How Tako-HR protects employee and applicant data under a multi-tenant architecture.
Last updated: 24 Jun 2026
| Level | Examples | Control |
|---|---|---|
Public | Job postings (public recruitment) | Open |
Internal | Org structure, positions | Scoped by companyId |
Personal (PII) | ID card, address, emergency contacts | By permission + PDPA |
Highly sensitive | Salary, payslips, appraisals, health/benefit data | Strict — owner & specific permission only |
The system's most important rule: one company's data must never leak to another.
companyId comes only from the user's JWT, via assertCompanyId(req)companyId from request body / query / paramsWHERE company_id = …company_id IS NULL deliberately, and only for non-sensitive dataAudit status
Authentication
Authorization (RBAC)
resource:action e.g. payroll:approve, leave:writeauthenticate + authorize(...)createdBy / updatedBy from req.user| Party | Responsibility |
|---|---|
| Engineering | Scope every query by company_id, add authorize, never commit secrets |
| Admin / HR | Grant least-privilege access, review roles periodically |
| Everyone | Use data for its purpose; don't share sensitive data needlessly |