Security
Built to protect sensitive employee data
Anywrks handles SSNs, bank account numbers, immigration documents, and employment records for IDD and Medicaid providers. Here's exactly how that data is protected — and what we rely on to protect it.
Your organization owns its data
Anywrks acts as a processor of employee onboarding records on your behalf. Organizations may export completed packets and documents at any time. We do not sell, share, or use your employee data for any purpose other than providing the Anywrks platform.
Security through certified providers
Anywrks is built on Vercel (hosting), Supabase (database), and Clerk (authentication) — all SOC 2 Type II certified. We don't claim to hold these certifications ourselves; we build on infrastructure that does, so your data benefits from independently audited security controls.
- AES-256: Encryption at rest
- TLS 1.3: Encryption in transit
- SOC 2: Infrastructure certified
- 2FA: Required for all admins
How your data is protected
Encryption at Rest & in Transit
All data stored in Anywrks is encrypted using AES-256 — the same standard used by financial institutions and the U.S. federal government. All data transmitted between your browser and our servers is protected with TLS 1.3. SSNs, bank account numbers, and uploaded documents are never stored unencrypted.
SOC 2 Certified Infrastructure Providers
Anywrks is built on Vercel (hosting), Supabase (database), and Clerk (authentication) — all of which have completed SOC 2 Type II certification. This means the infrastructure your data lives on has been independently audited for security, availability, and confidentiality controls. Anywrks itself is not the certificate holder; our providers are.
Two-Factor Authentication
All admin accounts require two-factor authentication (2FA) to log in. Employees access their onboarding packet through a secure, time-limited access code — no password required. This limits exposure even if credentials are compromised.
Role-Based Access Control
Employees can only access their own onboarding packet — they cannot see other employees' data. Admin users can only access data belonging to their own organization. Access to customer data is restricted to authorized personnel and governed by internal access controls.
Audit Logs
Key actions in the platform are logged with a timestamp — link opened, form completed, document uploaded. These logs support your compliance recordkeeping and can be referenced in the event of an audit.
Backups & Availability
Your data is automatically backed up through Supabase's managed database infrastructure with point-in-time recovery. We leverage Vercel and Supabase's managed infrastructure to provide reliable platform availability.
Incident Response
Anywrks maintains an incident response process and will notify customers in accordance with applicable laws and contractual obligations. A post-incident summary will be provided upon request.
Responsible Disclosure
If you discover a potential vulnerability in Anywrks, please report it to security@anywrks.com. We take all reports seriously and will respond within 5 business days.
How we handle sensitive data
Social Security Numbers (SSN)
SSNs are collected only for IRS-required forms (W-4, I-9). They are encrypted before storage and masked by default in the admin dashboard — only the last 4 digits are visible unless explicitly revealed. SSNs are transmitted to the employer for payroll purposes and are never used by Anywrks for any other purpose.
Bank Account Information
Direct deposit account and routing numbers are collected solely for payroll setup. They are encrypted at rest and transmitted to the employer's payroll system. Anywrks does not process payroll and does not retain bank details beyond what's required for the employer's records.
Government-Issued ID Documents
Driver's Licenses, Passports, and USCIS documents are stored in encrypted object storage with access restricted to the provider organization. Files are served via time-limited signed URLs — they cannot be directly linked or cached by third parties.
I-9 Verification Documents
I-9 documents are treated as especially sensitive. Access is logged on every view. Records are retained for the legally required period (3 years from hire date or 1 year after termination, whichever is later) and then flagged for admin review before any deletion.
Additional practices
- Passwords are hashed — we never store plain-text credentials
- Sensitive fields (SSN, account numbers) are masked by default in the UI
- Session tokens expire after inactivity
- Dependencies are regularly reviewed for known vulnerabilities
- Production database access is restricted to authorized staff only
- All third-party vendors are evaluated for security and compliance posture
- Anywrks carries professional liability (E&O) insurance
Security questions or concerns?
If you have a security question, want to report a vulnerability, or need documentation for compliance purposes, reach out directly.
Contact Security Team: security@anywrks.com · We respond within 5 business days