Is my data isolated from other customers?

Yes. ASHR.work is a multi-tenant platform with a tenant_id on every per-org table and a Postgres row-level-security policy that makes cross-tenant reads or writes impossible — even with a hand-crafted query.

All data is encrypted at rest and in transit using modern industry-standard cryptography (AES-256 at rest, TLS in transit) provided by the underlying Supabase platform. Database backups are encrypted.

Are you GDPR / DPDP / CCPA compliant?

ASHR.work is designed to support GDPR, India's DPDP Act, and CCPA subject-rights workflows (access, export, erasure). For signed DPAs and specific regional commitments, contact sales.

Who can see my data inside ASHR.work?

Only users in your tenant. Within a tenant, RLS plus role gates mean employees see their own data, managers see their direct reports, admins see everything in the tenant. ASHR.work employees do not access customer data except for explicit support requests with customer consent.

Where is data stored?

On Supabase (Postgres + Auth + Storage) hosted on major cloud providers. Enterprise customers can discuss regional hosting during contracting.

Do you have SOC 2 / ISO 27001?

Independent compliance certifications (SOC 2, ISO 27001) are on the roadmap. For the current status and our security questionnaire, email hello@ashr.work.

How do you handle data deletion?

Individual subject-deletion requests are processed promptly per applicable law (e.g. GDPR Article 17). For specific retention and backup timelines for your account, contact us — we document them in the DPA.

Is my data safe in ASHR.work? How do you handle security and compliance?

Quick answer

Yes. Every customer's data lives in a dedicated tenant with a tenant_id column on every per-org table, protected by Postgres row-level-security. Data is encrypted at rest and in transit using the Supabase platform's modern cryptography. ASHR.work is designed to support GDPR, DPDP (India), and CCPA subject-rights workflows.

How isolation works

Every per-org table has a tenant_id column and a restrictive RLS policy: tenant_id = current_tenant_id(). The tenant is derived from the authenticated user's session — not from the URL — so there is no way to accidentally or maliciously read or write another tenant's rows.

Even a SQL injection, a misrouted API call, or a logic bug in application code cannot cross the tenant boundary, because Postgres enforces isolation before the row is ever returned.

What about backups, exports, and deletion?

Backups — encrypted daily snapshots managed by the Supabase platform.
Exports — admins can export data from Reports and Documents inside the product. For a full tenant export, contact support and we will produce one.
Deletion — offboarded tenants are purged from active systems, with backups expiring on the platform's standard retention cycle. Exact timelines are documented in the DPA.
Subject requests — GDPR Article 15 (access) and 17 (erasure) are processed promptly on request to hello@ashr.work.

Where can I read more?

See the full security page for certifications, architecture diagrams, and the security questionnaire download.

Frequently asked questions

Is my data isolated from other customers?: Yes. ASHR.work is a multi-tenant platform with a tenant_id on every per-org table and a Postgres row-level-security policy that makes cross-tenant reads or writes impossible — even with a hand-crafted query.
Is data encrypted?: All data is encrypted at rest and in transit using modern industry-standard cryptography (AES-256 at rest, TLS in transit) provided by the underlying Supabase platform. Database backups are encrypted.
Are you GDPR / DPDP / CCPA compliant?: ASHR.work is designed to support GDPR, India's DPDP Act, and CCPA subject-rights workflows (access, export, erasure). For signed DPAs and specific regional commitments, contact sales.
Who can see my data inside ASHR.work?: Only users in your tenant. Within a tenant, RLS plus role gates mean employees see their own data, managers see their direct reports, admins see everything in the tenant. ASHR.work employees do not access customer data except for explicit support requests with customer consent.
Where is data stored?: On Supabase (Postgres + Auth + Storage) hosted on major cloud providers. Enterprise customers can discuss regional hosting during contracting.
Do you have SOC 2 / ISO 27001?: Independent compliance certifications (SOC 2, ISO 27001) are on the roadmap. For the current status and our security questionnaire, email hello@ashr.work.
How do you handle data deletion?: Individual subject-deletion requests are processed promptly per applicable law (e.g. GDPR Article 17). For specific retention and backup timelines for your account, contact us — we document them in the DPA.

How much does ASHR.work cost and what is included?
ASHR.work is priced per employee per month with three tiers — Starter, Growth, and Enterprise. Every tier includes the core HR modules.