Security Policy

The formal StoreSync security policy covering access control, data protection, shared responsibilities, availability and responsible disclosure.

Effective: 2 May 2026
Company: OJR Software LTD
Company no: 17005151

Summary: StoreSync is designed around authenticated access, organisation-level separation, role-based permissions and extra care around sensitive workforce records such as payslips, timesheets, billing and staff administration. Security is shared: we protect the service, and organisation customers must manage users, roles, devices and leavers responsibly.

  • Access control: Accounts, organisation membership, roles, module permissions, sites and groups.
  • Sensitive records: Extra protection for payslips, billing and other high-risk app areas where appropriate.
  • Operational resilience: Backups, maintenance processes and supplier controls to support reliable service delivery.

1. Security model

StoreSync is built for organisation customers that need to manage staff, sites, rotas, time and attendance, time off, timesheets, payslips and related admin. Access is based on a user’s account, their organisation membership and the permissions assigned by that organisation.

Permissions may be scoped by role, module, primary site, assigned sites, primary group, assigned groups, department or organisation-wide access. This helps customers give managers access to the parts of the business they actually run, without giving every user broad access by default.

2. Account access and authentication

  • Users must sign in before accessing the StoreSync app.
  • Passwords should be strong, unique and kept confidential.
  • Sensitive actions or pages may require password re-confirmation.
  • Sessions, access checks and account state are used to reduce the risk of unauthorised access.
  • Customers should remove or restrict access promptly when a user leaves the organisation or changes role.

3. Organisation separation and permissions

StoreSync separates customer workspaces by organisation. Users should only see organisations, sites, groups, modules and records they are authorised to access.

Organisation owners and admins are responsible for setting up roles and permissions carefully. Access should be reviewed regularly, especially after staff changes, manager changes, site changes or subscription/admin changes.

4. Sensitive workforce data

StoreSync may hold sensitive operational records such as timesheets, clock records, time-off history, payslip files, staff details, employment information, emergency contacts, role permissions and support tickets.

Payslip and billing-related areas should be treated as higher-risk areas. Where StoreSync applies additional password checks or page-level gates, those checks are intended to reduce casual or shared-device exposure; they are not a replacement for secure devices, strong passwords and careful administrator access.

5. Payments and card data

Subscription payments and payment methods are handled through Stripe or another payment provider used by StoreSync. StoreSync does not need to store full payment card numbers to provide subscription billing.

6. Application, hosting and supplier controls

StoreSync uses technical and organisational measures intended to protect the service, including access checks, defensive coding practices, restricted operational access, supplier selection, backups and monitoring appropriate to the size and stage of the service.

Where third-party providers are used for hosting, payment processing, email, analytics, infrastructure or support, StoreSync remains responsible for choosing suitable providers and managing those relationships appropriately.

7. Availability, maintenance and backups

We aim to keep StoreSync available and reliable, but no online service can be guaranteed to be uninterrupted. Availability may be affected by maintenance, updates, hosting incidents, internet disruption, cyber attacks, payment-provider disruption, email-provider disruption or events outside our reasonable control.

Backups and recovery processes support resilience. They are not a substitute for organisation customers keeping any legally required payroll, accounting, employment, tax or business records outside StoreSync where required by law or internal policy.

8. Customer responsibilities

  • Use strong, unique passwords and keep login details confidential.
  • Limit owner, billing and administrator access to people who genuinely need it.
  • Review roles, module permissions, site scopes and group scopes regularly.
  • Remove or restrict leavers promptly, including managers and admins.
  • Keep devices, browsers and email accounts secure.
  • Train users not to share accounts or access records without a work-related need.
  • Report suspected unauthorised access or data exposure quickly.

9. Staff-user responsibilities

Staff users must only access StoreSync using their own account and only for authorised work-related purposes. They must not share passwords, bypass access controls, export data without permission or view records they do not have a legitimate reason to access.

If a staff user believes they can see the wrong organisation, site, staff record, payslip, timesheet or other data, they should stop accessing that information and report it to their employer or StoreSync.

10. Responsible disclosure

Report suspected security issues to security@storesync.uk. Include a clear description, the affected page or workflow, steps to reproduce if safe, and any relevant screenshots or timestamps.

Do not: access, modify, delete, download or disclose data that is not yours; disrupt the service; perform denial-of-service testing; social-engineer users or staff; run automated scanning at scale; or publicly disclose an issue before we have had a reasonable opportunity to investigate and respond.

StoreSync does not operate a public bug bounty unless we say otherwise in writing. Security testing must be authorised in advance.

11. Incident response

When we become aware of a potential security incident, we assess the issue, take reasonable steps to contain and investigate it, and communicate with affected customers or users where appropriate. Where required, we will also take steps needed under applicable data protection law.

12. What this page is not

This policy is not a guarantee of uninterrupted service, a formal service level agreement, a certification claim, or a complete description of every control used by StoreSync. Security practices may change as the product, infrastructure and legal requirements develop.

13. Security contact

Security issues: security@storesync.uk
Urgent account/support issues: support@storesync.uk

Early-stage workforce software for retail, hospitality and local teams. Currently being tested with selected businesses.

OJR Software LTD
Company no. 17005151

contact@storesync.uk
support@storesync.uk

© 2026 OJR Software LTD. All rights reserved. 3rd Floor, 86-90 Paul Street, London, England, United Kingdom, EC2A 4NE