Support

Where your data is stored

adminsecurity Last updated 26 April 2026

This article covers the technical details of where the platform runs and where your data lives. It’s intended for admins and anyone reviewing the platform for security or vendor due diligence purposes.

The infrastructure

Your HR Toolkit is built entirely on Cloudflare’s developer platform. There are no third-party hosting providers in the data path:

  • Cloudflare Pages serves the platform’s web interface and the support centre.
  • Cloudflare Workers runs the application logic and API.
  • Cloudflare D1 is the relational database (SQLite based, with replication for durability).
  • Cloudflare R2 is the object storage for uploaded files (contracts, employee documents, incident attachments, policy PDFs).
  • Cloudflare KV stores ephemeral state (rate limiting, short-lived cache).

This single-vendor infrastructure means your data flows through Cloudflare end to end without crossing into any other provider’s network.

Cloudflare’s certifications

Cloudflare maintains a comprehensive set of independent security certifications and attestations. As of writing, these include:

  • ISO 27001:2022 (information security management)
  • ISO 27018:2019 (privacy in the cloud)
  • SOC 2 Type II
  • PCI DSS (Cloudflare is a Level 1 PCI DSS service provider)
  • C5 Type 2 (Germany’s cloud computing compliance)
  • FedRAMP Moderate (US Federal authorisation, for relevant products)

The full and current list, with downloadable attestations, is at cloudflare.com/trust-hub.

We rely on these certifications for the underlying infrastructure controls (data centre physical security, hardware lifecycle, network isolation, employee background checks, change management at the infrastructure layer). Application-layer security (the platform code itself) is our responsibility.

Data residency

Cloudflare D1 and R2 store data in specific geographic regions. The primary location is set when the database or bucket is created. As of writing, the production database has its primary region in Cloudflare’s global network with the data accessible to the worker from any of Cloudflare’s data centres.

For organisations that need to know data residency specifics, contact security@yourhrtoolkit.com.au and we can confirm the current configuration.

Encryption summary

  • In transit: TLS 1.2 or higher for every connection. Cloudflare terminates TLS at the edge. The connection between Cloudflare’s edge and your browser is end to end encrypted.
  • At rest, infrastructure layer: D1 and R2 encrypt all stored data at rest by default.
  • At rest, application layer: Sensitive employee fields (TFN, bank details, super member numbers) are encrypted by the platform itself using AES-256-GCM before being written to the database. This means even at the database layer, those fields are unreadable without the application’s encryption key.
  • Encryption keys: Stored as Cloudflare Workers secrets, separate from the database. They are not visible to anyone with read access to the database alone.

Backups

Cloudflare D1 includes point-in-time recovery: the database is continuously backed up and we can restore to any point within the retention window (currently 30 days). The platform also runs a daily system maintenance check that confirms the database is healthy.

R2 storage is durable by design (Cloudflare replicates objects across their network for durability).

Access to the underlying infrastructure

Only a small number of platform engineers at Your HR Toolkit have production-level access to the Cloudflare account. All such access is:

  • Authenticated with 2FA
  • Logged at the Cloudflare account level
  • Limited to operational needs

We do not give third-party support providers, contractors, or anyone outside of the platform team production-level access to the infrastructure or the database.

Vendor due diligence requests

If your organisation needs:

  • A signed information security questionnaire (SIG, CAIQ, etc.)
  • Cloudflare’s audit reports under NDA
  • A statement of data flow for your DPIA
  • Confirmation of specific controls for a third-party assessment

Email security@yourhrtoolkit.com.au with what you need and your timeframe (or privacy@yourhrtoolkit.com.au for privacy-specific matters). We respond to vendor due diligence requests promptly.

Subprocessors

Apart from Cloudflare, the platform uses a small number of trusted subprocessors for specific functions:

  • Resend for transactional email delivery
  • Anthropic for AI features (policy drafting, performance document drafting, the Ask YHRTK assistant, the Reports AI Assistant)

The current subprocessor list is available on request via security@yourhrtoolkit.com.au.