OUR SECURITY STANDARDS

Paycom employs comprehensive, in-depth and industry-proven standards and technologies to protect and defend customer data in our environment. As one of the few payroll processors to be ISO 27001, ISO 9001, ISO 22301 and SOC 2-certified, Paycom’s information security management and quality management systems are formally audited and certified.

Our Commitment

• 256-bit encryption technology to protect all information, at rest and in transit over the internet • intrusion-detection systems to monitor attempts of unauthorized access • least-privilege principles in provisioning access • next-generation firewalls to protect our systems and networks • redundant infrastructure for high performance and fail-over capabilities • diverse load-balanced internet lines serviced by multiple network providers • data loss prevention and traffic monitoring • multi-factor authentication • ongoing website-penetration audit testing for vulnerabilities • real-time backups to off-site locations • secured, monitored and redundant data centers with full battery and generator power • employee accountability for complying with our Information Security Policy and Procedures, including pre-hire background checks • formal risk-management program, including vendor management and security awareness training and exercises • 24/7 security

Security Features Include

IP Filtering for Time Clocks: This optional feature only allows a user to clock in to the system from a computer whose IP address has been registered with Paycom. This prevents users from clocking in from home, smartphones or other unauthorized locations.

IP Filtering for Direct Deposit Changes: Direct deposit routing and account numbers can be changed only from a computer whose IP address has been registered with Paycom.

Security Questions: When logging onto the system for the first time, a user must answer five security questions. Subsequently, if the user attempts to log on from another computer, the user must answer two of the five security questions.

Customizable Access Profiles: Custom access profiles can be assigned to administrators or personnel who have the need to access sensitive fields, such as Social Security numbers and direct-deposit account numbers. Paycom, by default, does not allow users to view sensitive fields, but any of our customers’ User Administrators can enable it for any of their users.

Authorized Administrators: Users who can discuss sensitive information including Social Security numbers, direct-deposit numbers, pay rates, etc. must have three personal answers registered with Paycom. Your payroll specialist will verify this information every time they receive a call or email from that user pertaining to sensitive information.

Changes to Direct Deposits: After a direct-deposit routing number or account number is changed, the next payroll will include a screen detailing which direct-deposit changes have been modified since the last payroll.

Payroll Confirmation Email: After a payroll has been run, an email is sent to all User Administrators, along with anyone else they designate, informing them that a payroll has processed.

Customer Contributions

Paycom is committed to protecting the security and privacy of all customer information. Customers are responsible for adopting their own effective internal controls regarding access to Paycom’s payroll system and their sensitive information.

Paycom recommends the following to help you protect your information when accessing our services:

• Protect your ID (username) and password, by keeping it unique and known only to you • Choose a password that is at least eight characters, alphanumeric, and difficult to guess • Avoid using an easily guessed password, such as birthdates or a child’s name • Change your password at least every 90 days • Avoid writing your password down and keeping it in places where others can find it • Always use the “LOGOUT” button to log out of Paycom’s online system, and close the browser • Do not allow your browser to save usernames and/or passwords • Utilize all of Paycom’s enhanced security features, including security questions and IP filtering • Install antivirus software and keep system security patches up-to-date

Paycom will NEVER

• ask you to submit or change your account information through email • ask for your online password • ask you to log onto our site through email • email you about a digital certificate to access the system If you ever receive an email from Paycom which appears to be suspect, please notify your dedicated Paycom specialist.

YOUR EMPLOYEES’ DATA AND OUR MOBILE APP

Paycom holds all confidential information in the strictest of confidence. We take the same degree of care and caution to prevent its unauthorized disclosure as we do with our own, including measures required by applicable privacy law. To ensure security of your employees’ nonpublic personal information, data is encrypted while in transport over the internet and while in storage. Additionally, data entered through our application is not used for any purpose other than to provide our services. We do not share nonpublic personal data with any third parties unless it is necessary to provide services on behalf of our clients. Examples of these third parties include the IRS, state unemployment agencies, state income agencies, workers’ compensation auditors, 401(k) administrators and entities that participate in the Nacha program for funds transfer purposes.

