// Trust & Security Report

    Remote Technology, Inc. logo

    Remote Technology, Inc.

    Global employment infrastructure (Employer of Record, Global Payroll, Contractor of Record/Management, PEO) plus a REST API and 'Remote MCP', an MCP server that gives AI agents live access to payroll, contract, compliance, and org-structure data.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC2 Type 2 — Remote's most recent SOC2 Type2 certificate report (Request)

    Verify on trust.remote.com
    ISO 27001
    HELD

    ISO 27001 — Certification of Remote's ISMS compliance with the ISO27001 standard (Download)

    Verify on trust.remote.com
    GDPR (compliance posture)
    HELD

    Listed under 'Compliance' on the trust center alongside SOC 2/ISO 27001/CSA STAR; corroborated by Remote's Data Protection Addendum: 'Data Protection Laws means all applicable data protection and privacy laws... [Remote] act[s] as Processor and You shall act as Controller' for Payroll/HRIS/Contractor Management services, with EU SCCs applied for international transfers.

    Verify on trust.remote.com
    CSA STAR Level 1
    HELD

    CSA STAR Level 1 (Visit)

    Verify on trust.remote.com
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA certification or BAA program found. Remote's own support content states BAAs are not required for its Employment Services because assigned personnel are treated as client personnel acting under the client's instruction/supervision, not as Remote processing PHI on the client's behalf. Not directly re-fetchable (support.remote.com returned HTTP 403 to automated fetch) but confirmed via search-indexed vendor page: 'Can we enter into HIPAA business associate agreements with Remote or the employees you assign to us?'

    source: support.remote.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of a PCI DSS attestation. Remote is not a card-payment processor for merchants; no PCI DSS reference appears on the trust center, security whitepaper listing, or marketing pages captured.

    source: trust.remote.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not listed on the trust center's Compliance section (SOC 2 Type 2, ISO 27001, GDPR, CSA STAR Level 1 only) and no search results surface an ISO 42001 claim from Remote.

    source: trust.remote.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    Not listed on the trust center's compliance section; no public evidence found.

    source: trust.remote.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; not applicable to Remote's commercial HR/payroll offering as captured.

    source: trust.remote.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Global, multi-region; Remote operates owned legal entities in-market. International personal-data transfers rely on the EU-US Data Privacy Framework (plus UK and Swiss extensions) and the 2021 EU Standard Contractual Clauses.

    Remote's privacy policy explicitly restricts third-party AI suppliers: 'we contractually ensure that Personal Data is not available to the supplier's other users and is not used to train the supplier's AI models.' This covers Remote's own use of AI vendors, not a first-party model Remote trains itself. DPA coverage is nuanced by product: Remote acts as Processor (standard Art. 28 DPA terms via Terms of Service) for Payroll, HRIS, Contractor Management, Mobility, and Perform, but acts as an independent Controller (no standard client-DPA) for Employer of Record (EOR) and Contractor of Record services, since Remote itself directly employs/contracts the worker in those models.

    // Security controls

    Encryption in transit

    Listed as an active control ('Encryption-in-Transit') under the trust center's Network/Access Security category.

    trust.remote.com

    Continuous compliance monitoring

    Trust center controls are continuously monitored via Secureframe, a third-party compliance automation platform.

    trust.remote.com

    Penetration testing

    Third-party penetration testing is a listed control; an executive summary of the latest platform pentest is available on request.

    trust.remote.com

    Incident response

    Documented Incident Response Plan, incident tracking, and lessons-learned process listed as controls.

    trust.remote.com

    Business continuity / disaster recovery

    Business Continuity and Disaster Recovery Policy with periodic testing listed as a control.

    trust.remote.com

    Vendor risk management

    Vendor Due Diligence Review and Vendor Risk Management Policy listed as controls.

    trust.remote.com

    Access control

    Administrative access restricted; Access Control and Termination Policy listed as a control.

    trust.remote.com

    // Products & data scope

    Employer of Record (EOR)HR / Employment

    data: Full employee PII, employment contracts, tax and benefits data; Remote is Controller (not a client processor) for this data.

    Handled under owned local legal entities; no standard client DPA since Remote acts as independent Controller.

    Global PayrollPayroll / Finance

    data: Payroll amounts, bank details, tax filings across multiple currencies/jurisdictions.

    Remote acts as Processor; covered under Art. 28-style DPA terms in the Terms of Service.

    Contractor of Record (COR) / Contractor ManagementHR / Contractor compliance

    data: Contractor identity, payment, and compliance/misclassification data.

    COR follows the EOR (Controller) model; standalone Contractor Management follows the Processor model.

    Remote APIDeveloper / Integration

    data: Programmatic read/write access to employment, payroll, and org data via REST API and webhooks.

    API-first access layer for customer-built integrations.

    Remote MCPAI agent integration (MCP server)

    data: Live connection exposing payroll, contracts, compliance data, and org structure directly to AI agents, per Remote's own description ('no API keys, no exports, no custom integrations needed').

    The product most relevant to an AI-tools directory listing; no separate AI-specific certification (e.g. ISO 42001) or AI-data-handling disclosure was found beyond the general privacy policy and trust center controls, so its AI-agent data-access model should be evaluated against the same enterprise-wide certs, not an AI-specific one.

    // What to watch

    • Category mismatch risk: Remote is fundamentally an HR/Employer-of-Record/payroll infrastructure company, not an AI model or AI-native SaaS tool. Its relevance to an AI-tools directory rests on 'Remote MCP' (an MCP server for AI agents) — confirm the AIFOXX listing scopes/labels it correctly (e.g. under MCP servers / HR-infra category) rather than implying Remote itself is an AI product.
    • DPA is nuanced, not a flat yes/no: Remote is Processor (standard DPA) for Payroll/HRIS/Contractor Management but independent Controller (no client-facing Art. 28 DPA) for Employer of Record and Contractor of Record. A blanket 'has DPA: true' badge without this caveat would overstate the EOR product's DPA coverage.
    • No AI-specific governance certification (e.g. ISO/IEC 42001, CSA STAR AI) found for the Remote MCP product; the only AI-training disclosure found is a restriction on Remote's own third-party AI suppliers, not an attestation about the Remote MCP agent-access feature itself.

    // At a glance

    Pricing model

    Per-employee/contractor subscription pricing (EOR, payroll, contractor management); custom/quote-based for PEO and enterprise; API/MCP access bundled with underlying employment products (no distinct public price list captured).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Remote Technology, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.remote.com

    > Browse all vendor trust reports