Research report
Whichapp Security Disclosure Benchmark
Security certification and disclosure quality across 17 EOR and global payroll providers.
Whichapp Security Disclosure Benchmark
Security certification and disclosure quality across 17 EOR and global payroll providers.
v1 · Last updated: 2026-05-17 · Sample: 17 providers · Next refresh: Aug 2026
Whichapp sample of 17 providers. Observed May 2026. Verified = confirmed from public provider documentation. Methodology →
What this benchmark measures
The Whichapp Security Disclosure Benchmark records what security certifications and compliance documentation each provider makes publicly verifiable, without requiring an NDA, a sales call, or a vendor questionnaire response. The benchmark covers six certification dimensions: SOC 2 Type II, ISO 27001, GDPR data processing agreements, HIPAA, PCI DSS, and Cyber Essentials Plus.
Each dimension is classified as: Verified (certification confirmed from public provider documentation), Public (public-facing compliance document available but formal certification not stated), On request (provider states certification is available on request), or not disclosed (no public evidence found). Not disclosed does not mean the provider lacks the certification; it means Whichapp could not confirm it without a vendor questionnaire.
Key findings
In Whichapp's sample of 17 providers observed in May 2026:
- 10 of 17 providers have verified SOC 2 Type II from public sources. Deel, Papaya Global, Rippling, Pebl, Multiplier, G-P, Plane, Playroll, WorkMotion, and Gusto all publish or explicitly reference current SOC 2 Type II attestation on their trust centres or security pages. A further 2 state SOC 2 is available on request.
- 9 of 17 have verified ISO 27001 from public documentation. Overlap with SOC 2 is high: providers with both certifications tend to publish them together. 7 providers disclose neither certification publicly.
- 14 of 17 publish some form of GDPR data processing documentation: either a public DPA page, a privacy FAQ covering DPA scope, or a stated DPA-on-request process. 3 providers have no publicly discoverable GDPR DPA reference.
- 0 of 17 providers disclose Cyber Essentials Plus. This UK government-backed certification is standard practice for UK government suppliers. Its absence from all 17 providers in the sample reflects that most EOR platforms are US-headquartered and do not pursue UK-specific government certifications.
- HIPAA and PCI DSS are not verified for any provider in this sample. HIPAA applies to healthcare entities, not payroll platforms, and PCI DSS applies to payment card handling; both are niche requirements in the EOR context. Gusto (US-only payroll) does offer HIPAA-compliant plans but this was not confirmed as a formal certification from a public source.
Buyer implications
Buyers in regulated industries (financial services, healthcare, government contractors) typically require SOC 2 Type II reports and ISO 27001 certificates before procurement approval. The 10 providers with verified SOC 2 all represent viable choices on this dimension. For the 7 providers where SOC 2 is not publicly verified, submit a security questionnaire early in the sales cycle and request the SOC 2 Type II report directly. Waiting until contract stage for this document routinely adds 2–4 weeks to procurement timelines.
For GDPR compliance specifically, any provider handling EU employee payroll data is a data processor under GDPR Article 28. Even where a public DPA document is not listed, providers are legally required to execute a DPA on request. The 3 providers with no public GDPR reference are not necessarily non-compliant; they may not be marketing their GDPR documentation publicly.
Limitations
- Not disclosed does not mean the provider lacks certification. Providers frequently hold certifications that are not surfaced in public documentation. This benchmark records public disclosure, not certification status.
- Certification status changes. Providers obtain, renew, or let lapse certifications on their own cycles. Whichapp's observation is a point-in-time record from May 2026.
- This benchmark does not assess underlying security quality, MFA enforcement, penetration testing disclosure, or bug bounty scope. Those dimensions will be added in the Aug 2026 refresh.
Security certification disclosure matrix
| Provider | SOC 2 Type II | ISO 27001 | GDPR DPA | HIPAA | PCI DSS | Cyber Essentials+ | Composite | Confidence |
|---|---|---|---|---|---|---|---|---|
| Deel | Verified | Verified | Public | — | — | — | 9.2 /10 | High |
| Rippling | Verified | Verified | Public | — | — | — | 8.7 /10 | Medium |
| Papaya Global | Verified | Verified | Public | — | — | — | 8.5 /10 | Medium |
| Multiplier | Verified | Verified | Public | — | — | — | 8.2 /10 | Medium |
| Playroll | Verified | Verified | Public | Claimed | — | — | 8.0 /10 | Medium |
| Horizons | Verified | Verified | Public | — | — | — | 7.6 /10 | Medium |
| Remote | On request | Verified | On request | — | — | — | 9.0 /10 | High |
| G-P | Verified | On request | Public | — | — | — | 8.4 /10 | Medium |
| Atlas HXM | — | Verified | Public | — | — | — | 8.8 /10 | Medium |
| Plane | Verified | — | Public | — | — | — | 8.1 /10 | Medium |
| WorkMotion | — | Verified | Public | — | — | — | 7.7 /10 | Medium |
| Gusto | Verified | — | — | — | — | — | 8.3 /10 | Medium |
| Lano | Verified | — | — | — | — | — | 7.9 /10 | Medium |
| Oyster HR | On request | — | Public | — | — | — | 8.0 /10 | Medium |
| Remofirst | — | — | Public | — | — | — | 7.8 /10 | Medium |
| Pebl | — | — | Public | — | — | — | 7.5 /10 | Medium |
| Safeguard Global | — | — | — | — | — | — | 7.2 /10 | Medium |
Research conducted using Whichapp's evidence-first methodology. View full methodology →
Whichapp Research, [Report name], [Month Year]. Available at whichapp.site/research/[slug]/. Sample: [N] providers. Last updated: [date].
For data requests or corrections: contact@whichapp.site