Security, Compliance & Audit

Optymyze supports modifying compensation rules via effective dating, allowing historical versions and new versions to coexist for different time periods. New rules can be created by copying existing ones and adjusting parameters through a simple, guide-based interface, no coding required. All changes are tracked through comprehensive audit logging that records who made the change, when it was made, and what was modified.

Optymyze captures audit records at the field level, recording before and after values, the timestamp of each change, and the login of the user who made the modification. This granular audit trail enables easy identification and reversal of erroneous changes. Field-level auditing ensures complete traceability for compliance and governance requirements.

Optymyze captures all manual changes to both configuration and data within comprehensive audit logs, showing time-stamped details of values before and after each change along with the user who made it. Audit fields can be included in any report or data view, providing easy visibility into changes without requiring separate audit reports. This integrated audit capability ensures compliance and simplifies investigations.

Optymyze captures all user activities including successful and unsuccessful login attempts, user creation and modification, role assignments, data changes, and security administration events with full timestamps and user identification. Audit logs are protected against tampering with no facility to purge records. This comprehensive audit capability supports compliance, forensic investigations, and regulatory reporting.

Optymyze encrypts all data at rest using AES-256 encryption and all data in transit using TLS 1.2 or higher. Passwords and credentials are stored in hashed or encrypted format, never in plain text, and field-level encryption is available for particularly sensitive data columns. This comprehensive encryption approach ensures compensation and personal data is protected at every stage of processing and storage.

Optymyze undergoes regular third-party security assessments and penetration testing, with reports available for customer review upon request. The platform aligns with industry governance frameworks and supports periodic security audits conducted by customer organizations. A formal information security policy covers risk management, incident response, and business continuity, ensuring continuous validation of the platform’s security posture.

Optymyze ensures complete data isolation between tenants in its multi-tenant SaaS architecture with strict access controls that prevent any cross-tenant data exposure. Customer data access is limited exclusively to authorized personnel, and data masking is supported for non-production environments. These privacy controls ensure customer compensation data remains confidential at all times and comply with regional data privacy requirements.

Optymyze maintains formal information security policies authorized by business leadership, supported by a comprehensive security management program with defined roles and responsibilities. Formal risk assessments are performed at least annually and in conjunction with any information system changes, with risks mitigated to documented acceptable levels. The platform’s governance processes are reviewed alongside supply chain partners for consistency, ensuring alignment with cloud security frameworks and regulatory standards.

Optymyze integrates with CRM systems through native connectors, REST APIs, file imports via SFTP, and iPaaS integration for systems without a native connector. Native connectors include Salesforce and HubSpot, with Microsoft Dynamics 365 supported through Optymyze web services and iPaaS patterns. Each integration is configured with custom field mapping, filters, add/update options, and scheduling through a no-code interface, supporting both real-time event exchange and scheduled batch loads. Salesforce users can also access Optymyze applications inside their CRM through embedded UI integration, keeping reps in their primary workflow for compensation visibility, plan acceptance, and dispute submission without context switching.

Optymyze enforces application-level controls that prevent the creation of duplicate user IDs, ensuring each user has a unique alphanumeric identifier. User accounts support multiple lifecycle states including Active, Disabled, Locked, and Deleted, providing granular control over access management. This aligns with enterprise security policies and regulatory requirements for identity governance.

Optymyze enforces configurable password policies including minimum length requirements, complexity rules for uppercase, lowercase, numeric, and special characters, password history enforcement, and configurable expiration intervals. Users are required to change passwords on first login and subsequent resets, and all password inputs are masked during entry. These policies ensure the platform meets enterprise security standards out of the box.

Optymyze supports industry-standard authentication protocols including SAML v2.0, OAuth 2.0, and OpenID Connect for seamless SSO integration with enterprise identity providers such as Active Directory, Okta, and Azure AD. Multi-factor authentication adds an additional security layer beyond passwords, ensuring compliance with enterprise security standards. This enables organizations to maintain their existing authentication infrastructure while securing access to compensation data.

Optymyze provides granular role-based access control at table, field, and record levels, with support for multiple security administrator tiers. Segregation of duties is enforced so that security administrators, business users, and application administrators operate within clearly defined boundaries. Maker-checker workflows for user creation and critical administrative actions prevent unauthorized changes and strengthen internal controls.

Optymyze enforces configurable session timeouts for inactive sessions, limits users to a single concurrent session, and can automatically disable accounts after prolonged inactivity. Session identifiers are protected from client-side exposure and validated on every request to prevent session hijacking. These controls ensure that compensation data remains secure even when users forget to log out or leave sessions unattended.

Optymyze integrates with Active Directory, LDAP, and other enterprise directory services for user authentication, provisioning, and access management. The platform supports dual authentication modes where some users authenticate via Active Directory while others use native application credentials. This accommodates diverse user populations including external producers and partners who may not have corporate directory accounts.

Optymyze provides fully documented and tested Business Continuity and Disaster Recovery plans with contractual RTO and RPO guarantees aligned to enterprise SLA requirements. The platform supports active-active data center architecture with incremental and full daily encrypted backups, regular failover testing, and recovery within 24 hours. A separate disaster recovery site ensures business operations continue with minimal disruption even in worst-case scenarios.

Optymyze provides contractual SLA targets for platform availability with defined support tiers and 24×7 help desk availability through an online support portal. Standard maintenance windows are communicated in advance, and upgrades are designed to be non-disruptive to minimize downtime. This predictable service model ensures organizations can rely on the platform for critical compensation processing cycles.

Optymyze follows a defined breach notification process that includes timely alerts to affected customers with details on the breach nature, impact assessment, containment measures, and remediation steps. The incident management process includes escalation procedures and SLA-driven response times to ensure quick resolution. This structured approach minimizes the impact of security incidents on customer operations.

Optymyze sends compensation workflow notifications and reminders through email, triggered by workflow events such as approval requests, plan acceptance prompts, dispute submissions, and exception alerts. Notification rules are configurable by event type, recipient group, and role, so each stakeholder receives the messages relevant to their part of the process. In-platform alerts complement email for users actively working in Optymyze applications, surfacing pending approvals, disputes, and scheduled tasks. Notifications can be sent in real time or grouped into scheduled digests, supporting both immediate-response workflows and lower-urgency status communications.