Step 1: Inform Finch and Vet Security Requirements
[1-2 Days] All Gusto integrations through Finch require a one-time security review. Finch coordinates this process between your team and Gusto. To get started, submit a Gusto Security Review Request. The form will prompt you to specify which data fields you’re requesting, as requirements vary based on your data access needs. We’ll review your submission, confirm your security controls meet Gusto’s requirements, and answer any questions. Once all requirements are confirmed, we’ll send you a link to the Gusto Onboarding Questionnaire (Step 3). Note that our response may take longer than 1–2 days depending on your responses and any follow-up required. In the meantime, you can proceed to Step 2.Step 2: Create an account in Gusto’s Developer Portal
[5 minutes] Gusto requires that all developers be set up in their Developer Portal. Finch offers a managed service by default where we will create and manage your DevPortal “organization” - all you need to do is sign up for a DevPortal account and we’ll take it from there. If you are prompted to create an organization, you can select “I am joining an existing developer organization”. Gusto will check if an organization exists for you in their system and add you to it. If one does not exist, they will create a new one.
Step 3: Complete Gusto’s Onboarding Questionnaire
[30 minutes to 1 hour] Once Finch has confirmed that you have the required security measures in place (Step 1) we will send you a link to the Gusto Onboarding Questionnaire. The questionnaire will ask you about your company, Gusto integration requirements, and your security and control environment (such as whether you have physical security controls, if data is encrypted, etc.). Please ensure to include all supporting documents as they will be necessary for Gusto to complete the review. The requirements for each developer will depend upon the sensitivity of the data access requested. If you have a SOC 2 Type 2 Report, ISO 27001 Certificate, or PCI Certificate, you will be shown a simplified questionnaire and your review process will be expedited. If you do not have one of these reports, and you require data access to sensitive PII (e.g., benefits data), please contact your Developer Success Engineer (or email implementation-team@tryfinch.com) to discuss if you would like to proceed without that data or postpone until you have the required sequirity documentation. We understand that answering the questionnaire can be time-consuming but it is a necessary step in ensuring that your application meets Gusto’s data security requirements. In rare cases, Gusto may not approve an application for production access for a reason other than security concerns, such as for a use case Gusto prohibits on their platform (e.g. mature content, etc.). If you have questions on how to respond to a specific question, please don’t hesitate to reach out to your Developer Success Engineer or implementation-team@tryfinch.com. Guidance for a successful questionnaire submission:- Be prepared: Have all supporting documentation ready before you begin — this includes security policies, procedures, and controls. Incomplete submissions will slow down your review.
- Be honest: Only attest to security controls you have fully implemented. If a control is not yet in place, implement it before submitting.
- Be thorough: Provide as much detail as possible. Your responses are used to configure your data scopes — insufficient detail may result in incorrect scope configuration and require a separate form to request an increase.
- Be responsive: If Gusto requests additional information, respond to them directly and promptly. Delays can impact when production access is granted.
- Be patient: The review process can take time — Gusto typically takes at least 2 weeks to respond. If you have questions about the status of your review, reply on the issue thread from Step 1.
Step 4: Assist Gusto Security Review
[2 to 4 weeks] After you submit the questionnaire, Gusto will conduct a security review via a third party called VISO Trust. The VISO Trust process typically takes one week. In most cases, nothing further will be needed from you; however, we, Gusto or VISO Trust may reach out for additional information or clarification. Please respond to these requests timely, as any delays could impact when production access will be made available to you. Once you have been approved, the Gusto team will enable production access and issue production credentials within their Developer Portal. Gusto will then apply the appropriate data scopes that were requested as part of the security questionnaire to your configuration, thereby adhering to the security principle of least privilege. Finch will be notified by Gusto as soon as your account credentials are ready for use. If you are not approved for production access for security reasons, Gusto will work with us and you to resolve those issues within a reasonable timeframe.Step 5: Enable your Gusto Integration
[1 Day] Once you pass Gusto’s security review, Gusto and Finch will work together behind the scenes to finish configuring on your behalf. Once configured, Finch will notify you that your Gusto integration can be enabled in the developer dashboard using the following directions. Navigate to the Integrations tab of your developer dashboard. Search for Gusto and click Edit.
Step 6: Connect your Employers!
Your employers can then go through Finch Connect and connect to their Gusto account to authorize your application for data access!If you have any questions, please do not hesitate to reach out to your Finch Developer Success Engineer or implementation-team@tryfinch.com. We look forward to working with you to provide a seamless integration with Gusto. We understand that this process can be complex and we are here to help you every step of the way.