HR & people
HR and people platforms manage employee records, payroll, onboarding, and performance — processing some of the most sensitive personal data an organisation holds. For EU buyers, CLOUD Act exposure and EU data-residency commitments are the key criteria. Top-rated EU options on EU Vetted include Lucca (France, 5/5) and Sage HR (UK, 4/5).
HR and people platforms centralise employee records, payroll runs, absence and leave management, onboarding workflows, and performance reviews. They are the operational backbone for organisations of any size, and they process some of the most sensitive personal data a business holds: employment contracts, salary history, health-related leave, and in some cases biometric data for time-tracking. The category spans lean HR core tools aimed at SMBs through to comprehensive HCM suites that add talent acquisition, learning management, and people analytics.
For EU buyers, the data-sensitivity of HR records makes the operator's jurisdictional exposure a primary concern, not a secondary one. An HR platform holds information that GDPR classifies as both standard personal data and, in some modules, special-category data under Article 9 — including health information and trade-union membership. If the platform is operated or ultimately owned by a US-incorporated company, the US CLOUD Act can in principle reach that data regardless of where it is physically hosted. On EU Vetted's editorial compliance score, Lucca (France, 5/5) is the only strictly EU-owned option currently in the catalogue. Personio (Germany, 3/5) and Factorial (Spain, 3/5) are European-headquartered but backed by US venture capital, which affects their corporate-structure assessment; HiBob (UK, 2/5) carries higher exposure.
The listings below show each product's country of incorporation, ownership signal, and editorial compliance score on a 1–5 scale — sourced from published DPAs and sub-processor lists. Use the ownership filter if your procurement rules require strictly EU-owned operators, or the compliance-score filter to shortlist products that meet your minimum threshold. The feature filter lets you separate HR core tools from full HCM platforms with payroll, analytics, or talent-management modules.
-
LuccaVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
French sovereign-cloud HR platform (Nantes / Paris, est. 2002); SecNumCloud + ISO 27001; 1M+ users incl. AXA, Deezer.
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned This listing EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None This listing EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
FR · 0 sub-procs Open ↗ -
Sage HRVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
Sage Group plc's HR cloud product (formerly CakeHR from Riga, acquired 2019); UK-public parent, modular SMB HR.
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other This listing Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None EU operator, no US parent, no US sub-processors of note.
-
Minor This listing A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
0 sub-procs Open ↗ -
FactorialVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
Spanish HR + payroll + finance SaaS (Barcelona, est. 2016); 16K+ customers, ISO 27001 + SOC 2 + AWS EU, US-VC-funded.
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded This listing EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material This listing US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
0 sub-procs Open ↗ -
PersonioVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
Munich-based HR flagship for European SMBs (founded 2015); ISO 27001 + SOC 2 + TISAX; ~$770M US-VC-funded.
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded This listing EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material This listing US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
DE · 0 sub-procs Open ↗ -
HiBobVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
Israeli-founded modern HRIS for mid-market (Tel Aviv + London); 5,000+ customers, heavy US VC, mostly listed for completeness.
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded This listing EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material This listing US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
0 sub-procs Open ↗
| Compare | Owner | CLOUD Act | Cert. | Sub-procs | ||||
|---|---|---|---|---|---|---|---|---|
|
Lucca
French sovereign-cloud HR platform (Nantes / Paris, est. 2002); SecNumCloud + ISO 27001; 1M+ users incl. AXA, Deezer.
|
FR
France
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
SecNumCloud
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ | |
|
Sage HR
Sage Group plc's HR cloud product (formerly CakeHR from Riga, acquired 2019); UK-public parent, modular SMB HR.
|
—
United Kingdom
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ | |
|
Factorial
Spanish HR + payroll + finance SaaS (Barcelona, est. 2016); 16K+ customers, ISO 27001 + SOC 2 + AWS EU, US-VC-funded.
|
—
Spain
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
SOC 2
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ | |
|
Personio
Munich-based HR flagship for European SMBs (founded 2015); ISO 27001 + SOC 2 + TISAX; ~$770M US-VC-funded.
|
FRANKFURT · DE
Germany
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
SOC 2
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ | |
|
HiBob
Israeli-founded modern HRIS for mid-market (Tel Aviv + London); 5,000+ customers, heavy US VC, mostly listed for completeness.
|
—
United Kingdom
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
SOC 2
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ |