Last Updated: January 1, 2026
Escochex Payroll is committed to protecting the confidentiality, integrity, and availability of client and employee data. We employ industry-standard administrative, technical, and physical safeguards designed to protect sensitive payroll, tax, and personal information against unauthorized access, disclosure, alteration, or destruction.
1. INTRODUCTION AND COMMITMENT
Escochecks Inc. (“Escochecks,” “we,” “us,” or “our”) is committed to protecting the confidentiality, integrity, and availability of the data entrusted to us by our clients, their employees, contractors, and other authorized users in connection with the Escochex Payroll service and related products (collectively, the “Services”).
This Data Security Policy describes the administrative, technical, and physical safeguards that Escochecks maintains to protect payroll, tax, financial, and other sensitive information against unauthorized access, use, disclosure, alteration, or destruction. It complements the Escochex Payroll Privacy Policy, which describes how we collect, use, and disclose personal information.
2. SCOPE
This policy applies to Escochex Payroll and to all systems, networks, applications, and personnel that store, process, or transmit client data on behalf of Escochecks, including our websites (www.escochex.com and www.escochecks.com), the Escochex Payroll Platform, our mobile and desktop applications, and the production environments operated by Escochecks and its approved sub-processors.
This policy applies to all Escochecks employees, contractors, and authorized third parties with access to Escochex Payroll systems or client data.
3. INFORMATION SECURITY PROGRAM
Escochecks maintains a written, risk-based information-security program that is reviewed at least annually and updated to address changes in technology, the threat landscape, regulatory requirements, and our business. The program is structured around the following core principles:
- Defense-in-depth security architecture with overlapping, complementary controls;
- Least-privilege access and role-based controls;
- Continuous monitoring, logging, and risk assessment;
- Secure software-development and deployment practices;
- Documented incident detection, response, and recovery planning;
- Ongoing personnel training and accountability;
- Periodic independent assessment and continuous improvement.
Overall responsibility for the program is assigned to designated security personnel under the oversight of Escochecks executive management.
4. CONTROL DOMAINS AT A GLANCE
| Control Domain | What This Covers |
|---|---|
| Compliance | Alignment with applicable federal and state laws, payroll-industry rules, and recognized security frameworks (see Section 18). |
| Third-Party Risk | Security due-diligence of vendors and sub-processors, contractual data-protection requirements, and ongoing vendor monitoring. |
| Personnel Security | Background screening (where permitted by law), confidentiality agreements, mandatory security and privacy training, and structured onboarding and offboarding. |
| Business Continuity | Encrypted, geographically diverse backups; defined recovery time and recovery point objectives (RTO/RPO); failover capabilities; and periodic tabletop and recovery testing. |
| Threat Detection & Response | Centralized logging, security information and event management (SIEM), anomaly and threat detection, and a documented incident-response program. |
| Vulnerability Management | Routine vulnerability scanning, patch management, and periodic third-party penetration testing of internet-facing systems and critical applications. |
| Application Security | Secure software-development lifecycle (SDLC), peer code review, static and dynamic application security testing, and dependency-vulnerability management. |
| Network & Infrastructure | Cloud hosting in hardened, segmented environments; firewalls; intrusion detection and prevention; DDoS protection; and continuous monitoring. |
| Identity & Access | Role-based access control, least-privilege provisioning, multi-factor authentication, privileged access management, and periodic access reviews. |
| Data Protection | Data classification, encryption in transit and at rest, key management, data minimization, and secure data disposal. |
| Governance & Risk | Written information-security policies, executive oversight, periodic risk assessments, documented roles and responsibilities, and continuous program improvement. |
5. GOVERNANCE AND RISK MANAGEMENT
Security governance is owned by designated security personnel and reviewed by Escochecks executive management. Our risk-management process includes:
- Annual enterprise risk assessments covering threats to the confidentiality, integrity, and availability of client data;
- Risk-based prioritization of remediation activities;
- Documented information-security policies and standards reviewed at least annually;
- Defined roles and responsibilities for security across the organization; and
- Performance metrics that track the maturity and effectiveness of the program.
6. DATA CLASSIFICATION AND HANDLING
Escochecks classifies data based on sensitivity and regulatory requirements. Higher classifications receive stronger controls. Our classification scheme generally includes:
- Public — information intended for public release (e.g., marketing content).
