Security at Curra

Bank-grade infrastructure for the payroll your business depends on.

Hosting: Google Cloud
Region: europe-west2 (London)
In transit: TLS 1.2+
At rest: AES-256
SOC 2 Type II: In progress
Status: curra.ai/status

How we keep Curra safe

Infrastructure

Hosted on Google Cloud in europe-west2 (London). Private database, encrypted backups with point-in-time recovery, secrets in Google Secret Manager.

Access control

Identity managed by WorkOS — SSO and passwordless magic links, no shared credentials. Six roles with granular permissions, optional dual-control for payroll approval.

Money safety

Funding is verified per category before any payment moves. Idempotency keys on every external action prevent double-spends. Monetary values stored as BigInt cents — no float rounding errors.
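The three controls named above (per-category funding check, idempotency keys, integer cents) are shown working together in this added example. It is not Curra's code: the PaymentLedger class, its methods, and the sample keys, payees and amounts are hypothetical and constructed for illustration.

```javascript
// Hypothetical in-memory model; a real system would persist the key table
// transactionally alongside the payment record.
class PaymentLedger {
  constructor() {
    this.funded = new Map();  // category -> verified funds, BigInt cents
    this.results = new Map(); // idempotency key -> { fingerprint, outcome }
    this.sent = [];           // stand-in for the external payment rail
  }

  fund(category, cents) {
    this.funded.set(category, (this.funded.get(category) ?? 0n) + cents);
  }

  pay(idempotencyKey, { category, payee, cents }) {
    // Reject Number amounts outright: 0.1 + 0.2 !== 0.3, but 10n + 20n === 30n.
    if (typeof cents !== 'bigint' || cents <= 0n) {
      throw new TypeError('amount must be a positive BigInt number of cents');
    }
    const fingerprint = `${category}|${payee}|${cents}`;
    const prior = this.results.get(idempotencyKey);
    if (prior) {
      // Same key with different parameters is an error, not a replay.
      if (prior.fingerprint !== fingerprint) {
        throw new Error('idempotency key reused with different parameters');
      }
      return { ...prior.outcome, replayed: true }; // no second external call
    }
    // Funding is checked per category before anything moves.
    const available = this.funded.get(category) ?? 0n;
    let outcome;
    if (available < cents) {
      outcome = { status: 'rejected', reason: 'insufficient funding' };
    } else {
      this.funded.set(category, available - cents);
      this.sent.push({ payee, cents });
      outcome = { status: 'sent' };
    }
    // The outcome (including a rejection) is stored, so a retry sees the same answer.
    this.results.set(idempotencyKey, { fingerprint, outcome });
    return { ...outcome, replayed: false };
  }
}

function demo() {
  const ledger = new PaymentLedger();
  ledger.fund('salaries', 500000n); // constructed sample: 5,000.00
  const req = { category: 'salaries', payee: 'emp-001', cents: 250010n };
  const first = ledger.pay('run-01:emp-001', req);
  const retry = ledger.pay('run-01:emp-001', req); // client timed out and retried
  return { first, retry, sentCount: ledger.sent.length, remaining: ledger.funded.get('salaries') };
}
```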

Data protection

TLS 1.2+ in transit, AES-256 at rest. Customer data stays in europe-west2 unless you ask otherwise. Export and deletion on request, subject to statutory retention.

Audit & response

Every state change, approval, payment, and admin action is logged with actor and timestamp. Documented incident runbooks; material incidents reported to affected tenants within 72 hours.

Found a vulnerability? Email security@curra.io. For a DPA, sub-processor list, security questionnaire, or audit pack, email compliance@curra.io.

Need our security pack?

We share our DPA, sub-processor list, and security questionnaire on request.