Security Accreditation

  • SOC Reports

    AICPA SOC

    Paychex maintains SOC 1 Type 2 and SOC 2 Type 2 reports over various products and services. Clients may request copies of these reports through their Paychex Sales or Service contact. For additional information regarding SOC reporting and its standard, please visit the AICPA’s Audit and Assurance website.

  • ISO 27001 Certification

    Certificate number IS 801702 (BSI information security management certification)

Information Security

  • Safeguarding the Privacy and Personal Information of Our Clients

    At Paychex, safeguarding the privacy and personal information of our clients and employees is a top priority. We follow robust security protocols designed to protect both personal and account-related data.

    Our Paychex Information Security Management System leverages recognized frameworks, including the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001. These standards guide our efforts to maintain the confidentiality, integrity, and availability of our data and related assets.

    To proactively manage cybersecurity risk, we implement a multi-pronged assessment strategy that includes technical risk evaluations, vulnerability scanning, penetration testing, and bug bounty programs. This approach allows us to continuously identify, assess, and mitigate potential threats within our environment. In addition, our Security Incident Response function operates 24/7/365 to collect and analyze potential security violations or unusual activity.

    We also take a rigorous approach to third-party risk management. All vendors are subject to nondisclosure agreements, formal security risk assessments of their information protection practices, and contract terms that define expectations for ongoing data protection.

    For more detail, see the Paychex Security White Paper.

Testing & Validation

  • Vulnerability Scanning

    Ongoing network vulnerability and configuration baseline scans as well as source code scans are performed. The results are shared with the appropriate IT teams inside Paychex to identify the best mitigation strategy.

  • Penetration Testing

    Ongoing internal and external penetration testing is performed against our infrastructure and our applications. After management reviews these reports, remediation is performed if necessary.

Security and Internal Controls Training

  • Security and Internal Controls Training

    The annual training on Security and Internal Controls is a scenario-based eLearning that puts the learner in the driver’s seat to identify and troubleshoot realistic scenarios that are customized based on sales or non-sales, and manager or individual contributor job roles. The training is completed by all employees including full-time, part-time and contract employees. Throughout the training program, the learner is provided with information on company policies: both within the training content itself, as well as in a downloadable PDF, with links to the site where all policies are located. The learner is recommended to reference the links to obtain the most current policy information. The training also calls out the relevant Paychex values.

    Learners dive deep into data security issues, including identifying and reporting security incidents, as well as the dangers of phishing emails and business email compromise (BEC). Specialized security modules are also assigned to employees with specific functions, such as privileged user access, the handling of PHI, and executive-level security training; these are assigned in addition to the general security topics that address areas of security risk to the company. Employees also learn the importance of identifying protected information, including:

    • HIPAA (Health Insurance Portability and Accountability Act)
    • PHI (Protected Health Information)
    • NACHA (National Automated Clearing House Association)
    • PII (Personally Identifiable Information)
    • PCI (Payment Card Information)

    The training requires employees to acknowledge that they have received, reviewed, and are following Paychex policies, which include requirements on handling of confidential information and company assets.

  • Employee Security Awareness Training

    In addition to annual security awareness training provided across the enterprise via our RightWay Training, our employees participate in routine phishing simulations designed to test and educate them on how to recognize and report phishing emails.

    We also provide ongoing training to our Software Development teams, where they are instructed in secure code development and provided up-to-date intelligence on different attack techniques.

    Throughout the year, we provide security alerts and education to our employees through our internal employee communication networks to keep them up to date on the latest security hygiene best practices and advisories that may impact them. This includes communications during October as we leverage National Cyber Security Awareness Month to reinforce security concepts and practices.

Business Continuity Planning

  • Business Continuity and Disaster Recovery

    Paychex has adopted a business continuity strategy designed to help ensure the continuation of business-critical functions in the event of a significant business disruption at any of our branches or corporate offices, including technical failures affecting our applications, data centers, networks, and the buildings we occupy. Paychex’ business continuity plan also includes measures designed to deal with severe weather, localized and regional disasters, and workforce-impacting events such as pandemics. The documented and tested recovery strategies are designed to mitigate the impact to our clients from any business disruption.

  • Acute Risks

    Individual events including extreme weather may affect the availability of Paychex client facing services and could lead to financial impact to clients, missed deadlines which carry penalties and eventual financial impacts to Paychex, and the overall Paychex brand reputation. Acute physical risk factors are assessed by business units, real estate, and IT and prioritized for business continuity, disaster recovery, and business resumption planning. The threat from individual events to data center operations is minimal as Paychex has 200% redundancy to protect customer-facing applications across Paychex processing centers. The threat to the Paychex service locations could be more substantial; however, redundancy across the services locations should lead to minimal impact to clients. Examples include, but are not limited to, severe winter weather, hurricanes, tornadoes, wildfires, floods, and power outages.

  • Chronic Risks

    Sustained events associated with climate change could cause long-term outages leading to financial impact to clients, Paychex revenue, and overall brand reputation, as some of our data centers and service locations may be susceptible to increased energy consumption and to constraints on staff access and on the critical suppliers for our fulfillment centers. Redundant locations that protect against individual (acute) events may be impacted equally by sustained events and require alternate solutions. Examples include, but are not limited to, rising temperatures, electrical blackouts, and rising sea levels.