- Internal — information used in day-to-day operations that is not for public release.
- Confidential — client and employee information, including personally identifiable information (PII), tax information, and benefits data. Access is restricted on a need-to-know basis.
- Restricted — the most sensitive data, including Social Security Numbers, bank-account and routing numbers, authentication credentials, and encryption keys. Access is strictly limited, logged, and monitored.
Data is handled, stored, transmitted, and disposed of in accordance with its classification level.
7. ENCRYPTION AND CRYPTOGRAPHIC CONTROLS
Escochecks uses industry-standard cryptography to protect client data throughout its lifecycle:
- Encryption in transit. All client data transmitted across public and private networks is protected with Transport Layer Security (TLS) 1.2 or higher using strong cipher suites. Internal service-to-service traffic is similarly encrypted.
- Encryption at rest. Sensitive client data stored within Escochex Payroll systems is encrypted at rest using AES-256 or an equivalent industry-standard algorithm.
- Key management. Encryption keys are managed through dedicated key-management services, segregated from the data they protect, rotated on a defined schedule, and accessible only to a limited set of authorized personnel and systems.
- Application-level protection. Particularly sensitive fields (such as Social Security Numbers and bank-account numbers) receive additional application-level protections including tokenization, masking, and access logging.
8. IDENTITY AND ACCESS MANAGEMENT
Access to Escochex Payroll systems and client data is granted on a least-privilege, need-to-know basis. Our identity and access-management controls include:
- Role-Based Access Control (RBAC) that restricts system access according to job function;
- Multi-Factor Authentication (MFA) for administrative, privileged, and remote access to production systems;
- Strong password and credential-management requirements, including length, complexity, history, and rotation rules;
- Single Sign-On (SSO) support for clients where available;
- Session timeouts, automatic lockouts, and brute-force protections;
- Just-in-time and time-bound elevation for privileged tasks where supported;
- Periodic access reviews and prompt deprovisioning upon role changes or termination; and
- Centralized logging of authentication and authorization events.
9. NETWORK AND INFRASTRUCTURE SECURITY
Escochex Payroll operates on secure, cloud-based infrastructure provided by leading cloud-service providers that maintain widely recognized security and availability certifications. Our infrastructure controls include:
- Hardened server configurations and operating-system baselines;
- Network segmentation that isolates production, corporate, and development environments;
- Firewalls, security groups, and access-control lists at multiple network layers;
- Intrusion-detection and intrusion-prevention systems (IDS/IPS);
- Web application firewalls (WAF) protecting public-facing applications;
- Distributed denial-of-service (DDoS) mitigation;
- Continuous monitoring for unauthorized configuration changes; and
- Logical separation (multi-tenant isolation) of client data within shared infrastructure.
Physical access to underlying hosting facilities is restricted, monitored, and audited by our cloud-infrastructure providers in accordance with their published security standards.
10. ENDPOINT AND MOBILE DEVICE SECURITY
Endpoints used by Escochecks personnel to access production systems or client data are subject to standard hardening controls, including full-disk encryption, endpoint detection and response (EDR) software, automatic patching, screen-lock policies, and management through centralized device-management tools. Lost or stolen devices are remotely wiped where possible.
11. SECURE SOFTWARE DEVELOPMENT AND CHANGE MANAGEMENT
Escochex Payroll follows a documented secure software-development lifecycle (SDLC). Our practices include:
- Separation of development, testing, and production environments;
- Peer code review prior to merging code into production branches;
- Static application security testing (SAST) and software-composition analysis to identify vulnerable dependencies;
- Dynamic application security testing (DAST) of critical interfaces where appropriate;
- Documented change-management procedures with approvals, testing, and rollback plans;
- Secret-management practices that prevent credentials and keys from being committed to source code; and
- Security training for developers and engineers on common application-security risks (such as the OWASP Top 10).
12. VULNERABILITY AND PATCH MANAGEMENT
Escochecks operates a continuous vulnerability-management program that includes:
- Routine vulnerability scanning of internet-facing and internal systems;
- Periodic third-party penetration testing of the Escochex Payroll Platform and supporting infrastructure;
- Risk-based remediation timelines, with critical vulnerabilities prioritized for expedited resolution;
- Patch management for operating systems, libraries, and dependencies; and
- Documented coordinated-disclosure procedures for security researchers (see Section 23).
