cooperation required.
- There's nothing to uninstall. No agent on your servers, no middleware you licensed, no code you have to own. Switching us off leaves nothing behind. (Vendor-API connections — the default; custom connections define their model in the quote.)
- And nothing to retrieve. Your data was never only with us — the permanent copy sat in your systems all along. The record-level data we held — payloads, quarantined records, run logs — ages off the 90-day clock.
We'd rather you never reach for the off switch. But in our worst case, you hold it.
Leaving the contract is a different, calmer story — term end, with notice, no exit fee.
Renewal terms, on the Pricing page →"Can your engineers read our salaries?" — the honest answer ¶
A vendor whose staff can never see your data is a vendor who can never diagnose your quarantined record an hour before cutoff. So here is the real answer:
- The engineers who operate your integration can access the operational data the platform holds — because diagnosing a held record means seeing it. Your success manager works from run metadata and dashboards, not record payloads — and your support ticket lands with those same engineers, which the SLA page says on purpose.
- That access is controlled. Multi-factor authentication on everything. Production access logged. And everyone who touches production completes mandatory IT-security-awareness training — recurring, not a hire-date checkbox.
- And it's structurally capped. Whatever anyone here can see is bounded by your mapped fields — and, for record-level data, by the 90-day window. The most our access can reach doesn't change because an employee of ours is the one reaching.
Where it lives, and for how long ¶
The platform runs on AWS in Singapore (ap-southeast-1) — and stays there: processing, backups, and support access are all in-region. What it keeps is deliberately small — and deliberately brief:
- What exists operationally is the record-level data named above — held because the quarantine queue, the sync history, and your reconciliation reports need a working window behind them. On a semi-monthly payroll calendar, 90 days is roughly six cycles of history: when payroll asks what synced two cutoffs ago, the answer is in the dashboard.
- Why not longer: Philippine privacy law's own principle is that personal data is kept no longer than the purpose needs — and a sync layer needs a window, not an archive. On day 91 a record-level payload is deleted on the rolling clock — backups included, they age off the same schedule — and the permanent record is where it always was: in your systems. What persists is run-level history and the monthly SLA figures your dashboard reports, not employee records.
- Why not shorter: because a quarantined record being fixed at the source, a failed run being re-run, and a cutoff sign-off being audited all need history behind them. Ninety days is sized to the job — not to building a shadow database.
PH employee data, offshore — and why that's lawful
The question a Philippine DPO asks right after "where": may employee data lawfully sit in Singapore? Yes — and here's the checklist they'll run:
- The Data Privacy Act doesn't require in-country hosting. It requires accountability: your company stays responsible for personal data it sends out for processing, wherever it goes, and secures that responsibility through contract.
- The contract is where we're held to it. The data processing agreement you sign names the processing location, the security measures, and the documented instructions — three of the items the law's outsourcing rules require an agreement to carry. The hosting region isn't a discovery in an audit; it's on this page and in that agreement.
- If your policy requires in-country hosting, we're the wrong vendor today — say so on the scoping call and we'll say it back.
Certifications & paperwork: what's true today ¶
| Claim | Where it stands | What it means for you |
|---|---|---|
| Encryption in transit & at rest | In place — every connection, every stored record, credentials vaultedlast confirmed 2026-07-11 | The table stakes, met. Access says exactly how. |
| Independent security testing | A standing third-party regime — regular penetration tests and vulnerability assessments across our engineering organization; the OmniSync HR platform enters it at launchlast confirmed 2026-07-11 | Not a one-off audit before a sales push — a schedule. The platform-specific test is tracked honestly in what we don't claim yet. |
| SOC 2 Type II | Controls being built to the standard now; independent audit on the roadmap; no report exists yetlast confirmed 2026-07-11 | Nothing to send you today — and no certification seal on this site until there is. We'll say certified when we are — not before. |
| Philippine Data Privacy Act | Processing designed to the Act from day one — sensitive-personal-information handling, minimization, and the contract terms the Act's outsourcing rules requirelast confirmed 2026-07-11 | What we hold and where it lives are the Act's requirements in practice, not a parallel effort. NPC registration and DPO designation land with our legal entity — we'll say registered when we are. |
| GDPR | We hold no GDPR certification — Article 42 certification is voluntary and still rare, and most "GDPR compliant" badges you'll see are self-declaredlast confirmed 2026-07-11 | What we bring is a GDPR-ready data processing agreement — the agreement we sign with you covers EU employees of multinational clients. What "ready" means |
You won't find a certification badge wall here. A seal you can't click through to a report is decoration — and AWS's certifications attest to AWS, not to us, so we won't borrow those either.
