We recently landed our SOC2 Type II report and refreshed our GDPR posture. Both live in the Trust Center now, alongside the documents procurement teams actually need: DPA, sub-processor list, SLA details, security questionnaire, audit summary.
The boring stuff. The stuff that doesn't make it into a demo. The stuff most vendors hide behind an NDA.
We're publishing it openly because the bar for "enterprise-ready" HR tech has slipped. A SOC2 badge in the footer used to mean something. Now it shows up next to fonts and bumper stickers. The badge is the floor — and the category has trained buyers to confuse the floor with the ceiling.
What SOC2 Type II and GDPR actually cover
SOC2 Type II is an audit, not a certification. An independent firm — ours is Johanson Group — examines the operation over a defined review period, not at a single point in time, and verifies that the controls described are actually being followed in practice. Logical access, encryption, change management, vendor risk, incident response, availability, confidentiality. The Type II report is what real auditors read, including any exceptions the auditor noted. The badge is the cover page.
GDPR is a posture, not a checkbox. It shows up in the concrete actions a buyer can require of the vendor: process personal data within EU borders, sign a redlinable DPA, delete an employee's record on request, hand over a full export, name every sub-processor that touches workforce data.
Both matter. Both are the floor.
Where most HR tech buyers get gamed
"Enterprise-ready" has become a sticker, not a posture. Buyers see SOC2 in the footer and stop asking. Vendors learn that the badge gets them through procurement, so they stop investing past it. Five questions go unasked, and three years later somebody finds out the hard way during M&A diligence or a regulator inquiry.
Here's the shorter procurement checklist worth running — these are the questions our enterprise customers ask us during evaluation, and the questions we test our own vendors against:
Data residency. Where does workforce data physically live? Can it be pinned to a region? What does the vendor do when a customer in Frankfurt asks for EU-only processing — flip a settings flag, or rebuild the data pipeline?
DPA terms. Is the data processing agreement redlinable, or take-it-or-leave-it? Is there an NDA gate before you even see it? Look for clear sub-processor change notification (30 days minimum), termination assistance with a defined export window, indemnity that doesn't cap at a month of fees.
Audit trail. Is the activity log immutable — append-only at the database level, so that updates and deletes are rejected rather than merely hidden? Can you export it as evidence for an internal audit or a regulator? What's logged, and who can suppress events? "Soft delete" is not an audit trail: flipping a hidden flag on the live record leaves no account of who changed what, or when.
Sub-processor disclosure. Who else touches your workforce data — analytics, support tools, AI providers, infrastructure platforms? Is the list public? Do they notify before changes? "Trust us, we vet our vendors" isn't a sub-processor list.
Off-boarding. What happens to the data when you leave? Can you export it all in a structured format? How long is it retained after termination? Is there a defined deletion timeline with proof of destruction?
These aren't moonshots. They're the boring middle of an enterprise procurement review. The vendors that earn long-term trust treat them like the actual product. The ones that don't route them to a contract queue and hope you go away.
The pricing position
Security should never be a tier upgrade. Audit logs, sub-processor disclosure, SLA, the DPA itself — these are floor-level features for any enterprise workforce platform. The minute a vendor moves any of them above a tier line, they're telling you the floor is negotiable.
Our position: bundled in every paid plan. The trust center is public. The DPA is viewable without an NDA. The sub-processor list is current. No upsells to enable the floor.
What the bar should look like
Eighteen years of selling into HR teams has taught us that "enterprise-ready" is whatever the worst vendor in your shortlist managed to clear. That's a problem for the category, not just for us. So we're going to keep publishing the boring stuff openly — the cover sheet and the audit report, the DPA and the sub-processor list, the off-boarding terms and the response-time SLAs.
Trust isn't a badge. It's a posture you can verify line by line — and it's the floor under every workforce strategy decision a CHRO will make this year.
If you're evaluating us — or any other workforce platform — start at trust.skillsdb.com. If a vendor doesn't have the equivalent, that's its own answer.