HR data is among the most sensitive information a business holds. Here is exactly how TinyMIS protects it.
Each organisation runs in its own isolated environment with its own dedicated database. There is no shared tenant data store — one organisation cannot see another's records, by design.
All traffic between browsers, mobile apps, devices and the server is encrypted with TLS using Let's Encrypt certificates. HTTP requests are redirected to HTTPS.
Every module is gated by granular permissions. Administrators can give a user access to exactly the modules and actions they need — and no more.
Significant actions are logged with the user, subject, action text and timestamp, so changes can always be traced back to their source.
Owner-level full-system backup and per-tenant backup — on demand or on schedule — with restore for fast recovery from any incident.
Configuration files, source control and storage paths are explicitly denied at the web server, and a default catch-all vhost drops unknown hosts.
TinyMIS is built on a container-per-tenant, database-per-tenant model. Each organisation has its own database, its own environment configuration, and its own running instance — sharing only the application codebase.
A catch-all default server block refuses requests with an unknown or missing Host header, so a misrouted device that skips certificate validation is dropped rather than silently landing on the wrong tenant.
Registering a personal mobile device uses a one-time QR token or short bind code, validated server-side and revocable by an administrator — so a lost or replaced phone can be unbound instantly.
Payslip and performance-report downloads use Laravel signed URLs — cryptographically verified by the server, with expiry — so a link cannot be reused or forged, even without a session.
State-changing requests are protected by CSRF tokens, including the token-gated public visitor and job-application forms.
Push subscriptions are stored per-user, expired endpoints are pruned automatically, and push sending is wrapped so a delivery failure can never break a core request.
Read our full privacy statement to see exactly what data TinyMIS collects, why, and how long it is kept.
Read the Privacy Statement