Skip to content
Independently verified · Quarterly re-audit
EU VETTED

HiBob

VERIFIED
HR & people · United Kingdom
Founded 2015 · hibob.com ↗

Israeli-founded modern HRIS for mid-market (Tel Aviv + London); 5,000+ customers, heavy US VC, mostly listed for completeness.

In short

HiBob, in the HR & people category, offers EU hosting with United Kingdom as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.

Assessment notes

HiBob is Israeli-headquartered (Tel Aviv) with London as a major secondary office and offices in NYC, Amsterdam, Berlin, Lisbon, Sydney, Zagreb. country_iso set to GB reflects EU-buyer-facing brand but ownership_signal is eu_hq_us_funded due to Israeli HQ + heavy US VC funding (General Atlantic, Bain Capital Ventures, Insight Partners, Battery Ventures); CLOUD Act exposure material; non-EU HQ, US-VC-controlled, and no public DPA or sub-processor disclosure identified, the weakest sovereignty profile in the HR set.

CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About HiBob

HiBob (the "bob" platform) was founded in Tel Aviv in 2015 and operates a significant London office, with additional presence in New York, Amsterdam, Berlin, Lisbon, Sydney, and Zagreb. Targets mid-market (50-2,000 employees) with a modern HRIS UX. Compliance: ISO 27001 + SOC 2 certified. But the sovereignty / procurement story is weak: Israeli HQ + heavy US VC funding (General Atlantic, Bain Capital Ventures, Insight Partners, Battery Ventures) means HiBob is the least "European" entry in this HR set. Listed for completeness and to flag the misperception that "London office" implies "European company". For compliance-driven EU procurement HiBob fits the alternative-to-BambooHR slot but with material caveats.

SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
SOC 2
ACTIVE
Informational · US framework
FEATURES

Capability matrix

Payroll Yes
Time tracking Yes
Employee records Yes
Time-off / leave Yes
Recruiting (ATS) Yes
Onboarding Yes
Performance reviews Yes
Org chart Yes
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option No
PRICING

Pricing & tiers

PAID
Custom pricing

Contact vendor for tier or volume pricing.

View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    www.hibob.com/privacy…
    Open ↗
ALTERNATIVES

Alternatives in this category

Factorial
Spain · Founded 2016
EU-HOSTED

Spanish HR + payroll + finance SaaS (Barcelona, est. 2016); 16K+ customers, ISO 27001 + SOC 2 + AWS EU, US-VC-funded.

Public DPA Sub-processors Open source
FROM
€7/mo
CLOUD ACT
MATERIAL
Lucca
France · Founded 2002
EU-SOVEREIGN

French sovereign-cloud HR platform (Nantes / Paris, est. 2002); SecNumCloud + ISO 27001; 1M+ users incl. AXA, Deezer.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
NONE
Personio
Germany · Founded 2015
EU-HOSTED

Munich-based HR flagship for European SMBs (founded 2015); ISO 27001 + SOC 2 + TISAX; ~$770M US-VC-funded.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MATERIAL