Your payroll data is safe with us
You trust us with your employees' most sensitive information: what they earn, where they bank, and how they are taxed. We take that responsibility seriously.
ISO 27001:2022
Certified
InterCert
Certification Body
Payroll data is high-value, high-risk
Payroll systems hold names, addresses, tax file numbers, IRD numbers, bank account details, salary information, and leave records. A breach does not just affect your organisation. It affects every employee on your payroll and their families.
The regulatory environment across Australia and New Zealand demands that this data be protected, auditable, and recoverable. The Privacy Act (NZ), Australian Privacy Principles, and the Notifiable Data Breaches scheme set the floor. We build above it.
The cost of getting this wrong
A payroll data breach can result in regulatory penalties, reputational damage, and a loss of employee trust that takes years to rebuild. The question is not whether your payroll provider has security features. It is whether security is built into how they operate.
ISO 27001:2022 certified
Affinity Payroll holds ISO 27001:2022 certification, the international standard for information security management systems (ISMS). This is not a self-assessment. It is an independent, externally audited certification by InterCert, covering our entire operation: platform, people, processes, and infrastructure.
ISO 27001:2022 requires organisations to identify information security risks, implement controls to address them, and maintain those controls through continuous monitoring and improvement. It covers:
- Risk assessment and treatment methodology
- Access control and identity management
- Cryptographic controls and key management
- Physical and environmental security
- Operations security and change management
- Supplier relationship security
- Incident management and response
- Business continuity and disaster recovery
Certification is maintained through regular surveillance audits and a full recertification cycle every three years.

How we protect your data
Security is not a feature we bolt on. It is built into the platform, our processes, and how we operate every day.
Encryption at rest and in transit
All payroll data is encrypted using AES-256 at rest and TLS 1.2+ in transit. Encryption keys are managed through dedicated key management infrastructure with regular rotation.
Access control
Role-based access control with the principle of least privilege. Multi-factor authentication for all administrative access. Full audit trails on every data access event.
AU/NZ data residency
All payroll data is held in secure Australian and New Zealand data centres. Your data does not leave the jurisdictions where your employees are located.
Continuous monitoring
Real-time security monitoring, intrusion detection, and automated alerting. Security events are triaged and investigated by our operations team, not outsourced to a third party.
Business continuity
Redundant infrastructure with automated failover. Regular disaster recovery testing. Defined recovery time and recovery point objectives aligned to payroll processing windows.
Backup and recovery
Automated encrypted backups with geographically separated storage. Point-in-time recovery capability. Regular restore testing to verify backup integrity.
People and training
All Affinity staff complete security awareness training. Background checks for all employees. Security responsibilities are defined in every role, not just the IT team.
Incident response
Documented incident response procedures with defined escalation paths. Notification processes aligned to Notifiable Data Breaches (AU) and Privacy Act (NZ) requirements.
Regulatory alignment
Full alignment with Australian Privacy Principles, NZ Privacy Act 2020, IRD security requirements, and ATO data standards. Compliance is not an afterthought.
Testing and assurance
Certification is a starting point, not a finish line. We validate our security posture continuously through independent testing and internal review.
External penetration testing
Regular penetration tests conducted by independent security firms. Findings are remediated and verified before the next test cycle.
Vulnerability management
Automated vulnerability scanning across infrastructure and application layers. Defined SLAs for remediation based on severity.
Internal audits
Regular internal audits against our ISMS controls. Findings drive continuous improvement across security policies and procedures.
Surveillance audits
Annual surveillance audits by InterCert to verify ongoing conformity with ISO 27001:2022 requirements.
Payroll-specific security
Generic security frameworks are necessary but not sufficient for payroll. Payroll data has specific risks and regulatory requirements that general-purpose platforms do not address.
Tax file number and IRD number handling
TFN and IRD numbers are subject to specific handling requirements under Australian and New Zealand law. Affinity applies additional access controls, masking, and audit logging beyond standard personal information protections.
Bank account verification
Changes to employee bank account details are logged, flagged, and subject to configurable approval workflows. This protects against both external fraud and internal errors.
Pay run integrity
Payroll IQ provides automated anomaly detection before the payslip is produced, flagging unusual variances, missing data, and compliance risks. This is both an accuracy tool and a security control.
Segregation of duties
Configurable role-based access ensures that the person who sets up a pay run is not the same person who approves it. Segregation of duties is enforced at the platform level, not just by policy.
Audit trail
Every change to payroll data, every access event, and every pay run action is logged with timestamps, user identity, and before/after values. Audit trails are immutable and available for compliance reporting.
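The four controls described above (masking of TFN and bank details, flagged bank-account changes behind an approval step, segregation of duties between the person who requests and the person who approves, and an audit trail that records actor, timestamp and before/after values) fit together in a small model. The following is an added illustration written for this page, not Affinity's code: the user names, roles, employee record and identifiers are constructed, and the hash chain is one common way to make a log tamper-evident, used here as an assumption about how "immutable" might be implemented rather than a description of the platform.

```python
"""Toy model of payroll-specific controls: identifier masking, approval-gated
bank-detail changes, segregation of duties, and a hash-chained audit trail.
Added illustration, not vendor code; all names and sample values are constructed."""
from datetime import datetime, timezone
import hashlib
import json


def mask_identifier(value: str, visible: int = 3) -> str:
    """Show only the last `visible` digits: TFN '123456782' -> '******782'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


class AuditTrail:
    """Append-only log. Each entry embeds the previous entry's hash, so editing
    or deleting an earlier entry breaks the chain and is caught by verify()."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, employee_id, before, after):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "employee_id": employee_id,
                 "before": before, "after": after, "prev_hash": prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class SegregationError(Exception):
    """One person attempted to both request and approve the same change."""


class PayrollStore:
    # Constructed users and roles; a real deployment would source these from the IdP.
    USERS = {"clerk.a": {"payroll_clerk"},
             "manager.b": {"payroll_approver"},
             "manager.c": {"payroll_clerk", "payroll_approver"}}

    def __init__(self, audit: AuditTrail):
        self.audit, self.employees, self.pending, self._seq = audit, {}, {}, 0

    def _require_role(self, actor, role):
        if role not in self.USERS.get(actor, set()):
            raise PermissionError(f"{actor} lacks role {role}")

    @staticmethod
    def _masked(rec):
        return {"tfn": mask_identifier(rec["tfn"]),
                "bank_account": mask_identifier(rec["bank_account"])}

    def add_employee(self, actor, employee_id, tfn, bank_account):
        self._require_role(actor, "payroll_clerk")
        self.employees[employee_id] = {"tfn": tfn, "bank_account": bank_account}
        # Only masked values ever reach the audit log.
        self.audit.record(actor, "employee.create", employee_id, None,
                          self._masked(self.employees[employee_id]))

    def view_employee(self, actor, employee_id):
        """UI view: identifiers masked, and the read itself is an audited event."""
        self._require_role(actor, "payroll_clerk")
        self.audit.record(actor, "employee.read", employee_id, None, None)
        return self._masked(self.employees[employee_id])

    def request_bank_change(self, actor, employee_id, new_account):
        """Bank-detail changes are never applied directly; they are flagged as pending."""
        self._require_role(actor, "payroll_clerk")
        self._seq += 1
        change_id = f"chg-{self._seq}"
        self.pending[change_id] = {"employee_id": employee_id,
                                   "requested_by": actor, "new_account": new_account}
        self.audit.record(actor, "bank_change.requested", employee_id,
                          {"bank_account": mask_identifier(self.employees[employee_id]["bank_account"])},
                          {"bank_account": mask_identifier(new_account), "status": "pending_approval"})
        return change_id

    def approve_bank_change(self, approver, change_id):
        self._require_role(approver, "payroll_approver")
        chg = self.pending[change_id]
        if chg["requested_by"] == approver:  # segregation of duties, enforced in code
            raise SegregationError("requester cannot approve their own bank-detail change")
        emp = self.employees[chg["employee_id"]]
        before = {"bank_account": mask_identifier(emp["bank_account"])}
        emp["bank_account"] = chg["new_account"]
        del self.pending[change_id]
        self.audit.record(approver, "bank_change.approved", chg["employee_id"], before,
                          {"bank_account": mask_identifier(emp["bank_account"]),
                           "requested_by": chg["requested_by"]})


def demo():
    """Walk through the workflow; returns the store, trail and the blocked exception name."""
    audit = AuditTrail()
    store = PayrollStore(audit)
    store.add_employee("clerk.a", "E1001", "123456782", "062000-12345678")  # constructed
    chg = store.request_bank_change("manager.c", "E1001", "062000-87654321")
    try:
        store.approve_bank_change("manager.c", chg)  # same person requested it: blocked
        blocked = None
    except SegregationError as exc:
        blocked = type(exc).__name__
    store.approve_bank_change("manager.b", chg)  # a different approver: applied
    return store, audit, blocked


if __name__ == "__main__":
    store, audit, blocked = demo()
    print(blocked, store.view_employee("clerk.a", "E1001"), audit.verify())
```

The point a reviewer would check in a real platform is the same one `demo()` exercises: the approval path must compare the approver against the recorded requester (not merely check a role), the raw identifier must never appear in the log, and `verify()` must fail the moment any earlier entry is altered.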
Why organisations trust Affinity
Security is not a department at Affinity. It is how we operate.
ISO 27001:2022
Independently certified
500,000+
Employees processed securely
40+ years
AU/NZ payroll operations
100% local
AU/NZ data residency
Frequently asked questions
What security certifications does Affinity hold?
Affinity holds ISO 27001:2022 certification, independently audited by InterCert. This covers our information security management system across all payroll processing, data storage, and support operations for AU and NZ clients.
Where is payroll data stored?
All payroll data is stored in Australia. We maintain strict data residency requirements — no payroll data leaves Australian jurisdiction. Data is encrypted at rest and in transit using bank-grade encryption standards.
How does Affinity protect sensitive employee information like TFNs and IRD numbers?
Tax file numbers, IRD numbers, and bank account details are encrypted at rest, masked in the user interface, and access-controlled through role-based permissions. Audit trails log every access event for compliance and investigation purposes.
Does Affinity support single sign-on (SSO)?
Yes. Affinity supports SAML-based single sign-on integration with enterprise identity providers including Azure AD, Okta, and other SAML 2.0 compliant platforms. Multi-factor authentication is also available.
How often is the platform independently audited?
Our ISO 27001:2022 certification requires regular surveillance audits by InterCert. We also conduct internal security assessments, vulnerability scanning, and penetration testing on an ongoing basis.
What happens during a security incident?
Affinity maintains a documented incident response plan as part of our ISO 27001 framework. This includes defined escalation procedures, containment protocols, client notification processes, and post-incident review to prevent recurrence.
Questions about our security practices?
We are happy to discuss our security controls, provide documentation for your procurement or risk team, or walk through our ISO 27001:2022 certification scope in detail.