Protecting our Customers’, Employees’, and Partners’ Data
One of our most fundamental responsibilities is to keep Paychex employees, assets, information, and client data safe. It’s how we deliver on our promise of doing business the right way.
Network Security
Paychex utilizes multiple approaches to test the security of our networks including:
Vulnerability Scanning
Ongoing network vulnerability and configuration baseline scans as well as source code scans are performed. The results are shared with the appropriate IT teams inside Paychex to identify the best mitigation strategy.
Penetration Testing
Ongoing internal and external penetration testing is performed against our infrastructure and our applications. After management reviews these reports, remediation is performed if necessary.
Bug Bounty
Certain Paychex applications are part of a private, invitation-only bug bounty program that rewards security researchers for the identification of complex and critical vulnerabilities within our web applications.
Cybersecurity
Through the Paychex Information Protection Program, we apply best practices in information security, proven technology, and effective policies and procedures, and maintain a comprehensive program to monitor and safeguard information from unauthorized access or destruction. The Paychex Enterprise Security Program is aligned with the National Institute of Standards and Technology (NIST) Version 2.0 Cybersecurity Framework. The NIST Cybersecurity Framework leverages NIST 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations.
Our security policy and standards, which have been ratified and enforced by executive management, are built upon the five NIST Framework Functions.
Security Statement
Paychex is committed to protecting the confidentiality, integrity, and availability of client information. Specifically, we:
- Maintain policies and procedures covering the physical security of our workplaces, systems, and records.
- Apply physical, electronic, and procedural safeguards built on industry-recognized best practices.
- Use technology such as backup files, virus detection and prevention, firewalls, and other computer hardware and software to protect against unauthorized access to or alteration of client data.
- Encrypt sensitive information transmitted over the internet.
- Use access controls and internal auditing to limit employee access to client information to those who have a business reason to know.
- Require employees to take information security awareness training at hire and annually, and apply this training to their jobs every day.
- Use advanced technologies for the backup and recovery of client information.
- Monitor compliance with established policies through ongoing security risk assessments and internal audits.
- Perform regular penetration testing and vulnerability scans across infrastructure and network to identify and reduce risk.
- Assess and manage risk associated with third-party relationships that include nondisclosure agreements, a security risk evaluation of the third-party information security program, and a written contract that stipulates how information must be protected.
Client Services Security
Security policies and procedures for Paychex client-facing services and applications are specifically designed to protect the confidentiality of the sensitive information in clients’ electronic communications and transactions. Paychex stands behind its commitment to keep client data protected through the following best practices and technologies:
- Multilayered firewall technologies
- Real-time monitoring for suspicious or unusual activity
- Secured transmission of communications using transport layer security (TLS) encryption
- Comprehensive access controls
- Logical patch management procedures and processes
- Regular vulnerability assessments
- Multifactor authentication requirements for client-facing services
24/7/365 Security Support
Our Security Fusion Center has a 24/7/365 Security Incident Response function to collect and analyze information about potential system security violations and anomalous activity. The Fusion Center team works closely with human resources, corporate counsel, internal audit, risk management, external authorities, and other groups to record, report, and mitigate computer-related incidents.
Retention and Destruction of Hard Copy and Electronic Information
The Paychex Records Management Program (RMP) is an organized program to provide effective management of the company’s business records. The RMP provides effective life-cycle management of all Paychex records from their generation or receipt to their final disposition. Adherence to the policies of the RMP ensures that Paychex:
(i) complies with government regulations and legal requirements,
(ii) protects the records necessary to Paychex operations,
(iii) reduces the cost of maintaining and storing records, and
(iv) supports good business practices.
All third-party disposition and destruction services are National Association for Information Destruction (NAID) certified and under contract to protect company business records prior to destruction.
Client Privacy
The privacy of our clients and the information they provide is important to us. We use reasonable care to protect data provided to us by or on behalf of our clients or prospective clients and their workers from loss, misuse, unauthorized access, disclosure, alteration, and untimely destruction. Paychex policies related to the collection, usage, and retention of personal information are addressed in our general Privacy Policy, California Privacy Policy, Code of Business Ethics and Conduct, and Third-Party Code of Conduct.
Additionally, Paychex considers the policies and practices it has instituted to address the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system a fundamental responsibility.
Paychex maintains Service Organization Controls (SOC 1 and SOC 2) audit reports over various products and services. These audits are conducted annually, and clients are provided the ability to request copies. We do not grant access to personal information except as set forth in our Privacy Policy and Client Services Agreement.
Paychex protects against unauthorized access and alteration to customer data through the use of malware detection and prevention, firewalls, and other industry-standard technologies. Paychex encrypts sensitive information transmitted online and uses advanced technologies for information backup and recovery. Paychex uses reasonable care to protect customer data from loss, misuse, unauthorized access, disclosure, alteration, and untimely destruction. We do not grant access to the personal information of customers except as otherwise set forth in our privacy policy and Client Services Agreement.
Paychex has processes in place to comply with local, state, and federal requirements regarding the security of client data. These processes include comprehensive security procedures that are regularly reviewed and revised as appropriate to reflect regulatory changes.
Paychex addresses customer privacy in our Privacy Policy, Code of Business Ethics and Conduct, and our Client Services Agreement.
Paychex is committed to compliance with all local, state, and federal privacy regulations related to customer data.
The regulatory environment related to privacy is in constant flux with new regulations being implemented on a regular basis at the local, state, and federal levels. Our goals are to remain up to date and in compliance with all associated changes.
It is our responsibility to understand and comply with applicable laws and regulations related to customer privacy. Paychex has established policies and procedures to comply in a timely fashion with applicable federal and state legal requirements related to privacy, data security, and incident notification.
