HR Software Data Security: How to Vet Vendors & Ensure Compliance

Published On: August 13, 2025

12 HR Software Security Checks Every Vendor Must Pass (2026)

Every HR software platform you evaluate will claim to be secure. The sales deck will mention encryption. The demo will show a clean dashboard. None of that tells you whether your employees’ Social Security numbers, compensation data, performance records, and health information are actually protected.

The only way to know is to run a structured vetting process before you sign anything. This listicle gives you the 12 checks that belong in every HR software security evaluation — ranked by the risk they control, not by how often they appear in vendor marketing. These checks sit at the operational core of the broader HR data compliance framework that governs everything from access management to ethical AI oversight.

Work through them in order. Each check builds on the last. Miss one, and the others cannot compensate.

#1 — SOC 2 Type 2 Report (Non-Negotiable Baseline)

A SOC 2 Type 2 report is the single most informative document a vendor can hand you — and the first thing to request.

  • What it covers: An independent auditor’s assessment of the vendor’s controls against the AICPA Trust Services Criteria over a review period, typically 6 to 12 months. Security is the only mandatory criterion; availability, processing integrity, confidentiality, and privacy are tested only if the vendor put them in scope, so read the scope section before the opinion.
  • Type 2 vs. Type 1: Type 1 is a point-in-time snapshot. Type 2 tests whether controls actually operated effectively over time. Demand Type 2.
  • What to look for in the report: Exceptions noted by the auditor. A clean opinion with no exceptions is ideal; exceptions with documented remediation are acceptable; unaddressed exceptions are disqualifying.
  • Recency: Reports older than 12 months should trigger a follow-up request for the current audit cycle status and a bridge letter covering the gap between the end of the last review period and today.
  • Red flag: Any vendor who delays, deflects, or conditions access to their SOC 2 report on signing a contract first.

Verdict: No SOC 2 Type 2 = no further evaluation. This is not a negotiating position; it is a minimum threshold.

#2 — ISO 27001 Certification

ISO 27001 certifies that a vendor has implemented a formal Information Security Management System (ISMS) and had it independently verified.

  • Why it matters alongside SOC 2: SOC 2 is primarily a US standard. ISO 27001 is internationally recognized and carries more weight in GDPR and cross-border compliance conversations.
  • Verify the certificate scope: ISO 27001 certificates specify the scope of certification. Confirm that the scope covers the specific product and data centers that will process your employee data — not just a parent company or unrelated business unit.
  • Surveillance audits: ISO 27001 requires annual surveillance audits between full recertification cycles. Ask for evidence of the most recent surveillance audit.
  • HIPAA applicability: HIPAA applies where the vendor handles protected health information on behalf of a covered entity, most commonly your group health plan (benefits enrollment and claims data). Employment records such as medical leave documentation generally fall outside HIPAA’s definition of PHI, even though they are highly sensitive and subject to other confidentiality obligations. Where HIPAA does apply, the vendor must sign a Business Associate Agreement and show Security Rule controls; there is no official HIPAA certification, and ISO 27001 alone is not a substitute.

Verdict: SOC 2 Type 2 plus ISO 27001 is the baseline. For HR functions that touch group health plan data, add a signed Business Associate Agreement and HIPAA Security Rule evidence. Deloitte research consistently identifies third-party security certifications as the primary control differentiator in enterprise software risk assessments.

#3 — Encryption Standards: At Rest and In Transit

Encryption is the technical floor. The question is not whether a vendor encrypts data; it is whether they encrypt it correctly.

  • At rest: AES-256 is the conventional expectation for data stored in databases, backups, and file systems; AES-128 is also considered secure, so the more telling questions are the mode (an authenticated mode such as AES-GCM, never ECB) and how the keys are handled. Legacy algorithms such as 3DES or RC4 anywhere in the data path are disqualifying.
  • In transit: TLS 1.2 is the current minimum; TLS 1.3 is preferred. Verify that TLS 1.0 and 1.1 — both deprecated — are disabled. Ask for the output of an external scan of the production endpoints rather than a policy statement; deprecated versions are easy to test for, and a vendor with a mature program will already have the scan.
  • Key management: Ask who controls the encryption keys. Customer-managed keys (CMK) give you the ability to revoke access to your data independently of the vendor, but only if the vendor decrypts through your key management service on every use; a key copied into the vendor’s environment at onboarding does not give you that lever. Vendor-managed keys are common but carry more risk in a vendor compromise scenario.
  • Backup encryption: Confirm that backup copies receive the same encryption treatment as live data. Backups are a common attack surface.

Verdict: AES-256 at rest, TLS 1.2+ in transit, and documented key management practices are the technical minimum. Ask specifically about backups — vendors sometimes exempt them from their headline encryption claims.
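A concrete way to check the in-transit claim yourself, as an added example for this article rather than any vendor’s tooling: the Python script below pins a client to each TLS version in turn, reports which ones a vendor’s public HTTPS endpoint will negotiate, and grades the result against the bar above. The host name is a placeholder; run it against the vendor’s production login endpoint with their permission. Certificate validation is deliberately disabled so that a certificate problem is not mistaken for a disabled protocol version, and on OpenSSL 3 the client itself may refuse to offer TLS 1.0/1.1, which the script reports as inconclusive rather than as a pass.

```python
"""Probe which TLS protocol versions a vendor endpoint will negotiate.

Added example for this article, not vendor code. The host name in the
usage block is a placeholder; the grading thresholds mirror the article:
TLS 1.0/1.1 must be off, TLS 1.2 or 1.3 must be on, 1.3 is preferred.
"""
import socket
import ssl
import sys
from typing import Dict, List, Optional

# Oldest first. The two deprecated versions should fail to negotiate.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def negotiates(host: str, version: ssl.TLSVersion, port: int = 443,
               timeout: float = 5.0) -> Optional[bool]:
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if this client could not even offer it."""
    ctx = ssl.create_default_context()
    # We are probing protocol policy, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower
        # it so the probe reflects the server's policy, not the client's.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # non-OpenSSL build; the handshake attempt below decides
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # The client declining to offer the version is not evidence the
        # server disabled it; report that separately.
        if "no protocols available" in str(exc):
            return None
        return False
    except OSError:
        return False


def probe(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    return {name: negotiates(host, v, port) for name, v in VERSIONS}


def evaluate(results: Dict[str, Optional[bool]]) -> List[str]:
    """Turn probe results into findings against the article's minimum bar."""
    findings: List[str] = []
    for legacy in ("TLS 1.0", "TLS 1.1"):
        if results.get(legacy) is True:
            findings.append(f"FAIL: {legacy} is still enabled (deprecated)")
        elif results.get(legacy) is None:
            findings.append(f"INCONCLUSIVE: could not offer {legacy} from this client")
    if not (results.get("TLS 1.2") or results.get("TLS 1.3")):
        findings.append("FAIL: neither TLS 1.2 nor TLS 1.3 negotiated")
    elif not results.get("TLS 1.3"):
        findings.append("WARN: TLS 1.3 not offered; 1.2 only")
    return findings or ["PASS: TLS 1.0/1.1 disabled, modern TLS available"]


if __name__ == "__main__":
    # Placeholder host; substitute the vendor's production endpoint.
    target = sys.argv[1] if len(sys.argv) > 1 else "hr-vendor.example"
    outcome = probe(target)
    for name, ok in outcome.items():
        print(f"{name}: {'negotiated' if ok else 'inconclusive' if ok is None else 'refused'}")
    for line in evaluate(outcome):
        print(line)
```

Treat a single "negotiated" for TLS 1.0 or 1.1 as a hard fail to raise with the vendor; treat "inconclusive" as a prompt to re-run from a host with an older OpenSSL or to ask for the vendor’s own scan evidence.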

#4 — Data Residency and Cross-Border Transfer Mechanisms

Where your employees’ data physically lives is a compliance variable, not a preference.

  • GDPR exposure: If you employ anyone in the European Union, GDPR restricts transfers of personal data to countries without an adequacy decision. Data stored on US servers without a valid transfer mechanism — Standard Contractual Clauses (SCCs), a current EU-U.S. Data Privacy Framework certification, or equivalent — puts you in violation.
  • Contract specificity: “We use European data centers” is a sales claim. “EU employee data is stored in Frankfurt and Dublin facilities, with no transfer to non-adequate third countries except under executed SCCs” is a contractual commitment. Get the latter.
  • Multi-jurisdiction workforces: If you operate in California, the EU, and Canada simultaneously, your obligations are layered: residency and transfer restrictions where they exist (the EU) plus privacy rules that follow the data wherever it is stored (CCPA/CPRA, PIPEDA). Confirm the vendor can honor jurisdiction-specific storage for each employee population that needs it.
  • Sub-processor locations: Sub-processors (Check #7) often introduce cross-border transfers that the primary vendor’s data residency commitments do not cover. Audit the full chain.

For a deeper operational guide on this topic, see the how-to on data sovereignty and employee data residency compliance.

Verdict: Data residency terms must be written into the contract and the DPA — not left to verbal confirmation or a help center article that the vendor can edit without notice.

#5 — Data Processing Agreement (DPA) Quality

A DPA is a legally binding contract governing how a vendor processes personal data on your behalf. Under GDPR Article 28, it is legally required — not optional.

  • Mandatory DPA provisions: Subject matter and duration of processing; nature and purpose of processing; types of personal data; categories of data subjects; your obligations and rights as controller.
  • Watch for vendor-favorable gaps: Boilerplate DPAs from SaaS vendors often contain broad carve-outs allowing data use for “service improvement” or “aggregate analytics” — which can constitute unauthorized processing of employee data.
  • Negotiate, don’t just accept: Vendors with mature privacy programs expect DPA negotiation. Vendors who treat their template DPA as non-negotiable are signaling that privacy controls are not a priority for them.
  • US organizations outside GDPR: Even without GDPR applicability, a DPA provides contractual protections that standard SaaS terms of service rarely match. Request one regardless of jurisdiction.

Verdict: Never process employee data under a SaaS agreement without a separate, negotiated DPA. The standard agreement is written to protect the vendor. The DPA is the document that protects you.

#6 — Role-Based Access Control (RBAC) and Audit Logging

Many HR data incidents involve authorized users accessing data they should not have, not outsiders defeating encryption. Access control and logging are what limit that class of misuse.

  • RBAC requirements: The platform must allow granular permission assignment — not just “admin vs. user” but role-specific access: recruiters see candidate data, managers see their direct reports, payroll accesses compensation records, and nothing bleeds across those boundaries without explicit authorization.
  • Audit logs: Every data access, export, modification, and deletion must generate a tamper-evident log entry. Logs should capture who, what, when, and from where, and the vendor should be able to export them to your SIEM rather than only display them in a dashboard.
  • Log retention: Audit logs need retention periods aligned to your compliance obligations. GDPR investigations can surface years after an incident; logs that auto-delete at 90 days create evidentiary gaps.
  • Privileged access monitoring: Vendor-side administrator access to your tenant should be logged and, ideally, require your approval or notification. Ask explicitly how vendor support staff access your data.

Verdict: RBAC and audit logging are structural controls, not premium features. If a vendor prices them as add-ons or tiers them to enterprise plans, that is a cost of compliance — not an upsell to decline. See also: essential HR data security practices for how these controls integrate with your internal program.
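What "granular RBAC with tamper-evident logging" looks like in code, as an added example for this article and not any vendor’s implementation: field-level permissions per role, a relationship check so a manager sees only direct reports, and an audit log in which each entry carries the hash of the previous one, so that an edited or deleted entry breaks the chain. The roles, fields, reporting map, and sample requests are constructed for illustration.

```python
"""Role-scoped field access with a hash-chained audit log.

Added example for this article, not code from any HR vendor. ROLE_FIELDS,
REPORTS_TO and the requests in the usage block are constructed data.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Fields each role may read, per record category. Nothing bleeds across:
# payroll sees salary, managers see ratings, recruiters see candidates only.
ROLE_FIELDS = {
    "recruiter": {"candidate": {"name", "resume", "interview_notes"}},
    "manager": {"employee": {"name", "title", "performance_rating"}},
    "payroll": {"employee": {"name", "salary", "bank_account", "ssn"}},
}

# Constructed org chart: employee id -> manager id.
REPORTS_TO = {"e-102": "m-1", "e-103": "m-1", "e-204": "m-2"}

GENESIS = "0" * 64  # prev-hash of the first entry


def authorized(role: str, actor_id: str, category: str,
               record_id: str, fld: str) -> bool:
    """Field-level RBAC, plus a relationship check for managers."""
    allowed = ROLE_FIELDS.get(role, {}).get(category, set())
    if fld not in allowed:
        return False
    if role == "manager":
        return REPORTS_TO.get(record_id) == actor_id
    return True


def _digest(body: dict) -> str:
    # Canonical JSON so the hash is stable regardless of key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, who: str, action: str, what: str, where: str,
               outcome: str, when: Optional[datetime] = None) -> dict:
        body = {
            "seq": len(self.entries),
            "who": who, "action": action, "what": what, "from": where,
            "outcome": outcome,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Index of the first broken entry, or None if the chain is intact.
        Catches edited fields (hash mismatch) and removed entries (seq gap)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def access(log: AuditLog, role: str, actor_id: str, category: str,
           record_id: str, fld: str, where: str) -> bool:
    """Authorize a read and log it either way; denials are evidence too."""
    ok = authorized(role, actor_id, category, record_id, fld)
    log.record(who=f"{role}:{actor_id}", action="read",
               what=f"{category}/{record_id}.{fld}", where=where,
               outcome="allowed" if ok else "denied")
    return ok


if __name__ == "__main__":
    log = AuditLog()
    access(log, "payroll", "p-1", "employee", "e-102", "salary", "10.0.0.5")
    access(log, "manager", "m-1", "employee", "e-102", "salary", "10.0.0.6")
    access(log, "manager", "m-2", "employee", "e-102", "performance_rating", "10.0.0.7")
    for e in log.entries:
        print(e["seq"], e["who"], e["what"], e["outcome"])
    print("chain intact:", log.verify() is None)
    log.entries[1]["outcome"] = "allowed"      # simulate tampering
    print("first broken entry:", log.verify())  # 1
```

The chain only proves integrity relative to the last hash you hold; to make it evidentiary, the vendor should anchor the latest hash somewhere the logging system cannot rewrite (a write-once store or a signed daily digest you receive).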

#7 — Sub-Processor Transparency

Your vendor does not operate alone. They use sub-processors — cloud infrastructure providers, analytics platforms, email delivery services, AI model providers — who also touch your employee data.

  • What to request: A complete, current list of sub-processors including their name, geographic location, and the function they perform.
  • Legal obligation: Under GDPR Article 28(2), you as controller must authorize all sub-processors. A vendor who resists full disclosure is putting you in a compliance position you cannot defend.
  • Change notification: Vendors add and remove sub-processors regularly. Your DPA should require advance written notice — typically 30 days — before any new sub-processor is engaged, giving you the right to object.
  • Contractual chain: Sub-processors must be bound by data protection obligations equivalent to those in your DPA. Ask for confirmation that this contractual chain exists.

Verdict: A vendor with 40 undisclosed sub-processors is not more secure than a vendor with 40 disclosed and audited ones — but only the latter gives you the compliance visibility you need. Full sub-processor disclosure is standard practice for mature HR technology vendors.

#8 — Breach Detection and Incident Response SLAs

Breach response timelines are not a vendor preference. They are a compliance constraint that flows upstream to you.

  • GDPR’s clock: GDPR Article 33 requires notification to supervisory authorities within 72 hours of a breach becoming known. Your vendor’s notification to you must happen well before that window closes.
  • Contractual SLA minimum: Require written notification within 24 to 48 hours of breach detection. Anything longer leaves you insufficient time to assess scope, engage legal counsel, and meet your own reporting obligations.
  • What the notification must include: Nature of the breach; categories and approximate number of individuals affected; categories and approximate number of records affected; likely consequences; measures taken or proposed to address the breach.
  • Tabletop exercise question: Ask the vendor to walk you through their last incident response exercise. The answer tells you whether their plan is a living document or a PDF in a folder.

Verdict: Verbal assurances about breach response are worthless. Every timeline, notification content requirement, and escalation path must be written into the contract. This is not paranoia — it is the contractual discipline that the proactive HR data security blueprint treats as foundational.

#9 — Data Retention and Deletion Capabilities

Storing employee data longer than legally required is not neutral. It is active risk accumulation.

  • Regulatory retention floors and ceilings: Employment law in most jurisdictions mandates minimum retention periods for specific record types. Privacy law — GDPR, CCPA/CPRA — simultaneously limits retention to what is necessary for the stated purpose. These two constraints must be balanced, not averaged.
  • Automated retention enforcement: The platform should support configurable retention schedules that automatically flag or archive records reaching their retention limit — not a manual process dependent on someone remembering to run a deletion job.
  • Right to erasure mechanics: When an employee submits a GDPR right to erasure or CCPA deletion request, can the vendor execute it technically — across primary systems, replicas, and disaster recovery copies — and provide confirmation within the regulatory deadline? Backups are rarely edited in place; the defensible answer is a documented backup rotation window after which the record no longer exists in any copy, plus a commitment not to restore deleted records from backup.
  • Offboarding data return: When you terminate the contract, what happens to your data? The contract must specify a data return format, deletion timeline, and written confirmation of destruction for all copies including backups.

Verdict: Data you do not need is data that can be breached, subpoenaed, or misused. Retention controls are not a compliance checkbox — they are active risk reduction. For the operational detail, the guide on building an HR data retention policy covers the legal and ethical framework.

#10 — Multi-Factor Authentication and Identity Controls

Compromised credentials are among the most common initial access vectors in enterprise data breaches, and MFA is the single highest-impact control against them.

  • MFA enforcement: Confirm that MFA is not just available but enforceable — meaning administrators can require it for all users, not merely offer it as an opt-in.
  • MFA method quality: Hardware security keys and passkeys (FIDO2/WebAuthn) are phishing-resistant and the strongest option. TOTP (time-based one-time passwords via authenticator app) is acceptable but can be relayed by a real-time phishing proxy. SMS-based MFA is significantly weaker due to SIM-swapping attacks and should not be the only option.
  • Single Sign-On (SSO) integration: SSO allows your existing identity provider to manage authentication, extending your existing MFA and access policies to the HR platform without a separate credential set. Pair it with SCIM provisioning so that a termination in your identity provider deprovisions the HR platform account the same day, rather than leaving an orphaned login.
  • Session management: Inactive session timeouts, concurrent session limits, and geographic anomaly alerts should be configurable to match your internal security policies.

Verdict: MFA enforcement is table stakes. If a vendor charges extra to enforce MFA organization-wide — rather than offering it as an individual opt-in — price that cost into your compliance budget before comparing bids.

#11 — AI Feature Governance and Algorithmic Accountability

AI-powered features in HR software — resume screening, compensation benchmarking, performance scoring, flight-risk prediction — are the fastest-growing source of compliance risk in HR technology evaluations right now.

  • Model documentation: Request documentation of what data was used to train any AI model that influences HR decisions. Bias in training data propagates into decisions about hiring, compensation, and advancement.
  • Bias audit schedule: Ask when the model was last audited for disparate impact and what the results were. Annual audits are the current baseline expectation; less frequent than that is insufficient given how quickly model behavior can drift.
  • Human override guarantee: GDPR Article 22 prohibits purely automated decisions with legal or similarly significant effects unless specific conditions are met. Your contract should guarantee that any AI recommendation affecting an employment decision can be reviewed and overridden by a human decision-maker.
  • Training data use: Confirm explicitly that your employee data is not used to train the vendor’s AI models without your written consent. This is a data use boundary that many SaaS AI vendors blur in their terms of service.

For the strategic framework behind this check, the post on ethical AI implementation in HR covers the governance controls that should be non-negotiable in any AI-enabled HR technology stack.

Verdict: Re-audit any vendor who has added AI features since your last contract review. New features that were not in scope at signing are not covered by your original due diligence — or, in many cases, your original DPA.

#12 — Contractual Audit Rights and Change-of-Control Protections

The final check is about preserving your ability to verify everything in checks 1 through 11 over the life of the contract — not just at signing.

  • Audit rights clause: Your contract should give you the right to audit the vendor’s security controls — directly or through a third-party auditor — with reasonable notice. Most enterprise vendors will negotiate this to a right to review audit reports rather than direct on-site access, which is acceptable if the reports are comprehensive and current.
  • Change-of-control provisions: If the vendor is acquired, your data should not automatically transfer to the acquiring entity under the acquirer’s privacy practices. The contract should require your written consent to any data transfer following a change of control, or grant you a termination right with data return.
  • Insolvency protections: In bankruptcy, your employee data can become an asset transferred to creditors. A well-drafted contract includes provisions for data return or destruction in insolvency scenarios before that outcome occurs.
  • Unilateral contract modification: SaaS vendors routinely update their terms of service. Confirm that material changes to data handling practices — sub-processor additions, data use expansions — require your affirmative consent, not just a posted notice.

Verdict: A vendor agreement without audit rights and change-of-control protections is a one-sided document. The goal is not to antagonize a vendor relationship — it is to ensure that the controls you verified at signing remain verifiable throughout the contract term. For the vendor risk management process that frames these contractual controls, see the comprehensive guide on HR vendor risk management.

How to Use These 12 Checks in Practice

Run these checks as a formal scorecard, not a conversation. Send them in writing before the demo stage so vendors have time to pull the requested documentation. A vendor who responds with complete, current materials — SOC 2 Type 2 report, ISO 27001 certificate, sub-processor list, sample DPA — in under a week is demonstrating operational maturity. One who escalates the request to legal after three reminders is showing you how incidents will go.

Involve legal counsel in DPA negotiation from the start. Involve your security team in reviewing the SOC 2 report. HR leaders do not need to become security experts — they need to know which questions require expertise to evaluate, and route those questions accordingly.

After vendor selection, these checks become the baseline for ongoing vendor oversight. An annual review of the SOC 2 report, a sub-processor list refresh, and a contract amendment review when the vendor adds AI features — that cycle is what separates a one-time vetting exercise from a sustainable data privacy culture in HR.

The stakes are clear. Forrester research identifies HR systems as one of the highest-value targets in enterprise data breaches precisely because of the density and sensitivity of the data they hold. APQC benchmarking data shows that organizations with structured vendor security vetting processes resolve compliance gaps before breach — not after. The 12 checks above are how that proactive posture is operationalized at the contract level.

For the full compliance and privacy framework that sits behind these vendor-facing controls, return to the parent guide on secure HR data: compliance, AI risks, and privacy frameworks.