You do not need another list of EOR providers in Vietnam. If your team is already shortlisting vendors, the harder question is whether each provider can prove what they promise.
An Employer of Record is the legal employer in the hiring country. In Vietnam, that usually means the provider handles employment contracts, SHUI registration, payroll, PIT withholding, and statutory employment administration while your company directs the employee’s day-to-day work.
The risk is that many EOR providers sound similar during sales calls. They may all say they handle payroll, contracts, and compliance. What separates a reliable provider from a risky one is written evidence: a clear compliance scope, a GDPR Article 28 DPA, ISO 27001 certification details, payroll SLA, onboarding timeline, offboarding process, and a contact who understands Dutch or EU operating expectations.
This guide provides a 7-criteria scorecard to compare EOR providers in Vietnam before you sign.
If you need a refresher on how the model works before comparing vendors, start with our guide to employer of record in Vietnam.
TL;DR
Most EOR providers in Vietnam can discuss payroll, SHUI registration, and employment contracts. The safer comparison is evidence-based: ask for compliance scope, ISO 27001 certificate details, a signed GDPR Article 28 DPA, written payroll SLA, onboarding timeline, offboarding SLA, and Dutch/EU-facing account support.
- If you are still researching options, use the 7 criteria below to structure your shortlist.
- If you already have two or three providers in review, jump to the scorecard and request written evidence.
- If a provider scores below 3 on GDPR DPA or payroll SLA, remove it from the shortlist even if the total price looks attractive.
Why comparing EOR providers in Vietnam requires more than a price check
In Vietnam, your EOR provider is handling employment activity that affects tax, payroll, social insurance, contracts, and employee records. If the provider misses one of those steps, the problem may not appear in the first payroll month. It may appear later, during a labor inspection, employee dispute, client due diligence review, or offboarding.
Three areas deserve attention before you compare monthly fees.
First, SHUI is not only a payroll line item. The provider needs to register the employee correctly, calculate mandatory contributions, and keep records that can be explained later. Your contract should state which SHUI obligations the EOR owns and which items stay with your company.
Second, an EU company using an EOR in Vietnam is sending employee personal data to a processor. Payslips, contracts, identity documents, tax records, and SHUI numbers are not admin noise. They are personal data. A GDPR Article 28 DPA should be signed before processing starts.
Third, your own clients may check your vendors. If your procurement questionnaires ask for ISO 27001 certification, DPAs, access control, and vendor evidence, your EOR provider can become part of your sales risk. A weak provider does not only slow HR. It can slow procurement, security review, and client onboarding.
The 7 criteria for scoring EOR providers in Vietnam
A reliable comparison needs written proof. Use each criterion below during vendor calls, RFP review, and contract negotiation.
1. Compliance scope: SHUI, PIT, contracts, and work permits
Start with one simple question: what exactly does your provider own?
A good EOR provider should explain its scope in plain terms. For Vietnam, that usually includes SHUI registration, PIT withholding and remittance, payroll processing, bilingual employment contracts, employee record handling, and work permit support when a foreign national is involved.
Ask two direct questions:
“Can you provide a sample bilingual employment contract?”
“Which government authorities do you register employees with, and which obligations remain with us?”
A weak answer sounds broad but gives no detail. A strong answer names the authorities, shows the contract format, separates employer obligations from client obligations, and explains what changes when the employee is Vietnamese versus foreign.
Reference from Vietnam Social Insurance Law 2024
2. ISO 27001 certification
Your EOR provider handles identity documents, salary data, tax numbers, contracts, and banking information. That makes information security part of the provider comparison.
ISO 27001 certification is useful because it gives you an evidence point, but only if it is current and within the right scope. Do not accept “we follow ISO standards” as the same thing as certification.
Ask:
“Can you share your current ISO 27001 certificate, including certificate number, expiry date, certification body, and scope?”
