
Enterprise Security

Disclaimer & Limitation of Liability

TAP Innovations’ technical, administrative, and physical safeguards protecting the confidentiality, integrity, and availability of Customer Data in FlowIQ.

Last Updated: June 1, 2026

help@tapinnov.com

TAP Innovations, LLC — Security & Data Protection Policy


This policy describes the technical, administrative, and physical safeguards TAP Innovations, LLC maintains to protect the confidentiality, integrity, and availability of Customer Data processed through FlowIQ and our other Services, and how we align with prevailing privacy frameworks including GDPR, the UK GDPR, and CCPA/CPRA.

3.1 Our Security Program


Security is led by a dedicated function within engineering and reports to executive leadership. The program is risk-based and continuously improving, with controls mapped to recognized frameworks including:

  • NIST Cybersecurity Framework (CSF) — risk-based controls and continuous improvement.
  • ISO/IEC 27001 — information security management standards.
  • OWASP Application Security Verification Standard (ASVS) — application-level security controls.
  • Cloud Security Alliance Cloud Controls Matrix (CCM) — cloud-specific security guidance.

Where applicable, controls are evaluated against SOC 2 (Trust Services Criteria) and HIPAA Security Rule expectations.

3.2 Hosting and Cloud Infrastructure


FlowIQ is hosted on Microsoft Azure, which provides physically secure, geographically distributed data centers, network isolation, encryption services, identity management, and continuous infrastructure monitoring.

Azure Attestations Include:
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3, PCI DSS, HIPAA-eligible services, and FedRAMP authorization for relevant regions.
  • Region Selection. Production services run in U.S. Azure regions by default; alternative regions are available for enterprise customers with data residency requirements, subject to contract.
  • Redundancy. Critical components are deployed across availability zones with automated failover and routine recovery exercises.
  • Physical Security. Data center physical access, environmental controls, and disposal of media are managed by Microsoft under their published security and compliance programs.

3.3 Network Security


  • Production networks are segmented from corporate networks and from non-production environments.
  • Inbound traffic is restricted by managed firewalls, web application firewalls (WAF), and DDoS mitigation provided by the cloud platform.
  • Administrative access uses bastion hosts and identity-aware proxies — direct production access from the public internet is not permitted.
  • Egress is restricted by allow-lists where practical, and traffic between services is encrypted.

3.4 Encryption


  • In Transit. All Customer Data transmitted between you and the Services is encrypted using TLS 1.2 or higher with modern cipher suites. Internal service-to-service traffic in the production environment is also encrypted.
  • At Rest. Customer Data and backups are encrypted at rest using AES-256 (or stronger) through managed Azure encryption services.
  • Key Management. Encryption keys and secrets are stored in managed key vault services with role-based access control, rotation, and audit logging. For eligible enterprise customers, customer-managed keys may be supported under a Negotiated Agreement.

3.5 Identity and Access Management


  • Access to production systems and Customer Data is granted on a least-privilege, need-to-know basis and is approved through documented workflows.
  • All administrative access requires multi-factor authentication.
  • Privileged actions are logged centrally and reviewed periodically.
  • Access is revoked promptly on role change or termination as part of our joiner-mover-leaver process.
  • Customers can configure single sign-on (SAML/OIDC), role-based permissions, and MFA enforcement within FlowIQ where supported.

3.6 Secure Software Development Lifecycle (SSDLC)


  • Threat modeling and security review are integrated into design for significant features.
  • Code is peer-reviewed before merge.
  • Static application security testing (SAST), dependency / software composition analysis (SCA), and secret scanning run in continuous integration.
  • Container and infrastructure-as-code scanning are performed before deployment to production.
  • Dynamic application security testing (DAST) and periodic third-party penetration testing are conducted; remediation is tracked through closure.
  • We maintain a coordinated vulnerability disclosure channel and welcome responsible reports from security researchers.

3.7 Vulnerability and Patch Management


We monitor for security advisories affecting our platform, dependencies, and base images, and prioritize remediation based on exploitability and impact. Critical vulnerabilities affecting production are remediated on an expedited schedule.

3.8 Logging, Monitoring, and Detection


Production environments emit security, application, and infrastructure telemetry to centralized log management. Alerts route to on-call engineers, and high-severity events are escalated to the incident response function. Audit logs are retained consistent with the Data Retention & Deletion Policy (Section 7) and applicable law.

3.9 Personnel Security


  • Employees and contractors with access to Customer Data sign confidentiality agreements and complete role-appropriate security and privacy training at hire and annually.
  • Background checks are conducted where permitted by law.
  • Access is provisioned through role-based policies and reviewed periodically.

3.10 Data Protection Rights (CCPA/CPRA and Similar Laws)


Where applicable law gives individuals rights over their personal information, we honor those rights, including:

  • Access, correction, and deletion of personal data.
  • Restriction, portability, and objection to processing.
  • The right to opt out of sale or sharing of personal information.

We act on instructions from our customers (where we process personal data on their behalf) and from individuals directly (where we are the data controller). Requests may be submitted as described in Section 6.

3.11 Business Continuity and Backups


  • Customer Data is backed up on a regular schedule and stored in encrypted form.
  • Restoration procedures are tested periodically.
  • Recovery time objectives (RTO) and recovery point objectives (RPO) are documented internally and may be shared with enterprise customers under a Negotiated Agreement.

3.12 Subprocessors


A current list of subprocessor categories is maintained in our Third-Party Services & Subprocessor Disclosure (Section 10). Enterprise customers may subscribe to receive notice of material changes.

3.13 Incident Response


Security incidents are managed in accordance with the Incident Response & Breach Notification Policy (Section 13).

Customer Responsibilities
Security is a shared responsibility. Customers should configure SSO and MFA, manage user roles, protect API keys, follow least-privilege principles for integrations, and promptly report any suspected security issue to help@tapinnov.com.

3.14 Contact


Security & Data Protection: help@tapinnov.com

Registered Address: 6210 North Belt Line Road, Suite 150
Irving, Texas 75063, USA