
How Drata Uses HRIS Data

This article explains how Drata connects to HRIS systems, what employee data is accessed, how that data is stored and used, and what options are available if no HRIS integration is in place.

⚠️ Select your experience

Learn how Drata uses HRIS data. Select a link below to jump to the instructions for your interface version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.

Instructions for the New Experience ⬇️

Connecting an HRIS to Drata allows Drata to accurately determine which employees are in scope for compliance by tracking employment status, start dates, and separation dates.

Drata uses this information to support compliance workflows such as onboarding, offboarding, access reviews, and audit readiness. HRIS data is read-only and is never modified by Drata.

How Drata Communicates With HRIS Systems

  1. The initial HRIS connection in Drata establishes secure authentication.

  2. Once connected, Drata makes a limited number of API requests every 24 hours using a standardized data model that is intentionally limited to a small set of employee data points.

  3. The HRIS system returns the requested data to Drata.

Data Points Drata Accesses

Drata is granted read-only access to HRIS data. The exact fields available depend on the HRIS provider, but may include:

  • First and last name

  • Work email

  • Personal email

  • Employment status

  • Start date / hire date

  • Separation or termination date

  • Job title

  • Manager

  • Team or group information

  • Employee identifier (such as employee number)

Provider-specific note: ADP Workforce

The ADP Workforce integration requires elevated API permissions (Practitioner Role) to generate reports. While this increases the scope of accessible data at the API level, the data Drata actually uses remains the same as with other HRIS integrations.

Data Drata does not access

Drata never requests, receives, or stores the following data:

  • Social Security numbers

  • Date of birth

  • Gender or ethnicity

  • Home address or location

  • Marital status

  • Phone number

  • Pay group or compensation data

  • Work location

How Drata stores HRIS data

Drata uses a single-tenant database architecture, meaning each customer’s data is stored in a fully isolated environment.

Only the minimum required employee attributes are stored, such as:

  • Name

  • Work email

  • Personal email (when applicable)

  • Employment start and end dates

  • Job title

  • Employment status

HRIS and identity provider (IdP) record mapping

When both an HRIS and an identity provider (IdP) are connected, Drata maps records between the two systems.

Mapping is performed automatically using:

  • Matching email addresses, or

  • Matching first and last names when email matching is not possible

If Drata cannot confidently match a record, the personnel entry is marked with an employment status of Unknown on the Personnel page.

Why HRIS data matters for compliance

HRIS data serves as the source of truth for:

  • Employment status (current vs. former)

  • Hire dates

  • Separation or termination dates

These fields are critical for audit readiness and personnel compliance. For example:

  • Hire and termination dates determine who is in scope during an audit period

  • Employment status determines onboarding and offboarding requirements

  • Former employees are evaluated to confirm access removal and offboarding completion

Any updates to these values should originate in the HRIS whenever possible.
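An added illustration of the record-mapping rules and the former-employee access check described above. This is not Drata's code or API; the record shapes, the rule that a name match counts as confident only when it is unique, and all sample data are assumptions constructed here.

```python
from collections import namedtuple
from datetime import date

# Illustrative record shapes (assumptions, not a Drata schema)
HrisRecord = namedtuple("HrisRecord", "first last work_email status separation", defaults=[None])
IdpAccount = namedtuple("IdpAccount", "first last email active")

def _name_key(first, last):
    return (first.strip().lower(), last.strip().lower())

def map_records(hris, idp):
    """Map each IdP email to (employment status, matched HRIS record or None)."""
    by_email = {h.work_email.lower(): h for h in hris}
    by_name = {}
    for h in hris:
        by_name.setdefault(_name_key(h.first, h.last), []).append(h)
    mapped = {}
    for acct in idp:
        match = by_email.get(acct.email.lower())      # 1) match on email
        if match is None:                             # 2) fall back to first + last name
            same_name = by_name.get(_name_key(acct.first, acct.last), [])
            # Assumption: a name match is "confident" only when it is unique.
            match = same_name[0] if len(same_name) == 1 else None
        mapped[acct.email] = (match.status if match else "Unknown", match)
    return mapped

def offboarding_gaps(hris, idp):
    """Active IdP accounts whose mapped HRIS record is Former, with separation date."""
    mapped = map_records(hris, idp)
    return sorted((a.email, mapped[a.email][1].separation)
                  for a in idp if a.active and mapped[a.email][0] == "Former")

# Constructed sample data
HRIS = [HrisRecord("Ana", "Diaz", "ana.diaz@example.com", "Current"),
        HrisRecord("Ben", "Cole", "ben.cole@example.com", "Former", date(2025, 3, 31)),
        HrisRecord("Sam", "Lee", "sam.lee@example.com", "Current"),
        HrisRecord("Sam", "Lee", "s.lee2@example.com", "Former", date(2025, 1, 15)),
        HrisRecord("Kim", "Park", "kim.park@example.com", "Former", date(2025, 2, 28))]
IDP = [IdpAccount("Ana", "Diaz", "ana.diaz@example.com", True),
       IdpAccount("Ben", "Cole", "bcole@example.com", True),       # email differs, name unique
       IdpAccount("Sam", "Lee", "slee@example.com", True),         # name is ambiguous
       IdpAccount("Kim", "Park", "kim.park@example.com", False),   # already deactivated
       IdpAccount("Svc", "Backup", "svc-backup@example.com", True)]  # no HRIS record
```

Accounts that come back as Unknown are worth reviewing by hand, since an unmatched active account is never evaluated by the offboarding check.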

What happens if no HRIS is connected

If no HRIS integration is connected, Drata relies on identity provider (IdP) data to infer employment status:

  • Account activation date → hire date

  • Account deactivation date → separation date

If these dates do not align with official HR records, manual adjustments may be required.

Note: Contractor status is not inferred automatically and must be managed manually.

Options for managing employee data without HRIS

If an HRIS is not connected, you can manage employee data using one of the following approaches.

Option 1: Manual updates in Drata

Update employment status, start date, or separation date directly on the Personnel page.

  • Manual updates usually stop syncing with the IdP.

  • A Drata admin can restore syncing if needed.

  • To restore syncing:

    1. Select the checkmark next to the user.

    2. Select More > Re-enable IdP/HRIS sync.

Sync status is visible on the Personnel page.

Option 2: Bulk import

Upload a spreadsheet containing employee details such as name, email, start date, separation date, and employment status. Important considerations:

  • This is a manual, ongoing process

  • Uploads may take time to process

  • Manual updates stop IdP syncing unless reverted

Option 3: Custom automation using the API

Build an internal automation that updates personnel records using the Drata API. Important considerations:

  • Requires development resources

  • API-driven updates are treated as manual updates

  • IdP syncing is paused for affected records

Learn more in the Drata API documentation.

Option 4: Okta custom attributes (Okta only)

If Okta is your IdP, HR teams can manage employment data using custom attributes:

  • drataStartDate (string): employee start date

  • drataContractor (boolean): contractor vs employee

Drata automatically ingests these attributes without breaking Okta syncing.

Limitation: Separation date is not supported in this configuration. Separation is inferred from Okta account deactivation.


Instructions for the Classic Experience ⬇️

This article explains how Drata connects to HRIS systems, what employee data is accessed, how that data is stored and used, and what options are available if no HRIS integration is in place.

How Drata Communicates With HRIS Systems

  1. The initial HRIS connection in Drata establishes secure authentication.

  2. Once connected, Drata makes a limited number of API requests every 24 hours using a standardized data model that is intentionally limited to a small set of employee data points.

  3. The HRIS system returns the requested data to Drata.

Data Points Drata Accesses

Drata is granted read-only access and cannot modify any employee data in the HRIS system. You can review the data imported by:

  1. Logging into Drata

  2. Navigating to Connections

  3. Filtering the connections by HRIS and, for the desired HRIS, selecting Manage Accounts

The following data points may be enabled and accessed, depending on the HRIS provider:

  • Avatar

  • Company

  • Employee number

  • Employment status

  • First name

  • Last name

  • Groups

  • Hire date

  • Start date

  • Team

  • Termination date

  • Work email

  • Manager

  • Personal email

    • Personal email addresses are used only to support identity matching across integrations where personal emails are required (such as background check or version control connections).

    • Personal email addresses are not displayed in user profiles within Drata.

Note about ADP Workforce: The ADP Workforce integration requires a different set of API permissions in order to generate a report. This requires the Practitioner Role to be enabled, which increases the scope of data points accessible by the service account, although the data utilized by Drata remains the same.

Data Points Drata Does Not Access

The following data points are never requested, never received, and never stored by Drata:

  • Social Security number

  • Date of birth

  • Ethnicity

  • Gender

  • Home location

  • Marital status

  • Phone number

  • Pay group

  • Work location

How Drata Stores Customer Data

Drata uses a single-tenant database architecture, where each customer has their own private database (tenant) within the server, totally isolated from other customer data. The only data points that Drata stores in its secure, single-tenant databases are work email, personal email, employment start and end dates, first and last name, job title, and employment status. Each customer database is essentially its own universe and will not be mixed with other customer data.

For additional information on Drata’s monitored security practices, visit our Trust Center.

HRIS and Identity Provider (IdP) Record Mapping

Drata maps the personnel records from the identity provider connection to the employee records from the HRIS system. Drata will automatically map HRIS records to IdP records based on matching emails or standalone first and last name. In the event a match cannot be made, Drata will mark these records with an employment status of “Unknown” on the Drata Personnel page.

Importance of HRIS data

The HRIS data is the source of truth for start date, separation date, and employment status. Any changes to these values should originate in the connected HRIS.

Incorporating employee data from the HRIS system adds vital employment details for evaluating the employees’ security and compliance. The HRIS connection establishes who the in-scope personnel are for the purposes of an audit and a potential random sample selection by the auditor.

For example, hire date and termination date are key to identifying current vs. terminated employees. Current employment statuses establish who needs to be monitored for onboarding and app access. Former employment statuses enable the system to track those who have left the company and check for completed offboarding processes.

What Happens If No HRIS Integration Is Connected

Without an HRIS connection, Drata relies on IdP account activation and deactivation dates as the employee’s start and separation dates. These dates are used to infer employment status as either Current or Former. If IdP activation or deactivation dates differ from official HR records, hire and termination dates may require manual adjustment.

Note: Contractor employment status is not inferred automatically and must be updated manually.

Below you will find four options to update employee details in Drata.

Option 1: Manually Manage Employee Records in the UI

Update employment status, hire date, and separation date directly on the Personnel page for individual users.

In most cases (except the Okta configuration described below), manual updates cause the personnel record to stop syncing with the IdP. A Drata admin can revert the manual changes at any time to restore syncing with the IdP. Track manual updates in the Sync Status column on the Personnel page.

Option 2: Bulk import data

Upload a spreadsheet containing employee name, email, start date, separation date, and employment status.

Important:

  • This is a manual, ongoing process that may require additional HR resources.

  • Uploads may take several days to process and will need to be updated on a regular basis.

  • Manual updates stop IdP syncing unless reverted by a Drata admin.

  • A Drata admin can revert the manual updates at any time and resync the personnel record with the connected IdP. Until then, the import is considered a manual update in Drata: the personnel record honors the manual modifications and stops syncing with the IdP.

Option 3: Build a Custom Automation Using the API

Create and manage an automation that uses the Drata API to update employee records, such as a POST request to update contract dates and a POST request to update employment status. Learn more about Drata's API.

Important:

  • This approach requires development resources to build and maintain.

  • API-driven updates are considered manual updates and stop IdP syncing.

Option 4: Use Okta Custom Attributes (Okta Only)

If Okta is your Identity Provider, the HR team can set up two custom attributes in Okta to track employee start date and the employment status.

  • drataStartDate (string): Employee start date

  • drataContractor (boolean): Contractor or employee status

Drata automatically ingests these attributes, allowing personnel records to continue syncing with Okta without manual updates.

Important: Separation date is not supported in this configuration. The separation date remains the date the Okta account is deactivated.
