Security & Compliance


GoCo’s Commitment to Accuracy, Trust & Security

Prior to starting GoCo, GoCo’s founders were early adopters of a different all-in-one HR platform. The technology was sleek and modern, but mistakes with benefits and payroll were common.

GoCo was built to be different. It was built to strive for 100% accuracy, trust and security.


GoCo runs on Heroku, a modern infrastructure for cloud-based applications. Heroku is specifically designed to protect customers from threats by applying security controls at every layer.

Data Centers

Heroku utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon is an industry leader in designing, constructing, and operating large-scale data centers.

AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Only employees with a legitimate business need have access to the data center. The authorized staff must pass two-factor authentication no fewer than three times to access data center floors.

Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Application Security

Heroku undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of its application, architecture, and implementation. Issues found in Heroku applications are risk-ranked, prioritized, and assigned to the responsible team for remediation.

Data in transit to and from Heroku is protected with TLS/SSL using 256-bit cipher suites. In addition, GoCo:

  • Protects sensitive stored data with bcrypt (a salted, one-way password hash; it is suited to credentials that only need to be verified, not to data that must be read back)
  • Protects links to documents with signed URLs that expire
  • Secures user sessions with an expiring access token
  • Keeps audit trails of all user behavior
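The "signed URLs that expire" item above names a technique without showing it. The following is an added example (not GoCo's or Heroku's code) of the usual construction: the server MACs the document path together with an expiry timestamp, appends both to the link, and on every request recomputes the MAC in constant time and rejects any link whose signature does not match or whose expiry has passed. The same pattern is what an expiring access token boils down to. The signing key, paths, and timestamps here are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side secret; a real deployment loads this from a
# secrets manager and rotates it.  Never embed it in the URL itself.
SECRET_KEY = b"example-signing-key-not-for-production"


def _signature(key: bytes, path: str, expires: int) -> str:
    # Sign the canonical string "path\nexpires" so that neither the path
    # nor the expiry can be altered without invalidating the MAC.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, key: bytes = SECRET_KEY,
             now: Optional[int] = None) -> str:
    """Return path?expires=<unix time>&sig=<hex HMAC> valid for ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = _signature(key, path, expires)
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, key: bytes = SECRET_KEY,
               now: Optional[int] = None) -> Tuple[bool, str]:
    """Check a signed URL; returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameters"

    expected = _signature(key, parts.path, expires)
    # compare_digest is constant-time, so an attacker cannot learn the
    # correct MAC byte by byte from response timing.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    # The signature is checked first so that a forged expiry cannot be used
    # to probe which timestamps the server would accept.
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo: a 10-minute link to a hypothetical payroll document.
    issued = 1_700_000_000
    link = sign_url("/docs/w2-2023.pdf", 600, now=issued)
    print(link)
    print(verify_url(link, now=issued + 30))                          # accepted
    print(verify_url(link, now=issued + 600))                         # expired
    print(verify_url(link.replace("w2-2023", "w2-2024"), now=issued)) # tampered path
```

Because the expiry is covered by the MAC, extending the lifetime by editing `expires` in the link fails with "bad signature" rather than "expired"; a link that was never signed at all fails the parameter check before any cryptography runs.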

Investments & Partnerships

Benefit enrollments, disenrollments, and changes are processed by Digital Insurance, Inc. (doing business as OneDigital). OneDigital is an industry leader in benefits processing with over 1.4M lives under management and is the largest employee benefits broker for small groups in the United States. It is also a subsidiary of Fidelity National Financial (NYSE: FNF), a publicly traded company.

OneDigital is not only GoCo’s partner, but also an investor. They invested $1.625M in GoCo in October 2015.

HIPAA Compliance

HIPAA (Health Insurance Portability and Accountability Act of 1996) sets procedures and guidelines for maintaining the privacy and security of personally identifiable health information.

In order for GoCo and OneDigital to manage your insurance (health, dental, vision, etc.) and process enrollments, terminations, changes, audits, billing inquiries, etc., we occasionally need access to some PHI (protected health information: individually identifiable information about a person's health care or about payment for it).

As a Business Associate, GoCo protects PHI in accordance with the Health Insurance Portability and Accountability Act (HIPAA). We aim to disclose no more information than the minimum required to process your enrollments, insurance payments, etc., and we strictly control who has access to that information, as outlined in the “Employee Access” section.

In 45 CFR 160.103, a “Business Associate” is defined as a person that creates, receives, maintains, or transmits protected health information [… for the purposes of …] claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing.

Data Ownership

In order for us to provide some of our services, we may need access to your company’s payroll account, insurance accounts, and accounts from other third-party institutions.

However, you can stop using GoCo at any time for any reason. Upon written request, we will permanently delete all your company data, all of your third-party account information, and all employee data from our records within 30 days (typically sooner). Should you need it, your data will be available for export to an authorized representative of your company prior to deletion.


All access to, and changes of, your company and employee information are logged to assist with troubleshooting and investigations. The audit trail is readily accessible to all customers directly from the interface.

Employee Access

GoCo limits access to your nonpublic personal information to employees who have a business reason to know such information. We implement security practices and procedures designed to protect the confidentiality and security of such information and prohibit its unlawful disclosure.

Further, the GoCo employees directly responsible for managing customer accounts have all passed a pre-employment background check and are licensed health insurance agents.

Benefit changes themselves are processed by OneDigital. Enrollment, disenrollment, and benefit change tasks are assigned to the OneDigital team members responsible for executing them, and those individuals' information access is limited to what their assigned tasks require.


Digital Insurance, Inc. will be your broker on record. You can review applicable state licenses here.

In addition, GoCo is a licensed agency in several states. The license number in our domestic state (Texas) is 2002715.

Additional Information

GoCo is located at:
16825 Northchase Dr, Ste 100
Houston, TX 77060

You can review more information about GoCo’s founding team and board of directors here.