
Post: 12 HR Software Security Checks Every Vendor Must Pass in 2026
Before signing any HR software contract, run these 12 security checks in order: SOC 2 Type 2 report, ISO 27001 certification, encryption standards, data residency terms, DPA quality, access controls, sub-processor audits, breach notification SLAs, penetration testing, data deletion guarantees, business continuity proof, and regulatory compliance documentation. Each check controls a distinct risk layer that the others cannot cover.
Every HR software platform you evaluate will claim to be secure. The sales deck will mention encryption. The demo will show a clean dashboard. None of that tells you whether your employees’ Social Security numbers, compensation data, performance records, and health information are actually protected.
The only way to know is to run a structured vetting process before you sign anything. These 12 checks belong in every HR software security evaluation — ranked by the risk they control, not by how often they appear in vendor marketing. This vetting process connects directly to the HRIS data validation decisions your team makes daily and the HRIS configuration defaults that quietly create exposure. It also reinforces the operational discipline required to avoid errors like the $27K overpayment David’s team experienced from a single data entry failure.
Work through them in order. Each check builds on the last. Miss one, and the others cannot compensate.
| # | Check | Risk Controlled | Disqualifying Red Flag |
|---|---|---|---|
| 1 | SOC 2 Type 2 Report | Baseline security controls | No report or report withheld pre-contract |
| 2 | ISO 27001 Certification | ISMS maturity, international compliance | Expired or out-of-scope certificate |
| 3 | Encryption Standards | Data interception and theft | Legacy ciphers (DES, 3DES, RC4) or undisclosed schemes at rest; TLS 1.0/1.1 still enabled in transit |
| 4 | Data Residency Terms | Cross-border regulatory violations | Verbal-only commitments on storage location |
| 5 | DPA Quality | GDPR Article 28 legal exposure | Missing DPA or non-negotiable standard terms |
| 6 | Access Controls and RBAC | Insider threat and privilege abuse | No MFA, no role-based permissions |
| 7 | Sub-Processor Audit | Supply-chain data exposure | No sub-processor list or update notifications |
| 8 | Breach Notification SLAs | Regulatory reporting deadlines | No fixed hour figure, or an SLA longer than 48 hours |
| 9 | Penetration Testing | Undetected technical vulnerabilities | No third-party pen test in the last 12 months |
| 10 | Data Deletion Guarantees | Right-to-erasure and offboarding risk | No contractual deletion timeline or verification |
| 11 | Business Continuity and DR | Operational disruption and data loss | No tested recovery time objective on record |
| 12 | Regulatory Compliance Docs | HIPAA, CCPA, EEOC, and sector-specific rules | Self-attestation only, no third-party evidence |
#1 — SOC 2 Type 2 Report
A SOC 2 Type 2 report is the single most informative document a vendor can hand you — and the first thing to request.
What it covers
An independent auditor’s assessment of the vendor’s controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), tested over an observation period that is typically 6 to 12 months. Only the Security criteria are mandatory; the other four are in scope only if the vendor chose to include them, so read the auditor’s opinion page for which criteria were actually tested and treat a Security-only report as narrower than it looks.
Type 2 vs. Type 1
Type 1 is a point-in-time snapshot. Type 2 tests whether controls actually operated effectively over time. Demand Type 2.
What to look for in the report
- Exceptions noted by the auditor. A clean opinion with no exceptions is ideal.
- Exceptions with documented remediation are acceptable.
- Unaddressed exceptions are disqualifying.
- Reports older than 12 months require a bridge letter covering the gap and a date for the current audit cycle.
- Complementary User Entity Controls (CUECs): the report lists controls the vendor assumes you operate, such as deprovisioning your own users. Each one is a task your team owns, and the auditor’s opinion does not hold if you skip it.
- System description scope: confirm the product and hosting environment named in the report are the ones you are buying, not a different product line or a parent company.
Red flag: Any vendor who delays, deflects, or conditions access to their SOC 2 report on signing a contract first.
Verdict: No SOC 2 Type 2 means no further evaluation. This is a minimum threshold, not a negotiating position.
#2 — ISO 27001 Certification
ISO 27001 certifies that a vendor has implemented a formal Information Security Management System (ISMS) and had it independently verified.
Why it matters alongside SOC 2
SOC 2 is primarily a US standard. ISO 27001 carries more weight in GDPR and cross-border compliance conversations because it is internationally recognized.
What to verify
- Certificate scope: ISO 27001 certificates specify scope. Confirm the scope covers the specific product and data centers processing your employee data, not just a parent company or an unrelated business unit.
- Statement of Applicability: ask which Annex A controls were declared not applicable and why. A scope that excludes the controls you care about is technically valid and practically useless.
- Standard edition: ISO/IEC 27001:2022 replaced the 2013 edition, and the transition period for existing certificates ended on 31 October 2025. A certificate still issued against 27001:2013 is expired in 2026.
- Surveillance audits: ISO 27001 requires annual surveillance audits between full recertification cycles. Request evidence of the most recent surveillance audit.
- HIPAA applicability: HIPAA reaches HR software through your group health plan. If the platform handles plan data such as benefits enrollment, claims or plan-run wellness programs, the vendor is acting for the plan and HIPAA documentation (including a BAA) is required. Employment records such as medical leave paperwork are excluded from HIPAA’s definition of PHI but remain confidential medical records under the ADA and FMLA, so they still need every control on this list. ISO 27001 alone is not a HIPAA substitute.
Verdict: SOC 2 Type 2 plus ISO 27001 is the baseline. For HR functions that touch group health plan data, add HIPAA attestation.
#3 — Encryption Standards: At Rest and In Transit
Encryption is the technical floor. The question is not whether a vendor encrypts data — it is whether they encrypt it correctly.
- At rest: AES-256 is what to expect for databases, backups and file systems. AES-128 is still a sound, NIST-approved cipher, so it is not disqualifying by itself; legacy algorithms (DES, 3DES, RC4) and proprietary or undisclosed schemes are. Key length matters less than how the cipher is used: ask for an authenticated mode such as AES-GCM, and for how data encryption keys are stored, rotated and kept separate from the data they protect.
- In transit: TLS 1.2 is the minimum; TLS 1.3 is preferred. Verify that TLS 1.0 and 1.1, both deprecated, are disabled, and ask for the cipher suite list: a TLS 1.2 endpoint that still offers RSA key exchange or CBC suites has no forward secrecy and loses much of the benefit. Test the vendor’s public endpoints yourself rather than relying on the questionnaire answer.
- Key management: Ask who controls the encryption keys. Customer-managed keys (CMK) give you the ability to revoke the vendor’s access to your data independently of the vendor. That revocation is only as real as the architecture behind it: confirm the vendor’s service calls your KMS for each key use rather than caching a decrypted key indefinitely. Vendor-managed keys are common but carry more risk in a vendor compromise scenario.
- Backup encryption: Confirm that backup copies receive the same encryption treatment as live data. Backups are a common attack surface that vendors sometimes exempt from their headline encryption claims.
Verdict: AES-256 (at minimum AES-128) in an authenticated mode at rest, TLS 1.2+ with forward-secret cipher suites in transit, and documented key management practices are the technical minimum.
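As an added example, not code from the original post or from any vendor, here is a small Python probe for the in-transit check above. It pins a client context to one TLS version at a time, records whether the endpoint completes the handshake, and grades the result against the TLS 1.2 floor. The target host name and the injectable `connector` parameter are my assumptions; the injection point exists so the grading logic can be exercised offline with a fake endpoint.

```python
import socket
import ssl

# Versions to probe, oldest first. TLS 1.0 and 1.1 must be refused by the
# vendor; TLS 1.2 is the minimum and TLS 1.3 is preferred.
PROBES = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def _connect(ctx, host, port, timeout=5.0):
    """Open a TCP connection and complete a TLS handshake with the pinned context."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def probe_tls_versions(host, port=443, connector=_connect):
    """Return {version_name: accepted} by attempting one handshake per version.

    Each context is pinned so only that single version can be negotiated, so a
    refused handshake means the server does not offer it. A value of None means
    the local OpenSSL build could not even construct the probe for that version.
    `connector` is injectable (an assumption of this example) so the grading
    logic can be run without network access.
    """
    results = {}
    for name, version in PROBES:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            # The question is protocol support, not certificate validity, so
            # hostname and chain checks are deliberately off for the probe only.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            connector(ctx, host, port)
            results[name] = True
        except OSError:  # ssl.SSLError is a subclass of OSError
            results[name] = False
    return results


def evaluate(results):
    """Turn probe results into findings against the TLS 1.2 floor."""
    findings = []
    for legacy in ("TLSv1.0", "TLSv1.1"):
        if results.get(legacy):
            findings.append(f"FAIL: deprecated {legacy} still accepted")
    if results.get("TLSv1.2") is not True and results.get("TLSv1.3") is not True:
        findings.append("FAIL: neither TLS 1.2 nor TLS 1.3 could be negotiated")
    if results.get("TLSv1.3") is not True:
        findings.append("WARN: TLS 1.3 not offered (1.2 is the floor, 1.3 is preferred)")
    return findings


if __name__ == "__main__":
    import sys
    # "vendor.example" is a placeholder host; pass the real endpoint as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "vendor.example"
    res = probe_tls_versions(target)
    for name, ok in res.items():
        state = "accepted" if ok else ("refused" if ok is False else "not probed")
        print(f"{name}: {state}")
    for line in evaluate(res) or ["PASS: TLS 1.2+ only"]:
        print(line)
```

Run it against the vendor’s login and API hosts separately; they are often fronted by different load balancers with different settings. Pinning both `minimum_version` and `maximum_version` is what makes each probe unambiguous: a context that merely allows TLS 1.0 would happily negotiate 1.3 and tell you nothing.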
#4 — Data Residency and Cross-Border Transfer Mechanisms
Where your employees’ data physically lives is a compliance variable, not a preference.
- GDPR exposure: If you employ anyone in the European Union, GDPR restricts transfers of personal data to countries without an adequacy decision. Data stored on US servers needs a valid transfer mechanism: Standard Contractual Clauses (SCCs) backed by a transfer impact assessment, or a vendor certified under the EU-US Data Privacy Framework. Without one, you are in violation.
- Contract specificity: “We use European data centers” is a sales claim. “EU employee data is stored in Frankfurt and Dublin facilities, with no transfer to non-adequate third countries except under executed SCCs” is a contractual commitment. Get the latter in writing.
- Multi-jurisdiction workforces: If you operate in California, the EU, and Canada simultaneously, your data residency requirements are layered. Confirm the vendor can honor jurisdiction-specific storage for each employee population.
- Sub-processor locations: Sub-processors (Check #7) introduce cross-border transfers that the primary vendor’s data residency commitments do not cover. Audit the full chain.
For a deeper look at this topic, review the guidance on inherited HR operations that create compliance bleed — data residency gaps are among the most commonly overlooked.
Verdict: Data residency terms must be written into the contract and the DPA — not left to verbal confirmation or a help center article the vendor can edit without notice.
#5 — Data Processing Agreement (DPA) Quality
A DPA is a legally binding contract governing how a vendor processes personal data on your behalf. Under GDPR Article 28, it is legally required — not optional.
Mandatory DPA provisions
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Controller obligations and rights
- Sub-processor authorization and control mechanisms
- Data return or deletion obligations at contract termination
- Audit rights for the controller
What distinguishes a strong DPA from a weak one
A strong DPA specifies deletion timelines, names sub-processors, grants audit rights, and defines breach notification windows. A weak DPA uses language like “reasonable efforts” and “at our discretion” in place of concrete commitments.
Red flag: Vendors who present a non-negotiable standard DPA and refuse to modify provisions that conflict with your legal obligations.
Verdict: Have legal counsel review the DPA before signing. The DPA is where liability is assigned — every ambiguous clause transfers risk to you.
#6 — Access Controls and Role-Based Permissions
Insider threats and misconfigured access are among the most common sources of HR data breaches. A platform’s access control architecture determines your exposure.
- Multi-factor authentication (MFA): MFA must be available and enforceable for every account, not only administrators, and must not be bypassable “for convenience”. Prefer phishing-resistant factors (FIDO2/WebAuthn) over SMS codes, and federated login (SAML or OIDC) with SCIM provisioning, so that an employee removed from your identity provider loses HR platform access automatically.
- Role-based access control (RBAC): The platform must support granular role definitions. A payroll administrator needs no access to performance review data. A hiring manager needs no access to compensation records. Confirm these restrictions are configurable and enforced at the data level, not just the UI level: during the trial, log in as a restricted role and try to reach the restricted data through exports, reports and the API, not only the screens.
- Audit logs: Every access event, data export, and administrative change must be logged with a timestamp, user ID, and action. Logs must be immutable, meaning users cannot delete or modify their own audit trail, and exportable to your own SIEM or log store so that a copy exists that the vendor’s operators cannot alter.
- Privileged access management: Ask how vendor support staff access your environment. Support tunnels that bypass your RBAC configuration are a significant risk surface.
Verdict: No MFA enforcement and no granular RBAC are both disqualifying conditions for any platform handling compensation, health, or personally identifiable employee data.
Expert Take
The most common gap we see during HR software audits is not encryption — it is access control misconfiguration. A platform can have perfect encryption and still expose sensitive data through an over-permissioned support role or a shared login that bypasses MFA. The audit log is your first evidence when something goes wrong. If it does not exist, you have no case.
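The two controls the Expert Take points at, data-level RBAC and an audit log the actor cannot quietly edit, are small enough to show together. The following Python is an added example, not code from the original post or from any HR vendor: a constructed field-level policy matrix (the role names and field names are assumptions), a `read_record` function that enforces it on the data rather than the UI, and an append-only audit log in which every entry commits to the SHA-256 hash of the previous one, so editing any entry breaks the chain from that point on.

```python
import hashlib
import json
import time

# Constructed data-level policy: the record fields each role may read.
# Note what is absent: payroll cannot see performance data, and hiring
# managers cannot see compensation or bank details.
FIELD_POLICY = {
    "payroll_admin": {"employee_id", "name", "salary", "bank_account"},
    "hiring_manager": {"employee_id", "name", "title", "performance_rating"},
    "hr_admin": {"employee_id", "name", "title", "salary", "bank_account",
                 "performance_rating", "ssn"},
}

GENESIS = "0" * 64  # hash the first entry chains to


def _digest(entry):
    """Canonical SHA-256 over the entry with its own hash field excluded."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log where every entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, resource, fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": time.time(),
            "actor": actor,
            "action": action,
            "resource": resource,
            "fields": sorted(fields),
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def read_record(role, actor, record, requested_fields, log):
    """Enforce the field policy on the data itself and log the outcome either way."""
    allowed = FIELD_POLICY.get(role, set())
    denied = set(requested_fields) - allowed
    if denied:
        log.append(actor, "DENY", record["employee_id"], denied)
        raise PermissionError(f"{role} may not read {sorted(denied)}")
    log.append(actor, "READ", record["employee_id"], requested_fields)
    return {f: record[f] for f in requested_fields}


# Constructed sample record; none of these values are real.
SAMPLE = {"employee_id": "E1001", "name": "A. Example", "title": "Analyst",
          "salary": 85000, "bank_account": "xxxx1234",
          "performance_rating": 4, "ssn": "xxx-xx-0000"}


def demo():
    """Two reads, one denial, then an insider edits the DENY entry."""
    log = AuditLog()
    read_record("payroll_admin", "pat", SAMPLE, ["name", "salary"], log)
    try:
        read_record("hiring_manager", "kim", SAMPLE, ["name", "salary"], log)
    except PermissionError:
        pass
    intact = log.verify()  # None: the chain checks out
    # The denied actor rewrites their own entry into a harmless name lookup.
    log.entries[1]["action"] = "READ"
    log.entries[1]["fields"] = ["name"]
    tampered = log.verify()  # 1: entry 1 no longer matches its recorded hash
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

A hash chain only proves tampering if the latest hash lives somewhere the log’s own operators cannot rewrite, which is why the audit-log bullet asks for export to your own log store. Ask the vendor how they stop their own administrators from altering the log (a write-once store, a signing key held by a separate service, or a periodic signed export to the customer) and check that the exported copy carries enough fields to reconstruct who touched which record.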
#7 — Sub-Processor Audit
Your HR software vendor does not operate in isolation. They use sub-processors — third-party companies that handle data on their behalf — for functions like cloud hosting, email delivery, analytics, and customer support tooling.
What to request
- A complete, current sub-processor list with each company’s name, location, and function
- Evidence that each sub-processor is bound by a DPA equivalent to the one the vendor has with you
- Notification procedures for when sub-processors are added or changed
Why this matters
Your GDPR liability does not stop at your vendor’s front door. If a sub-processor in a non-adequate country handles EU employee data without proper transfer mechanisms, that is your compliance problem — even if you never chose that sub-processor.
Red flag: Vendors who provide a sub-processor list only upon request and do not have a proactive notification process for changes.
Verdict: The sub-processor list should be publicly accessible or contractually available. Update notifications should be automatic, not reactive.
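Sub-processor change notifications arrive as emails, if they arrive at all, so a practical safeguard is to snapshot the vendor’s published list yourself and diff it on a schedule. The following Python is an added example, not code from the original post or any vendor: two constructed snapshots (the company names, countries and functions are made up), an `approved_locations` set standing in for the countries your DPA and transfer mechanisms actually cover, and a diff that flags additions, removals and relocations, escalating anything that lands outside the approved set.

```python
import json

# Constructed snapshots of a vendor's published sub-processor list, taken at
# two points in time. Every company here is fictitious.
PREVIOUS_SNAPSHOT = json.dumps([
    {"name": "Example Hosting", "location": "Germany", "function": "Hosting"},
    {"name": "Example Mail", "location": "Ireland", "function": "Email delivery"},
    {"name": "Example Support", "location": "United States", "function": "Support ticketing"},
])
CURRENT_SNAPSHOT = json.dumps([
    {"name": "Example Hosting", "location": "Germany", "function": "Hosting"},
    {"name": "Example Mail", "location": "United States", "function": "Email delivery"},
    {"name": "Example Analytics", "location": "India", "function": "Product analytics"},
])


def load(snapshot_json):
    """Index a snapshot by sub-processor name."""
    return {entry["name"]: entry for entry in json.loads(snapshot_json)}


def diff_subprocessors(previous_json, current_json, approved_locations):
    """Compare two snapshots and return (severity, message) findings.

    approved_locations is the set of countries your DPA, SCCs or adequacy
    decisions cover (an assumption supplied by the caller). Anything new or
    relocated outside that set is an ACTION item for legal review.
    """
    prev, cur = load(previous_json), load(current_json)
    findings = []
    for name in sorted(cur.keys() - prev.keys()):
        loc = cur[name]["location"]
        sev = "INFO" if loc in approved_locations else "ACTION"
        findings.append((sev, f"added: {name} ({cur[name]['function']}) in {loc}"))
    for name in sorted(prev.keys() - cur.keys()):
        findings.append(("INFO", f"removed: {name}; request confirmation that data held there was deleted"))
    for name in sorted(prev.keys() & cur.keys()):
        old, new = prev[name]["location"], cur[name]["location"]
        if old != new:
            sev = "INFO" if new in approved_locations else "ACTION"
            findings.append((sev, f"relocated: {name} moved from {old} to {new}"))
        if prev[name]["function"] != cur[name]["function"]:
            findings.append(("REVIEW", f"function changed: {name} now '{cur[name]['function']}'"))
    return findings


def needs_escalation(findings):
    """True when any finding requires DPA or transfer-mechanism review."""
    return any(sev == "ACTION" for sev, _ in findings)


if __name__ == "__main__":
    # Assumed approved set; substitute the countries your own transfer mechanisms cover.
    approved = {"Germany", "Ireland", "United States"}
    for sev, msg in diff_subprocessors(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, approved):
        print(f"[{sev}] {msg}")
```

Store each fetched snapshot with its date; the series becomes evidence if you later need to show when a transfer began. A removal deserves a question as much as an addition does: the vendor has stopped using that sub-processor, but your data may still be sitting there until the deletion obligation in their downstream DPA is exercised.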
#8 — Breach Notification SLAs
When a breach occurs, your regulatory clock starts immediately. GDPR requires notification to supervisory authorities within 72 hours of discovery. Your vendor’s breach notification SLA must fit inside that window.
- Contractual SLA: Vendor notification of a confirmed breach — or a suspected breach — must be defined in the contract. “Without undue delay” is insufficient. Specify hours, not aspirational language.
- Scope of notification: The notification must include the nature of the breach, categories and approximate numbers of data subjects affected, likely consequences, and measures taken or proposed. Confirm the vendor is contractually obligated to provide all of this, not just a generic alert.
- Historical breach record: Ask directly whether the vendor has experienced any data breaches in the past three years and how they were handled. This is a legitimate due diligence question. Refusal to answer is informative.
Verdict: A breach notification SLA that exceeds 24 hours creates serious risk for GDPR-covered organizations. Anything above 48 hours is contractually dangerous regardless of jurisdiction.
#9 — Penetration Testing and Vulnerability Management
A vendor’s security certifications tell you what controls exist. Penetration testing tells you whether those controls hold against adversarial pressure.
- Third-party pen tests: Request the most recent third-party penetration test summary. Internal pen tests conducted by the vendor’s own security team do not carry the same evidentiary weight.
- Frequency: Annual penetration testing is the minimum. Vendors processing high volumes of sensitive HR data should test more frequently, and after every major platform release.
- Vulnerability disclosure: Ask how the vendor handles discovered vulnerabilities — internally and when reported by external researchers. A formal vulnerability disclosure policy (VDP) with defined response timelines is a positive signal.
- CVE monitoring: Confirm the vendor actively monitors the Common Vulnerabilities and Exposures (CVE) database for risks affecting their technology stack and has a documented patch deployment timeline.
Verdict: No third-party pen test in the last 12 months is a disqualifying condition. A vendor who cannot demonstrate adversarial testing has untested assumptions about their own security posture.
#10 — Data Deletion and Right-to-Erasure Guarantees
GDPR’s right to erasure and CCPA’s deletion rights create contractual obligations that flow upstream to your HR software vendor. You need guarantees — not policies — about what happens to data when you need it gone.
- Employee deletion requests: Confirm the platform supports complete deletion of an individual’s record — not just deactivation or archiving. Confirm that deletion propagates to backups within a defined timeframe.
- Contract termination: Define what happens to your organization’s data when the contract ends. The DPA should specify a deletion or return timeline, typically 30-90 days, and require written confirmation of destruction.
- Backup retention: Ask specifically how long deleted data persists in backups. A vendor who deletes production records but retains them in 12-month-old backups has not fulfilled a deletion request.
- Retention schedules: For data you are legally required to retain — I-9 records, payroll records, EEOC data — confirm the platform supports custom retention schedules that comply with federal and state requirements.
This connects directly to the operational risks covered in auditing inherited I-9 records — retention and deletion controls are two sides of the same compliance obligation.
Verdict: Vague deletion policies that reference “industry standard practices” without contractual specificity transfer erasure risk entirely to you.
#11 — Business Continuity and Disaster Recovery
HR software handles time-sensitive operations — payroll processing, benefits enrollment, onboarding workflows. A vendor who cannot demonstrate operational resilience creates downstream business risk that extends well beyond data security.
- Recovery Time Objective (RTO): How long does the vendor’s system take to restore full functionality after an outage? Get the contractual RTO, not a marketing number.
- Recovery Point Objective (RPO): How much data can be lost in a worst-case recovery scenario? An RPO of 24 hours means up to a day of payroll entries or benefits changes could be unrecoverable.
- Geographic redundancy: Confirm that data is replicated across geographically separate data centers. A single-region architecture means a regional outage takes the platform offline entirely.
- Tested DR: Ask when the vendor last conducted a full disaster recovery test and request documentation of the results. A DR plan that has never been tested is a theoretical document, not an operational guarantee.
- SLA uptime commitments: 99.9% uptime means approximately 8.7 hours of downtime annually. 99.99% means approximately 52 minutes. Know what you are buying and what the SLA credits are if the vendor falls short.
Verdict: Request the vendor’s most recent Business Continuity Plan (BCP) summary and DR test results. A vendor who refuses to share either has not tested either.
Expert Take
Business continuity documentation is one of the most underweighted checks in HR software evaluations. Teams spend hours on encryption and certifications, then accept a vendor’s uptime claim at face value. An untested DR plan during a payroll processing window is the kind of failure that ends careers. Get the RTO in the contract. Get the test results in writing.
#12 — Regulatory Compliance Documentation
Security certifications cover technical controls. Regulatory compliance documentation covers the legal obligations that govern your specific industry, employee population, and jurisdiction.
Common regulatory layers for HR software
- HIPAA: Applies when the platform handles protected health information (PHI) belonging to your group health plan, such as benefits enrollment, claims and plan-administered wellness data. A Business Associate Agreement (BAA) is required in that case. HIPAA’s definition of PHI excludes employment records an employer holds in its role as employer, so ADA accommodation and FMLA paperwork fall outside HIPAA; they remain confidential medical records under the ADA and FMLA and must get the same access restrictions.
- CCPA/CPRA: The employee and applicant exemptions expired on 1 January 2023, so California employees hold the full set of CPRA rights. Confirm the vendor supports them at the employee level, not just for consumers: access, deletion, correction, opt-out of sale or sharing, and limiting the use of sensitive personal information such as SSNs and health data.
- EEOC data handling: Applicant and employee EEO data carries specific retention and access restrictions. Confirm the vendor’s handling of demographic data complies with EEOC guidance and does not expose this data in contexts where it creates hiring bias risk.
- State-specific biometric laws: If the platform uses biometric data — fingerprint time clocks, facial recognition — Illinois BIPA, Texas, and Washington have specific notice, consent, and retention requirements. Verify compliance before deployment.
- Self-attestation: A vendor who asserts compliance without third-party documentation is taking a legal position, not making a factual claim. Require evidence: BAAs, attestation letters from qualified auditors, or certification documentation.
For teams navigating AI-assisted HR tools alongside these platforms, the EEOC AI compliance requirements for 2026 and EU AI Act requirements for HR leaders add another compliance layer that sits on top of — not instead of — the vendor security checks above.
Verdict: Build a compliance requirements matrix before vendor evaluation begins. List every regulation that applies to your employee population and geography, then score each vendor against it. Self-attestation earns zero points.
How to Use These 12 Checks as a Vendor Scorecard
Running these checks informally is less useful than building a structured scorecard. Here is the operating framework:
- Send a formal security questionnaire before the demo. Vendors who refuse to answer security questions before a sales call have already told you something important.
- Request documents, not claims. Every check above has a corresponding document: SOC 2 report, ISO certificate, pen test summary, DPA, sub-processor list, BCP documentation. Oral confirmations are not evidence.
- Score each check as Pass / Conditional Pass / Fail. A Conditional Pass requires documented remediation with a timeline. More than two Conditional Passes in Checks 1-6 is a disqualifying pattern.
- Escalate DPA review to legal counsel. The DPA is a legal document. HR teams should flag provisions but not make final determinations without qualified legal review.
- Repeat the evaluation at renewal. A vendor who passed all 12 checks 36 months ago may not pass today. Security posture changes. Certifications lapse. Sub-processors change. Treat renewal as a new evaluation.
If your organization is simultaneously working to standardize HR processes and reduce the manual overhead that creates security gaps, the operational foundation covered in how TalentEdge achieved $312K in savings through HR process standardization shows how security and efficiency improvements reinforce each other when executed together.
For HR teams managing these evaluations alongside a full operational load, the guide to fixing broken HR operations for small teams addresses how to prioritize vendor risk management when bandwidth is the constraint.
Additional Reading
- HRIS Required Fields vs Manual Data Validation: Which Is Safer for Small HR Teams?
- 9 HRIS Configuration Defaults Every Small HR Team Should Change
- The $27K Overpayment: How One HRIS Data Entry Mistake Cost a Manufacturer a Year of Salary
- 11 Warning Signs Your Inherited HR Operation Is Bleeding Money
- How to Audit Inherited I-9 Records Without Creating New Violations
- 9 EEOC AI Compliance Requirements HR Teams Must Meet in 2026
- 11 EU AI Act Requirements Every HR Leader Must Know in 2026
- How TalentEdge Saved $312K with HR Process Standardization
- Drowning in Admin: How Solo and Small HR Teams Can Fix Broken HR Operations Without Burning Out
- What Is HR Triage Risk Mapping? How HR Leaders Prioritize Inherited Messes
- How to Build a 90-Day HR Triage Plan Your CEO Will Sign
- In-House HR Cleanup vs Fractional HR Consultant: 2026 Decision Guide
- 12 HR-of-One Tools That Actually Reduce Admin Load in 2026
- Global AI Regulations: Reshaping HR Compliance & Strategy
- How to Reconcile a Broken Benefits Carrier Feed: Step by Step