  • Managing Risks of Service Disruptions

    Paychex supports approximately 740,000 clients using multiple Paychex services and products. While rare, there have been occasions when we have experienced limited, unplanned outages or downtime. We work quickly to restore service and minimize client impact when these events occur. Further, we back up client data in data centers spread out across the U.S., and if there are regional disruptions or outages, client data can be accessed from unaffected locations.

Physical Security

  • Physical Security

    In 2019, Paychex launched Active Threat Preparedness Training to help our employees understand what they can do to prepare for, and minimize the impact of, an active threat should the unthinkable happen.

    We partnered with the Monroe County Sheriff’s Office in Rochester, New York to underwrite a comprehensive training video that includes information, statistics, and a re-enactment of an active shooter situation. It was filmed at Paychex locations in Rochester and features our own employees and local law enforcement, who volunteered to be actors and extras in the powerful re-enactment.

    All new employees take this important training. Existing employees receive refresher training on a yearly basis to reinforce concepts and principles learned in their initial Active Threat training. Paychex and the Monroe County Sheriff’s Office have made this training available to businesses and individuals through the Monroe County Sheriff’s Office website. The goal: prepare people to take appropriate action and minimize loss of life.

  • Additional Security Measures

    • Employee Photo Identification: Employee Photo Identification is required to be worn and visible at all times while on Paychex property.

    • Building Access: Physical access to all buildings and data centers is restricted to employees and those with a justified business need. All access is monitored via an access control system, video surveillance and in some locations, security guards. All data centers have enhanced security systems and protocols.

    • Visitor Management: All persons visiting any Paychex location must have a business justification to do so. Visitors to all Paychex locations are required to sign in and are issued a numbered visitor’s badge. Visitors must be accompanied at all times by a Paychex employee.

Client Resources

Your Part: Keep Your Information Secure

Know what to look for and do when it comes to the safety and security of your information, employees, and business.

  • How To Keep Your Information Safe

    How To Keep Your Information Safe

    • Recognize Potential Risks
      • We urge you to take all the necessary precautions when handling and protecting your company hardware, data, employees, and facilities.
    • Use the Highest Level of Authentication Available
      • When using any online application that requires a log-in, it is best practice to always leverage the highest level of authentication possible. Multi-Factor Authentication (MFA), available on the Paychex Flex® application across mobile and desktop devices, provides users with an additional layer of protection. While this authentication is an extra step, beyond your user name and password, it authenticates your identity when signing into your account.
    • Use Logout Feature
      • After viewing your account or performing any transaction online, use the Log Out button when finished, and close your browser completely. This ensures that no one can view your account information after you've logged out.
    • Keep Login Credentials Confidential
      • Your user ID, username, password, picture, and/or PIN code all represent keys that allow you to access your account information on our system. Do not disclose these credentials to others.
  • Privacy Policy

  • View Our Active Security Notifications

  • Report a Security Vulnerability

    Responsible Disclosure

    Integrity is one of the core values at Paychex. As such, the security of our systems, applications, and data is paramount. If you believe you have discovered a vulnerability, we appreciate your help in disclosing it to our Enterprise Data Security team in accordance with our Responsible Disclosure Requirements.

    Paychex encourages researchers to share with our team the details of any suspected vulnerability by submitting the form.

  • Prohibited Conduct

    While we encourage you to report any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

    • Executing, or attempting to execute, a Denial of Service (DoS) attack against any product or website;
    • Posting, transmitting, uploading, linking to, sending, or storing any malicious software or ransomware;
    • Any act of cyber extortion, including threatening the availability of Paychex data or Paychex client data unless a payment is received;
    • Social engineering of any Paychex employee, contractor, client, or prospective client including but not limited to phishing and any testing that would result in unsolicited email, spam, or messages;
    • Unapproved vulnerability or penetration testing;
    • Selling, bartering, or otherwise benefitting from a vulnerability or data that does not belong to you;
    • Downloading, exfiltrating, copying, or otherwise retaining Paychex data or Paychex client data that does not belong to you;
      • Please note that if data that does not belong to you is uncovered as the result of a vulnerability, it must be removed from unapproved systems and further attempts to exploit it must be ceased immediately.
    • Deliberately destroying, corrupting, or modifying, or attempting to destroy, corrupt or modify data or information that does not belong to you;
    • Violating any applicable international, federal, state, and/or local laws or any applicable agreements.

Report a Security Issue

If you believe an unauthorized party has accessed your account or information, please contact us immediately.

Once you suspect potentially fraudulent activity, you must take action to safeguard your personal and account information. See what steps you can take to address specific examples, and learn some best practices for handling your account information.

Paychex Package

Example: There was a problem with my Paychex package delivery.

Next Steps:

Contact your local Paychex branch.
Payroll support is available 24/7, 365 days per year.

Online Accounts

Example: I am an employee of a Paychex client and I need technical support

Next Steps:

Please log into www.paychexflex.com and click the "?" icon at the bottom right of the page to get support via chat.

Communications

Example: I received a suspicious telephone call, text message, email, or letter from someone who claimed to be from Paychex.

Next Steps:

Contact your local Paychex branch.
Payroll support is available 24/7, 365 days per year.

Computer Viruses

Example: I clicked on a link in a suspicious email. I gave out my online account information. My anti-virus software notified me that I had a virus.

Next Steps:

Have your computer reviewed by an information technology professional at your business.

If you believe the virus affects your Paychex account, please contact your local Paychex branch.
Payroll support is available 24/7, 365 days per year.