We're Committed to Accuracy, Trust & Security

GoCo’s Commitment to Accuracy, Trust & Security

Prior to starting GoCo, GoCo’s founders were early adopters of a different all-in-one HR platform. The technology was sleek and modern, but mistakes with benefits and payroll were common.

GoCo’s HR data security & protection software was built to be different. It was built to strive for 100% accuracy, trust and security.


GoCo runs on Heroku, a modern infrastructure for cloud-based applications. Heroku is specifically designed to protect customers from data security threats by applying security controls at every layer.

SOC 2 Certification – Type 1 & 2

GoCo is Type 1 SOC 2 certified by the American Institute of CPAs (AICPA). The Type 1 SOC 2 is a third-party audit that provides assurance to customers of service organizations that business practices meet Trust Principles and Criteria (TSP) standards: security, processing integrity, availability, confidentiality and privacy.

Whereas the Type 1 certification is evaluated at a specific point in time, GoCo is also SOC 2 Type 2 certified, which requires a 6 month audit completed by the third-party. The audit requires concrete evidence that the data security processes are being strictly followed.

SOC 2 Type 2 compliance is designed to help GoCo and its customers take only the best measures and safety procedures to ensure the security of HR data and other confidential information.

Two-Factor Authentication

GoCo provides the ability for all users to secure their account with Two-Factor Authentication. Two-Factor helps secure GoCo accounts by requiring a user to enter a 6 digit code when logging in, along with their account password. This helps verify the user’s identity in the event that the user’s password or login has become compromised. Learn more about Two-Factor Authentication →

Data Centers

Heroku utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon is an industry leader in designing, constructing, and operating large-scale data centers.

AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Only employees with a legitimate business need have access to the data center. The authorized staff must pass two-factor authentication no fewer than three times to access data center floors.

Amazon’s data center operations have been accredited under:

  • ISO 27001

  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

  • PCI Level 1

  • FISMA Moderate

  • Sarbanes-Oxley (SOX)

  • Application Security

Heroku undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of their application, architecture, and implementation. Issues found in Heroku applications are risk ranked, prioritized, assigned to the responsible team for remediation.

Data is transmitted to and from Heroku using bank-level 256-bit SSL encryption. In addition, GoCo:

  • Encrypts sensitive data at rest using BCrypt

  • Links to documents are protected with signed URLs that expire

  • User sessions are secured with an expiring access token

  • Audit trails are available for all user behavior

HIPAA Compliance

HIPAA (Health Insurance Portability and Accountability Act of 1996) sets procedures and guidelines for maintaining the privacy and security of personally identifiable health information.

In order for your benefit broker to manage your insurance (health, dental, vision, etc.) and process enrollments, terminations, changes, audits, billing inquiries, etc. they occasionally need access to some PHI (personally identifiable information relating to health care or payments).

As a Business Associate, GoCo protects PHI in accordance with the Health Insurance Portability and Accountability Act (HIPAA). We aim to avoid disclosing any more information than the minimum required to process your enrollments, insurance payments, etc. and strictly control who has access to that information as outlined in the “Employee Access” section.

In 45 CFR 160.103, a “Business Associate” is defined as a person that creates, receives, maintains, or transmits protected health information [… for the purposes of …] claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing.

Data Ownership

In order for us to provide some of our services, we may need access to your company’s payroll account, insurance accounts, and accounts from other third-party institutions.

However, you can stop using GoCo at any time for any reason. Upon written request, we will permanently delete all your company data, all of your third-party account info, and all employee data from our records within 30 days (but typically sooner). Should you need it, your data will be available for export to an authorized representative of your company prior to deletion.


All access and changes to your company and employee information is logged to assist with troubleshooting and investigations. The audit trail is readily accessible to all customers directly from the interface.

Employee Access

GoCo’s HR data security software limits access to your nonpublic personal information to employees that have a business reason to know such information. We implement security practices and procedures designed to protect the confidentiality and security of such information and prohibits unlawful disclosure of such information.

Further, the GoCo employees directly responsible for managing customer accounts have all passed a pre-employment background check.

Licenses, Inc. is a licensed agency in several states. The license number in our domestic state (Texas) is 2002715.

Additional Information, Inc. is located at:
16825 Northchase Dr, Ste 1310
Houston, TX 77060

You can review more information about GoCo’s founders and team on our about us page.