What is CitoHR and who is it for?

CitoHR is a comprehensive HR software platform designed specifically for UK small to medium businesses and startups. It provides employee management, payroll processing, recruitment tools, and HR compliance features to help growing companies streamline their HR operations.

Is CitoHR compliant with UK regulations?

Yes, CitoHR is fully compliant with UK regulations including HMRC requirements for payroll and tax reporting, GDPR for data protection, and UK employment law. The platform is built specifically for UK businesses and includes all necessary compliance features.

How much does CitoHR cost?

CitoHR offers a free trial to get started. Pricing is transparent and scales with your business size, making it affordable for startups and SMEs. There are no hidden fees or long-term contracts required.

What features does CitoHR include?

CitoHR includes employee management, payroll processing, recruitment tools, leave management, document storage, performance reviews, AI-powered HR assistant, custom reports, and compliance tracking. All features are designed for UK businesses.

How quickly can I get started with CitoHR?

You can start using CitoHR immediately with our instant setup process. The platform is designed to be user-friendly and requires no technical expertise. You can import your existing employee data and begin managing your HR processes right away.

Security - CitoHR

1. Overview

CitoHR is built on enterprise-grade infrastructure provided by industry-leading security-focused platforms. We leverage the security expertise and certifications of Vercel and Supabase to ensure your data is protected with the highest standards of security and compliance.

2. Infrastructure Security

Our application infrastructure is hosted on platforms that maintain the highest security certifications and standards:

Vercel - Frontend & Edge Network

Vercel provides our frontend hosting and global edge network, delivering exceptional security and performance:

ISO 27001 Certified: Vercel maintains ISO 27001 certification for information security management
SOC 2 Type II Compliant: Annual audits verify security, availability, and confidentiality controls
DDoS Protection: Built-in DDoS mitigation and protection against distributed attacks
Global Edge Network: Content delivered from 100+ edge locations worldwide with automatic SSL/TLS encryption
Zero-Trust Architecture: Strict access controls and network segmentation
Automated Security Updates: Continuous security patches and updates
Web Application Firewall (WAF): Protection against common web vulnerabilities
Compliance: GDPR, CCPA, and other regional data protection regulations

Supabase - Backend & Database

Supabase provides our backend infrastructure, database, and authentication services with enterprise-level security:

SOC 2 Type II Certified: Annual third-party audits of security controls
ISO 27001 Compliant: Information security management system certification
HIPAA Ready: Infrastructure supports HIPAA compliance requirements
End-to-End Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
Database Security: PostgreSQL with row-level security (RLS) policies
Network Isolation: Private networking and VPC isolation options
Automated Backups: Point-in-time recovery with configurable retention
Access Controls: Role-based access control (RBAC) and audit logging
Multi-Factor Authentication: Built-in MFA support for enhanced account security
Compliance: GDPR, CCPA, and regional data residency options

3. Data Protection

Your data is protected through multiple layers of security:

Encryption in Transit: All data transmitted between your browser and our servers uses TLS 1.3 encryption
Encryption at Rest: All stored data is encrypted using AES-256 encryption
Database Encryption: Full database encryption with automatic key rotation
Secure Connections: Enforced HTTPS for all connections with HSTS headers
Data Residency: Data stored in EU/UK regions to comply with GDPR requirements

4. Authentication & Access Control

We implement robust authentication and access control measures:

Multi-Factor Authentication (MFA): Optional MFA for enhanced account security
Role-Based Access Control: Granular permissions based on user roles
Session Management: Secure session handling with automatic timeout
Password Security: Enforced strong password policies and secure password hashing
OAuth Integration: Secure third-party authentication options
Audit Logging: Comprehensive logs of all access and changes

5. Monitoring & Incident Response

Continuous monitoring and rapid incident response capabilities:

24/7 Monitoring: Continuous monitoring of infrastructure and application performance
Intrusion Detection: Automated detection of suspicious activities
Security Alerts: Real-time alerts for security events and anomalies
Incident Response: Documented procedures for security incident handling
Vulnerability Scanning: Regular automated vulnerability assessments
Penetration Testing: Periodic third-party security testing

6. Backup & Disaster Recovery

Comprehensive backup and disaster recovery strategies:

Automated Backups: Daily automated backups with configurable retention
Point-in-Time Recovery: Ability to restore data to any point in time
Geographic Redundancy: Data replicated across multiple geographic regions
Disaster Recovery Plan: Documented procedures for business continuity
Recovery Time Objectives (RTO): Defined recovery time targets
Recovery Point Objectives (RPO): Minimal data loss objectives

7. Compliance & Certifications

Our infrastructure providers maintain the following certifications and compliance standards:

Vercel Certifications

ISO 27001
SOC 2 Type II
GDPR Compliant
CCPA Compliant

Supabase Certifications

SOC 2 Type II
ISO 27001
HIPAA Ready
GDPR Compliant
CCPA Compliant

8. Security Best Practices

In addition to infrastructure security, we implement application-level security best practices:

Secure Development: Security-first development practices and code reviews
Dependency Management: Regular updates and vulnerability scanning of dependencies
Input Validation: Comprehensive input validation and sanitization
SQL Injection Prevention: Parameterized queries and ORM usage
XSS Protection: Content Security Policy (CSP) headers
CSRF Protection: Cross-site request forgery protection
Rate Limiting: Protection against brute force and DDoS attacks

9. Third-Party Security

We carefully vet all third-party services and subprocessors. For a complete list of our subprocessors and their security certifications, please see our Subprocessors page.

10. Security Updates

Security is an ongoing commitment. We regularly update our security practices, conduct security assessments, and stay informed about emerging threats. This page will be updated to reflect any significant changes to our security posture.

11. Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Email: security@citosoft.co.uk
Response Time: We will acknowledge your report within 48 hours
Disclosure: Please allow us time to address the issue before public disclosure

We take security vulnerabilities seriously and will work with you to resolve any issues promptly.

12. Contact Information

For questions about our security practices, please contact:

Company: Citosoft Ltd
Address: Ipswich, Suffolk, UK
Security Email: security@citosoft.co.uk
General Email: legal@citosoft.co.uk

Related Documents: