CNIL 2026: updated API security recommendations for SaaS vendors
Why the CNIL cares about APIs
APIs have become the primary channel for exchanging data in HR SaaS products. Every time a payroll platform sends a payslip to a digital vault, an ATS shares a candidate profile with an assessment tool, or an HRIS syncs absences with the national declaration system, an API is at work.
The issue: many of these APIs expose more data than necessary, fail to properly check permissions, or don't log calls adequately. The CNIL observed this during its 2025 inspections and updated its guidance accordingly.
What actually changes
Authentication and authorization
The CNIL now insists on strict separation between authentication (who's calling?) and authorization (are they allowed?). API tokens must have limited lifetimes — the recommendation is 15 minutes max for access tokens — and refresh tokens must be individually revocable.
For a payroll vendor, this means a token generated to sync salaries should not be able to access disciplinary records. Least privilege, applied endpoint by endpoint.
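To make the split between authentication and authorization concrete, here is an added example (not code from the CNIL, from CleanIssue, or from any vendor named on this page) of a minimal token layer in Python, standard library only: access tokens are HMAC-signed with a 15-minute expiry and an explicit scope list, refresh tokens are opaque ids stored server-side so each one can be revoked on its own, and every route declares the single granular scope it requires. The signing key, the route table, and the read:employees:disciplinary scope are assumptions made for the example; read:employees:payroll follows the naming the article recommends.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical signing key: in production load it from a secret store, never from source.
SIGNING_KEY = b"example-signing-key-do-not-use"
ACCESS_TTL = 15 * 60  # 15 minutes, the maximum the article cites for access tokens


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject: str, scopes: list[str], now: float | None = None) -> str:
    """Return a compact HMAC-signed access token with an explicit scope list and a short expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": sorted(scopes), "iat": int(now), "exp": int(now) + ACCESS_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_access_token(token: str, now: float | None = None) -> dict:
    """Authentication (who is calling?): check signature and expiry, return the claims, raise otherwise."""
    now = time.time() if now is None else now
    body, sig = token.split(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


def require_scope(claims: dict, needed: str) -> None:
    """Authorization (are they allowed?): the caller must hold exactly the scope the endpoint declares."""
    if needed not in claims.get("scope", []):
        raise PermissionError(f"missing scope {needed}")


# Refresh tokens: one random opaque id per token, kept server-side so each can be revoked individually.
_refresh_store: dict[str, dict] = {}


def issue_refresh_token(subject: str, scopes: list[str]) -> str:
    rid = secrets.token_urlsafe(32)
    _refresh_store[rid] = {"sub": subject, "scope": list(scopes), "revoked": False}
    return rid


def revoke_refresh_token(rid: str) -> None:
    if rid in _refresh_store:
        _refresh_store[rid]["revoked"] = True


def exchange_refresh_token(rid: str, now: float | None = None) -> str:
    """Trade a live refresh token for a new short-lived access token with the same scopes."""
    entry = _refresh_store.get(rid)
    if entry is None or entry["revoked"]:
        raise PermissionError("refresh token unknown or revoked")
    return mint_access_token(entry["sub"], entry["scope"], now)


# Hypothetical route table: each endpoint declares the one granular scope it needs.
ENDPOINT_SCOPES = {
    "GET /employees/{id}/payroll": "read:employees:payroll",
    "GET /employees/{id}/disciplinary": "read:employees:disciplinary",
}


def call_endpoint(route: str, token: str, now: float | None = None) -> str:
    """Authenticate first, then authorize against the route's declared scope."""
    claims = verify_access_token(token, now)
    require_scope(claims, ENDPOINT_SCOPES[route])
    return f"200 OK for {claims['sub']} on {route}"


def endpoint_allows(route: str, token: str, now: float | None = None) -> bool:
    """True if the token both authenticates and carries the route's scope, False otherwise."""
    try:
        call_endpoint(route, token, now)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    payroll_token = mint_access_token("payroll-sync", ["read:employees:payroll"], now=t0)
    print(call_endpoint("GET /employees/{id}/payroll", payroll_token, now=t0))
    print("disciplinary allowed:", endpoint_allows("GET /employees/{id}/disciplinary", payroll_token, now=t0))
```

The point of the route table is that a salary-sync token carries read:employees:payroll and nothing else, so the disciplinary endpoint refuses it even though the signature is valid; the refresh store lets you kill one partner's refresh token without rotating the signing key for everyone.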
Data minimization
Key new point: every endpoint must return only the fields required for the declared use. A partner that needs an employee's name and email should not receive their social security number in the same response, even if the field exists in the database.
The CNIL now recommends server-side projection mechanisms (field filtering) rather than relying on the client to ignore irrelevant fields.
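As an added illustration (not code from the CNIL or from CleanIssue), the following Python shows what a server-side projection looks like: each scope carries an allow-list of field paths, the response is assembled from that list only, and a client-supplied field selection (the kind of ?fields= parameter many APIs accept) can narrow the result but never widen it. The employee record, the field names and the per-scope lists are constructed for the example; the scope names follow the read:employees:<domain> convention the article recommends.

```python
from __future__ import annotations

import copy

# Constructed sample record as stored; it deliberately carries fields no partner should receive by default.
SAMPLE_EMPLOYEE = {
    "id": "emp-1042",
    "first_name": "Amira",
    "last_name": "Benali",
    "email": "amira.benali@example.test",
    "social_security_number": "2 85 07 75 116 001 23",
    "iban": "FR76 3000 6000 0112 3456 7890 189",
    "salary": {"gross_monthly": 3900, "net_monthly": 3040},
    "disciplinary": [{"date": "2025-03-12", "type": "written_warning"}],
}

# Per-scope allow-lists, defined once on the server (the exact lists are this example's assumptions).
# A field absent from every scope the caller holds is never serialised, whatever the client asks for.
# Dotted paths select inside nested objects; do not list both a parent and one of its children.
PROJECTIONS: dict[str, set[str]] = {
    "read:employees:identity": {"id", "first_name", "last_name", "email"},
    "read:employees:payroll": {"id", "iban", "salary.gross_monthly", "salary.net_monthly"},
    "read:employees:disciplinary": {"id", "disciplinary"},
}


def allowed_fields(scopes) -> set[str]:
    """Union of the allow-lists of every scope the caller holds."""
    fields: set[str] = set()
    for s in scopes:
        fields |= PROJECTIONS.get(s, set())
    return fields


def project(record: dict, scopes, requested=None) -> dict:
    """Return a new dict holding only the fields `scopes` allow.

    `requested` (optional, e.g. parsed from ?fields=) is intersected with the allow-list,
    so the client can ask for less, never for more.
    """
    allowed = allowed_fields(scopes)
    if requested is not None:
        allowed &= set(requested)
    out: dict = {}
    for path in sorted(allowed):
        parts = path.split(".")
        value = record
        try:
            for p in parts:
                value = value[p]
        except (KeyError, TypeError):
            continue  # field not present on this record; nothing to emit
        cursor = out
        for p in parts[:-1]:
            cursor = cursor.setdefault(p, {})
        cursor[parts[-1]] = copy.deepcopy(value)  # never hand out references into the stored record
    return out


def contains_key(obj, key: str) -> bool:
    """Audit helper: does `key` appear anywhere in a (possibly nested) response body?"""
    if isinstance(obj, dict):
        return any(k == key or contains_key(v, key) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_key(v, key) for v in obj)
    return False


if __name__ == "__main__":
    print(project(SAMPLE_EMPLOYEE, ["read:employees:identity"]))
    print(project(SAMPLE_EMPLOYEE, ["read:employees:payroll"], requested=["salary.net_monthly", "social_security_number"]))
```

A useful regression test is the contains_key check run against every endpoint's response for each scope: if social_security_number ever turns up in an identity-scope response, the allow-list has drifted, and the test fails before a partner sees the field.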
Logging
Any API processing sensitive data must log:
These logs must be retained for a minimum of 6 months and be usable in case of an audit.
Impact for HR SaaS vendors
If you build HR, payroll, or recruiting software, these recommendations are not optional. The CNIL uses them as a reference framework during inspections, and failing to follow them exposes you to a formal notice.
Action items:
read:employees is too broad; prefer read:employees:identity and read:employees:payroll.
How CleanIssue can help
Our API and webhooks audit checks exactly these points. We test your endpoints the way an attacker would: manipulating parameters, testing access controls, looking for data leaks in responses. The report maps each finding to the CNIL's recommendations.