A row moves up when the paperwork is real — never before. It's the same rule our integration roadmap runs on: the status changes when reality does.
No report yet. Here's how to evaluate us anyway.
"SOC 2 in progress" can mean almost anything — our own homepage footer says it, so here is exactly what ours means: controls being built to the Type II standard, the audit still on the roadmap — not underway — and no report. Until that changes, here's what we offer your security team instead:
- A live walkthrough of the architecture and controls with the engineers who run the platform. Ask exactly which controls are built and which aren't — you'll get a specific answer, not a roadmap slide.
- Your questionnaire, completed — SIG, CAIQ, or your own format. The answers come from the engineers who run the platform, not a compliance inbox.
- A worst day that's bounded by design. The most our access can reach holds whether or not anyone has audited us — the mapped-field scope, the 90-day window, and your unilateral revocation right are architecture, not policy.
Security here isn't a compliance team downstream of engineering — it's owned by the engineers who design, build, and operate every integration: the people already on the hook when a run fails.
A report is one way to evaluate a vendor. Being small enough to inspect directly is another.
Whose data it is — in the law's own words ¶
- You are the personal information controller (PIC). Your company decides why employee data is processed, and for what. Hiring us changes none of that.
- We are your personal information processor (PIP). We process on your documented instructions — and the signed field-mapping document literally is the instruction set. Only what's in it moves.
- No data sharing — and never our own purposes. We never process your employees' data for our own ends: no analytics on your records, no model training, no product research. Which is also why the NPC's data-sharing-agreement rules don't apply here: what governs is the outsourcing agreement — the data processing agreement we sign with you, carrying the contents Philippine law requires of it.
- We will never ask your employees for consent. The lawful bases you already rely on as their employer — including the laws that require these identifiers to be processed for payroll in the first place — carry the processing; we inherit your instructions. A vendor bragging about collecting employee consent is telling you they don't understand employment data.
For your EU employees: the same posture in EU vocabulary — we act as a processor under Article 28, in the same agreement. And the honest transfer answer, before your counsel asks: Singapore holds no EU adequacy decision, so the DPA will incorporate the EU Standard Contractual Clauses (controller-to-processor module), with the technical-and-organisational-measures annex your transfer impact assessment needs.
If there's ever a breach — the clock, and whose it is ¶
First, a boundary: a failed sync is an operations event — the SLA page owns that playbook. A suspected security incident is a different animal, with a different clock. No security vendor should promise you zero incidents; here is what we commit to when one touches your data:
- The 72-hour clock is yours — and we know it. Philippine law gives you, as controller, 72 hours to notify the National Privacy Commission and affected employees of a qualifying breach. That duty stays yours even when the incident is ours.
- Our job is to spend none of your 72 hours. We notify you within 24 hours of a confirmed or reasonably believed breach touching your records — in writing, with the facts your NPC report needs: what happened, which records were in scope, what we had already done by the time we called.
- You hear it from us first. Bad news travels from us to you — never from a headline. It's the same principle the whole platform runs on.
- What we hold that an incident could expose is bounded by design — the fields your mapping names and, at most, the 90-day operational window. Never a full copy of your workforce's history. And the credential is yours to kill the moment we call: revoke it in your own system and our access ends, no cooperation needed.
- Afterward, a written post-incident account — what happened, what it touched, what changed.
And the same whose-clock logic applies to your Article 33 duty for EU employees.
Leaving, from a security seat ¶
Vendor-risk checklists end with "data return and destruction on termination." Our answer is short, because the architecture already gave it:
- Nothing needs returning — the permanent copy was in your systems all along, and cutting our access is a switch you already hold. The off switch is yours
- The 90-day clock keeps running after your last sync. Within 90 days of leaving, no record-level data of yours remains on the platform — and you get written confirmation when the deletion completes.
