The right people see the right data
A six-level role hierarchy (lower number = more authority) gates every page, tab, and data query in the system.
| Level | Role | Scope |
|---|---|---|
| 1 | Super Admin | Everything, company-wide |
| 2 | Corporate Admin | Everything, company-wide |
| 3 | Regional Admin | One Regional Office (all Business Units within it) |
| 4 | Business Unit Admin | One specific Business Unit |
| 10 | Employee | Self only (self-evaluations, own review status) |
| 20 | Reviewer | Only employees/groups they’re assigned to review |
Regional and Business Unit Admins are automatically scoped everywhere — employee lists, group lists, assignment queues, exports — to only their assigned slice of the org. A Business Unit Admin literally cannot see, query, or export data belonging to another Business Unit, even by manipulating a URL — every server-side query enforces the same scope check as the UI.
Built with real security discipline, not an afterthought
- Mandatory email-based two-factor authentication on every login — 6-digit code, 15-minute expiry, 5-attempt lockout
- Bcrypt password hashing, session-based authentication with httponly + secure + SameSite=Strict cookies
- Strong password policy enforced on reset, with a live strength meter
- CSRF protection on every single AJAX endpoint, verified with hash_equals() to prevent timing attacks
- Full security header suite: X-Content-Type-Options, X-Frame-Options: DENY, Referrer-Policy, Permissions-Policy, Content-Security-Policy
- Parameterized queries throughout, with class-restricted deserialization
Your system, your server, your brand
Ironwood Reviews installs on infrastructure you control, wears your company’s name and logo everywhere — including the emails your employees receive — and only ever talks to the outside world for the integrations you turn on. It’s not a shared multi-tenant SaaS; it’s your review system.
Performance review data is sensitive — compensation-adjacent, career-defining information. Ironwood Reviews treats it that way.