Security
LeaveSync handles real payroll and leave data. Security is not an afterthought. Here is how data is protected at every layer.
LeaveSync uses Clerk for all authentication and authorisation. There are no custom user tables or password storage. Clerk handles session management, MFA options, and identity verification. All authenticated routes are protected by Clerk middleware.
LeaveSync is multi-tenant. Each Clerk Organisation is a strict tenant boundary. Every database query that accesses tenant data filters by the Clerk organisation ID. It is not possible for one organisation to access another organisation's data.
Roles are managed in Clerk and enforced at the application layer. Owner and admin roles have full organisational access. Manager roles have access scoped to their team and direct reports. Viewer roles have read-only access. Permissions are checked on every request.
All data is encrypted at rest using Neon PostgreSQL's encryption layer. All data in transit is protected by TLS. Xero OAuth tokens are encrypted at rest using application-level encryption and are never stored in plaintext or exposed to client-side code.
LeaveSync stores Xero OAuth refresh tokens encrypted at rest. Access tokens are short-lived and refreshed proactively before sync runs. Token refresh is handled server-side. If access is revoked in Xero, the LeaveSync connection is deactivated on the next sync attempt.
ICS feed URLs are secured with a signed token. Tokens are short, URL-safe, and revocable. The plaintext token value is never persisted in the database. If a feed URL is compromised, the token can be regenerated, immediately invalidating any existing subscriptions.
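The sketch below is an added illustration of one way to get the properties described above: short, URL-safe, revocable tokens whose plaintext is never stored. It is not LeaveSync's code. The function names, the in-memory `feedTokenDigests` map standing in for a database table, and the choice of storing an HMAC-SHA256 digest are all assumptions.

```javascript
// Added illustration: hypothetical feed-token handling, not LeaveSync's implementation.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// Assumption: a server-side key, generated here so the example runs offline.
// A real deployment would load it from a secret store.
const SERVER_KEY = randomBytes(32);

// Stand-in for the database: feedId -> 32-byte digest. No plaintext token is kept.
const feedTokenDigests = new Map();

// Keyed digest of a token. A leaked table alone cannot be replayed as feed URLs.
function digestToken(token) {
  return createHmac("sha256", SERVER_KEY).update(token, "utf8").digest();
}

// Issue a token for a feed, or regenerate it. The plaintext is returned once,
// for building the feed URL, and only its digest is stored. Overwriting the
// stored digest is what invalidates every URL built from the previous token.
function issueFeedToken(feedId) {
  const token = randomBytes(16).toString("base64url"); // 128 bits, 22 URL-safe chars
  feedTokenDigests.set(feedId, digestToken(token));
  return token;
}

// Check a token presented on a feed request against the stored digest.
function verifyFeedToken(feedId, presented) {
  const stored = feedTokenDigests.get(feedId);
  if (!stored || typeof presented !== "string") return false;
  // Both buffers are 32 bytes, so the constant-time comparison never throws.
  return timingSafeEqual(stored, digestToken(presented));
}

// Revoke without reissuing: the feed stops resolving for every subscriber.
function revokeFeedToken(feedId) {
  return feedTokenDigests.delete(feedId);
}
```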
LeaveSync runs on Vercel (application layer) and Neon PostgreSQL (database layer). Both are cloud-hosted in data centres that comply with standard data protection requirements. Data is not intentionally replicated across regions. Enterprise customers with specific data residency requirements can contact us to discuss them.
ICS feeds publish only the availability information you configure. Privacy controls let administrators specify which leave categories and availability types appear on published feeds. Sensitive leave categories can be hidden entirely or shown as unavailable without category detail.
If you have specific security requirements, a compliance obligation to assess, or want to report a vulnerability, please contact us directly. We take all reports seriously and respond promptly.
Contact: security@leavesync.com