HR tech, payroll & recruiting

You handle workforce data, not a basic CRM table.

An HR or payroll product sits on identities, salaries, contracts, candidate histories, and supporting documents. An external review quickly shows you what an enterprise client, partner, or attacker can already reach from the outside.

Regulatory and business pressure

GDPR — workforce data

In force

Payroll records, contracts, HR files, and supporting documents need proportionate security measures, documented well enough to stand up to scrutiny.

Client security reviews

Every new account

HR buyers and enterprise prospects keep asking for proof of access control, tenant separation, and how you handle data.

Product speed

Now

Teams under 50 people ship fast on Supabase, Firebase, or Next.js — usually without ever running a serious external review of roles, APIs, and exposure paths.

Common HR Tech vulnerabilities

  • APIs returning employee, candidate, or payroll records with no real access control
  • Weak separation between admin, manager, and employee roles, on both the front end and the back end
  • CSV exports, contracts, or payslips reachable through direct URLs or loose storage buckets
  • Missing or incomplete RLS on Supabase or Firebase, opening cross-tenant access
  • HR webhooks and automations that fire without any real validation
  • Client portals leaking data across organizations

In this space, the worst findings rarely come from a dramatic CVE. They come from an HR API that returns too much, a sloppy role model, or a sensitive export reachable from the outside.

Why HR and payroll vendors are a priority target

An HRIS, a payroll tool, or an ATS holds everything an attacker or a competitor wants about a company: identities, salaries, social security numbers, partial bank details, contracts, sick leave, performance reviews. French vendors typically host dozens of customer companies on the same multi-tenant database. An isolation bug never hits one client. It hits the whole book. That's the most expensive risk in an HRIS: one missed RLS policy, one forgotten API filter, one sloppy multi-tenant endpoint — and the leak covers dozens of SMBs at once. HR vendor teams stay small: a founder, two to five engineers, rarely a dedicated security lead. Risk scales faster than the team.

The typical exposure surface of a payroll product

Beyond the app itself, a payroll tool usually exposes: an employee portal (payslip download), a manager portal (team view, leave, approvals), an HR back office, integration APIs (accounting, banking, third-party HRIS), outbound webhooks to payroll connectors, regulatory filings (DSN and DPAE in France), and document storage (payslips as PDFs, contracts, bank details). Each surface has its own recurring failure modes. Payslips in public buckets with guessable URLs. Unsigned webhooks that happily accept replays. HR exports leaking another tenant's data through a join bug. Integration tokens sitting in JS bundles that anyone can read. None of this shows up in automated scanners. It takes a manual external review.

Getting ready for an enterprise security questionnaire

A large buyer picking an HRIS sends a security questionnaire before signing. These cover: hosting and certifications (ISO 27001, HDS for health data), access management and SSO (SAML, SCIM), encryption at rest and in transit, logging, backups, business continuity, sub-processors, GDPR Articles 32 and 33, incident response drills. Most vendors under 50 people hit these questionnaires too late, mid-sales cycle. Losing an enterprise deal over a half-filled questionnaire can cost tens of thousands of euros in MRR. A prior external audit gives you the evidence: exposure mapping, applicable GDPR articles, review results, remediation plan. Enough to answer with proof instead of promises. That's often what brings HR vendors to us in the first place.

Sensitive integrations: payroll filings, ATS, banking APIs

A payroll tool pushes monthly regulatory filings to social security bodies. An ATS exchanges data with job boards (LinkedIn, Indeed). An HRIS connects to the payroll tool, to enterprise SSO (Azure AD, Okta), and to banking APIs for transfers. Each integration is a surface. Typical failures: HMAC signatures sent but never verified on the receiving side, OAuth tokens that survive a user reset, integration secrets stored in plaintext in the database, webhooks that accept a timestamp from hours ago (replay). An external audit maps these integrations, tests what can be replayed, and surfaces the secrets already sitting out in public — JS bundles, error logs, .map files shipped to production.
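The receiving-side checks described above, as an added example that is not code from this page or from any vendor's product: a webhook receiver that recomputes the HMAC over timestamp and body, compares it in constant time, rejects timestamps outside a short window, and refuses a delivery it has already accepted. The header names, the 5-minute tolerance, the shared secret, and the sample payslip event are assumptions.

```python
import hmac
import hashlib

TOLERANCE_SECONDS = 300  # assumed window: deliveries older (or newer) than 5 min are refused


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side. The MAC covers timestamp AND body so neither can be swapped alone."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: int, seen: set) -> tuple:
    """Receiver side. Returns (accepted, reason). `seen` stands in for a store of
    accepted signatures with an expiry at least as long as TOLERANCE_SECONDS."""
    ts_raw = headers.get("X-Webhook-Timestamp")  # assumed header names
    sig = headers.get("X-Webhook-Signature")
    if ts_raw is None or sig is None:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Replay defence 1: a signature from hours ago is stale even if it is genuine
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale timestamp"
    # Integrity: recompute, never trust the sender's own "verified" flag
    expected = sign(secret, ts, body)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Replay defence 2: the same genuine delivery must not be processed twice inside the window
    if sig in seen:
        return False, "replayed delivery"
    seen.add(sig)
    return True, "ok"


# Constructed sample: a payroll connector announcing a generated payslip
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"payslip.generated","employee_id":"E-1042","tenant":"t_01"}'
NOW = 1_700_000_000


def demo() -> list:
    seen = set()
    fresh = {"X-Webhook-Timestamp": str(NOW - 30), "X-Webhook-Signature": sign(SECRET, NOW - 30, BODY)}
    stale = {"X-Webhook-Timestamp": str(NOW - 4 * 3600), "X-Webhook-Signature": sign(SECRET, NOW - 4 * 3600, BODY)}
    return [
        verify_webhook(SECRET, fresh, BODY, NOW, seen),            # accepted
        verify_webhook(SECRET, fresh, BODY, NOW, seen),            # same delivery again: replay
        verify_webhook(SECRET, stale, BODY, NOW, seen),            # genuine but hours old
        verify_webhook(SECRET, fresh, BODY + b" ", NOW, seen),     # body tampered after signing
    ]
```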

GDPR sub-processor (Article 28): vendor obligations

An HR software vendor is almost always a GDPR data processor for its customers (the employer is the controller). Article 28 frames that relationship: written sub-processing agreement, documented technical and organizational measures, timely breach notification, audit rights for the customer. The points that come back to bite vendors under regulatory scrutiny: no documentation of technical measures (encryption, pseudonymization, isolation tests), no second-tier sub-processor registry (host, email provider, AI service), no defined breach notification timeline, missing Art. 28 clauses in the contract. Our audit report maps every exposure to the applicable GDPR articles (32, 33, 28). It's a document enterprise customers accept as due-diligence evidence.

FAQ

Need an external review of your HR SaaS?

Share your product, stack, and client context. We will come back with the right review scope.

Discuss your audit