// Trust & Security Report
Gusto, Inc.
All-in-one payroll, HR, and benefits platform for SMBs; includes payroll processing, tax compliance, employee benefits administration, hiring & onboarding, time tracking, and talent management.
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on support.gusto.com“Gusto maintains SOC 1 and SOC 2 reports, which are updated annually. Customers can access these reports via our Trust Center after filling out a nondisclosure agreement.”
Verify on support.gusto.com“Gusto maintains SOC 1 and SOC 2 reports, which are updated annually. Customers can access these reports via our Trust Center after filling out a nondisclosure agreement.”
Verify on gusto.com“Gusto follows HIPAA guidelines to safeguard customers' protected health information (PHI), and maintains business associate agreements (BAAs) between employers and Gusto, along with any third parties, like insurance companies.”
Verify on gusto.com“Gusto offers Service Provider Data Processing Agreement (SPDPA) and Employer Data Processing Addendum referencing GDPR 2016/679 and national implementing legislations. Breach notification procedures documented in DPA.”
> Show 3 unconfirmed / not-held certifications
source: risclens.comNo confirmed ISO 27001 certification found on Gusto's public registries or trust center. Search results show Gusto offers integrations (Secureframe, ComplyJet) to help customers achieve ISO 27001, not that Gusto itself is certified.
source: thirdproof.aiNo PCI DSS certification was detected on Gusto's public trust center or registries. However, Gusto provides guidance for organizations implementing PCI compliance through shared responsibility documentation.
source: risclens.comNo evidence of FedRAMP certification. Gusto is not listed on the FedRAMP Marketplace.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary: AWS US-West-2 (Oregon); Backup: AWS US-East-1 (Virginia)
Gusto does NOT permit third-party AI and LLM service providers to use customer personal information to train, fine-tune, or improve their AI models. Gusto's AI provider operates under a zero-retention agreement. Important caveat: When customers connect Gusto to external platforms (ChatGPT, Claude), those platforms' own privacy policies apply to shared data.
// Security controls
Infrastructure Provider
Amazon Web Services (AWS); Primary: US-West-2 (Oregon), Backup: US-East-1 (Virginia)
gusto.comVulnerability Scanning
Third-party security tools continuously scan applications, systems, and infrastructure; static code analysis on repositories
gusto.comIncident Response
Documented incident response procedures; breach notification per HIPAA and GDPR requirements
gusto.com// Products & data scope
data: Employee data, tax information, compensation records
Automated tax filing and compliance; includes R&D tax credits
data: Employee records, documents, onboarding data
Custom onboarding checklists, document management, talent management
data: Health insurance enrollment, PHI when applicable via BAA
Health insurance brokerage; workers' compensation; Gusto Wallet (financial benefits)
data: Job applicants, candidate information, onboarding checklists
Job posting, applicant tracking, onboarding workflows
data: Employee time records, punch data
Time tracking for payroll sync; mobile-friendly interface
data: Aggregated business data, payroll analytics
Dashboards, reports, business metrics; no customer data training
// What to watch
- SOC 2 Type II report is not publicly disclosed — requires NDA to access. Third-party compliance registries (ThirdProof, RiscLens) could not confirm SOC 2 on public signals as of 2026, creating a documentation gap for procurement teams.
- ISO 27001 certification not held — Gusto offers integrations to help customers achieve ISO 27001, but is not itself certified.
- No PCI DSS or FedRAMP certifications found — appropriate for a payroll/HR platform, but noteworthy for organizations with specific regulatory requirements.
- Data residency limited to US AWS regions — no explicit EU data center offering despite GDPR DPA availability. May raise concerns for EU customers seeking data localization.
- AI Training Policy: Explicitly does NOT permit AI providers to train on customer data (positive), but customers must actively manage settings on external platforms (ChatGPT, Claude) if integrated via Gusto, as those platforms' own policies apply once data leaves Gusto.
- HIPAA applies conditionally — only applies if PHI is present in the platform; basic payroll/HR use may not trigger HIPAA requirements.
// At a glance
Pricing model
Subscription per employee per month; tiered plans by business size and features; free trial available
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Gusto, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.gusto.com