Does Your HR Tech Partner Keep Your Data Secure? Here’s How to Tell

August 16th, 2018

Jon-Mark Sabel


Data security is critical, particularly for sensitive information about your employees and candidates.

But the world of data security is full of nuance, and can be difficult to navigate. If you partner with an cloud-based HR technology vendor, your data will likely be accessible through two different systems:

  1. Your vendor’s system (e.g. the service you’re buying); and
  2. Your vendor’s cloud hosting provider (e.g. where your vendor hosts their resources - think Amazon Web Services, Microsoft Azure, or Google Cloud)

These cloud hosting providers are regularly certified to a range of data security standards, from SOC 2 Type 2 to ISO 27001 (more on these later). The audits performed against these standards provide their clients with assurances that the vendor has appropriately implemented baseline security controls.

Although the security practices of these cloud hosting providers create a great foundation of security on which to deploy a product, it is not a guarantee that the products deployed on their infrastructure have the same level of security. 

It is the responsibility of the SaaS vendor to ensure that they have implemented their own policies, procedures, and controls to ensure appropriate operation of their product in the cloud space. Implementing data security standards is difficult, and earning individual security certifications is a lengthy, rigorous process.

Sometimes it is unclear whether a vendor’s data security certifications are their own, or the certifications of their cloud hosting provider. 

To protect the data of your employees and candidates, you need to ensure your partners - not just their partners - have implemented their own security program. Using the examples of some common security standards (SOC 2 and ISO 27001), we’ll show you how to check if your partners (or prospective partners) are taking the crucial steps to keep your data safe.

SOC 2 Type 2

A SOC 2 Type 2 report is a data security audit that measures the efficacy of a vendor’s data security controls (basically the steps and procedures in place to ensure data security). The result of the audit is a report that includes the third-party assessor’s opinion regarding the effectiveness of the assessed controls. The Type 2 designation implies that the audit took into account evidence of control effectiveness over a set period of time. These controls include things like:

  • Regular information security training for employees;
  • Annual penetration testing to identify vulnerabilities;
  • Automated network and application vulnerability scanning;
  • Data encryption, in transit and at rest.

There can be 40+ controls that undergo inspection in a SOC 2 Type 2 audit, relating to cloud infrastructure, software, employees, procedures, and data handling protocols.

If your vendor is SOC 2 Type 2 Certified, they can provide you with a full copy of their audit report under NDA.

Soc 2 type 2

An example of a SOC 2 Type 2 report cover page, with NDA watermark.

There’s also something called a SOC 3 report. This covers the same data security controls, but removes sensitive company information. These are available without a NDA. Software-as-a-service vendors usually cannot provide their cloud hosting provider’s SOC 2 Type 2 report, but they can provide their publicly available SOC 3 report.

You can see what these look like from the major cloud hosting vendors below:

No matter what type of report you receive from a vendor (SOC 2 Type 2 or SOC 3), ensure that you are asking for a copy of the vendors report and a report from the underlying cloud hosting provider.

ISO 27001

Where a SOC 2 Type 2 report provides a detailed overview of a vendor’s specific security controls, as well as the opinion of the auditor, ISO 27001 promotes the implementation of an organizational framework around information security. This framework is referred to as an Information Security Management System (ISMS) and emphasises a risk assessment / risk treatment process resulting in the selection of relevant security controls.

An Information Security System (ISMS) is a risk management process for people, processes, and IT.

An ISO 27001 audit certifies that the framework or information security management system (ISMS) has been implemented appropriately and that appropriate controls have been selected and properly implemented. Put simply, an ISMS is a risk management process for people, processes, and IT. It provides a systematized approach to managing data security with regular risk assessments, and helps vendors comply with information security regulations and legal requirements.

The deliverable that comes with an ISO 27001 audit, is a formal certification issued by the assessor. Cloud hosting vendors frequently make their ISO 27001 certifications publicly available. You can see what these look like from the major vendors below.

As with SOC 2 Type 2, it is important to consider whether a vendor claiming ISO 27001 compliance has achieved their own certification or whether they may be relying on the certification of the underlying cloud hosting provider. A vendor-provided ISO 27001 certification should look like this, with the vendor’s name clearly listed:

iso 27001

As a rule of thumb, if a vendor claims a data security certification, ask them for a copy of it. If it doesn’t have their name on it, they may be missing a key component of keeping your data safe.