Compliance
SOC 2 Type II Certified. Check is SOC 2 Type II compliant, which is the most widely recognized standard for data security. This means we regularly undergo rigorous third-party audits to ensure our internal controls, security protocols, and data handling processes meet the highest industry standards. These audits evaluate our ability to safeguard customer data, ensure system availability, and maintain data integrity. Compliance involves regular testing, continuous monitoring, and proactive risk assessments to ensure our systems remain secure and trustworthy.
MTL Licensed. As an authorized money transmitter in 50 U.S. states and DC, Check adheres to stringent regulatory requirements designed to protect the funds and sensitive information of our partners and their customers. Our money transmitter licenses are maintained through compliance with state-specific reporting, audit requirements, and strict operational controls, ensuring transparency and security in our money movement activities.
Data Processing Agreement (DPA). We ensure our partners who are subject to global data protection laws are fully compliant through our Data Processing Agreement (DPA). This agreement outlines how we process personal data on behalf of our customers, ensuring that data privacy, security, and rights are protected in line with global standards.
Modern Governance, Risk, and Compliance (GRC). Check uses a state-of-the-art automated security compliance platform that continuously monitors our people, systems, and tools. This ensures that we stay ahead of emerging threats and maintain a proactive security posture. By automating compliance checks and incorporating industry best practices, we can focus on safeguarding the data and systems that power our partners’ payroll operations.
Product Security
API Key Hardening. Unused keys automatically expire, reducing the risk of unauthorized access. We also track the usage of each key, logging and displaying the last activity, allowing our partners to easily monitor for unusual patterns. Additionally, partners can limit access to specific IP ranges, adding an extra layer of protection in the event of a key compromise.
Detailed API Logs. Check provides comprehensive API logs to partners, helping them during development and incident response. These logs give partners visibility into API usage, helping them troubleshoot issues and conduct forensic analysis if necessary.
Role-based Access Control (RBAC). Role-based access control ensures that users only have access to the resources necessary for their role, and we provide that capability to our partners. The Partner Console employs RBAC to enforce the principle of least privilege, enabling administrators to easily limit their staff's access to sensitive areas.
Required Multi-factor Authentication (MFA). By requiring multiple forms of verification, MFA reduces the risk of unauthorized access, even if login credentials are compromised. For added protection, Check requires MFA for all users of the Partner Console, safeguarding sensitive payroll data and operations.
Layered Data Segmentation. Check has implemented both logical and physical segmentation to protect data across the platform. Customer data is classified with metadata that defines its ownership, and this ownership is checked and verified at multiple locations to enforce proper access control.
Strong Encryption. Check ensures that all data is encrypted both in transit and at rest. Data in transit is encrypted using Transport Layer Security (TLS) 1.2 or higher, while sensitive data at rest is encrypted with AES 256-GCM. This robust encryption protects data from unauthorized access, even if the physical infrastructure is compromised.
Signed Webhooks. Webhook requests sent from Check include a Check-Signature header, allowing partners to verify the authenticity of each request. Verifying webhook signatures is a security best practice that prevents fraudulent or malicious requests from affecting partner systems.
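The following is an added example of how a partner's webhook receiver can verify a signature header before acting on a request. It is not Check's own code and does not document Check's actual signing scheme: it assumes, as an illustration, that the Check-Signature value is a hex-encoded HMAC-SHA256 over the raw request body computed with a shared secret issued to the partner. The header name comes from the page; the secret, body, and signing details below are constructed for the example. The security-relevant points it shows are verifying over the raw bytes (not a re-serialized JSON object), comparing in constant time, and refusing to parse the body until the signature has been checked.

```python
import hashlib
import hmac
import json

# Assumed scheme (hypothetical, not Check's documented format):
# Check-Signature = hex(HMAC-SHA256(shared_secret, raw_request_body)).
SIGNATURE_HEADER = "Check-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 of the raw body (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def get_header(headers: dict, name: str):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_signature(secret: bytes, body: bytes, headers: dict) -> bool:
    """Return True only if the Check-Signature header matches the raw body."""
    presented = get_header(headers, SIGNATURE_HEADER)
    if not presented:
        # A missing header is treated as a failed verification, not a pass.
        return False
    expected = sign_payload(secret, body)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, presented.strip().lower())


def handle_webhook(secret: bytes, body: bytes, headers: dict):
    """Verify first, then parse. Returns (accepted, event_dict_or_None)."""
    if not verify_signature(secret, body, headers):
        # Log and drop; never act on an unverified event.
        return False, None
    return True, json.loads(body)


# Constructed sample data for a stand-alone run.
SAMPLE_SECRET = b"example-shared-secret-not-real"
SAMPLE_BODY = b'{"type":"payroll.approved","id":"pay_example_123"}'
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    SIGNATURE_HEADER: sign_payload(SAMPLE_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    ok, event = handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS)
    print("accepted:", ok, "event type:", event and event["type"])
    tampered = SAMPLE_BODY.replace(b"approved", b"rejected")
    print("tampered accepted:", handle_webhook(SAMPLE_SECRET, tampered, SAMPLE_HEADERS)[0])
```

In a real receiver the body must be read as bytes exactly as delivered, since any framework re-encoding (whitespace, key ordering, unicode escaping) would change the HMAC. Replay protection, if the provider includes a timestamp in the signed material, is a separate check layered on top of this one.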
Application Security
Rate Limit Protections. To maintain high performance and prevent abuse, Check enforces rate limits on API requests. This ensures fair usage across the platform, protecting our systems from denial-of-service attacks or traffic spikes while preserving availability and performance for all partners.
Web Application Firewall (WAF). Check has deployed an industry-standard web application firewall (WAF) that monitors and filters HTTP traffic to our web applications. This firewall protects against common web-based attacks, such as cross-site scripting and SQL injection, ensuring that malicious traffic is blocked before it can impact our systems.
Secure Development Lifecycle (SDLC). Security is integrated into every step of Check’s software development process. We follow a Secure Development Lifecycle (SDLC) that includes security-by-design, static application security testing (SAST), regular software updates, and comprehensive security tests to identify and mitigate threats before changes go live.
Rigorous Change Management. At Check, all production code changes undergo rigorous peer review to ensure security best practices are followed. Our CI/CD pipeline is secured and automated, minimizing human error and ensuring that frequent, reliable deployments occur. Each change is thoroughly tested in a secure environment, ensuring that our systems remain robust and tamper-proof.
Infrastructure Security
Continuous Backups. Check performs regular, automated backups of all critical data, ensuring redundancy and rapid recovery in case of an incident. We also regularly test our backup and restore processes, ensuring data integrity and availability in the event of a failure or disaster.
Autoscaling. Check’s infrastructure is designed to dynamically scale based on traffic demand. Autoscaling allows us to handle sudden spikes in traffic without performance degradation, ensuring that our services remain available and responsive under varying loads common in payroll.
Predictable Static IPs. Check uses static IPs for ingress and egress, providing partners with a reliable way to manage authorized access. By using static IPv4 addresses, partners can predictably whitelist Check’s IPs, ensuring smooth and secure communication between systems.
Intrusion Detection System (IDS). We employ an Intrusion Detection System (IDS) that continuously monitors network traffic for suspicious activities. The IDS enables us to quickly detect and respond to potential threats, protecting our infrastructure and data.
DDoS Protection. Check’s infrastructure is protected against Distributed Denial-of-Service (DDoS) attacks, which aim to overwhelm systems with traffic. Our DDoS protection ensures that our services remain available and secure, even during high-volume attacks.
Continual Infrastructure Scanning. Check continuously monitors its infrastructure for vulnerabilities through automated scanning. Regular patching ensures that our systems are updated with the latest security fixes, helping to mitigate emerging threats.
Least Privileged Access. We enforce the principle of least privilege across our infrastructure, granting the minimum access necessary for each task. This minimizes the risk of accidental or malicious actions, limiting the potential impact on our systems.
Audited Changes. All changes to our infrastructure are logged and stored in an immutable audit trail, providing transparency and accountability. This allows us to trace and review any modifications made to our systems, ensuring that all changes are authorized and secure.
Infrastructure as Code (IaC). Check uses Infrastructure as Code (IaC) to manage and provision its infrastructure. This approach enhances security by ensuring that infrastructure configurations are consistent, version-controlled, and auditable. Changes to production infrastructure are peer-reviewed, reducing the risk of errors and improving security.
Email Security. Email is a common attack vector for phishing and other malicious activities. Check has implemented SPF, DKIM, and DMARC protocols to protect against email spoofing, ensuring the authenticity and integrity of emails sent from our domain.
Threat Intelligence. Check leverages advanced threat intelligence to maintain real-time visibility into potential threats across its systems. This allows us to quickly detect, investigate, and respond to security incidents, ensuring a proactive approach to defense.
Organizational Security
Background Checks. Check thoroughly vets all new employees with a robust hiring process. This includes criminal background checks, reference checks, and identity verification through E-Verify. These steps ensure that we hire trustworthy individuals who are qualified to handle sensitive information.
Multi-factor Authentication and Role-Based Access Control (RBAC). We enforce multi-factor authentication (MFA) and role-based access control (RBAC) across all systems that handle customer data. This ensures that only authorized personnel have access to critical systems and sensitive data.
Device Hardening via Mobile Device Management (MDM). Check uses Mobile Device Management (MDM) to secure employee devices. Our devices are hardened according to strict security policies, which enforce encryption, automatic updates, and other security measures to protect against threats.
Regular Tabletop Exercises. Check conducts regular tabletop exercises to improve our response to cybersecurity incidents. These simulations involve cross-functional teams and simulate real-world scenarios, allowing us to refine our processes and strengthen our security readiness.
Partner Security Advisement. At Check, we work closely with our partners to enhance their security posture. Beyond formal contractual security provisions, we provide ongoing security advisement, offering insights and recommendations to help partners navigate potential threats such as account takeovers and other cyber risks.
Penetration Testing
Penetration testing is an essential component of our security program. It involves simulating real-world attacks on our systems to identify and fix potential vulnerabilities before they can be exploited. Check partners with leading cybersecurity firms to regularly conduct thorough penetration tests. These external experts rigorously assess our applications and infrastructure, providing us with detailed reports that help us strengthen our defenses. By actively seeking out and addressing weaknesses, we maintain a proactive security posture that continuously improves over time.
Bug Bounty
In addition to formal testing, Check operates a bug bounty program through Federacy. This program invites security researchers from around the world to identify vulnerabilities in our systems and report them responsibly. We value the contributions of ethical hackers who help us enhance our security. If you believe you’ve discovered a vulnerability, you can participate in our program by contacting Federacy, where you will receive disclosure guidelines and information about potential awards. Our bug bounty program reflects our commitment to maintaining transparency and ensuring that we proactively address any potential security gaps.