SOC Announcement
About Papaya

Papaya Global Completes SOC1 Type II Audit Report

Table of contents

When it comes to integrating a new workforce or payroll vendor with your organization, ensuring that their security measures, financial controls, and safeguards meet your business requirements is imperative.

Papaya Global is entrusted with payroll data for tens of thousands of employees and over 800 organizations around the globe. To earn that trust, Papaya Global places top priority on building systems to ensure the safety and privacy of sensitive data, along with implementing controls and safeguards on all its financial operations.

As such, the Papaya Platform:

  • Adheres to all standards set by GDPR
  • Is ISO 27001 certified
  • Holds a SOC2 Type II audit report

Now, we’re proud to announce that in addition to all of our existing safeguards, Papaya Global has officially received its SOC 1 Type II Audit Report, carried out by the Ernst and Young accounting firm.

The SOC 1 Type II report recognizes that Papaya Global operates with proper and effective control in all areas that can impact the financial statements of its clients.

The final report was submitted to Papaya Global with no comments or deviations, indicating that all audited controls were deemed effective by  Ernst and Young – a rare accomplishment.

How SOC 1 Type II Demonstrates Effective Controls

The SOC 1 audit covers a wide breadth of operations, including controls on our change management process, the way we approve access to our platform, reports, and customer data, along with how we manage our in-country partners around the world, and the services we provide through our platform.

To understand how the SOC 1 Type II audit report sheds light on Papaya Global’s regulations and controls, take a look at one the ways Papaya ensures data security and privacy through a process known as Role-Based Access Control (RBAC).

In order for the Papaya Platform to run multiple systems concurrently (for example processing payroll while our BI feature collects data and develops reports), the platform differentiates between users, roles, and permissions to ensure privacy and security aren’t compromised from one system to the next.

The SOC 1 report outlines the rules in place and verifies that access to system resources is restricted to properly authorized personnel. Controls for this type of rule may be as follows: “Role-based access is utilized to allow appropriate users to see but not edit data” and “Access control privileges are reviewed periodically.”

The entire RBAC process along with all others are outlined in detail, allowing clients or prospective clients to examine Papaya Global’s operations clearly and methodically

The Difference Between SOC 1 Type 1 and SOC 1 Type II Audit Reports

The differences between the SOC 1Type 1 and SOC 1 Type II are significant.

SOC 1 Type 1:

  • The Type 1 audit looks at the policies and procedures that companies put in place but does not audit the effectiveness of these controls.
  • A Type 1 report attests that a company has controls at a particular time, but not over a period of time.
  • The Type 1 audit does not include collecting evidence because it is not concerned about evaluating effectiveness.

SOC 1 Type II:

  • A Type 2 audit attests to the fact that a company has implemented controls and that they have proven to be effective.
  • Type 2 audit considers how the controls function over a period of six months.
  • Type 2 auditors collect evidence from all different time periods to ensure controls were in place.

The Type II audit requires significantly more time and effort, but it provides deeper assurance to our clients that our systems and controls are proven reliable, trusted, and secure.

Customer Safety is Our Top Priority

The Papaya Platform is a cloud-based, SaaS solution accessible to authorized and authenticated users anywhere in the world. The Papaya Platform complies with the highest levels of GDPR regulations, ensuring data privacy for all of its clients through a combination of expert inspection and automated features on the platform itself.

The real key to Papaya’s security and privacy, however, is the implementation of numerous policies and procedures that ensure data is encrypted in transit, at rest, and throughout all of the processing that is necessary for managing people, payroll, and payments.

The details of the measures we take to ensure information integrity and the financial controls we implement financial integrity are now available through the SOC 1Type 2 and SOC 2 Type II audit reports.

Learn more about Papaya’s security and privacy policies and total global workforce management solution.