
Trust
Payroll and personal data deserve the highest bar.
Office handles the most sensitive records a company keeps — salaries, contracts, leave, performance. Security here isn't a badge on a page; it's the architecture. Here is exactly how your data is protected, in plain language.
Data protection
GDPR-first, by design rather than by disclaimer.
Office is built for European teams under European rules. Data is processed and stored in an EU region with data residency, and every document lives in private, access-controlled storage — never a public bucket, never a shared link by default.
- EU data residency
- Records and backups stay in an EU region. No silent cross-border copies.
- Private document storage
- Contracts, payslips and certificates sit behind row-level rules — access is granted, never assumed.
- Lawful by default
- Data-subject rights, retention windows and minimisation are part of the model, not a bolt-on.


Access control
Everyone sees exactly what they're meant to. Never more.
Every organisation's data is isolated at the database row, enforced by row-level security — not by application code that could be bypassed. On top of that sits least-privilege role design, so a manager never sees another team's salaries and an employee only ever sees their own record.
Row-level isolation per organisation
One organisation can never read another's data. Isolation is enforced in the database itself, so a bug in the app cannot leak across tenants.
Least-privilege roles
Employee, manager and HR each get the narrowest access that does the job: employees see their own, managers their team, HR the organisation.
Token-scoped accountant access
Your external accountant gets read-only, time-bound, token-scoped access to payroll prep and the documents they need — never a full seat, never write access.

Auditability
Sensitive actions leave a trail that can't be quietly rewritten.
Changes to payroll, governance decisions and role assignments are written to an append-only audit log. Every entry records who acted, what changed and when — so an investigation, a works-council request or a routine review has a single, trustworthy source.
- 01 Append-only by design: entries are added, never edited or deleted in place.
- 02 Payroll runs, role changes and governance overrides are all captured.
- 03 Each record carries the actor, the before-and-after and a timestamp.
Payroll & jurisdiction
Built for the rules of the places you actually operate.
Pay runs export to DATEV for Germany and to a Croatian format, with a generic CSV adapter for everything else. Statutory retention periods are respected, so records are kept exactly as long as the law requires — no longer, no shorter.
DATEV & Croatian export
Reviewed, locked pay runs export in the formats your accountant and authorities expect.
Statutory retention
Payroll and personnel records are retained for the legally required window, then handled per policy.
Principles
The commitments behind every decision.
Least access, always
Default to the narrowest permission that does the job. Access is granted deliberately, never inherited by accident.
Collect the minimum
We store the data the work needs and no more — the smallest footprint is the safest one.
Transparent by record
Sensitive actions are logged and attributable, so trust rests on evidence rather than assurance.
Resident in the EU
Your data stays in an EU region under European rules — residency is the baseline, not an upgrade.
Have a security or compliance question?
Talk to the people who built the model. We're happy to walk a security team, a works council or an accountant through exactly how Office protects your data.