PayPunch handles payroll-grade data, so security is built in rather than bolted on. This page is a plain-language overview for the people who use PayPunch — not an exhaustive technical spec.

How you sign in

PayPunch uses different, appropriate credentials for each kind of user:
  • Admins and client users sign in with email and password. Sessions are carried by a signed JSON Web Token (JWT), sent as a secure cookie (or Authorization: Bearer header for the API). Every protected request is verified before it’s allowed through.
  • Employees clock in with a PIN. PINs are never stored in plain text — they’re hashed with a per-employee salt, so even PayPunch can’t read them back.
  • Password resets use single-use, expiring tokens delivered by email, and every reset attempt is logged for monitoring.

Tenant isolation

PayPunch is multi-tenant: many bookkeeper orgs, each with many client companies, share the platform. Your data stays yours:
  • A client company only ever sees its own employees and timesheets.
  • A bookkeeper org’s data is separated from every other org.
  • Isolation is enforced at the database layer (row-level security) and re-checked on every request by the application, so a link or token from one tenant can’t reach another’s data.

Protecting sensitive data

  • Highly sensitive fields are encrypted — full Social Security numbers and bank account / routing numbers are stored encrypted, and the interface only ever shows the last four digits.
  • Documents (IDs, W-4s, etc.) are access-controlled, and every view or download is recorded in an audit log.
  • Audit trails capture who did what — approvals, rejections, locks, settings changes, user invitations, and admin impersonation of a client (which is time-limited and fully logged).

Safeguards on every request

PayPunch hardens the platform against common web attacks:
  • Encryption in transit — HTTPS is enforced (HSTS), so data is encrypted between your browser and PayPunch.
  • Anti-abuse rate limiting — repeated login attempts and high-volume API calls are throttled to blunt brute-force and abuse.
  • Browser protections — a strict Content Security Policy, clickjacking protection (X-Frame-Options: DENY), MIME-sniffing protection, and a locked-down permissions policy.
  • Strict cross-origin rules — only PayPunch’s own domains may call its APIs with credentials.
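
The protections in this list can be checked from the outside by inspecting response headers. The following is an added example, not PayPunch's own code: the header names are standard, but the pass criteria, the sample header values, and the `app.paypunch.example` origin are assumptions made for illustration.

```python
# Added example: audit response headers against the protections listed above.
def audit_headers(headers, allowed_origins=()):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS must be present with a positive max-age.
    max_age = 0
    for part in h.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            max_age = int(value.strip('"'))
    if max_age <= 0:
        findings.append("HSTS missing or max-age=0")
    # CSP must exist and its script policy must not allow inline script or any host.
    directives = {}
    for d in h.get("content-security-policy", "").split(";"):
        tokens = d.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script = directives.get("script-src", directives.get("default-src"))
    if not directives:
        findings.append("CSP missing")
    elif script is None:
        findings.append("CSP has no script-src or default-src")
    elif "'unsafe-inline'" in script or "*" in script:
        findings.append("CSP script policy is permissive")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    # Credentialed CORS is only acceptable for an explicitly listed origin.
    if h.get("access-control-allow-credentials", "").lower() == "true":
        origin = h.get("access-control-allow-origin", "")
        if origin not in allowed_origins:
            findings.append("credentialed CORS for unlisted origin: " + origin)
    return findings

# Constructed sample responses (placeholder origin, not captured traffic).
ALLOWED = ("https://app.paypunch.example",)
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
        "Permissions-Policy": "camera=(), geolocation=()",
        "Access-Control-Allow-Origin": "https://app.paypunch.example",
        "Access-Control-Allow-Credentials": "true"}
WEAK = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "SAMEORIGIN", "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Origin": "https://other.example"}
```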

Your part

Security is shared. A few habits keep your account safe:
  • Keep your password and PIN private — never share or reuse them.
  • An employee PIN identifies you; never clock in for a coworker.
  • Sign out on shared devices, and reset credentials immediately if you suspect they’ve leaked.