Research report

Whichapp Security Disclosure Benchmark

Security certification and disclosure quality across 17 EOR and global payroll providers.

Whichapp Researchv1 · Last updated: 2026-05-17 · Sample: 17 providers · Next refresh: Aug 2026

Whichapp Security Disclosure Benchmark

Security certification and disclosure quality across 17 EOR and global payroll providers.

v1 · Last updated: 2026-05-17 · Sample: 17 providers · Next refresh: Aug 2026


10/17
SOC 2 Type II verified from public sources
9/17
ISO 27001 verified from public sources
14/17
publish a public-facing GDPR DPA document
0/17
disclose Cyber Essentials Plus certification

Whichapp sample of 17 providers. Observed May 2026. Verified = confirmed from public provider documentation. Methodology →

What this benchmark measures

The Whichapp Security Disclosure Benchmark records what security certifications and compliance documentation each provider makes publicly verifiable, without requiring an NDA, a sales call, or a vendor questionnaire response. The benchmark covers six certification dimensions: SOC 2 Type II, ISO 27001, GDPR data processing agreements, HIPAA, PCI DSS, and Cyber Essentials Plus.

Each dimension is classified as: Verified (certification confirmed from public provider documentation), Public (public-facing compliance document available but formal certification not stated), On request (provider states certification is available on request), or not disclosed (no public evidence found). Not disclosed does not mean the provider lacks the certification; it means Whichapp could not confirm it without a vendor questionnaire.

Key findings

In Whichapp's sample of 17 providers observed in May 2026:

  • 10 of 17 providers have verified SOC 2 Type II from public sources. Deel, Papaya Global, Rippling, Pebl, Multiplier, G-P, Plane, Playroll, WorkMotion, and Gusto all publish or explicitly reference current SOC 2 Type II attestation on their trust centres or security pages. A further 2 state SOC 2 is available on request.
  • 9 of 17 have verified ISO 27001 from public documentation. Overlap with SOC 2 is high: providers with both certifications tend to publish them together. 7 providers disclose neither certification publicly.
  • 14 of 17 publish some form of GDPR data processing documentation: either a public DPA page, a privacy FAQ covering DPA scope, or a stated DPA-on-request process. 3 providers have no publicly discoverable GDPR DPA reference.
  • 0 of 17 providers disclose Cyber Essentials Plus. This UK government-backed certification is standard practice for UK government suppliers. Its absence from all 17 providers in the sample reflects that most EOR platforms are US-headquartered and do not pursue UK-specific government certifications.
  • HIPAA and PCI DSS are not verified for any provider in this sample. HIPAA applies to healthcare entities, not payroll platforms, and PCI DSS applies to payment card handling; both are niche requirements in the EOR context. Gusto (US-only payroll) does offer HIPAA-compliant plans but this was not confirmed as a formal certification from a public source.

Buyer implications

Buyers in regulated industries (financial services, healthcare, government contractors) typically require SOC 2 Type II reports and ISO 27001 certificates before procurement approval. The 10 providers with verified SOC 2 all represent viable choices on this dimension. For the 7 providers where SOC 2 is not publicly verified, submit a security questionnaire early in the sales cycle and request the SOC 2 Type II report directly. Waiting until contract stage for this document routinely adds 2–4 weeks to procurement timelines.

For GDPR compliance specifically, any provider handling EU employee payroll data is a data processor under GDPR Article 28. Even where a public DPA document is not listed, providers are legally required to execute a DPA on request. The 3 providers with no public GDPR reference are not necessarily non-compliant; they may not be marketing their GDPR documentation publicly.

Limitations

  • Not disclosed does not mean the provider lacks certification. Providers frequently hold certifications that are not surfaced in public documentation. This benchmark records public disclosure, not certification status.
  • Certification status changes. Providers obtain, renew, or let lapse certifications on their own cycles. Whichapp's observation is a point-in-time record from May 2026.
  • This benchmark does not assess underlying security quality, MFA enforcement, penetration testing disclosure, or bug bounty scope. Those dimensions will be added in the Aug 2026 refresh.

Security certification disclosure matrix

Whichapp Security Certification Disclosure Benchmark, May 2026. Sample: 17 providers. Verified = confirmed from public provider documentation at time of observation. Public = public-facing DPA/compliance document available. On request = stated as available on request. — = not disclosed in public sources. Not disclosed does not mean the provider lacks certification. Composite score = Whichapp 4-dimension provider index.
Provider SOC 2 Type II ISO 27001 GDPR DPA HIPAA PCI DSS Cyber Essentials+ Composite Confidence
DeelVerifiedVerifiedPublic9.2 /10High
RipplingVerifiedVerifiedPublic8.7 /10Medium
Papaya GlobalVerifiedVerifiedPublic8.5 /10Medium
MultiplierVerifiedVerifiedPublic8.2 /10Medium
PlayrollVerifiedVerifiedPublicClaimed8.0 /10Medium
HorizonsVerifiedVerifiedPublic7.6 /10Medium
RemoteOn requestVerifiedOn request9.0 /10High
G-PVerifiedOn requestPublic8.4 /10Medium
Atlas HXMVerifiedPublic8.8 /10Medium
PlaneVerifiedPublic8.1 /10Medium
WorkMotionVerifiedPublic7.7 /10Medium
GustoVerified8.3 /10Medium
LanoVerified7.9 /10Medium
Oyster HROn requestPublic8.0 /10Medium
RemofirstPublic7.8 /10Medium
PeblPublic7.5 /10Medium
Safeguard Global7.2 /10Medium

Research conducted using Whichapp's evidence-first methodology. View full methodology →

How to cite Whichapp Research

Whichapp Research, [Report name], [Month Year]. Available at whichapp.site/research/[slug]/. Sample: [N] providers. Last updated: [date].

For data requests or corrections: contact@whichapp.site