
Security policy

Protecting customer and workforce data is central to DreamHR-Ai. This Security Policy summarizes technical and organizational measures we apply to our cloud service and corporate systems.

Last updated: May 23, 2026

1. Security program overview

Our security program aligns with SOC 2 Trust Services Criteria (security, availability, confidentiality) and incorporates privacy-by-design for monitoring features.

Leadership reviews risk annually; penetration tests and vulnerability scans are performed on a recurring schedule.

2. Data protection

  • Encryption in transit: TLS 1.2+ for web and agent communications
  • Encryption at rest for databases and object storage using industry-standard algorithms
  • Key management via cloud provider KMS with restricted access
  • Logical tenant isolation between customer environments
  • Pseudonymization options for display names in certain reports

3. Access control

  • Role-based access control (RBAC) for customer administrators
  • Principle of least privilege for DreamHR-Ai staff
  • MFA enforced for production systems and support tools
  • Quarterly access reviews and immediate revocation on role change
  • Privileged access logged and monitored

4. Application security

Secure development lifecycle includes code review, dependency scanning, and static analysis on critical repositories.

Production deployments require approval; secrets are not stored in source control.

Administrative actions are audit-logged with timestamp and actor.

5. Infrastructure & network

  • Hosted in reputable cloud data centers with physical security certifications
  • Network segmentation between application tiers
  • Web application firewall and DDoS mitigation at edge
  • Backups encrypted and tested for restore periodically

6. Agent & endpoint security

Agents are signed; tamper detection alerts administrators when configured.

Updates are distributed through authenticated channels; customers may stage rollouts.

Agents collect only categories of data enabled in policy—no covert modules.

7. Vulnerability management

Critical patches are prioritized; customers are notified of agent updates that require action on their side.

Responsible disclosure: report vulnerabilities to security@dreamhrai.com. We acknowledge within 3 business days and coordinate remediation timelines.

8. Incident response

  • Documented incident response plan with roles and communication templates
  • Containment, eradication, recovery, and post-incident review
  • Customer notification without undue delay when their data is affected, per contract and law
  • Cooperation with customer forensic requests under enterprise agreements

9. Business continuity

Redundant infrastructure components are in place, and monitored uptime targets are defined in the SLAs for enterprise tiers.

Disaster recovery exercises conducted annually; RPO/RTO objectives documented per tier.

10. Vendor management

Subprocessors assessed for security posture; contracts require security and breach notification terms.

11. Your security responsibilities

  • Protect administrator credentials and enforce MFA
  • Deploy agents only to managed work devices per policy
  • Limit manager Live View access to authorized roles
  • Review audit logs and offboard users promptly
  • Maintain endpoint protection on employee devices

12. Security contact

security@dreamhrai.com · For urgent incidents, include "SECURITY" in the subject line and also contact your account team.