
Privacy & Security
Your personal and account information is kept secure by adhering to top-rated security protocols, as detailed by external security rating services such as Bitsight and Security Scorecard.
A Commitment to Privacy and Security
Security Accreditation
SOC Reports
Paychex maintains SOC 1 Type 2 and SOC 2 Type 2 reports over various products and services. Clients may request copies of these reports through their Paychex Sales or Service contact. For additional information regarding SOC reporting and its standard, please visit the AICPA’s Audit and Assurance website.
ISO 27001 Certification
Certificate number IS 801702
Information Security
Safeguarding the Privacy and Personal Information of Our Clients
At Paychex, safeguarding the privacy and personal information of our clients and employees is a top priority. We follow robust security protocols designed to protect both personal and account-related data.
Our Paychex Information Security Management System leverages recognized frameworks, including the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001. These standards guide our efforts to maintain the confidentiality, integrity, and availability of our data and related assets.
To proactively manage cybersecurity risk, we implement a multi-pronged assessment strategy that includes technical risk evaluations, vulnerability scanning, penetration testing, and bug bounty programs. This approach allows us to continuously identify, assess, and mitigate potential threats within our environment. In addition, our Security Incident Response function operates 24/7/365 to collect and analyze potential security violations or unusual activity.
We also take a rigorous approach to third-party risk management. All vendors are subject to nondisclosure agreements, formal security risk assessments of their information protection practices, and contract terms that define expectations for ongoing data protection. Click here to review our Paychex Security White Paper.
Testing & Validation
Vulnerability Scanning
Ongoing network vulnerability and configuration baseline scans as well as source code scans are performed. The results are shared with the appropriate IT teams inside Paychex to identify the best mitigation strategy.
Penetration Testing
Ongoing internal and external penetration testing is performed against our infrastructure and our applications. After management reviews these reports, remediation is performed if necessary.
Security and Internal Controls Training
The annual training on Security and Internal Controls is a scenario-based eLearning that puts the learner in the driver’s seat to identify and troubleshoot realistic scenarios that are customized based on sales or non-sales, and manager or individual contributor job roles. The training is completed by all employees including full-time, part-time and contract employees. Throughout the training program, the learner is provided with information on company policies: both within the training content itself, as well as in a downloadable PDF, with links to the site where all policies are located. The learner is recommended to reference the links to obtain the most current policy information. The training also calls out the relevant Paychex values.
Learners dive deep into data security issues, including identifying and reporting security incidents, as well as the dangers of phishing emails and business email compromise (BEC). Specialized security modules are also assigned to employees with specific functions, such as privileged user access, the handling of PHI, and executive-level security training; these are assigned in addition to the general security topics that address areas of security risk to the company. In addition, employees learn the importance of identifying protected information, including:
- HIPAA (Health Insurance Portability and Accountability Act)
- PHI (Protected Health Information)
- NACHA (National Automated Clearing House Association)
- PII (Personally Identifiable Information)
- PCI (Payment Card Information)
The training requires employees to acknowledge that they have received, reviewed, and are following Paychex policies, which includes requirements on handling of confidential information and company assets.
Employee Security Awareness Training
In addition to annual security awareness training provided across the enterprise via our RightWay Training, our employees participate in routine phishing simulations designed to test and educate our employees on how to recognize and report phishing emails.
We also provide ongoing training to our Software Development teams where they are instructed in secure code development and provided up to date intelligence on different attack techniques.
Throughout the year, we provide security alerts and education to our employees through our internal employee communication networks to keep them up to date on the latest security hygiene best practices and advisories that may impact them. This includes communications during October as we leverage National Cyber Security Awareness Month to reinforce security concepts and practices.
Business Continuity Planning
Business Continuity and Disaster Recovery
Paychex has adopted a business continuity strategy designed to help ensure the continuation of business-critical functions in the event of a significant business disruption at any of our branches or corporate offices, including technical failures affecting our applications, data centers, networks, and the buildings we occupy. Paychex’ business continuity plan also includes measures designed to deal with severe weather, localized and regional disasters, and workforce-impacting events such as pandemics. The documented and tested recovery strategies are designed to mitigate the impact to our clients from any business disruption.
Acute Risks
Individual events including extreme weather may affect the availability of Paychex client facing services and could lead to financial impact to clients, missed deadlines which carry penalties and eventual financial impacts to Paychex, and the overall Paychex brand reputation. Acute physical risk factors are assessed by business units, real estate, and IT and prioritized for business continuity, disaster recovery, and business resumption planning. The threat from individual events to data center operations is minimal as Paychex has 200% redundancy to protect customer-facing applications across Paychex processing centers. The threat to the Paychex service locations could be more substantial; however, redundancy across the services locations should lead to minimal impact to clients. Examples include, but are not limited to, severe winter weather, hurricanes, tornadoes, wildfires, floods, and power outages.
Chronic Risks
Sustained events associated with climate change could cause long-term outages leading to financial impact to clients, Paychex revenue, and overall brand reputation as some of our data centers and service locations may be susceptible to increased energy consumption, accessibility to staff, and critical suppliers for our fulfillment centers. Redundant locations that protect against individual events (acute) may also be impacted equally by sustained events and require alternate solutions. Examples include, but are not limited to, rising temperatures, electrical blackouts, and rising sea levels.
Managing Risks of Service Disruptions
Paychex supports approximately 740,000 clients using multiple Paychex services and products. While rare, there have been occasions when we have experienced limited, unplanned outages or downtime. We work quickly to restore service and minimize client impact when these events occur. Further, we back up client data in data centers spread out across the U.S., and if there are regional disruptions or outages, client data can be accessed from unaffected locations.
