Security Best Practices for Commission Data
Commission data is sensitive: it reveals earnings, performance rankings, and business financials. Protecting this information isn't optional—it's essential. Here's how to do it right.
Understanding What You're Protecting
Commission data typically includes:
- Individual earnings and payout amounts
- Performance metrics tied to specific people
- Commission structures (your competitive advantage)
- Bank account or payment details
- Business revenue and margin information
A breach could expose personal financial information, give competitors insight into your compensation strategy, or enable fraud. The stakes are high.
Access Control: Who Sees What
Not everyone needs access to everything. Implement role-based permissions:
- Chatters: See only their own clockouts, commissions, and performance
- Managers: See their team's data, but not other teams
- Admins: Full access to all data and settings
- Owners: Admin access plus billing and account management
ReportFlow enforces these boundaries automatically. Someone logging in as a Chatter literally cannot access another person's commission data—the system won't return it.
Authentication Best Practices
Strong authentication is your first line of defense:
- Enforce strong passwords: Minimum 12 characters, complexity requirements
- Enable two-factor authentication (2FA): Require it for admin accounts at minimum
- Use SSO where possible: Single sign-on reduces password sprawl
- Review access regularly: Remove accounts for people who've left
Critical: Offboarding Process
When someone leaves your organization, revoke their access immediately. This includes ReportFlow accounts, Discord permissions, and any API keys they may have created. Don't wait for the end of the pay period.
API Key Security
If you're using the ReportFlow API, treat API keys like passwords:
- Store keys in environment variables, never in code
- Use different keys for development and production
- Rotate keys periodically (quarterly is a good cadence)
- Revoke and replace any key that may have been exposed
- Use IP allowlisting for production keys (Enterprise plan)
Audit Logging
Know who did what and when. ReportFlow maintains comprehensive audit logs:
- All login attempts (successful and failed)
- Commission rule changes
- Clockout approvals and rejections
- User permission changes
- Data exports
Review these logs periodically. Unusual patterns—like someone exporting all commission data at 3am—warrant investigation.
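Reviewing the logs for the patterns described above can be scripted. The following added example (not ReportFlow's own code) parses constructed sample entries in an assumed pipe-separated format and flags exports made outside business hours, bulk exports, and repeated failed logins; the event names, line format and thresholds are assumptions to adapt to the export format you actually receive.

```python
from collections import Counter
from datetime import datetime

# Constructed sample entries in an assumed format: "timestamp | user | event | key=value ..."
SAMPLE_LOG = """\
2024-03-04T09:12:01 | alice | login_success | ip=203.0.113.10
2024-03-04T09:15:44 | alice | commission_rule_change | rule=tier2_rate
2024-03-04T03:02:10 | bob | data_export | rows=18250
2024-03-04T11:40:05 | carol | login_failed | ip=198.51.100.7
2024-03-04T11:40:09 | carol | login_failed | ip=198.51.100.7
2024-03-04T11:40:15 | carol | login_failed | ip=198.51.100.7
2024-03-04T11:40:20 | carol | login_failed | ip=198.51.100.7
2024-03-04T11:40:26 | carol | login_failed | ip=198.51.100.7
2024-03-04T14:05:00 | dave | data_export | rows=120
"""

BUSINESS_HOURS = range(8, 19)  # assumed: 08:00-18:59 local time is normal activity
BULK_EXPORT_ROWS = 5000        # assumed: exports at or above this size are "bulk"
FAILED_LOGIN_LIMIT = 5         # assumed: this many failures per user per day is suspicious

def parse_log(text):
    """Parse the constructed pipe-separated format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        ts, user, event, detail = [part.strip() for part in line.split("|")]
        fields = dict(kv.split("=", 1) for kv in detail.split())
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, **fields})
    return entries

def find_findings(entries):
    """Return (user, reason) pairs that warrant a closer look."""
    findings = []
    failed = Counter()  # failed logins per (user, day)
    for e in entries:
        if e["event"] == "data_export":
            rows = int(e.get("rows", 0))
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append((e["user"], f"export of {rows} rows at {e['ts']:%H:%M}, outside business hours"))
            if rows >= BULK_EXPORT_ROWS:
                findings.append((e["user"], f"bulk export of {rows} rows"))
        elif e["event"] == "login_failed":
            failed[(e["user"], e["ts"].date())] += 1
    for (user, day), n in failed.items():
        if n >= FAILED_LOGIN_LIMIT:
            findings.append((user, f"{n} failed logins on {day}"))
    return findings
```

Run on the sample, it flags bob twice (an out-of-hours export that is also a bulk export) and carol once (five failed logins), while alice's and dave's routine activity produces no findings.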
Data Retention and Deletion
Keep data as long as you need it, but not forever:
- Define retention policies based on legal and business requirements
- Archive old data if you need it for historical analysis
- Securely delete data you no longer need
- Honor data deletion requests from individuals (GDPR, CCPA)
What ReportFlow Does for You
Security is a shared responsibility. Here's what ReportFlow handles:
- Encryption: All data encrypted at rest and in transit
- Infrastructure: Hosted on SOC 2 compliant cloud infrastructure
- Backups: Automated daily backups with point-in-time recovery
- Monitoring: 24/7 security monitoring and alerting
- Updates: Regular security patches and vulnerability scanning
Your Security Checklist
- ✓ Role-based permissions configured correctly
- ✓ 2FA enabled for all admin accounts
- ✓ Offboarding process includes ReportFlow access revocation
- ✓ API keys stored securely (not in code)
- ✓ Audit logs reviewed monthly
- ✓ Data retention policy documented