13. LOGGING, MONITORING, AND THREAT DETECTION
Escochex Payroll maintains centralized logging and monitoring of security-relevant events across applications, infrastructure, and administrative activity. Logs are protected against unauthorized access or modification and retained for a period appropriate to support investigations and applicable legal and regulatory requirements. Security events are aggregated and analyzed through security information and event management (SIEM) tooling, supported by automated alerting and human review for indicators of compromise, suspicious authentication activity, and anomalous behavior.
14. INCIDENT RESPONSE AND BREACH NOTIFICATION
Escochecks maintains a documented incident-response plan that defines roles, escalation paths, communication procedures, and post-incident activities. Our response process includes:
- Identification — detecting and classifying potential security incidents through monitoring, alerting, and reporting channels.
- Containment — limiting the scope and impact of confirmed incidents through isolation and other defensive measures.
- Investigation — determining root cause, scope, and affected data through forensic analysis.
- Eradication and Recovery — removing the cause of the incident and restoring affected systems to normal operations.
- Notification — notifying affected clients, individuals, and regulators in accordance with applicable contractual obligations and federal and state data-breach notification laws, without undue delay following discovery of a confirmed breach involving covered data.
- Post-Incident Review — conducting a lessons-learned review and implementing corrective actions to reduce the likelihood and impact of similar future incidents.
The incident-response plan is reviewed at least annually and exercised through tabletop or simulation drills.
15. BUSINESS CONTINUITY AND DISASTER RECOVERY
Escochecks maintains business-continuity and disaster-recovery plans designed to support the availability of the Services and the resilience of client data. Our practices include:
- Frequent, encrypted backups of production data, with backup integrity testing;
- Geographically diverse storage of backup copies to support recovery in the event of a regional outage;
- Defined recovery time objectives (RTO) and recovery point objectives (RPO) appropriate to the Services;
- Redundancy, failover, and high-availability configurations for critical systems where applicable; and
- Periodic testing of recovery procedures, with results documented and used to refine the plans.
16. PERSONNEL SECURITY
Personnel are a critical line of defense. Escochecks applies the following safeguards to its workforce:
- Background screening (where permitted by law) for personnel with access to production systems or sensitive client data;
- Written confidentiality and non-disclosure agreements covering client data;
- Mandatory security and privacy awareness training at onboarding and at least annually thereafter, with role-based training for personnel in sensitive functions;
- Acceptable-use, mobile-device, and remote-work policies; and
- Structured offboarding procedures that promptly revoke access and retrieve company assets.
Sanctions, up to and including termination, may be imposed for violations of Escochecks security policies.
17. VENDOR AND THIRD-PARTY RISK MANAGEMENT
Escochecks engages third-party service providers and sub-processors to support the Services (for example, cloud-hosting providers, payment-processing partners, identity-verification vendors, communications providers, and benefits and tax integrations). We manage third-party risk through:
- Risk-based security due-diligence prior to engagement, including review of independent assessments (such as SOC 2 reports) where available;
- Written contracts that include data-protection, confidentiality, security, and breach-notification obligations;
- Restricting vendor access to the minimum data necessary to perform the engaged services;
- Periodic reassessment of material vendors; and
- Monitoring of vendor-related security events that could affect Escochecks or our clients.
18. REGULATORY AND FRAMEWORK ALIGNMENT
Escochex Payroll’s security program is designed to align with widely recognized security frameworks and to comply with applicable laws and industry rules, including those summarized below.
| Framework/Regulation | How It Applies to Escochex Payroll |
|---|---|
| State Breach-Notification Laws | We notify affected parties of security incidents in accordance with applicable federal, state, and contractual breach-notification requirements. |
| California CCPA/CPRA & other state laws | We maintain reasonable security procedures and practices in accordance with applicable state privacy and data-security laws. |
| HIPAA (limited applicability) | Where benefits-administration features cause us to process protected health information, we enter into Business Associate Agreements and apply HIPAA-aligned safeguards. |
| PCI DSS (where applicable) | To the extent payment-card data is processed in connection with the Services, we use PCI-compliant payment processors and apply PCI-aligned controls. |
| NACHA Operating Rules | ACH origination is performed in accordance with NACHA Operating Rules, including security requirements for protecting sensitive bank-account information. |
| IRS Publications 1075 & 4557 | As a payroll-and-tax service provider, we apply safeguards consistent with IRS guidance for protecting federal tax information and taxpayer data. |
| Gramm-Leach-Bliley Act (GLBA) Safeguards Rule | As a service provider that handles nonpublic personal financial information, we maintain administrative, technical, and physical safeguards consistent with the FTC Safeguards Rule. |
| AICPA Trust Services Criteria (SOC 2) | Our controls are designed in alignment with the SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality. |
| NIST Cybersecurity Framework (CSF) | Our security program is structured around the NIST CSF functions — Identify, Protect, Detect, Respond, and Recover. |
Where Escochecks holds independent attestations or certifications, summary information may be made available to clients under appropriate confidentiality protections upon written request.
