Before gaining access to Gusto’s production API, all developers are subject to Gusto’s standard security and compliance review. As an official Gusto development partner, Finch will work closely with you to support you through your onboarding journey. Please note, this process can take several weeks once you have confirmed you have the security requirements in place. There is no fast track process for this review. The onboarding process consists of the following steps: Step 1: Inform Finch and vet security requirements Step 2: Create an account in Gusto’s Developer Portal Step 3: Complete the Gusto Onboarding Questionnaire Step 4: Assist Gusto Security Review Step 5: Enable your Gusto Integration Step 6: Connect your Employers! The remainder of this page outlines these steps in greater detail.

Step 1: Inform Finch and Vet Security Requirements

[1-2 Days] For all integrations with Gusto through Finch, Finch will be coordinating the required security review process between your team and Gusto. To initiate this process, contact your Developer Success Engineer. If you do not have an assigned Developer Success Engineer, please send an email to implementation-team@tryfinch.com. The security requirements vary based on the data fields you request so please include those in your communication. Here is a template you can use to reach out to us: 
Hello [Developer Success Engineer Name or Finch Support],
We are reaching out to notify you that we would like to start the Gusto Onboarding process.

We will require access to [XYZ] data fields.

Thank you!
We will share the Gusto Security requirements with you and confirm that you have the requisite controls in place in order to be able to pass Gusto’s Security Review. During this stage of the process we can answer questions about any specific security requirements. If you do not have all of the requirements, we will pause the process. Once you have confirmed you meet all the requirements, you can continue with the following steps.

Step 2: Create an account in Gusto’s Developer Portal

[5 minutes] Gusto requires that all developers be set up in their Developer Portal. Finch offers a managed service by default where we will create and manage your DevPortal “organization” - all you need to do is sign up for a DevPortal account and we’ll take it from there. If you are prompted to create an organization, you can select “I am joining an existing developer organization”. Gusto will check if an organization exists for you in their system and add you to it. If one does not exist, they will create a new one. gusto-create-org-prompt.png Note: Gusto will create your organization and add both your and our user accounts as a part of the onboarding process Please reach out to your Developer Success Representative or implementation-team@tryfinch.com if you have any questions. gusto-signup.gif

Step 3: Complete Gusto’s Onboarding Questionnaire

[30 minutes to 1 hour] Once Finch has confirmed that you have the required security measures in place (Step 1) we will send you a link to the Gusto Onboarding Questionnaire. The questionnaire will ask you about your company, Gusto integration requirements, and your security and control environment (such as whether you have physical security controls, if data is encrypted, etc.). Please ensure to include all supporting documents as they will be necessary for Gusto to complete the review. The requirements for each developer will depend upon the sensitivity of the data access requested. If you have a SOC 2 Type 2 Report, ISO 27001 Certificate, or PCI Certificate, you will be shown a simplified questionnaire and your review process will be expedited. If you do not have one of these reports, and you require data access to sensitive PII (e.g., benefits data), please contact your Developer Success Engineer (or email implementation-team@tryfinch.com) to discuss if you would like to proceed without that data or postpone until you have the required sequirity documentation. We understand that answering the questionnaire can be time-consuming but it is a necessary step in ensuring that your application meets Gusto’s data security requirements. In rare cases, Gusto may not approve an application for production access for a reason other than security concerns, such as for a use case Gusto prohibits on their platform (e.g. mature content, etc.). If you have questions on how to respond to a specific question, please don’t hesitate to reach out to your Developer Success Engineer or implementation-team@tryfinch.com. Guidance for a successful questionnaire submission:
  1. Be thorough: Provide as much detail as possible in your responses. The more information you provide, the easier it will be for Gusto to understand your application and its security controls. Your responses are used to configure the data scopes for your application. If you do not provide sufficient details, your integration may not be set up with the correct data scopes and you will need to fill out an additional form to request a scope increase.
  2. Be honest: If you don’t have a specific security control in place, don’t say you do. Please implement it before you submit your application.
  3. Be responsive: If Gusto requests additional information or clarification, please respond promptly. Delays in responding to Gusto’s requests can impact when production access will be made available to you.
  4. Be patient: The security review process can take time. Gusto will work with you to ensure that your application meets their security requirements. If you have questions about the status of your review, please reach out to your Developer Success Engineer or implementation-team@tryfinch.com.
  5. Be prepared: Ensure that you have all the necessary documentation ready to submit with your questionnaire. This includes any security policies, procedures, and controls that you have in place.

Step 4: Assist Gusto Security Review

[1 to 2 weeks] After you submit the questionnaire, Gusto will conduct a security review via a third party called VISO Trust. The VISO Trust process typically takes one week. In most cases, nothing further will be needed from you; however, we, Gusto or VISO Trust may reach out for additional information or clarification. Please respond to these requests timely, as any delays could impact when production access will be made available to you. Once you have been approved, the Gusto team will enable production access and issue production credentials within their Developer Portal. Gusto will then apply the appropriate data scopes that were requested as part of the security questionnaire to your configuration, thereby adhering to the security principle of least privilege. Finch will be notified by Gusto as soon as your account credentials are ready for use. If you are not approved for production access for security reasons, Gusto will work with us and you to resolve those issues within a reasonable timeframe.

Step 5: Enable your Gusto Integration

[1 Day] Once you pass Gusto’s security review, Gusto and Finch will work together behind the scenes to finish configuring on your behalf. Once configured, Finch will notify you that your Gusto integration can be enabled in the developer dashboard using the following directions. Navigate to the Integrations tab of your developer dashboard. Search for Gusto and click Edit. developer-dashboard-gusto.png Toggle Integration Status to Enabled and click Done. enable-gusto.png Your Gusto integration is now configured and enabled! Your customers will now see Gusto in Finch Connect.

Step 6: Connect your Employers!

Your employers can then go through Finch Connect and connect to their Gusto account to authorize your application for data access!

Additional resources

If you have any questions, please do not hesitate to reach out to your Finch Developer Success Engineer or implementation-team@tryfinch.com. We look forward to working with you to provide a seamless integration with Gusto. We understand that this process can be complex and we are here to help you every step of the way.