A satisfactory answer includes the certificate, current validity, and a scope that covers relevant data processing or HR operations. If the provider refuses to share the certificate or only sends a marketing statement, mark this criterion low.
3. GDPR Article 28 DPA
If your EU company uses an EOR to process employee data, your company is usually the controller and the EOR is usually the processor. That means a GDPR Article 28 DPA should be in place before the provider starts processing data.
The DPA should cover the subject matter, processing duration, type of personal data, categories of data subjects, security measures, subprocessors, assistance with data subject requests, deletion or return of data, and audit support. If employee data is transferred outside the EU/EEA, the transfer mechanism also needs to be addressed.
Ask:
“Do you sign a GDPR Article 28 DPA as standard, and does it cover Vietnam operations and cross-border data transfer?”
A strong provider already has the DPA ready. Your team should not need to explain why it is required.
4. Payroll SLA: written, not verbal
“Payroll on time” is not enough. The payroll SLA needs to be written into the service agreement or SLA annex.
Ask for the actual payroll schedule: cut-off date, approval date, payment date, escalation contact, and remedy if payroll is late. This removes the ambiguity that usually appears when payroll ownership is split across finance, HR, and a third-party provider.
Ask:
“What is your payroll SLA, and what is the remedy if payroll is late?”
A provider that says “we aim to pay on time” is asking you to trust intent. A provider that states the payroll date, escalation process, and remedy is giving you a standard your team can enforce.
Your employee should not discover payroll failure before your provider does.
For a detailed breakdown of clauses and service commitments, review what to include in your EOR contract before finalizing any agreement.
5. Onboarding timeline: documented and contractual
For a Vietnamese national, a practical EOR onboarding target is 2 to 4 weeks from signed service agreement to first payroll setup, assuming documents are complete and there is no unusual contract issue.
Foreign nationals need a different timeline because work permit steps can add processing time. Vietnam’s official work permit guidance states that processing usually takes 5 working days from receipt of a complete and valid application, but the full preparation period can be longer because the employer must collect and prepare supporting documents before filing.
Ask:
“What is your contractual onboarding timeline for a Vietnamese national, and what changes if a work permit is required?”
A good provider separates the two scenarios. A weak provider gives one timeline for every hire, then explains the delay only after the employee start date has already moved.
6. Offboarding SLA: exit, access, SHUI, and data
Offboarding is where weak EOR contracts show up.
Your provider should explain what happens on the employee’s last working day: payroll close, final PIT handling, SHUI deregistration, work permit revocation steps if relevant, access removal, equipment return support, and employee data retention or deletion.
Ask:
“What is your offboarding SLA, and how do you handle SHUI deregistration, final PIT settlement, and employee data after exit?”
A practical standard is offboarding within 24 hours for provider-controlled actions such as account actions, internal system updates, and process initiation. For government filings, ask which filings can be completed immediately and which depend on authority processing time.
This is not only an HR detail. If a departing employee still has access to systems after the termination date, your EOR issue becomes a security issue.
7. Timezone and Dutch/EU account management
For Dutch companies, the timezone gap is manageable only if the provider designs support around it.
Vietnam is usually 5 hours ahead of the Netherlands during winter time and 4 hours ahead during summer time. That creates a workable overlap, but only if your provider has a response SLA and an account contact who understands how Dutch and EU companies operate.
Ask:
“Will we have a Dutch-speaking or Dutch-market-familiar account manager? What is the response SLA for urgent payroll or compliance questions during Amsterdam business hours?”
A strong answer names the account owner, states the response SLA, and confirms the escalation route. A weak answer sends all questions into a shared inbox handled only during Vietnam office hours.
For a Dutch HR lead, the difference is visible during the first urgent case. Your team either gets an answer before the day closes in Amsterdam, or the issue waits until tomorrow.
If your organization is specifically hiring from the Netherlands, see our guide to EOR in Vietnam for Dutch companies for additional considerations around communication, compliance, and support expectations.
