Your employee data, locked down.
The VertiSource HR Cloud runs on SOC 2 Type II attested infrastructure (Microsoft Azure). Employee data is encrypted at rest and in transit, U.S. hosted, role-based. Security questions answered by a specialist on the phone, not a ticket.
Everything in one place.
No login walls and no email gates on these security materials. Click anything below to dig in.
Encryption Everywhere
AES-256 encryption at rest, TLS 1.2+ in transit. Your connection to our platform is encrypted end to end with TLS.
Role-Based Access
Granular permissions per user, per module. Managers see their team. Employees see themselves. Admins see what you let them see.
Audit Logging
Every login, every change, every export, logged with timestamp, user, and IP. Available for export on request.
U.S.-Based Hosting
All employee data stored in U.S. data centers, hosted on Microsoft Azure infrastructure that maintains SOC 2 Type II attestation. No offshore processing.
Backup & Recovery
Continuous backups with point-in-time recovery. Disaster recovery tested quarterly.
Privacy & Compliance
GDPR-aligned data handling, CCPA-compliant deletion requests, and a real Data Processing Addendum your legal team can read.
No selling your data. No offshore processing. No silent breaches.
Your employee roster, salary history, and benefits enrollments are not products we monetize. They are data we protect. We never sell, share, or analyze client data for any purpose other than running your HR services.
Who touches your data, and where.
VertiSource HR maintains a Data Processing Agreement (DPA) available on request and discloses all sub-processors that handle client data. The list below covers the typical vendors involved in delivering our PEO services.
Microsoft Azure
Primary infrastructure hosting across multiple U.S. regions. Maintains SOC 2 Type II, ISO 27001, and ISO 27018 attestations.
The VertiSource HR Cloud (HRIS Platform)
Core payroll calculation, tax filing, and pay run processing for client employees. Built on a SOC 2 Type II attested HRIS platform. Vendor identity disclosed in our Privacy Policy §7.3.
HubSpot
CRM, prospect form processing, and client communications. Used for sales and onboarding contact only, not payroll data.
Postmark / SendGrid
Transactional email delivery for paystubs, password resets, and system notifications.
Stripe
Billing and ACH processing for client invoices. Card data is tokenized and never stored on our systems.
Request the full list
Need our current DPA and complete sub-processor inventory for your procurement review? Email security@vertisourcehr.com.
Your IdP, your rules.
Identity controls available for clients with internal IT and security requirements.
SAML 2.0 SSO
Available on enterprise plans. Works with Okta, Azure AD / Entra ID, Google Workspace, and other SAML-compliant identity providers.
SCIM Provisioning
Automated user provisioning and deprovisioning on the 2026 roadmap. Available on request for enterprise pilots.
MFA Enforcement
Multi-factor authentication enforced for all internal VertiSource HR users. Configurable for client portal users.
Role-Based Access Control
Granular permissions on the client portal. Separate roles for owners, HR admins, payroll approvers, managers, and employees.
Where your data lives, and how long.
U.S. Data Residency
All client HRIS and payroll data is stored in U.S. data centers (multiple U.S. regions); we do not offshore client data processing. Limited cross-border transfers may occur only where a visitor located outside the U.S. submits information through our website, governed by Standard Contractual Clauses as described in our Privacy Policy.
Encryption
Backups encrypted at rest with AES-256. Data in transit protected with TLS 1.2+ (TLS 1.3 where supported). Database snapshots encrypted with managed keys.
Retention
Retention follows statutory recordkeeping requirements (IRS, DOL/FLSA, ERISA). Payroll records are retained for a minimum of seven (7) years. Full per-category retention periods are detailed in our Privacy Policy §8.
Deletion on Request
Client data deleted on written request, except records we are required by law to retain (tax filings, wage records, and similar).
If something goes wrong, you hear from us, fast.
Found a security issue? Report a suspected vulnerability to security@vertisourcehr.com. We acknowledge reports promptly and coordinate remediation.
Prompt Breach Notification
Confirmed security incidents affecting client data are reported to impacted clients as soon as reasonably practicable and no later than seventy-two (72) hours after confirmation, consistent with our written incident-response policies and the timing in our Biometric Information Notice.
Documented Runbook
Incident response runbook covering detection, containment, eradication, recovery, and post-incident review.
Tabletop Exercises
Annual tabletop exercises with leadership and IT to validate the runbook and improve response time.
Single Point of Contact
Your team is your incident point of contact, not a generic ticket queue.
An honest look at where we stand.
No badge theater. Here is exactly what applies to us today and how we handle each framework.
This Security page was last reviewed June 8, 2026.
SOC 2
Platform attestation: The VertiSource HR Cloud is built on a SOC 2 Type II attested platform and Microsoft Azure infrastructure that maintains SOC 2 Type II, ISO 27001, and ISO 27018 attestations.
VSHR direct attestation: VertiSource HR is evaluating an independent SOC 2 Type II attestation timeline. Until that report is issued, VertiSource HR does not represent itself as SOC 2 certified, SOC 2 compliant, or SOC 2 audited.
HIPAA
Business Associate Agreements (BAAs) available for clients whose benefits administration involves Protected Health Information.
GDPR
Limited applicability. VertiSource HR operates U.S.-only. EU-based clients should contact us for bespoke data processing terms.
State Privacy Laws
Programs aligned with California (CCPA / CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). State privacy programs are subject to ongoing rulemaking; we update controls and notices to track current obligations.
PCI DSS
We do not store cardholder data. All card payments are tokenized and processed through Stripe, a PCI Level 1 service provider.
Request our DPA and sub-processor list.
Procurement reviewing us? Email security@vertisourcehr.com and we'll send our current Data Processing Agreement, sub-processor inventory, and security questionnaire responses within one business day.
Email security@vertisourcehr.com or call 855-565-8747
Talk to a specialist.
Same team, every call. No ticket queues. No 1-800 numbers. Just a real HR professional who knows your business.
Get Your Free HR Review or call 855-565-8747