// Trust & Security Report

    Gusto, Inc. logo

    Gusto, Inc.

    All-in-one payroll, HR, and benefits platform for SMBs; includes payroll processing, tax compliance, employee benefits administration, hiring & onboarding, time tracking, and talent management.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Gusto maintains SOC 1 and SOC 2 reports, which are updated annually. Customers can access these reports via our Trust Center after filling out a nondisclosure agreement.

    Verify on support.gusto.com
    SOC 1 Type II
    HELD

    Gusto maintains SOC 1 and SOC 2 reports, which are updated annually. Customers can access these reports via our Trust Center after filling out a nondisclosure agreement.

    Verify on support.gusto.com
    HIPAA
    HELD

    Gusto follows HIPAA guidelines to safeguard customers' protected health information (PHI), and maintains business associate agreements (BAAs) between employers and Gusto, along with any third parties, like insurance companies.

    Verify on gusto.com
    GDPR Compliance
    HELD

    Gusto offers Service Provider Data Processing Agreement (SPDPA) and Employer Data Processing Addendum referencing GDPR 2016/679 and national implementing legislations. Breach notification procedures documented in DPA.

    Verify on gusto.com
    > Show 3 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No confirmed ISO 27001 certification found on Gusto's public registries or trust center. Search results show Gusto offers integrations (Secureframe, ComplyJet) to help customers achieve ISO 27001, not that Gusto itself is certified.

    source: risclens.com
    PCI DSS
    NOT CONFIRMED

    No PCI DSS certification was detected on Gusto's public trust center or registries. However, Gusto provides guidance for organizations implementing PCI compliance through shared responsibility documentation.

    source: thirdproof.ai
    FedRAMP
    NOT CONFIRMED

    No evidence of FedRAMP certification. Gusto is not listed on the FedRAMP Marketplace.

    source: risclens.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary: AWS US-West-2 (Oregon); Backup: AWS US-East-1 (Virginia)

    Gusto does NOT permit third-party AI and LLM service providers to use customer personal information to train, fine-tune, or improve their AI models. Gusto's AI provider operates under a zero-retention agreement. Important caveat: When customers connect Gusto to external platforms (ChatGPT, Claude), those platforms' own privacy policies apply to shared data.

    // Security controls

    Encryption in Transit

    TLS v1.2

    gusto.com

    Encryption at Rest

    AES-256 key encryption in AWS

    gusto.com

    Infrastructure Provider

    Amazon Web Services (AWS); Primary: US-West-2 (Oregon), Backup: US-East-1 (Virginia)

    gusto.com

    Penetration Testing

    Third-party penetration testing conducted regularly

    gusto.com

    Vulnerability Scanning

    Third-party security tools continuously scan applications, systems, and infrastructure; static code analysis on repositories

    gusto.com

    Incident Response

    Documented incident response procedures; breach notification per HIPAA and GDPR requirements

    gusto.com

    // Products & data scope

    PayrollCore Platform

    data: Employee data, tax information, compensation records

    Automated tax filing and compliance; includes R&D tax credits

    HR & People ManagementHR Software

    data: Employee records, documents, onboarding data

    Custom onboarding checklists, document management, talent management

    Benefits (Health & Financial)Benefits Administration

    data: Health insurance enrollment, PHI when applicable via BAA

    Health insurance brokerage; workers' compensation; Gusto Wallet (financial benefits)

    Hiring & OnboardingTalent Acquisition

    data: Job applicants, candidate information, onboarding checklists

    Job posting, applicant tracking, onboarding workflows

    Time & AttendanceTime Tracking

    data: Employee time records, punch data

    Time tracking for payroll sync; mobile-friendly interface

    Insights & ReportingAnalytics

    data: Aggregated business data, payroll analytics

    Dashboards, reports, business metrics; no customer data training

    // What to watch

    • SOC 2 Type II report is not publicly disclosed — requires NDA to access. Third-party compliance registries (ThirdProof, RiscLens) could not confirm SOC 2 on public signals as of 2026, creating a documentation gap for procurement teams.
    • ISO 27001 certification not held — Gusto offers integrations to help customers achieve ISO 27001, but is not itself certified.
    • No PCI DSS or FedRAMP certifications found — appropriate for a payroll/HR platform, but noteworthy for organizations with specific regulatory requirements.
    • Data residency limited to US AWS regions — no explicit EU data center offering despite GDPR DPA availability. May raise concerns for EU customers seeking data localization.
    • AI Training Policy: Explicitly does NOT permit AI providers to train on customer data (positive), but customers must actively manage settings on external platforms (ChatGPT, Claude) if integrated via Gusto, as those platforms' own policies apply once data leaves Gusto.
    • HIPAA applies conditionally — only applies if PHI is present in the platform; basic payroll/HR use may not trigger HIPAA requirements.

    // At a glance

    Pricing model

    Subscription per employee per month; tiered plans by business size and features; free trial available

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Gusto, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.gusto.com

    > Browse all vendor trust reports