Physical Security
In 2019, Paychex launched Active Threat Preparedness Training to help our employees understand what they can do to prepare for, and minimize the impact, should the unthinkable happen.
We partnered with the Monroe County Sheriff’s Office in Rochester, New York to underwrite a comprehensive training video that includes information, statistics, and a re-enactment of an active shooter situation. It was filmed at Paychex locations in Rochester and features our own employees and local law enforcement, who volunteered to be actors and extras in the powerful re-enactment.
All new employees take this important training. Existing employees receive refresher training on a yearly basis to reinforce the concepts and principles learned in their initial Active Threat training. Paychex and the Monroe County Sheriff’s Office have made this training available to businesses and individuals through the Monroe County Sheriff’s Office website. The goal: prepare people to take appropriate action and minimize loss of life.
Additional Security Measures
- Employee Photo Identification: Employee Photo Identification is required to be worn and visible at all times while on Paychex property.
- Building Access: Physical access to all buildings and data centers is restricted to employees and those with a justified business need. All access is monitored via an access control system, video surveillance and, in some locations, security guards. All data centers have enhanced security systems and protocols.
- Visitor Management: All persons visiting any Paychex location must have a business justification to do so. Visitors to all Paychex locations are required to sign in and are issued a numbered visitor’s badge. Visitors must be accompanied at all times by a Paychex employee.
Client Resources
Your Part: Keep Your Information Secure
Know what to look for and do when it comes to the safety and security of your information, employees, and business.
How To Keep Your Information Safe
- Recognize Potential Risks: We urge you to take all the necessary precautions when handling and protecting your company hardware, data, employees, and facilities.
- Use the Highest Level of Authentication Available: When using any online application that requires a log-in, it is best practice to always leverage the highest level of authentication possible. Multi-Factor Authentication (MFA), available on the Paychex Flex® application across mobile and desktop devices, provides users with an additional layer of protection. While this authentication is an extra step beyond your user name and password, it authenticates your identity when signing into your account.
- Use the Logout Feature: After viewing your account or performing any transaction online, use the Log Out button when finished, and close your browser completely. This ensures that no one can view your account information after you've logged out.
- Keep Login Credentials Confidential: Your user ID, username, password, picture, and/or PIN code all represent keys that allow you to access your account information on our system. Do not disclose these credentials to others.
Privacy Policy
View Our Active Security Notifications
- New Paychex Security Update: Be Aware of Fake Job Texts
- Paychex Security Notice: Be Aware of Fake Paychex Flex® Login Pages
- Paychex Security Notice: Know What to Do About Fake Websites Using the Paychex Name
- Paychex Security Notice: Suspected Fraudulent Investment Scheme in Brazil
- Paychex Security Update: Fake Job Postings
- Paychex Security Notice: Spoof Email coming from Paychex Domains
- Paychex Security Notice: New Google Ads Phishing Scam Targeting PEO Users
- Paychex Security Update: Beware of Phishing Campaigns Targeting W-2 Information
- Paychex Security Update: Trickbot Using Fake Paychex Email Domain to Deliver Malware
- Paychex Security Update: Beware of False IRS "Tax Transcript" Email
Report a Security Vulnerability
Responsible Disclosure
Integrity is one of the core values at Paychex. As such, the security of our systems, applications, and data is paramount. If you believe you have discovered a vulnerability, we appreciate your help in disclosing it to our Enterprise Data Security team in accordance with our Responsible Disclosure Requirements.
Paychex encourages researchers to share with our team the details of any suspected vulnerability by submitting the form.
Prohibited Conduct
While we encourage you to report any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Executing, or attempting to execute, a Denial of Service (DoS) attack against any product or website;
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software or ransomware;
- Any act of cyber extortion, including threatening the availability of Paychex data or Paychex client data unless a payment is received;
- Social engineering of any Paychex employee, contractor, client, or prospective client including but not limited to phishing and any testing that would result in unsolicited email, spam, or messages;
- Unapproved vulnerability or penetration testing;
- Selling, bartering, or otherwise benefitting from a vulnerability or data that does not belong to you;
- Downloading, exfiltrating, copying, or otherwise retaining Paychex data or Paychex client data that does not belong to you. Please note that if data that does not belong to you is uncovered as the result of a vulnerability, it must be removed from unapproved systems and further attempts to exploit it must be ceased immediately;
- Deliberately destroying, corrupting, or modifying, or attempting to destroy, corrupt or modify data or information that does not belong to you;
- Violating any applicable international, federal, state, and/or local laws or any applicable agreements.
Report a Security Issue
If you believe an unauthorized party has accessed your account or information, please contact us immediately.
Once you suspect potentially fraudulent activity, you must take action to safeguard your personal and account information. See what steps you can take to address specific examples, and learn some best practices for handling your account information.
Paychex Package
Example: There was a problem with my Paychex package delivery.
Next Steps:
Contact your local Paychex branch.
Payroll support is available 24/7, 365 days per year.
Online Accounts
Example: I am an employee of a Paychex client and I need technical support
Next Steps:
Please log into www.paychexflex.com and click on the ? mark icon on the bottom right side of the page to get support via chat.
Communications
Example: I received a suspicious telephone call, text message, email, or letter from someone who claimed to be from Paychex.
Next Steps:
Contact your local Paychex branch.
Payroll support is available 24/7, 365 days per year.
Computer Viruses
Example: I clicked on a link in a suspicious email. I gave out my online account information. My anti-virus software notified me that I had a virus.
Next Steps:
Have your computer reviewed by an information technology professional at your business.
If you believe the virus affects your Paychex account, please contact your local Paychex branch.
Payroll support is available 24/7, 365 days per year.
Learn how to help reduce future risks to your online information.