Paycom.com | 800.580.4505

OUR SECURITY STANDARDS

Paycom employs comprehensive, in-depth and industry-proven standards and technologies to protect and defend customer data in our environment. As one of the few payroll processors to be ISO 27001, ISO 9001, ISO 22301 and SOC 2-certified, Paycom’s information security management and quality management systems are formally audited and certified.

Our Commitment

• 256-bit encryption technology to protect all information, at rest and in transit over the internet • intrusion-detection systems to monitor attempts of unauthorized access • least-privilege principles in provisioning access • next-generation firewalls to protect our systems and networks • redundant infrastructure for high performance and fail-over capabilities • diverse load-balanced internet lines serviced by multiple network providers • data loss prevention and traffic monitoring • multi-factor authentication • ongoing website-penetration audit testing for vulnerabilities • real-time backups to off-site locations • secured, monitored and redundant data centers with full battery and generator power • employee accountability for complying with our Information Security Policy and Procedures, including pre-hire background checks • formal risk-management program, including vendor management and security awareness training and exercises • 24/7 security

Security Features Include

IP Filtering for Time Clocks: This optional feature only allows a user to clock in to the system from a computer whose IP address has been registered with Paycom. This prevents users from clocking in from home, smartphones or other unauthorized locations.

IP Filtering for Direct Deposit Changes: Direct deposit routing and account numbers can be changed only from a computer whose IP address has been registered with Paycom.

Security Questions: When logging onto the system for the first time, a user must answer five security questions. Subsequently, if the user attempts to log on from another computer, the user must answer two of the five security questions.

Customizable Access Profiles: Custom access profiles can be assigned to administrators or personnel who have the need to access sensitive fields, such as Social Security numbers and direct-deposit account numbers. Paycom, by default, does not allow users to view sensitive fields, but any of our customers’ User Administrators can enable it for any of their users.

Authorized Administrators: Users who can discuss sensitive information including Social Security numbers, direct-deposit numbers, pay rates, etc. must have three personal answers registered with Paycom. Your payroll specialist will verify this information every time they receive a call or email from that user pertaining to sensitive information.

Changes to Direct Deposits: After a direct-deposit routing number or account number is changed, the next payroll will include a screen detailing which direct-deposit changes have been modified since the last payroll.

Payroll Confirmation Email: After a payroll has been run, an email is sent to all User Administrators, along with anyone else they designate, informing them that a payroll has processed.

Customer Contributions

Paycom is committed to protecting the security and privacy of all customer information. Customers are responsible for adopting their own effective internal controls regarding access to Paycom’s payroll system and their sensitive information.

Paycom recommends the following to help you protect your information when accessing our services:

• Protect your ID (username) and password, by keeping it unique and known only to you • Choose a password that is at least eight characters, alphanumeric, and difficult to guess • Avoid using an easily guessed password, such as birthdates or a child’s name • Change your password at least every 90 days • Avoid writing your password down and keeping it in places where others can find it • Always use the “LOGOUT” button to log out of Paycom’s online system, and close the browser • Do not allow your browser to save usernames and/or passwords • Utilize all of Paycom’s enhanced security features, including security questions and IP filtering • Install antivirus software and keep system security patches up-to-date

Paycom will NEVER

• ask you to submit or change your account information through email • ask for your online password • ask you to log onto our site through email • email you about a digital certificate to access the system If you ever receive an email from Paycom which appears to be suspect, please notify your dedicated Paycom specialist.

YOUR EMPLOYEES’ DATA AND OUR MOBILE APP

Paycom holds all confidential information in the strictest of confidence. We take the same degree of care and caution to prevent its unauthorized disclosure as we do with our own, including measures required by applicable privacy law. To ensure security of your employees’ nonpublic personal information, data is encrypted while in transport over the internet and while in storage. Additionally, data entered through our application is not used for any purpose other than to provide our services. We do not share nonpublic personal data with any third parties unless it is necessary to provide services on behalf of our clients. Examples of these third parties include the IRS, state unemployment agencies, state income agencies, workers’ compensation auditors, 401(k) administrators and entities that participate in the Nacha program for funds transfer purposes.

Paycom.com | 800.580.4505