EOR Data Security
Three months before a scheduled GDPR audit, a Data Protection Officer at a 280-person Berlin software company sends a routine question to her EOR account manager: where, exactly, is the payroll data for the company’s 42 EU employees stored, and who at the EOR can access it. For a full comparison, see our best employer of record providers guide.
The answer arrives four days later. Payroll runs on infrastructure hosted in the United States. Standard Contractual Clauses were never executed for the EU-to-US transfer.
The Data Processing Agreement signed at procurement covers the EOR’s parent platform, not the in-country partner entity that actually holds the bank details, national ID numbers, and salary records of every German employee on the payroll.
The DPO has two months to remediate before the audit, an unbudgeted external counsel engagement to scope the breach notification question, and an executive team that signed the EOR contract on the assumption that GDPR was the EOR’s problem.
EOR data security looks like a vendor checkbox during procurement and a board-level liability the moment something moves. This guide sets out what international employers actually need to verify before signing, where the legal liability genuinely sits, and which markets carry the highest residual risk.
Check current provider details
What EOR data security actually means for international employers
EOR data security is the operational, contractual, and certification framework governing how an Employer of Record collects, stores, transmits, and deletes the personal data it processes on behalf of your employees. For a 50-person team across 8 countries, an EOR routinely holds over 150 distinct data points per employee: national identity numbers, passport scans, residency documentation, tax identifiers, bank accounts, salary history, bonus structures, equity grants, pension contributions, medical certificates, parental leave records, and disciplinary notes. Health data falls under GDPR Article 9 special category protections.
Identity documents fall under data localisation laws in markets like China and Russia.
GDPR Article 28 requires every processor relationship to be governed by a binding agreement covering documented processing instructions, confidentiality obligations, security measures, sub-processor controls, audit rights, and deletion at end of contract. Article 32 requires technical and organisational security measures including encryption, integrity assurance, and regular testing. Article 33 sets the 72-hour breach notification window.
Beyond the EU: Brazil’s LGPD mirrors the GDPR framework; Singapore’s PDPA imposes penalties up to SGD 1 million; India’s DPDP Act sets fines up to INR 250 crore; the UK GDPR carries a maximum penalty of GBP 17.5 million or 4 percent of global turnover.
In most EOR arrangements the parties are joint controllers under GDPR Article 26, which means liability for breaches can attach to both. Your employee can pursue a claim against either party for the full amount. If the joint controller agreement is silent on apportionment, default joint and several liability applies.
Your finance team may pay a GDPR fine on a breach that originated entirely inside the EOR’s infrastructure.
How EOR data handling works in practice
A single payroll cycle runs through a chain of controllers, processors, and sub-processors: the EOR’s core software, in-country partner entities, banking rails, tax filing portals, benefits administrators, and document storage providers. The employer collects onboarding data through the EOR’s portal. The EOR’s platform validates and stores the records in a regional data centre hosted by AWS, Google Cloud, or Azure.
The data is then transmitted to the in-country entity responsible for local payroll. That entity calculates gross-to-net, files with the tax authority, and instructs the local bank.
Cross-border transfers are the single most common source of unlawful processing in EOR relationships. After Schrems II invalidated the EU-US Privacy Shield in July 2020, Standard Contractual Clauses became the default mechanism for EEA-to-third-country transfers. The European Commission’s modernised SCCs (adopted 4 June 2021) cover four modules.
Picking the wrong module makes the SCC invalid.
SCCs require a Transfer Impact Assessment evaluating the destination country’s surveillance environment. For US transfers, the EU-US Data Privacy Framework (July 2023) provides a partial route but is already under legal challenge. Ask your EOR which mechanism applies to each EU-to-non-EU flow and request the TIA.
Which countries carry the highest EOR data security risk?
Three regulatory regimes drive most of the residual exposure: the EU’s GDPR (cumulative fines passed EUR 4.5 billion by end of 2023, single fine reaching EUR 1.2 billion against Meta in May 2023 for unlawful US transfers); China’s PIPL with cross-border restrictions that require CAC security assessment or approved standard contracts; and Russia’s Federal Law 242-FZ data localisation requirement mandating that the primary copy of personal data sits on Russian soil.
