Last updated May 2025

Your people's data is handled with care.

MATANA is built for HR teams that need to move fast without compromising on trust. Here's exactly how we protect your employees' information.

Talk to Security

Google & Microsoft SSO only

No passwords to leak

Encrypted in transit and at rest

TLS everywhere, AES-256 at rest

Organization-level data isolation

Your data is structurally separated

Secure token storage on mobile

iOS Keychain / Android Keystore

Employee privacy by design

Employees see only their own data

Instant access revocation

Disable an employee, access stops immediately

Data & Privacy

Employees see only what's theirs.

Employees using the mobile app can view their own wallet, gifts, perks, events, and clubs. They cannot see other employees' personal information, wallet balances, dietary preferences, or birthday dates.

Anonymous messaging is truly anonymous in the UI. When an employee sends a message marked anonymous, their name is hidden from the HR dashboard — even though the system still stores the employee ID internally for integrity.

We don't track your employees for advertising. MATANA's built-in analytics exist solely to give HR teams aggregated usage insights. No advertising networks, analytics platforms, or data brokers receive any MATANA user data.

Authentication

No passwords. Ever.

Dashboard managers sign in with their existing Google or Microsoft account. The mobile employee app works the same way — employees tap “Sign in with Google” or “Sign in with Microsoft” using their work email.

MATANA never handles your password. Identity verification is delegated entirely to Google and Microsoft, whose tokens we validate server-side using their published public keys.

On mobile: We use PKCE (Proof Key for Code Exchange) — a security standard for native apps that eliminates the need to transmit any client secret.

Google / Microsoft→MATANA→JWT→App

Access Control

The right people see the right things.

Every dashboard user has a permission level — Full, Limited, or Custom — which controls exactly which sections they can access. These aren't just UI restrictions; permissions are enforced on the API server.

Full

Limited

Custom

Controlled sections

Overview

Employee Directory

Gifts

Perks

Events

Clubs

Vendors

Budget

Analytics & Insights

Employee Messages

Settings

Security Controls

Your data is yours alone.

Every piece of data in MATANA — employees, gifts, events, perks, budgets — is tagged with your organization's ID. Every query is scoped to that ID, derived from your verified session token.

Structural isolation

There is no path, no API call, no edge case where a user from one organization can read data from another.

Server-side enforcement

Permissions are enforced on the API server — even if someone bypassed the browser, they would still be blocked.

Instant revocation

Disable an employee and access stops immediately, even if they have an active session token.

Infrastructure

Built on infrastructure you can trust.

All production traffic runs over HTTPS. We do not store passwords, credit card numbers, or Social Security numbers.

Provider	Role
Railway	Cloud hosting for the MATANA API and dashboard
Neon	Managed PostgreSQL — encrypted at rest, highly available
Google & Microsoft	OAuth identity providers — zero password storage
Resend	Transactional email for invitations and calendar invites

Compliance

Where we are. Where we're going.

We're honest about our current certifications and what we're working toward.

Encryption at rest & in transitComplete

AES-256 database encryption, TLS on all connections

SSO-only authenticationComplete

Google & Microsoft OAuth, no password storage

Organization-level data isolationComplete

Every query scoped to verified org ID

SOC 2 Type IIn progress

Actively in progress — contact us for timeline

SOC 2 Type IIPlanned

Planned after Type I completion

FAQ

Common questions

Is MATANA SOC 2 certified?

Not yet. We are actively working toward SOC 2 Type I. If your procurement process requires it, we're happy to share our current security practices and timeline. Reach out and we'll make it work.

Where is my data stored?

All data is stored in a Neon-managed PostgreSQL database. Neon encrypts all data at rest by default using AES-256. The database is hosted on infrastructure in accordance with Neon's availability guarantees.

What happens to an employee's data when we offboard them?

When you mark an employee as disabled or revoke their access in the dashboard, access stops immediately — even if the employee has an active session token. Their historical data (gift history, wallet items) remains in the system for HR audit purposes. Full data deletion is available on request.

Can employees see each other's information?

No. Employees only see their own wallet, perks, gifts, and profile. Other employees' personal details — birthday, address, dietary preferences — are never surfaced in the employee app.

How do I report a security concern?

Email us at security@matana-il.com. We take all reports seriously and commit to responding within 2 business days.

Have questions about security?

We'll walk you through exactly how MATANA protects your team's data.

Book a Demo Talk to Security

security@matana-il.com · Response within 2 business days