// Trust & Security Report
Remote Technology, Inc.
Global employment infrastructure (Employer of Record, Global Payroll, Contractor of Record/Management, PEO) plus a REST API and 'Remote MCP', an MCP server that gives AI agents live access to payroll, contract, compliance, and org-structure data.
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.remote.com“SOC2 Type 2 — Remote's most recent SOC2 Type2 certificate report (Request)”
Verify on trust.remote.com“ISO 27001 — Certification of Remote's ISMS compliance with the ISO27001 standard (Download)”
Verify on trust.remote.com“Listed under 'Compliance' on the trust center alongside SOC 2/ISO 27001/CSA STAR; corroborated by Remote's Data Protection Addendum: 'Data Protection Laws means all applicable data protection and privacy laws... [Remote] act[s] as Processor and You shall act as Controller' for Payroll/HRIS/Contractor Management services, with EU SCCs applied for international transfers.”
> Show 5 unconfirmed / not-held certifications
source: support.remote.comNo HIPAA certification or BAA program found. Remote's own support content states BAAs are not required for its Employment Services because assigned personnel are treated as client personnel acting under the client's instruction/supervision, not as Remote processing PHI on the client's behalf. Not directly re-fetchable (support.remote.com returned HTTP 403 to automated fetch) but confirmed via search-indexed vendor page: 'Can we enter into HIPAA business associate agreements with Remote or the employees you assign to us?'
source: trust.remote.comNo public evidence of a PCI DSS attestation. Remote is not a card-payment processor for merchants; no PCI DSS reference appears on the trust center, security whitepaper listing, or marketing pages captured.
source: trust.remote.comNo public evidence. Not listed on the trust center's Compliance section (SOC 2 Type 2, ISO 27001, GDPR, CSA STAR Level 1 only) and no search results surface an ISO 42001 claim from Remote.
source: trust.remote.comNot listed on the trust center's compliance section; no public evidence found.
source: trust.remote.comNo public evidence; not applicable to Remote's commercial HR/payroll offering as captured.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Global, multi-region; Remote operates owned legal entities in-market. International personal-data transfers rely on the EU-US Data Privacy Framework (plus UK and Swiss extensions) and the 2021 EU Standard Contractual Clauses.
Remote's privacy policy explicitly restricts third-party AI suppliers: 'we contractually ensure that Personal Data is not available to the supplier's other users and is not used to train the supplier's AI models.' This covers Remote's own use of AI vendors, not a first-party model Remote trains itself. DPA coverage is nuanced by product: Remote acts as Processor (standard Art. 28 DPA terms via Terms of Service) for Payroll, HRIS, Contractor Management, Mobility, and Perform, but acts as an independent Controller (no standard client-DPA) for Employer of Record (EOR) and Contractor of Record services, since Remote itself directly employs/contracts the worker in those models.
// Security controls
Encryption in transit
Listed as an active control ('Encryption-in-Transit') under the trust center's Network/Access Security category.
trust.remote.comContinuous compliance monitoring
Trust center controls are continuously monitored via Secureframe, a third-party compliance automation platform.
trust.remote.comPenetration testing
Third-party penetration testing is a listed control; an executive summary of the latest platform pentest is available on request.
trust.remote.comIncident response
Documented Incident Response Plan, incident tracking, and lessons-learned process listed as controls.
trust.remote.comBusiness continuity / disaster recovery
Business Continuity and Disaster Recovery Policy with periodic testing listed as a control.
trust.remote.comVendor risk management
Vendor Due Diligence Review and Vendor Risk Management Policy listed as controls.
trust.remote.comAccess control
Administrative access restricted; Access Control and Termination Policy listed as a control.
trust.remote.com// Products & data scope
data: Full employee PII, employment contracts, tax and benefits data; Remote is Controller (not a client processor) for this data.
Handled under owned local legal entities; no standard client DPA since Remote acts as independent Controller.
data: Payroll amounts, bank details, tax filings across multiple currencies/jurisdictions.
Remote acts as Processor; covered under Art. 28-style DPA terms in the Terms of Service.
data: Contractor identity, payment, and compliance/misclassification data.
COR follows the EOR (Controller) model; standalone Contractor Management follows the Processor model.
data: Programmatic read/write access to employment, payroll, and org data via REST API and webhooks.
API-first access layer for customer-built integrations.
data: Live connection exposing payroll, contracts, compliance data, and org structure directly to AI agents, per Remote's own description ('no API keys, no exports, no custom integrations needed').
The product most relevant to an AI-tools directory listing; no separate AI-specific certification (e.g. ISO 42001) or AI-data-handling disclosure was found beyond the general privacy policy and trust center controls, so its AI-agent data-access model should be evaluated against the same enterprise-wide certs, not an AI-specific one.
// What to watch
- Category mismatch risk: Remote is fundamentally an HR/Employer-of-Record/payroll infrastructure company, not an AI model or AI-native SaaS tool. Its relevance to an AI-tools directory rests on 'Remote MCP' (an MCP server for AI agents) — confirm the AIFOXX listing scopes/labels it correctly (e.g. under MCP servers / HR-infra category) rather than implying Remote itself is an AI product.
- DPA is nuanced, not a flat yes/no: Remote is Processor (standard DPA) for Payroll/HRIS/Contractor Management but independent Controller (no client-facing Art. 28 DPA) for Employer of Record and Contractor of Record. A blanket 'has DPA: true' badge without this caveat would overstate the EOR product's DPA coverage.
- No AI-specific governance certification (e.g. ISO/IEC 42001, CSA STAR AI) found for the Remote MCP product; the only AI-training disclosure found is a restriction on Remote's own third-party AI suppliers, not an attestation about the Remote MCP agent-access feature itself.
// At a glance
Pricing model
Per-employee/contractor subscription pricing (EOR, payroll, contractor management); custom/quote-based for PEO and enterprise; API/MCP access bundled with underlying employment products (no distinct public price list captured).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Remote Technology, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.remote.com