Empuls is deployed on AWS using a security-first architecture built entirely on native AWS services — including VPC isolation, EKS, managed Kafka, WAF, and AES-256 encryption — rather than custom-built security controls.
Network isolation and compute
Empuls tenants run inside an AWS Virtual Private Cloud (VPC) with segregated subnets and security-group controls applied to every application component. Traffic between microservices never traverses the public internet, and each tenant’s data environment is logically isolated from all others. AWS Elastic Kubernetes Service (EKS) orchestrates the Empuls microservice fleet, providing automated scaling, rolling updates, and built-in container runtime security.
Managed data services
Rather than operating self-managed databases, Empuls uses AWS-managed offerings for all core data workloads. Managed Kafka powers real-time event streaming, while managed Elasticsearch underpins search, audit trails, and log aggregation. MySQL databases run in high-availability mode with native replication and disaster-recovery snapshots, all handled through cloud-native mechanisms that align with the Empuls Data Backup Policy.
Perimeter and transport security
All inbound traffic is terminated at AWS load balancers over HTTPS (TLS 1.3) before being routed to EKS workloads, ensuring encrypted transit from the client browser or HR integration — including connections from Workday, SAP SuccessFactors, and Darwinbox — through to the application layer. A Web Application Firewall (WAF) sits in front of Empuls and filters every request against the OWASP Top 10 threat set, blocking injection and scripting attacks before they reach any workload.
Encryption and key management
All personally identifiable data stored in Empuls is encrypted at rest using AES-256. Encryption keys are managed through a centralised key-management service equivalent to a hardware security module (HSM), following AWS encryption best practices. This encryption posture is independently validated as part of Xoxoday Empuls’ ISO 27001 certification and SOC 2 Type II audit programme.
Backup, resilience, and observability
Empuls uses AWS backup and restore capabilities to run both full and incremental backup schedules, ensuring data durability with configurable retention windows. Monitoring relies on cloud-native telemetry — logs and metrics — fed into the Empuls observability stack to drive real-time alerting and structured incident response. When an employee recognises a colleague through the Slack or Microsoft Teams integration, the event is logged, replicated, and backed up through the same AWS-native pipeline, giving administrators complete audit visibility without any additional configuration.