Data security and compliance are core to us

Kombo's platform is built with security at its core, ensuring your customers' data remains protected at all times.

Passed security reviews from 20,000 companies.

Designed for enterprise data protection needs

Customer trust and data security are critical to us. Kombo provides comprehensive security controls and compliance frameworks specifically built for the regulatory requirements and data sensitivity of HR tech integrations.

Compliant with security and privacy standards

Built-in security controls and industry-standard certifications protect your customers' data. Kombo complies with SOC 2 Type 2, HIPAA, and GDPR, and is also ISO 27001 certified.

Enterprise security needs

Meet your enterprise customers' security and compliance requirements.
Regional data sovereignty
Store and process your customers’ data where they are based. You can choose between EU and US data centers during onboarding. All customer data processing occurs exclusively within your selected region, with isolated infrastructure preventing cross-border data flows.
Enterprise security certifications
Meet your customers' security requirements out of the box. Kombo maintains ISO 27001 certification, SOC 2 Type II compliance, and GDPR adherence with regular third-party penetration testing. Data is encrypted at rest and in transit using TLS.
Enterprise onboarding support
Make it easy for your customers to onboard securely. Access to security questionnaire responses, compliance documentation, and Data Processing Agreement templates accelerates your customers' security reviews. Detailed integration guides help customers implement secure connections.

Data minimization

Control what data is shared, limit access, and automatically delete data when integrations are disconnected.
Configurable data scoping
Don’t collect more data than you need to. Define exactly which employee fields, candidate information, and payroll data points are handled for each integration. Mark fields as required, optional, or disabled based on your compliance requirements and use case needs.
Filtering
Don't sync more data than you need from your customers' HR systems. Let your customers specify exactly which employees to share based on work location, employment type, department, or custom fields.
Automated data lifecycle management
Ensure data is deleted when integrations are disconnected. When your customers disconnect their integrations, all associated data is automatically removed from Kombo's systems within 14 days, with full audit documentation of the deletion process.

Accountability and compliance

Maintain detailed records of all data processing activities and control access to Kombo.
Audit logging
Understand at all times what happened with your customers' data. Comprehensive audit trails capture all data access events, API calls, synchronization activities, and administrative actions with timestamps for compliance reporting.
Role-based access controls
Restrict what type of access your team members have based on their assigned role. Define precise permissions for who can access production versus development environments, manage user accounts, and modify integration settings.

FAQs

How does Kombo protect and secure data?

All data is encrypted using industry-standard algorithms: AES-256 at rest and Transport Layer Security (TLS) in transit.

Where are Kombo’s servers located?

Data is stored regionally depending on where your partner is operating:

• For the US, data is stored in Google Cloud Centers in the US.
• For the EU, data is stored in Google Cloud Centers in the Netherlands.

Why do you require employee data?

Some employee data will be required for the service of your partner to function. For example, a spend management service will require access to bank account data (like IBAN) to enable automatic reimbursements.

Kombo empowers services to stay compliant by enabling them to limit data access to only what's necessary for their functionality. The legal basis of the exchange of data is always the contract between you and the service.

What if not all employees are relevant to the service?

When connecting their HRIS via Kombo, your customers are able to set filters that define which employees will be read. Only employees matching these filters will be exposed to your solution.

Why do you require applicant data?

Some applicant data will be required for the service of your partner to function. For example, a background check provider will require access to candidate information (like name and email) to initiate screening processes, or an assessment tool will need application details to send evaluation links to candidates.

Kombo empowers services to stay compliant by enabling them to limit data access to only what's necessary for their functionality. The legal basis of the exchange of data is always the contract between you and the service.

Further Questions?

If you have any other questions, don’t hesitate to reach out to Kombo directly or visit the security center.