For EU employees, the minimum acceptable posture is: signed DPA covering Article 28 in full, documented SCCs for any non-EEA transfer with a current TIA, sub-processor list with notification rights, audit rights including on-site at the in-country partner, and breach notification SLA tighter than 72 hours. For China, most EOR platforms route data through a domestic processing partner with a separate technical perimeter. For Russia, ask for the data flow diagram and the Roskomnadzor registration.
Without both, the operating model is non-compliant by default.
How EOR platforms differ on data security
| Provider | SOC 2 Type II | ISO 27001 | Entity model | Security perimeter |
|---|---|---|---|---|
| Remote | Yes | Yes | 100% owned | Single perimeter, all countries |
| Deel | Yes | Yes | Mixed (owned + partner) | Varies by country |
| G-P | Yes | Yes | 50+ owned, partners elsewhere | Strong in owned markets |
| Velocity Global | Yes | Yes | Mixed (65 owned, 120+ partners) | Varies by country |
| Oyster | Yes | Not published | Mixed (Direct+ in major markets) | Stronger in Direct+ markets |
| Multiplier | Yes | Not published | Mixed | Partner-dependent in most markets |
| Rippling | Yes (platform) | Not published | 100% partner | Fully partner-dependent |
| Papaya Global | Yes | Yes | 100% partner | Distributed across partner network |
Source: Provider security pages, certification databases, and Whichapp cross-provider evaluation, May 2026.
Strong implementation pairs SOC 2 Type II (independent auditor verifying controls over a minimum six-month period) with ISO 27001 (a certified ISMS covering the EOR entity, not only the SaaS platform). AES-256 encryption at rest, TLS 1.2 or higher in transit, role-based access controls with audit logging, annual penetration testing, and breach notification SLA contractually binding within 24 to 48 hours. Remote and G-P sit at this end.
Remote’s 100% owned-entity architecture means employee data sits within a single organisational boundary across every supported country.
Weak implementation publishes a single SOC 2 report covering the parent SaaS platform and treats it as universal coverage, with no ISO 27001 for the EOR entity, no DPA, no SCCs for cross-border flows, no documented sub-processor list, and vague breach notification language (“promptly,” “without undue delay”) with no contractual SLA. Six contract patterns should end the procurement conversation: refusal to share the SOC 2 Type II report under NDA, certification scope statements that do not name the EOR entity, no DPA for any in-scope country, no SCC documentation for EU-to-non-EU flows, indemnification caps below the relevant GDPR fine ceiling, and audit rights limited to written questionnaires with no on-site option at the in-country partner.
What your EOR contract must say about data security obligations
Seven contract clauses do most of the work. Certification scope clause: the contract must name which legal entity is covered by the SOC 2 Type II and ISO 27001 certifications. Country-specific DPA: a single global DPA does not satisfy GDPR Article 28 for every country.
Cross-border transfer mechanism: SCCs in the modernised 4 June 2021 form with current Transfer Impact Assessments. Encryption and key management: AES-256 at rest, TLS 1.2 or higher in transit, and a clear statement of who holds encryption keys. Retention and deletion schedule: specific retention periods in months for each data category plus a documented deletion process.
Breach notification SLA: contractual commitment to notify within 24 to 48 hours of breach discovery. Sub-processor list and change rights: a current sub-processor list, advance notification of any new sub-processor, and a contractual right to object.
Contract review checkpoint
The SOC 2 scope question that most buyers miss
A SOC 2 Type II report covers a specific system boundary. If the EOR provider’s audit scope is “the cloud platform” but your employee data is processed by a local partner entity using its own infrastructure, the SOC 2 report does not cover the systems that actually handle your data.
Ask this question during procurement: “Does your SOC 2 Type II audit scope include the systems and entities that process employee data in [specific country]?” If the answer is no, you need to evaluate the partner’s security separately.
For employers already in an EOR relationship, an audit takes two to four weeks. Pull the master agreement, every executed DPA, every SCC, the current sub-processor list, and the most recent SOC 2 and ISO 27001 reports, then map each document against your country footprint. Request the data flow diagram for each country, the encryption attestation, access control policy, penetration test summary, and breach notification process.
