// Trust & Security Report

    Oyster HR, Inc. logo

    Oyster HR, Inc.

    Global employment platform offering Employer of Record (EOR), Global Contractor management, US PEO, Global Payroll, Employee Benefits, Visa Sponsorship, and People Partner advisory services across 180+ countries

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Oyster's most recent SOC 2 Type II report is available on our Policy and Security Dashboard. Audited by Sensiba San Filippo; covers Security, Availability, Processing Integrity, Confidentiality, and Privacy trust service criteria. First announced January 10, 2023.

    Verify on oysterhr.com
    SOC 1 Type II
    HELD

    'SOC 1 Type 2' is listed under Certificates and Audit Reports on Oyster's SafeBase-powered Trust Center at trust.oysterhr.com (available for review under NDA). Verified present on the vendor's own Trust Center.

    Verify on trust.oysterhr.com
    GDPR (compliance posture)
    HELD

    Oyster states it is 'compliant with various data protection laws, including the General Data Protection Regulation (GDPR)'. DPA incorporates Standard Contractual Clauses (EU Commission Decision 2021/914) and follows privacy-by-design principles throughout the SDLC. A Data Protection Officer is reachable at dpo@oysterhr.com.

    Verify on oysterhr.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Oyster has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles. This also covers the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework. FTC oversight applies.

    Verify on legal.oysterhr.com
    B Corp Certification
    HELD

    Oyster is 'the only B Corp-certified EOR' — stated on homepage. 'Certified B Corporation' badge appears on home page footer. Oyster HR, Inc. is a public benefit corporation.

    Verify on oysterhr.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence that Oyster holds its own ISO 27001 certification. Oyster's DPA states 'Oyster's production environment is hosted by ISO 27001 and SOC 2 certified data centers' (Schedule 3, verified verbatim) — but this is the certification of its cloud host (AWS, listed as a sub-processor in Schedule 4 with data stored in Ireland), not Oyster's own ISMS. The security page does not mention ISO 27001 at all, and no ISO 27001 certificate for Oyster itself appears on any oysterhr.com page or its Trust Center.

    source: oysterhr.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance, a Business Associate Agreement, or HIPAA-specific controls anywhere on Oyster's own domain (security page, DPA, Trust Center, or privacy notices). Third-party review sites assert HIPAA compliance but this cannot be confirmed from vendor-domain evidence. Graded held=false pending vendor confirmation.

    source: oysterhr.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on Oyster's own domain. Their DPA and security page do not mention PCI DSS. Note their AWS data centers are PCI-DSS compliant (host cert, not Oyster's own).

    source: oysterhr.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification on Oyster's own domain or Trust Center. No AI-governance certification is claimed or linked.

    source: trust.oysterhr.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification on Oyster's own domain.

    source: oysterhr.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary data at rest: AWS Servers in Ireland (EU). Processing may occur globally across 30+ countries including US, UK, India, Philippines, and Brazil per local-law requirements.

    Oyster explicitly limits AI use to service enhancement and analytics. The privacy notice lists exactly two AI tools: Snowflake Cortex (support ticket analytics) and Microsoft Clarity (help center optimization). The Terms of Use state Oyster has 'not included any sensitive personal information, trade secrets, or material Confidential Information in any prompts or inputs into any Generative AI Tools without notice, unless we confirm that the Generative AI Tool will not use the information to train the Generative AI Tool.' No evidence of training on customer or employee data.

