Live integration

HRIS (BambooHR, Rippling, Workday, …)

HR · merge_link · Daily

Unified HRIS integration via Merge.dev. One connector reaches 50+ HR platforms; customers pick their provider during setup. Pulls active employee count, recent terminations, and onboarding-task completion rate for SOC 2 CC1.4 + CC6.3 personnel-control evidence.

Authentication: merge_link
Sync cadence: Daily
Stale threshold: Every 2 days
Category: HR

Evidence this connector produces

Every sync writes typed evidence rows linked to the controls below. Evidence is immutable once attached to an approved assessment, fingerprinted for de-dup, and surfaced in the control coverage calculation on your dashboard.

SOC 2: CC1.4, CC6.3

How to connect

Click Connect to launch the Merge Magic Link flow. You'll pick your HRIS, sign in to that provider, and authorize read-only access. No credentials are pasted into ThirdSentry — Merge holds the tokens and we only see normalized data.

  1. Pick your HRIS provider in Merge Link

     Merge's hosted picker lists every HRIS they support: BambooHR, Rippling, Workday, Gusto, Justworks, ADP, Paychex, HiBob, Personio, Sage HR, and 40+ more. Pick yours.

  2. Authorize read-only access

     Merge handles your provider's OAuth (or API-key) flow. We never receive the underlying credentials — they live in Merge and rotate automatically.

  3. Sync starts immediately

     The first pull collects an active-employee snapshot, recent terminations (30-day window), and onboarding-task completion. Syncs run daily thereafter; manual sync is available from the connection detail page.

Security model

Every connector ships behind the same auditor-grade primitives — not just RBAC config, but architectural enforcement.

Credentials KMS-encrypted at rest

Tokens, client secrets, and service-account keys are encrypted under a per-tenant AWS KMS data key. The plaintext is never persisted, never logged, and never leaves the FastAPI process boundary.

Tenant-isolated by architecture

Every Connection, ConnectorRun, and emitted Evidence row carries an organization ObjectId. The scheduler never iterates without an org-scoped filter; cross-tenant evidence bleed is impossible at the data layer.

Audit log on every action

Connect, sync, sync-failure, re-auth, and revoke each write a row to the immutable AuditLog. The full lifecycle is reconstructable for any examiner.

Soft-delete on revoke

Revoking a connection sets deletedAt and clears the encrypted credential blob, but the historical evidence + sync log stays queryable for the retention window. Auditors can still trace what was attested when.

Stale-evidence degradation

If this connector hasn't synced within the stale threshold (2 days), control coverage degrades automatically and an alert fires. Auditors don't trust stale evidence — neither do we.

Least-privilege scopes only

We request the minimum read-only scopes needed for the listed evidence. No write scopes, no admin scopes, no scopes outside the documented set.

Ready to connect HRIS (BambooHR, Rippling, Workday, …)?

Connect from Settings → Integrations — typically under 5 minutes. Or talk to us first.