Security Architecture

How we protect your clients’ data

Privacy by Design (Art. 25 GDPR)

Security is not an add-on to Diurna: it’s the foundation of the architecture. Every layer of the system, from the database to the user interface, was designed with privacy as a primary requirement.

Row Level Security (RLS) ensures that every database query is automatically filtered by user. A user can NEVER access data that doesn’t belong to them, regardless of the type of request. Isolation is guaranteed by the architecture, not by a configurable policy.
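What a per-user RLS policy looks like on PostgreSQL/Supabase, together with the queries that confirm it is enforced. This is an added example, not Diurna's own schema: the table `attendance_records`, its columns and the policy name are hypothetical, while `auth.uid()` and the `authenticated` role are Supabase's standard helpers.

```sql
-- Hypothetical table (names and columns are assumptions, not Diurna's schema).
create table attendance_records (
    id        bigint generated always as identity primary key,
    owner_id  uuid not null,          -- account that owns the row
    employee  text not null,
    worked_on date not null,
    hours     numeric(4,2) not null
);

-- Policies have no effect until RLS is enabled on the table.
-- FORCE makes the policies apply to the table owner as well.
alter table attendance_records enable row level security;
alter table attendance_records force row level security;

-- A signed-in user can read and write only rows they own.
-- USING filters rows on SELECT/UPDATE/DELETE; WITH CHECK validates
-- rows on INSERT/UPDATE so a user cannot write a row for someone else.
create policy attendance_owner_only on attendance_records
    for all
    to authenticated
    using (owner_id = auth.uid())
    with check (owner_id = auth.uid());

-- Check 1: tables in the public schema where RLS is off or not forced.
-- An empty result means every table is covered.
select c.relname,
       c.relrowsecurity      as rls_enabled,
       c.relforcerowsecurity as rls_forced
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not (c.relrowsecurity and c.relforcerowsecurity);

-- Check 2: tables with RLS enabled but no policy at all
-- (these deny every row to non-exempt roles, usually a deployment mistake).
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
       on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public' and c.relrowsecurity and p.policyname is null;

-- Check 3: roles exempt from RLS (superusers and BYPASSRLS roles).
-- Review who holds credentials for each role listed here.
select rolname, rolsuper, rolbypassrls
from pg_roles
where rolsuper or rolbypassrls;
```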

Privacy Wall

The platform developer cannot access the personal data (PII) of your clients and employees. This is not a policy choice: it is architecturally impossible.

RLS DENY policies prevent access to tax IDs, names, sensitive data, and personal information even with administrative database access. Only aggregated and anonymized data is visible to the platform operator.

Data Minimization

We collect exclusively the data strictly necessary for attendance management and payroll processing. The principle of minimization is rigorously applied.

✓ Data collected

  • Employee personal details
  • Attendance, absences, overtime
  • Essential contract data
  • Tax identification number (for regulatory filings)

✕ Data NOT collected

  • Banking data (IBAN/BIC/SWIFT)
  • Detailed health records
  • Financial information
  • Data not essential to payroll

Encryption & Infrastructure

TLS in transit

All data is encrypted during transmission using the TLS protocol.

EU data center

Data resides in European data centers (Ireland) with enterprise-grade certifications.

Supabase Managed

Managed infrastructure with enterprise-level security and automatic backups.

Segregated access

Access keys rotated and managed through a secure vault.

Audit Trail & Accountability

Every creation, modification, and deletion operation in the system is logged with:

  • Precise timestamp of the operation
  • Identity of the user who performed the action
  • Complete operational details (old value, new value)
  • Operation type (CREATE, UPDATE, DELETE)

Full compliance with GDPR accountability obligations (Art. 5, 25, 32).

Data Subject Rights

Right of access

Users can view their registered data in the system at any time.

Right to erasure

Cascade constraints ensure complete data removal upon request, in compliance with legal obligations.

Breach notification

Documented procedures for notifying any data breach within 72 hours (Art. 33-34 GDPR).

Data Protection Compliance

In addition to GDPR, Diurna complies with applicable national data protection laws and their amendments.

  • Full compliance with national data protection regulations
  • Data retention in accordance with applicable legal requirements
  • Data Processing Agreement (DPA) available upon request