    // Security controls

    Encryption at rest

    Yes — data asset classification and encryption at rest implemented; endpoint disk encryption also confirmed

    trust.oysterhr.com

    Encryption in transit

    Yes — implied by AWS infrastructure and 2FA/SSO login flows; not explicitly quoted with cipher details on public pages

    oysterhr.com

    Multi-factor authentication

    Supported via SSO or Google login with 2FA

    oysterhr.com

    Penetration testing

    Regular external penetration tests; continuous monitoring via Breachlock (PtaaS platform)

    oysterhr.com

    Infrastructure

    Amazon Web Services (AWS), data centers in Ireland; Anti-DDoS protection; status monitoring

    oysterhr.com

    Compliance automation

    Drata used for continuous monitoring of policies, procedures, and IT infrastructure

    oysterhr.com

    Access control

    Internal SSO, least-privilege access, comprehensive audit logging, role-based access control

    trust.oysterhr.com

    Endpoint security

    Anti-malware, disk encryption, EDR (Endpoint Detection and Response) deployed

    trust.oysterhr.com

    Incident response

    Formal Incident Response Policy; designated response personnel; pager service; anonymous Ethics Helpline; Responsible Disclosure Program

    oysterhr.com

    Backup and recovery

    Regular data backups; RTO 5 hours; RPO 2 minutes

    trust.oysterhr.com

    Staff impersonation / audit trail

    Platform supports staff 'Impersonation' for troubleshooting; all such activity is logged for audit and security purposes

    legal.oysterhr.com

    International data transfers

    Standard Contractual Clauses (EU 2021/914) — Modules 1, 2, and 3 — incorporated into DPA for EEA, UK, and Swiss transfers. DPF also applies where eligible.

    legal.oysterhr.com

    // Products & data scope

    Employer of Record (EOR)Global HR / EOR

    data: Full employee data: personal details, salary, benefits, payroll, PTO, employment contracts across 180+ countries

    Most data-intensive product; SOC 2 Type II and SOC 1 Type II cover this. DPA auto-incorporated into Terms. $699/employee/month.

    Global ContractorsContractor Management

    data: Contractor personal and payment data

    $29/contractor/month. Separate Contractor Privacy Notice available.

    US PEOProfessional Employer Organization

    data: US employee data including benefits and payroll

    US-only product; subject to US state employment laws.

    People Partner ServicesHR Advisory

    data: HR strategy data shared during consultation

    $300/hour white-glove advisory. Separate People Partner Privacy Notice.

    Employee BenefitsBenefits Administration

    data: Health and benefits enrollment data

    Managed as part of EOR; may include health data sensitive under local laws.

    Developer APIAPI / Integration

    data: Dependent on customer integration scope

    Governed by separate Developer Terms. Integrates with HRIS, ATS, and accounting systems.

    // What to watch

    • ISO 27001 HOST-VS-VENDOR AMBIGUITY: The DPA states Oyster's production environment is hosted by 'ISO 27001 and SOC 2 certified data centers' — this is the certification of its cloud host (AWS, data stored in Ireland), not Oyster's own. Oyster's security page does not mention ISO 27001 at all, and no certificate for Oyster's own ISMS is published. Third-party sources and search engines conflate the AWS infrastructure's ISO 27001/27017/27018 and PCI-DSS compliance with Oyster's own; they are not the same. Do not list ISO 27001 as held by Oyster.
    • HIPAA UNCONFIRMED: Third-party review sites claim Oyster is HIPAA-compliant and signs BAAs, but no HIPAA mention found on oysterhr.com, in the DPA, Trust Center, or any privacy notice. Needs direct vendor confirmation before listing as held.
    • AI DATA USAGE DISCLOSED BUT WORTH MONITORING: Privacy Notice discloses AI tool usage (Snowflake Cortex, Microsoft Clarity) for support analytics using employee messaging data and names. Appropriate disclosure exists; terms explicitly limit use to service improvement, not model training.
    • SOC 2 TYPE II REPORT AGE: The public announcement dates to January 2023. While the trust center offers the 'most recent' report, the original audit age means customers should request the current-year report via SafeBase access.
    • STAFF IMPERSONATION FEATURE: Platform includes a feature allowing Oyster staff to log in as a user ('Impersonation') for troubleshooting. While audit-logged and user-controlled, enterprise buyers handling sensitive HR data should review this access control.

    // At a glance

    Pricing model

    Per-seat SaaS: EOR at $699/employee/month, Contractors at $29/contractor/month, People Partner at $300/hour. No exit fees.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Oyster HR, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.oysterhr.com

    > Browse all vendor trust reports