Security
9Box handles sensitive HR data: peer feedback, performance signals, and identifiable employee information. The product is designed around the assumption that this data must never leak between workspaces, and that reviewer identities must never be linked to scores in any visible report.
All traffic is served over TLS 1.2+ with HSTS. Data is encrypted at rest on managed Postgres infrastructure using AES-256. Passwords are hashed with bcrypt; we never store or log them in plain text.
Individual reviewer scores and comments are never shown to the subject, their manager, or HR. Only aggregated results are exposed. This is enforced at the database query layer, not just in the UI.
Every row in the database is gated by row-level security policies tied to workspace membership. A user from one workspace cannot read or write data belonging to another, even if they attempt to call the API directly.
Application code runs on Cloudflare's edge network. Data is stored in EU-region managed Postgres. We do not transfer personal data outside the UK/EEA except via providers with appropriate safeguards.
Production access is restricted to a small number of named engineers. All admin access is logged. We use single sign-on with two-factor authentication for every internal tool.
If you've found a security issue, please email security@9box.co.uk with details and steps to reproduce. We will acknowledge within 2 working days and will not pursue researchers acting in good faith.
Sub-processors
We deliberately keep our sub-processor list short. See our privacy policy for the current list and the data each one handles.
Beta status
9Box is currently in beta. We have not yet completed formal third-party certifications (SOC 2, ISO 27001). If you're evaluating us for an organisation that requires those, get in touch via contact and we'll share the roadmap.
Report a vulnerability
Email security@9box.co.uk. Please do not publicly disclose issues before we've had a chance to fix them. We appreciate the help.