19. PRIVACY BY DESIGN AND DATA MINIMIZATION
Privacy is integrated into how Escochex Payroll is designed and operated. Our privacy-supporting practices include:
- Collecting only the personal information needed to provide the Services and to comply with applicable law;
- Limiting access to personal information to authorized personnel on a need-to-know basis;
- Retaining personal information only as long as required to provide the Services and to satisfy legal, tax, and regulatory obligations (see the Escochex Payroll Privacy Policy for details); and
- Securely disposing of, deleting, or de-identifying personal information when it is no longer required.
For full details on how personal information is collected, used, disclosed, and protected, please refer to the Escochex Payroll Privacy Policy.
20. PAYROLL-SPECIFIC SAFEGUARDS
Because Escochex Payroll moves funds, files tax returns, and reports to government agencies on behalf of our clients, we apply additional safeguards tailored to payroll operations:
- Segregation of duties for payroll funds movement and tax remittance;
- Multi-step approval controls for high-risk transactions, including changes to direct-deposit information and bank-account details;
- Account-change verification procedures designed to detect and prevent business-email-compromise and social-engineering attacks targeting payroll;
- ACH-origination controls consistent with NACHA Operating Rules, including encryption of sensitive bank-account data and rules-based exposure-limit monitoring;
- Secure transmission and storage of tax returns, tax deposits, and government filings; and
- Tamper-evident audit trails for pay-run approval, fund movement, and tax-filing activity.
21. SHARED RESPONSIBILITY AND CLIENT OBLIGATIONS
Security in a SaaS environment is a shared responsibility. While Escochecks is responsible for securing the Escochex Payroll Platform and supporting infrastructure, clients and authorized users are responsible for protecting their accounts and the devices they use to access the Services. Escochecks recommends that clients and users:
- Safeguard log-in credentials and never share them with another person;
- Enable multi-factor authentication on every account where available;
- Provision and deprovision user access promptly when roles change or employees leave;
- Use the lowest-privileged role appropriate for each user;
- Keep devices, browsers, and operating systems updated and protected by anti-malware tools;
- Monitor account activity and review user-access reports regularly;
- Verify any change to direct-deposit, bank-account, or vendor-payment information through an out-of-band method (such as a known phone number) before approving it; and
- Report suspected unauthorized access, phishing attempts, or other security concerns to Escochecks promptly using the contact information in Section 23.
Important: Escochecks will never request your password, multi-factor authentication code, or other sensitive authentication credentials through an unsolicited email, text message, or phone call. If you receive such a request, do not respond and report it to security@escochex.com immediately.
22. CONTINUOUS IMPROVEMENT
Security is an ongoing program rather than a destination. Escochecks continuously evaluates and enhances its security controls to address evolving threats, regulatory developments, lessons learned from incidents and exercises, client feedback, and advancements in technology. Material changes to this Data Security Policy will be reflected in the “Effective Date” and “Last Updated” at the top of this document.
23. REPORTING SECURITY CONCERNS AND CONTACT INFORMATION
To report a security concern, suspected vulnerability, or potential incident, please contact our security team. We encourage coordinated disclosure of vulnerabilities and will work in good faith with researchers who report issues responsibly.
Escochex Payroll Security Team
Escochecks Inc.
21900 Burbank Blvd, Suite 300
Woodland Hills, CA 91367
Email: security@escochex.com
Customer Care: customercare@escochex.com
Telephone: (818) 436-4688
Web: www.escochex.com
For information about how Escochecks collects, uses, and discloses personal information, please review the Escochex Payroll Privacy Policy. For the terms and conditions that govern use of the Services, please review the Escochex Payroll Terms of Service.