PHELTIX

Security & Privacy

PHELTIX is designed with a security-first architecture suitable for enterprise deployments and regulated environments. We focus on strict access control, data isolation, and verifiable auditability — without unnecessary complexity.

Core Security Principles

  • Organization isolation: All data is strictly segmented by organization. Cross-organization access is prevented by technical controls, not only by policy.
  • Least-privilege access: Users only see and act on data required by their role (employee, manager, admin).
  • Auditability by default: Attendance events, approvals, corrections, and timesheet records are stored as append-only records.
  • Deployment-safe configuration: Security rules are explicit, inspectable, and adjustable per organization.

Data Protection

  • Encrypted in transit: All client-to-server communication uses HTTPS/TLS.
  • Secure storage: Sensitive identifiers (device bindings, tokens) are stored in hashed or scoped form where applicable.
  • Controlled retention: Organizations control how long attendance and payroll-related data is retained.
  • No biometric storage by default: Optional selfie checks are configurable; images are never used for identity recognition.

Access Control

  • Row-Level Security (RLS): Enforced at the database level for all organization-scoped tables.
  • JWT-based authentication: Short-lived access tokens with scoped permissions.
  • Role-aware policies: Managers and admins can approve, export, or audit — employees cannot.
  • One-device-per-user model: Device binding reduces account sharing and “buddy punching”.

Location & BLE Controls

  • Geofence enforcement: Attendance actions are validated against organization-defined locations.
  • BLE verification (optional): Physical presence can be confirmed using registered beacons.
  • Purpose-limited location use: Geofence status is evaluated to support attendance prompts and punch verification. We do not store continuous route history.

Compliance Posture

  • GDPR-aligned design: Data minimization, access transparency, and deletion support.
  • Data residency options: Regional hosting can be arranged for enterprise or dedicated deployments, subject to the chosen infrastructure and customer requirements.
  • Audit support: Exportable logs and timesheets support internal and external audits.
  • No false certifications: We do not claim ISO or SOC certifications unless formally obtained.

Operational Transparency

In Starter and Pro deployments, organizations have visibility into configuration, permissions, and data flows. Starter GPS and random-selfie controls and Pro BLE controls must be enabled deliberately; they are never hidden or switched on by assumption.

This ensures PHELTIX can be evaluated realistically before any large-scale rollout.

Have specific security, compliance, or data-residency requirements?

You can also report vulnerabilities at support@pheltix.com.

Talk to us about your security needs
© 2026 PHELTIX Technologies L. L. C — All rights reserved.