Data Protection & Security Policy

Document Version: 1.0    |    Last Updated: June 27, 2025

1. Our Commitment to Security & Quality

At Pantheon Digital Private Limited, the protection of our clients' sensitive Human Resources data is fundamental to our operations. As the developer and legal owner of the ZFour HRMS platform, we are deeply committed to implementing, maintaining, and continually improving a robust data security and quality assurance framework.

ZFour HRMS is a proprietary product of Pantheon Digital Private Limited, and all legal responsibilities, data protection measures, and associated licenses or declarations related to data privacy and compliance are issued and governed under the name of Pantheon Digital Private Limited.

Our policies are aligned with industry-leading practices and applicable data protection regulations to ensure the confidentiality, integrity, and security of all client and employee data processed through the ZFour HRMS system.

Our approach is built upon the principles of internationally recognized standards:

  • ISO/IEC 27001 (Information Security Management): Our security practices are governed by a comprehensive Information Security Management System (ISMS). This ensures we systematically identify, assess, and mitigate risks to client data.

  • SOC 2 (Service Organization Control): We align our controls with the AICPA's Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. This provides our clients with assurance that their data is managed responsibly.

  • ISO 9001 (Quality Management): Our commitment to a Quality Management System (QMS) ensures that our operational processes, from development to support, are consistent, reliable, and focused on client satisfaction and data integrity.

This policy outlines the technical and organizational measures we have implemented to protect the data you entrust to us.

2. Data Architecture & Logical Segregation

Our multi-tenant HRMS platform, ZFour, is architected with strict data isolation as a core design principle.

  • Dedicated Tenant Databases: Each client (tenant) is provisioned with a dedicated, logically separate database. This database is automatically generated upon account creation. This architecture ensures that one tenant's data is never stored or commingled with another's.

  • Network-Level Isolation: Tenant databases are configured with stringent network security rules. They are only accessible from our internal application servers and are not exposed to the public internet. This prevents any possibility of direct external access.

  • Application-Level Enforcement: All data requests are processed through a secure middleware layer that maps every authenticated user exclusively to their designated tenant database, enforcing strict data boundaries at every stage of the request lifecycle.
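The tenant mapping described above, as an added example that is not ZFour's own code: an in-memory SQLite database stands in for each dedicated tenant database, the tenant id is assumed to be bound to the authenticated session at login, and `provision_tenant`, `AuthenticatedUser` and `resolve_tenant_connection` are hypothetical names. The resolver refuses any request that names a tenant other than the one the session belongs to, so a data request can only ever reach the caller's own database.

```python
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the "dedicated database per tenant" model: one
# in-memory SQLite database per tenant. A real deployment would keep a
# connection string per tenant here instead.
TENANT_DATABASES: Dict[str, sqlite3.Connection] = {}


def provision_tenant(tenant_id: str) -> None:
    """Hypothetical helper: create the tenant's own database on account creation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)")
    TENANT_DATABASES[tenant_id] = conn


@dataclass(frozen=True)
class AuthenticatedUser:
    user_id: str
    tenant_id: str  # bound to the session at login, never read from the request


class TenantBoundaryError(PermissionError):
    """Raised when a request would cross from one tenant to another."""


def resolve_tenant_connection(user: AuthenticatedUser,
                              requested_tenant: Optional[str] = None) -> sqlite3.Connection:
    """Map the authenticated user to exactly one tenant database.

    The tenant comes only from the authenticated session. If the request also
    names a tenant (for example in a URL parameter) and it disagrees, the
    request is refused rather than trusted.
    """
    if requested_tenant is not None and requested_tenant != user.tenant_id:
        raise TenantBoundaryError(
            f"user {user.user_id} of tenant {user.tenant_id} "
            f"requested tenant {requested_tenant}")
    try:
        return TENANT_DATABASES[user.tenant_id]
    except KeyError:
        raise TenantBoundaryError(f"no database provisioned for {user.tenant_id}")


def list_employees(user: AuthenticatedUser,
                   requested_tenant: Optional[str] = None) -> List[str]:
    """Example data request: only ever runs against the resolved tenant database."""
    conn = resolve_tenant_connection(user, requested_tenant)
    return [row[0] for row in conn.execute("SELECT name FROM employees ORDER BY id")]
```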

3. Security Controls & Measures

3.1. Confidentiality & Access Control

  • Role-Based Access Control (RBAC): We provide a powerful RBAC system within the application, allowing client administrators to define granular permissions and ensure their users can only access the information necessary for their roles.

  • Secure File Management (AWS S3): Client files and documents are stored in private AWS S3 buckets. Direct access is disabled. Files are only accessible to authorized users through secure, time-limited presigned URLs generated on-demand by the application.

  • Principle of Least Privilege (Internal): Our internal access control policy ensures that Pantheon Digital Pvt. Ltd. employees have the minimum level of access required to perform their duties. Access to production environments and client data is highly restricted, requires multi-factor authentication (MFA), and is logged and regularly audited.

  • Password Security: User passwords are never stored in plaintext. We utilize the industry-standard bcrypt hashing algorithm to securely hash and store credentials.

3.2. Data Encryption

  • Data in Transit: All data transmitted between your users and our application, as well as between our internal services, is encrypted using Transport Layer Security (TLS) 1.2 or higher.

  • Data at Rest: All data at rest is encrypted. This includes tenant databases residing on encrypted storage volumes and all files stored within our AWS S3 buckets, which are protected by default server-side encryption (SSE-S3).

3.3. Availability and Resilience

  • High-Availability Infrastructure: Our platform is built on the resilient and scalable infrastructure of Amazon Web Services (AWS), designed to withstand component failures and ensure high uptime.

  • Backup and Disaster Recovery: Regular, automated backups of all tenant databases are taken to enable point-in-time recovery. All backup data is encrypted. We maintain and test a disaster recovery plan to ensure swift service restoration in the event of a major outage.

3.4. Processing Integrity

Our adherence to ISO 9001 principles ensures that our systems are designed to process data reliably and accurately. This includes application-level checks, data validation, and robust error handling to maintain the integrity of your HR data.

3.5. Privacy & Data Subject Rights

We act as a "Data Processor" on behalf of our clients, who are the "Data Controllers." Our platform is designed to help you meet your data privacy obligations (e.g., under GDPR, CCPA). We provide built-in tools to help you service Data Subject Requests, including the right to access, rectify, and erase personal data.

4. Continuous Monitoring and Improvement

  • Security Monitoring: We utilize a suite of monitoring and logging tools to maintain visibility over our infrastructure and application, enabling us to detect and respond to potential threats.

  • Vulnerability Management: We employ continuous vulnerability scanning and dependency analysis to proactively identify and remediate security weaknesses in our platform.

  • Continual Improvement: In line with our ISO 9001 and ISO 27001 commitments, our security controls and policies are reviewed at least annually and are subject to a process of continual improvement based on risk assessments, performance metrics, and emerging threats.

5. Independent Third-Party Audits

Pantheon Digital Pvt. Ltd. is committed to validating the effectiveness of our controls through independent, third-party audits. We will pursue and maintain formal certifications for ISO/IEC 27001 and SOC 2 to provide our clients with transparent, validated assurance of our security posture.

6. Contact

For any questions regarding this policy or our security practices, please contact us at security@zfour.in.
