Security & privacy by architecture
EmployDB holds people's employment histories. The platform is designed so the secure path is the only path.
The security model
Six mechanisms carry the whole platform — each one enforced server-side, on every request, with no client-side shortcuts.
Role-based permissions
Owner, HR admin, HR staff, and recruiter roles are resolved server-side on every request. Client input never determines authorization.
DAXTOP identity
One account across daxtop.com, daxtop.app, and employdb.com — HttpOnly session cookies scoped per domain, CSRF protection on every mutation, and strict rate limiting.
Complete audit logs
Every record creation, change, dispute resolution, and profile view is recorded with actor, timestamp, previous value, and new value. Audit entries are append-only.
Secure document storage
Evidence files live in access-controlled cloud storage. Uploads and downloads use short-lived signed URLs bound to the requesting company.
Employee-controlled sharing
No recruiter sees anything without the employee's explicit scoped approval; access expires automatically and is revocable instantly.
Access logs for employees
Employees see exactly who viewed their records and when — transparency is enforced by the data model, not by policy.
What “privacy by architecture” means in practice
Most platforms protect sensitive data with policy — rules about what staff and partners are allowed to do. EmployDB protects it with architecture: the data model itself makes the unsafe path impossible.
Private data has no sharing scope
Salary history, disciplinary records, medical accommodations, and internal documents are stored in structures the verification network cannot address. There is no scope a recruiter could request and no flag an employer could set that would expose them — the sharing mechanism simply does not reach that data.
Opinions cannot be stored
Every record on the network comes from a fixed, factual vocabulary: dates, positions, promotions, training, certifications, awards, employment status. There is no free-text field visible to recruiters, so a subjective review is not merely against the rules — it has nowhere to exist.
Encryption and infrastructure
Data is encrypted in transit (TLS) and at rest on Google Cloud infrastructure. Evidence documents live in access-controlled storage behind short-lived signed URLs. Sessions use HttpOnly, Secure, SameSite cookies, every mutation requires a CSRF token, and rate limiting protects the authentication endpoints.
The same discipline as DAXTOP
EmployDB runs on the security foundation of the DAXTOP platform, which processes daily sales, inventory, and financial data for businesses in 150+ countries — role-based access resolved server-side, append-only audit logs, and infrastructure designed for regulated industries like pharmacy and healthcare.
Reporting a security concern
If you believe you have found a vulnerability or notice suspicious activity on your account, write to support@employdb.com with the details. Security reports are triaged with priority, and we will keep you informed of the resolution.