- The mapping documentation goes with you — versioned, complete, the artifact your next setup starts from.
A vendor you can leave cleanly is a vendor you can approve safely.
What this page doesn't claim — yet ¶
Security reviewers are trained to find the gap. Here's the list, so you don't have to dig:
- A SOC 2 report — not yet. The exact status. What stands instead: an architecture you can verify in one call, and an SLA whose service credits are in the contract → SLA & Support.
- NPC registration — lands with our legal entity: registration and DPO designation follow entity formation, and this line links the registration certificate when it's true. Status row
- A penetration test of this platform — not yet: the platform enters our standing third-party testing regime at launch. What stands meanwhile: the regime itself — regular pentests and vulnerability assessments across the engineering organization that builds it.
- ISO 27001 — not pursued at launch. One certification honestly finished beats two announced.
- A 24/7 security operations center — no. Automated monitoring watches every scheduled run around the clock; the humans work the published support hours — plus Premium's payroll-window on-call → support tiers, on the SLA page. We won't sell you a follow-the-sun team we don't have.
- A public status page — deliberate, not missing: the only status that matters is your own pair's, and your dashboard already shows it. → Why, on the SLA page
Every not-yet above is paired with the event that changes it; the rest are choices, and we've said why. A list like this is how you know the rest of the page means what it says.
Have a vendor-security questionnaire? Good.
Your company has a vendor-risk process — it should. Send the questionnaire — SIG, CAIQ, or your own spreadsheet — with your scoping request, and the answers come back from the engineers who run the platform, not a compliance inbox. Prefer it live? Bring your reviewer to the call.
Found a vulnerability?
security@omnisync-hr.com reaches the engineers directly — not a form, not a triage vendor. We read good-faith reports, we respond, and we credit them. No paid bounty; a monitored inbox.
Security questions, answered the way the questionnaire asks them ¶
Where is our employees' data hosted?
AWS ap-southeast-1, Singapore — processing, backups, and support access stay in-region, and your systems remain the permanent home.
Where it lives, and for how long →How long do you retain our data?
Record-level operational data — payloads, quarantined records, run logs — is kept 90 days rolling, then deleted.
What we hold → · for how long, and why →Is data encrypted in transit and at rest?
Yes — TLS on every connection, encryption at rest for every stored record, credentials in a secrets vault.
Access & controls →Are you SOC 2 certified?
No — not yet. Type II controls are being built now, the independent audit is on the roadmap, and we'll say certified when we are — not before.
The exact status →Who at OmniSync can see our data?
The engineers who operate your integration — diagnosing a held record means seeing it — under multi-factor authentication, with production access logged. Your success manager sees run metadata, not payloads.
The honest answer, in full →Can we revoke your access ourselves?
Yes — any time, unilaterally: the service accounts live in your systems, and suspending them stops the sync without our involvement.
The off switch →Will you sign our DPA?
We bring ours — the agreement we sign with you is built to the Data Privacy Act's outsourcing requirements and the EU Standard Contractual Clauses — and we expect your counsel to mark it up.
Whose data it is →Can we require Philippines-only hosting?
Not today — hosting is Singapore, and the page above shows why that's lawful for PH employee data. If your policy requires in-country, we're the wrong vendor and we'll say so.
Why Singapore is lawful →The parallel run uses real payroll data — is it protected before go-live?
Yes — the same encryption, scoped credentials, and retention rules apply from week-1 discovery onward; there is no separate "test mode" handling.
What we hold →What happens to our data when we leave?
Nothing needs returning — it never lived only with us — and within 90 days of your last sync no record-level data of yours remains, with written confirmation.
Leaving, from a security seat →Run the security review first, if you like.
Bring your security or IT reviewer to the scoping call — or send their questions ahead — and we'll test what this page claims against the systems you actually run: the data touched, the credential scopes, the honest where-it-stands on the paperwork. You get a fixed quote within a week either way, whether or not you buy.
Book a scoping callNeed security's sign-off before anyone talks to us? Start them on the one-screen version — it answers the intake form before the form arrives.