Data in transit
All data transferred between the user’s browser and Gusto’s servers is encrypted in transit. Gusto uses TLS v1.2

Data at rest
Data is encrypted at rest in AWS using AES-256 key encryption.

Data center provider
Gusto uses Amazon Web Services (AWS) to host its production servers, databases, and supporting services.

Multi-region
Gusto uses a multi-region setup for its infrastructure. The principal region for running the application is AWS region US-West-2 (Oregon), with AWS region US-East-1 (Virginia) for its backup.

Backups
Gusto’s production systems and data are backed up on a regular basis. We run through a checklist to verify data is recorded and usable. Backups are tested on a periodic basis.

Status page
Gusto service statuses, maintenance updates, and any incidents affecting our users are documented and available at gusto.statuspage.io.

Access controls
Access to Gusto’s systems is limited based on employee roles and responsibilities. The principle of least privilege is enforced.

Testing and review
All changes to our application are subject to peer review and testing before being merged.

Separate environments
Gusto maintains segregated testing, development, and production environments.

Penetration testing
Gusto’s security team uses third parties to conduct penetration tests to identify deficiencies in the system that may affect critical assets.

Vulnerability scanning
Gusto uses third-party security tools to continuously scan our applications, systems, and infrastructure for security risks and vulnerabilities.

Code analysis
Gusto’s code repositories are regularly scanned for security issues using static code analysis.

Bug bounty
Gusto offers rewards for user-submitted bugs found in our API. For more information, check out the Bug Bounty Program section at the bottom of the page.

Multi-Factor Authentication
Gusto allows you to add an extra layer of security to your account by enabling two-step verification, also called two-factor authentication. This reduces the risk of having your account accessed by anyone else.

Manager permissions
With Gusto’s Complete plan, admins can provide limited-access permissions to certain accounts.

Transaction monitoring
Gusto proactively monitors customer accounts to help prevent fraudulent transactions.

Learn more about product security here.

Dedicated team
Gusto has a dedicated security team to enforce secure practices and respond to security incidents quickly and efficiently.

Policies
Gusto maintains a robust set of security policies that are updated periodically to meet the demand of an evolving security environment. Policies are communicated to employees and available for review at any time.

Training
All Gusto employees are required to complete security training. Gusto’s security team provides continuous education on emerging security threats, and communicates updates with employees regularly.

Background checks
Gusto performs background checks for potential candidates before hiring.

New-hire reviews
All new hires are required to sign and acknowledge Gusto’s information security policy and confidentiality agreements upon joining the team.

SOC 2 Reports
Gusto updates a SOC 2 type II report every year. Customers can access it after filling out a nondisclosure agreement. Learn more from the AICPA about SOC 2 reports. You can also email Gusto if you have questions.

Download documents

HIPAA guidelines
We follow HIPAA guidelines to safeguard our customers’ protected health information (PHI). Additionally, we maintain business associate agreements (BAAs) between employers and Gusto, along with any third parties, like insurance companies. Read more.