Scenario

CloudPayroll — Series C fintech expanding to APAC

CloudPayroll is a 120-person Series C fintech based in San Francisco. They provide a cloud-based payroll and benefits platform for small and mid-size businesses. They currently serve 2,000 US customers and are preparing to expand to Australia and Singapore in Q2. The company processes employee PII including Social Security numbers, bank account numbers, and salary data for all of their customers' employees.

• SOC 2 Type II certified, considering ISO 27001 for APAC market credibility

• All infrastructure runs on GCP (single region us-central1)

• 8 engineers on platform team, 35 total in engineering

• Recently acquired a small EU-based benefits startup (5 employees, separate AWS infrastructure not yet integrated)

• Uses a third-party payroll tax calculation API (US-based vendor, no formal vendor risk assessment completed)

• No formal third-party risk management program

• Security team: 1 security engineer, 1 GRC analyst (you)

• Employee laptops are MDM-enrolled via Jamf, but no conditional access policies enforced

• Production database backups are daily, stored in the same GCP region

• No documented business continuity or disaster recovery plan