Security & compliance

Security you can actually audit.

Payroll holds your most sensitive data — salaries, bank details and statutory identifiers. Vintage is built so that protection is the default, every change is traceable, and you can run it in our cloud or inside your own walls. Here is exactly how.

NDPR-aligned · Field-level encryption · SaaS or on-premise
Data protection

Your sensitive data, encrypted by design

Encryption at rest

Statutory identifiers and sensitive fields are encrypted field-level using app-layer envelope encryption with keys held in a KMS — not just disk encryption.

Encryption in transit

All traffic is served over TLS. Data moving between your browser, the app and the database is encrypted end to end.

Tenant isolation

Each organisation's data lives in its own database schema — isolation is structural, not just a filter in a shared table.

Access control

Only the right people, only the right data

Role-based access (RBAC)

A two-stage permission model: what a role can see, and what it can do — down to the node and action, mapped to your org structure.

MFA & least privilege

Multi-factor authentication for privileged access, and roles scoped to the least a person needs — including row-level scope on lists.

Immutable audit trail

Every change is logged by user, action and timestamp. Closed payroll periods stay exactly as filed — what you submitted is what's preserved.

Compliance

Compliant with how Nigeria works

Statutory rules are data you own — effective-dated and versioned — so a change in the law is a change you make, not a release you wait for.

NDPR-aligned data handling, with a Data Processing Agreement
PAYE (NTA-2025), pension, NHF, NSITF & ITF kept current
Sensitive-field masking and access logging for statutory IDs
Data residency options, including fully on-premise
Lifecycle of a change
Change requested → Approved (RBAC) → Effective-dated → Audit logged → Period closed · immutable
Availability & deployment

Run it our way, or yours

Backups & recovery

Automated backups with defined recovery objectives, so a bad day never becomes a lost month of payroll history.

SaaS or on-premise

The same platform runs in our managed cloud or inside your own data centre under a signed licence — your governance, your controls.

Responsible disclosure

Found something? Email security@vintageerp.com — we investigate every report and credit responsible researchers.

NDPR-aligned: Nigeria data-protection
AES-256 encryption: Envelope keys + KMS
RBAC + MFA: Least-privilege access
Immutable audit: Every change logged
Tenant isolation: Schema per organisation
SaaS or on-prem: Signed on-prem licence
ISO 27001 — in progress: Information security
Security FAQ

The questions buyers actually ask

Where is our data stored?

In our managed cloud by default, with data-residency options — or fully on-premise inside your own infrastructure under a signed licence, if regulation requires it.

Are you ISO 27001 certified?

ISO 27001 certification is in progress. Today we already operate to its core controls — encryption, role-based access, MFA, audit logging and tenant isolation — and we'll publish the certificate the moment it's granted.

How are bank details and statutory IDs protected?

Sensitive fields are encrypted field-level with app-layer envelope encryption and KMS-held keys, masked in the UI, and every access is logged.

Can we restrict who sees what?

Yes. Role-based access controls what each role can see and do, including row-level scope so managers see only their own team where configured.

What happens to closed payroll periods?

They're immutable. What you filed stays exactly as filed, and the audit trail records every change that led there.

Want the full security overview?

Talk to us for the security pack, the DPA, and answers for your IT and compliance teams.