// Trust & Security Report
Oyster HR, Inc.
Global employment platform offering Employer of Record (EOR), Global Contractor management, US PEO, Global Payroll, Employee Benefits, Visa Sponsorship, and People Partner advisory services across 180+ countries
Certifications held
5
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on oysterhr.com“Oyster's most recent SOC 2 Type II report is available on our Policy and Security Dashboard. Audited by Sensiba San Filippo; covers Security, Availability, Processing Integrity, Confidentiality, and Privacy trust service criteria. First announced January 10, 2023.”
Verify on trust.oysterhr.com“'SOC 1 Type 2' is listed under Certificates and Audit Reports on Oyster's SafeBase-powered Trust Center at trust.oysterhr.com (available for review under NDA). Verified present on the vendor's own Trust Center.”
Verify on oysterhr.com“Oyster states it is 'compliant with various data protection laws, including the General Data Protection Regulation (GDPR)'. DPA incorporates Standard Contractual Clauses (EU Commission Decision 2021/914) and follows privacy-by-design principles throughout the SDLC. A Data Protection Officer is reachable at dpo@oysterhr.com.”
Verify on legal.oysterhr.com“Oyster has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles. This also covers the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework. FTC oversight applies.”
Verify on oysterhr.com“Oyster is 'the only B Corp-certified EOR' — stated on homepage. 'Certified B Corporation' badge appears on home page footer. Oyster HR, Inc. is a public benefit corporation.”
> Show 5 unconfirmed / not-held certifications
source: oysterhr.comNo public evidence that Oyster holds its own ISO 27001 certification. Oyster's DPA states 'Oyster's production environment is hosted by ISO 27001 and SOC 2 certified data centers' (Schedule 3, verified verbatim) — but this is the certification of its cloud host (AWS, listed as a sub-processor in Schedule 4 with data stored in Ireland), not Oyster's own ISMS. The security page does not mention ISO 27001 at all, and no ISO 27001 certificate for Oyster itself appears on any oysterhr.com page or its Trust Center.
source: oysterhr.comNo mention of HIPAA compliance, a Business Associate Agreement, or HIPAA-specific controls anywhere on Oyster's own domain (security page, DPA, Trust Center, or privacy notices). Third-party review sites assert HIPAA compliance but this cannot be confirmed from vendor-domain evidence. Graded held=false pending vendor confirmation.
source: oysterhr.comNo public evidence of PCI DSS certification on Oyster's own domain. Their DPA and security page do not mention PCI DSS. Note their AWS data centers are PCI-DSS compliant (host cert, not Oyster's own).
source: trust.oysterhr.comNo public evidence of ISO/IEC 42001 certification on Oyster's own domain or Trust Center. No AI-governance certification is claimed or linked.
source: oysterhr.comNo public evidence of CSA STAR certification on Oyster's own domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary data at rest: AWS Servers in Ireland (EU). Processing may occur globally across 30+ countries including US, UK, India, Philippines, and Brazil per local-law requirements.
Oyster explicitly limits AI use to service enhancement and analytics. The privacy notice lists exactly two AI tools: Snowflake Cortex (support ticket analytics) and Microsoft Clarity (help center optimization). The Terms of Use state Oyster has 'not included any sensitive personal information, trade secrets, or material Confidential Information in any prompts or inputs into any Generative AI Tools without notice, unless we confirm that the Generative AI Tool will not use the information to train the Generative AI Tool.' No evidence of training on customer or employee data.
// Security controls
Encryption at rest
Yes — data asset classification and encryption at rest implemented; endpoint disk encryption also confirmed
trust.oysterhr.comEncryption in transit
Yes — implied by AWS infrastructure and 2FA/SSO login flows; not explicitly quoted with cipher details on public pages
oysterhr.comPenetration testing
Regular external penetration tests; continuous monitoring via Breachlock (PtaaS platform)
oysterhr.comInfrastructure
Amazon Web Services (AWS), data centers in Ireland; Anti-DDoS protection; status monitoring
oysterhr.comCompliance automation
Drata used for continuous monitoring of policies, procedures, and IT infrastructure
oysterhr.comAccess control
Internal SSO, least-privilege access, comprehensive audit logging, role-based access control
trust.oysterhr.comEndpoint security
Anti-malware, disk encryption, EDR (Endpoint Detection and Response) deployed
trust.oysterhr.comIncident response
Formal Incident Response Policy; designated response personnel; pager service; anonymous Ethics Helpline; Responsible Disclosure Program
oysterhr.comStaff impersonation / audit trail
Platform supports staff 'Impersonation' for troubleshooting; all such activity is logged for audit and security purposes
legal.oysterhr.comInternational data transfers
Standard Contractual Clauses (EU 2021/914) — Modules 1, 2, and 3 — incorporated into DPA for EEA, UK, and Swiss transfers. DPF also applies where eligible.
legal.oysterhr.com// Products & data scope
data: Full employee data: personal details, salary, benefits, payroll, PTO, employment contracts across 180+ countries
Most data-intensive product; SOC 2 Type II and SOC 1 Type II cover this. DPA auto-incorporated into Terms. $699/employee/month.
data: Contractor personal and payment data
$29/contractor/month. Separate Contractor Privacy Notice available.
data: US employee data including benefits and payroll
US-only product; subject to US state employment laws.
data: HR strategy data shared during consultation
$300/hour white-glove advisory. Separate People Partner Privacy Notice.
data: Health and benefits enrollment data
Managed as part of EOR; may include health data sensitive under local laws.
data: Dependent on customer integration scope
Governed by separate Developer Terms. Integrates with HRIS, ATS, and accounting systems.
// What to watch
- ISO 27001 HOST-VS-VENDOR AMBIGUITY: The DPA states Oyster's production environment is hosted by 'ISO 27001 and SOC 2 certified data centers' — this is the certification of its cloud host (AWS, data stored in Ireland), not Oyster's own. Oyster's security page does not mention ISO 27001 at all, and no certificate for Oyster's own ISMS is published. Third-party sources and search engines conflate the AWS infrastructure's ISO 27001/27017/27018 and PCI-DSS compliance with Oyster's own; they are not the same. Do not list ISO 27001 as held by Oyster.
- HIPAA UNCONFIRMED: Third-party review sites claim Oyster is HIPAA-compliant and signs BAAs, but no HIPAA mention found on oysterhr.com, in the DPA, Trust Center, or any privacy notice. Needs direct vendor confirmation before listing as held.
- AI DATA USAGE DISCLOSED BUT WORTH MONITORING: Privacy Notice discloses AI tool usage (Snowflake Cortex, Microsoft Clarity) for support analytics using employee messaging data and names. Appropriate disclosure exists; terms explicitly limit use to service improvement, not model training.
- SOC 2 TYPE II REPORT AGE: The public announcement dates to January 2023. While the trust center offers the 'most recent' report, the original audit age means customers should request the current-year report via SafeBase access.
- STAFF IMPERSONATION FEATURE: Platform includes a feature allowing Oyster staff to log in as a user ('Impersonation') for troubleshooting. While audit-logged and user-controlled, enterprise buyers handling sensitive HR data should review this access control.
// At a glance
Pricing model
Per-seat SaaS: EOR at $699/employee/month, Contractors at $29/contractor/month, People Partner at $300/hour. No exit fees.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Oyster HR, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.oysterhr.com