Security at Oyster

At Oyster, data security and privacy processes are a top priority. Learn more about our processes, policies, and standards below.

As experts, we take this stuff seriously

This isn’t our first startup. Our team not only knows how to secure data, but why it’s so important. Our standards are high and we’re committed to continuously improving our people, processes, and product so you feel confident working with us.


Demonstrating our leadership in compliance is key for building your trust. We engage outside auditors for verification of our compliance against global standards and industry best practices.

  • Oyster achieved a clean SOC 2 Type II report in 2022

  • Penetration testing is conducted on a regular basis


Oyster is compliant with various data protection laws, including the General Data Protection Regulation (GDPR). Our Data Processing Addendum is automatically incorporated into our Terms and it applies GDPR standards to all the personal data we process—regardless of where the data subject is located. We also employ privacy-by-design principles throughout our software development lifecycle in accordance with GDPR standards.

Incident Reporting

We have a publicly-facing security incident reporting helpline to ensure our customers can access fast support. All incidents are routed to designated teams, investigated according to our Incident Response Policy, and addressed in accordance with applicable law.

Business Continuity and Reliability

We understand that our customers need readily available access to the Oyster platform. Hosted by AWS, the Oyster platform relies on the Amazon S3 Service Level Agreement. Oyster platform data is backed up on a regular basis in case of a system failure. We target full system recovery in less than five hours with a recovery point objective of two minutes or less.

Access Controls

By default, Oyster uses 2FA and single sign-on (SSO). If you use another SSO provider, we’ll gladly integrate it to ensure user-friendly and secure access to our platform.

Continuous Monitoring

Drata is a security and compliance automation platform that continuously monitors Oyster’s policies, procedures, and IT infrastructure to ensure the company adheres to industry standards.

Breachlock is a Penetration Testing as a Service (PtaaS) platform that continuously monitors the Oyster platform for vulnerabilities and threats.


Oyster’s operations are guided by a comprehensive package of security policies. We review our policies on a regular basis and conduct training to ensure customer, Team Member, and staff data is always handled diligently.

Take it for a spin

See how the Oyster platform can transform your business.

Security by Design

This isn’t our first startup. Our team of developers have been around the block and understand not only how to secure data, but why it matters. Oyster’s success as a global employment service provider relies on earning and keeping our Customers’ and Colleagues’ trust. We take security seriously and built Oyster with security in mind.


  • ISO 27001
  • GDPR

We are pursuing these certifications and building to their specifications. By starting with clear principles and frameworks, our policies and processes reflect a thoughtful approach to security and our everyday work.


  • SSL Encryption is used throughout our application
  • All data is encrypted in transit 
  • All databases and database backups are encrypted at rest
  • We apply a second layer of encryption to sensitive data such as bank accounts and NI numbers

Working with up-to-date framework releases, we use tried and tested modules, and apply fundamental security considerations to every aspect of our software design. 

Secure Servers

  • SOC 1, 2, 3
  • ISO 27001/27017/27018

Your data is securely backed up on a regular basis. And we never move user data out of the secured environment for testing or any other reason.

Oyster Team Access

  • Unique logins required for all business critical systems
  • Defined access to different parts of our system
  • Customer and personal data access is limited by roles
  • Role-based access is regularly audited and updated

We limit access to our systems and our data to only those who need it, operating on the principle of least privilege.


  • Continuous resource and infrastructure access monitoring
  • Third party web property scanning
  • Security testing as an essential part of our release process 
  • Annual employee privacy and data security training 

Building a secure Site and Platform is only the beginning. We monitor our systems to keep them secure and to continuously improve our people, processes and our product.