We provide contact information to report any instance in which a customer believes an unauthorized party has accessed their account or information.
Paychex encourages researchers to share with our team the details of any suspected vulnerability information via an online form which is administered by a third party.
Business Continuity and Disaster Recovery
Paychex has adopted a business continuity strategy designed to help ensure the continuation of business-critical functions in the event of a significant business disruption at any of our branches or corporate offices, including technical failures affecting our applications, data centers, networks, and the buildings we occupy. Paychex’ business continuity plan also includes measures designed to deal with severe weather, localized and regional disasters, and workforce-impacting events such as pandemics. The documented and tested recovery strategies are designed to mitigate the impact to our clients from any business disruption.
Acute Risks
Individual events, including extreme weather, may affect the availability of Paychex client-facing services and could lead to financial impact to clients, missed deadlines that carry penalties and eventual financial impact to Paychex, and damage to the overall Paychex brand reputation. Acute physical risk factors are assessed by business units, real estate, and IT and prioritized for business continuity, disaster recovery, and business resumption planning. The threat from individual events to data center operations is minimal, as Paychex has 200% redundancy to protect customer-facing applications across Paychex processing centers. The threat to Paychex service locations could be more substantial; however, redundancy across the service locations should lead to minimal impact to clients. Examples include, but are not limited to, severe winter weather, hurricanes, tornadoes, wildfires, floods, and power outages.
Chronic Risks
Sustained events associated with climate change could cause long-term outages leading to financial impact to clients, Paychex revenue, and overall brand reputation, as some of our data centers and service locations may be susceptible to increased energy consumption, reduced accessibility for staff, and disruption of critical suppliers for our fulfillment centers. Redundant locations that protect against individual (acute) events may be impacted equally by sustained events and require alternate solutions. Examples include, but are not limited to, rising temperatures, electrical blackouts, and rising sea levels.
Managing Risks of Service Disruptions
Paychex supports approximately 740,000 clients using multiple Paychex services and products. While rare, there have been occasions when we have experienced limited, unplanned outages or downtime. We work quickly to restore service and minimize client impact when these events occur. Further, we back up client data in data centers spread out across the U.S., and if there are regional disruptions or outages, client data can be accessed from unaffected locations.
Physical Security
In 2019, Paychex launched Active Threat Preparedness Training to help our employees understand what they can do to prepare for, and minimize the impact of, an active threat should the unthinkable happen.
We partnered with the Monroe County Sheriff’s Office in Rochester, New York to underwrite a comprehensive training video that includes information, statistics, and a re-enactment of an active shooter situation. It was filmed at Paychex locations in Rochester and features our own employees and local law enforcement, who volunteered to be actors and extras in the powerful re-enactment.
All new employees take this important training. Existing employees receive refresher training on a yearly basis to reinforce the concepts and principles learned in their initial Active Threat training. Paychex and the Monroe County Sheriff’s Office have made this training available to businesses and individuals through the Monroe County Sheriff’s Office website. The goal: to prepare people to take appropriate action and minimize loss of life.
Additional Security Measures
Employee Photo Identification
Employee Photo Identification is required to be worn and visible at all times while on Paychex property.
Building Access
Physical access to all buildings and data centers is restricted to employees and those with a justified business need. All access is monitored via an access control system, video surveillance, and, in some locations, security guards. All data centers have enhanced security systems and protocols.
Visitor Management
All persons visiting any Paychex location must have a business justification to do so. Visitors to all Paychex locations are required to sign in and are issued a numbered visitor’s badge. Visitors must be accompanied at all times by a Paychex employee.
Security and Internal Controls Training
The annual training on Security and Internal Controls is a scenario-based eLearning that puts the learner in the driver’s seat to identify and troubleshoot realistic scenarios, customized by sales or non-sales role and by manager or individual-contributor role. The training is completed by all employees, including full-time, part-time, and contract employees. Throughout the training program, the learner is provided with information on company policies, both within the training content itself and in a downloadable PDF with links to the site where all policies are located. Learners are advised to follow those links to obtain the most current policy information. The training also calls out the relevant Paychex values.
Learners dive deep into data security issues, including identifying and reporting security incidents, as well as the dangers of phishing emails and business email compromise (BEC). Employees with specific functions, such as privileged user access or the handling of PHI, are assigned specialized security modules, and executives receive executive-level security training; these are assigned in addition to the general security topics that address areas of security risk to the company. In addition, employees learn the importance of identifying protected information, including:
- HIPAA (Health Insurance Portability and Accountability Act)
- HITECH (Health Information Technology for Economic and Clinical Health Act)
- PHI (Protected Health Information)
- NACHA (National Automated Clearing House Association)
- PII (Personally Identifiable Information)
- PCI (Payment Card Information)
The training requires employees to acknowledge that they have received, reviewed, and understand the Paychex Code of Business Ethics and Conduct which includes requirements on handling of confidential information and company assets.
Content from the following policies is referenced in the training:
- Public Security Statement
- Personal Named User Accounts
- Personal Named User Accounts—Passwords
Employee Security Awareness Training
In addition to the annual security awareness training provided across the enterprise via our Right Way Training, our employees participate in routine phishing simulations designed to test and educate them on how to recognize and report phishing emails. In addition, we provide ongoing training to our Software Development teams, where they are instructed in secure code development and provided up-to-date intelligence on different attack techniques. Last but not least, we provide security alerts and education to our employees through our internal employee communication networks to keep them up to date on the best security hygiene practices and on advisories that may impact them. This includes weekly communications during October, when we leverage National Cyber Security Awareness Month to reinforce security concepts and practices.