For partner-dependent providers, request evidence of the partner’s certification status and processing infrastructure location: GDPR Article 28(3)(h) gives controllers audit rights down through the sub-processor chain.
For broader procurement context, see our guides on how to choose an EOR, EOR contract red flags, and the related dimension of EOR compliance guarantees.
Whichapp view
Security certifications tell you that a provider’s controls have been independently verified. The entity model tells you how far those controls extend.
A provider with SOC 2 Type II and ISO 27001 operating through 100% owned entities (Remote) gives you a single, audited security perimeter. A provider with the same certifications operating through partners gives you a certified platform with unverified local infrastructure. The certification matters.
The architecture matters more. Where you need coverage outside Remote's owned-entity footprint, though, you are back to a partner-dependent provider regardless of which certifications it holds.
Check current provider details
Frequently asked questions about EOR data security
What employee data does an EOR handle under EOR data security obligations?
An EOR collects and processes national identity numbers, tax identifiers, bank account details, salary and bonus history, equity grants, pension contributions, health records under GDPR Article 9, and disciplinary notes. As the legal employer, the EOR is the data controller or joint controller with direct regulatory obligations in every country in scope.
Is my EOR GDPR compliant by default?
No. GDPR compliance requires demonstrable evidence: a signed DPA covering Article 28, executed SCCs for any non-EEA transfer with a current Transfer Impact Assessment, a sub-processor list with notification rights, documented retention periods, and a breach notification SLA. Claiming compliance and demonstrating it are different things.
What security certifications should an EOR have for adequate EOR data security?
SOC 2 Type II requires an independent auditor to verify operating effectiveness of security controls over a minimum six-month period. ISO 27001 certifies a documented ISMS. The strongest providers hold both, and the certification scope explicitly covers the EOR legal entity processing your data.
Ask for the certification report under NDA, not a marketing PDF.
How do EOR providers handle cross-border data transfers under current GDPR rules?
The primary mechanism is the modernised Standard Contractual Clauses (adopted 4 June 2021), requiring a Transfer Impact Assessment for each EU-to-third-country transfer. For US transfers, the EU-US Data Privacy Framework (July 2023) covers participating organisations. Ask which mechanism applies to each of your country pairs and request the executed documentation.
What happens to employee data when we leave an EOR?
This varies sharply by provider. Your contract should specify retention periods in months (typically 6 to 24 months for HR records, longer for tax and statutory filings) and a documented deletion process with verification. Some providers retain data indefinitely under broad “legal obligation” language, so ask before signing, not at termination.
Who is liable if my EOR has a data breach affecting EU employees?
Most EOR arrangements operate as joint controllers under GDPR Article 26, so liability can attach to both parties and your employee can pursue a claim against either for the full amount. Negotiate the indemnification cap and the carve-outs for gross negligence before signing. Recovery against the EOR is a separate commercial dispute that may take years.
What is a Data Processing Agreement in the EOR context?
A DPA is a legally binding document required under GDPR Article 28 whenever personal data is processed by a third party on behalf of a controller. In the EOR context, it governs data collection, processing, storage, access, sub-processors, audit rights, breach notification, and deletion or return of data at end of contract.
How do PIPL and Russian data localisation rules affect EOR data security strategy?
China’s PIPL restricts cross-border transfers through CAC security assessments, certification, or standard contracts, with mandatory assessment for sensitive data above 10,000 individuals or non-sensitive data above one million. Russia’s Federal Law 242-FZ requires the primary copy of personal data to be stored inside Russia. Ask for the data flow diagram and local registration evidence before signing.
Methodology and disclosure
Whichapp is an independent comparison site. We do not sell EOR, payroll, or contractor management services. This page draws on all 8 providers’ data security postures, reviewed across published security certifications, Data Processing Agreement frameworks, cross-border transfer mechanisms, encryption standards, and entity model implications.
Security certification specifics are based on published information current as of May 2026. No provider’s internal infrastructure was directly audited by Whichapp.
Related guides
- EOR compliance guarantees
- EOR owned entities and partner models
- EOR IP protection
- How to choose an EOR
- EOR contract red flags
Last reviewed: May 2026