Skip to main content

Data Security

How Your Data Is Protected

Omeny protects your data with industry-standard technical and organizational measures:

  • Secure connections: All traffic between your browser and the app uses HTTPS (TLS). Data in transit is encrypted.
  • Encryption at rest: Stored data (e.g. employees, time logs, schedules) is encrypted where it is held by the platform.
  • Access controls: You sign in with email and password. Sessions are managed securely. API routes that change data (e.g. profile updates, organization settings) use CSRF protection to reduce cross-site request forgery risks.
  • Security headers: The app sends security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security on HTTPS) to help prevent common attacks.

Your organization's data (employees, shifts, time off, time logs) is separate from other organizations. Only members of your organization with the right role can access it.

Access Controls

  • Login: Dashboard users sign in with email and password. Time clock users identify with a 4‑digit PIN (and, when required, location). PINs are unique per organization and should be shared only with the right people.
  • Roles: Owner, Admin, Manager, and Viewer roles control who can see and change what. Edits to employees, shifts, time off, and time logs require manager or admin (or owner) access. Organization settings (e.g. departments, employment types, devices) are managed by owners and admins only. Viewers can only view data. See Roles and Permissions and User Permissions.
  • Device authorization: Time clock devices must be authorized (e.g. 8‑digit code) before employees can check in. Only managers or admins can authorize devices. Deauthorize devices when they're no longer in use. See Kiosk System, Managing Time Clock Devices, and Best Practices – Time Clock Deployment.

Row-Level Security

The database uses row-level security (RLS). In practice, this means:

  • You only see your organization's data. Employees, shifts, time off, time logs, and settings are scoped by organization. When you switch organizations, you see only that organization's data.
  • No cross-organization access. Users in Organization A cannot access Organization B's data. Each organization's data is isolated. See User Permissions.

Next: Privacy Considerations