Security Review
Introduction
Regardless of whether you’re integrating with Gusto directly or via one of our approved Unified API partners, in order to be eligible for access to Gusto’s production environment, an approved Production Pre-Approval and subsequent Security Review is required.
In most cases, the information collected in your Production Pre-Approval application is all that’s needed to complete the Security Review; however, in certain cases additional information may be required. Please keep an eye out for such requests as your Security Review will be put on hold until we receive a response.
Preparing for Production Pre-Approval
As noted above, the Production Pre-Approval questionnaire collects the typical information required to complete your Security Review. In order to maximize the likelihood of passing Security Review, please be prepared to provide the following:
- Documentation
- All current security related audits and supporting documentation
- E.g. SOC 2 Type 2, ISO 27001 + SOA, PCI DSS etc.
- Penetration test report(s)
- All other relevant security and privacy related documentation, reports, audits, certificates and policies
- E.g. Incident response, privacy, physical security and data retention/destruction policies
- All current security related audits and supporting documentation
- Points of Contact
- Security contact name, title and email address
- Incident Response contact name, title and email address
- If you do not have a formal security audit (SOC 2 Type 2, ISO 27001, PCI DSS etc.), information on:
- Background check policies
- Confidentiality agreements
- Security awareness trainings
- Physical security controls
- Employee endpoint controls
- Multi-factor authentication
- Access control program
- Vulnerability avoidance
- Bug bounty program
- Privacy policy
- Compliance with relevant data privacy regulations
- Strategies for protecting the confidentiality and integrity of network communication
- Incident response policies and procedures
- Vulnerability scanning
- Vulnerability remediation
- Third party vendor management program
- Encryption of data at rest
- Encryption of data in transit
- Data retention and destruction policies
- Function level authorization
- Access control mechanisms
- Authorization mechanisms at the record level
- Standards for authentication, token generation, password generation and storage
- Brute force protections
- Resource and rate limiting
- API level protections, validations, filters and sanitation
- Security configuration reviews
- API security improvement policies
Next steps
Once you file for Production Pre-Approval, no further action is needed until you hear back from us. Our Partnerships team will review your application within 1-2 weeks and if approved, our Developer Relations team will then kick off your Security Review via our security review vendor, VISO Trust.
Once the results are received:
- If you’ve applied to integrate with Gusto directly, you will receive an email from [email protected] with next steps
- If you’ve applied to integrate with Gusto via an approved Unified API platform, we will notify the Unified API platform of your approval and begin the production setup and onboarding process
Updated about 1 month ago