Sunbytes handles SHUI, PIT, bilingual contracts, payroll, onboarding, and offboarding for Dutch and EU companies hiring in Vietnam, with ISO 27001 certification and compliance with GDPR Article 28 DPA, signed before engagement starts. Onboarding in 2 to 4 weeks for Vietnamese nationals when documents are complete. Offboarding actions are initiated within 24 hours.
See how Sunbytes scores on each criterion
Five red flags in EOR provider pitches
You can learn a lot from how a provider answers evidence questions. These five red flags should slow your decision before the contract is signed.
- “Full service” without named SLA numbers. If the provider cannot state the payroll date, onboarding target, offboarding timeline, and escalation process, those commitments are not ready for your contract.
- Hesitation when asked for a GDPR Article 28 DPA. A provider serving EU clients should expect this question. If the provider needs to “check internally” before confirming whether a DPA exists, treat that as a due diligence issue.
- No ISO 27001 certificate details. “We are ISO compliant” is not the same as a current certificate. Ask for certificate number, certification body, expiry date, and scope.
- No Dutch or EU-facing account contact. If every payroll and compliance issue waits for Vietnam-only office hours, your Amsterdam team will lose same-day control when timing matters.
- “Onboarding in a few weeks” without contract wording. Verbal timelines are easy to sell and hard to enforce. Put onboarding and offboarding timelines into the agreement.
Provider scorecard: how to compare your shortlist
Use this scorecard for each EOR provider on your shortlist. Score each criterion from 1 to 5.
1 means the provider gives no written evidence.
3 means the provider gives a partial answer but leaves gaps.
5 means the provider provides written evidence that can be attached to your internal due diligence file.
| Criterion | Weight | Provider A | Provider B | Provider C |
|---|---|---|---|---|
| Compliance scope: SHUI, PIT, contracts, work permits | 20% | 1-5 | 1-5 | 1-5 |
| ISO 27001 certification: certificate number, expiry date, scope | 15% | 1-5 | 1-5 | 1-5 |
| GDPR Article 28 DPA: signed before processing starts | 20% | 1-5 | 1-5 | 1-5 |
| Payroll SLA: written payroll date, escalation, remedy | 15% | 1-5 | 1-5 | 1-5 |
| Onboarding timeline: written timeline by employee type | 10% | 1-5 | 1-5 | 1-5 |
| Offboarding SLA: SHUI, PIT, access, data exit | 10% | 1-5 | 1-5 | 1-5 |
| Timezone and account management: Dutch/EU support | 10% | 1-5 | 1-5 | 1-5 |
Scoring rule: remove any provider that scores below 3 on GDPR Article 28 DPA or payroll SLA, even if the total score looks acceptable. Those two gaps create too much risk for EU companies hiring in Vietnam.
To make your evaluation process easier, download or adapt our EOR provider checklist Vietnam and use it alongside this scorecard.
What to request before you sign
Before your team signs with an EOR provider in Vietnam, request four documents.
First, ask for the GDPR Article 28 DPA, signed and dated, with Vietnam operations and transfer mechanism covered.
Second, ask for the ISO 27001 certificate, including certificate number, expiry date, certification body, and scope.
Third, ask for a sample bilingual employment contract in Vietnamese and English, with the provider’s SHUI registration steps explained.
Fourth, ask for the written SLA schedule: payroll date, onboarding timeline, offboarding timeline, escalation contact, and remedy for missed commitments.
If the provider cannot provide these before signing, your team is being asked to accept trust instead of evidence.
Before sending the agreement for signature, compare it against our guide on what to include in your EOR contract to make sure key obligations are documented.
How Sunbytes supports Dutch and EU companies comparing EOR providers
Most EOR evaluation processes stall at two requests: the GDPR Article 28 DPA and the ISO certificate number. Those documents should be available before engagement starts, not after payroll is already running.
Sunbytes supports Dutch and EU companies hiring in Vietnam through EOR operations that connect compliance, payroll, onboarding, and secure employee-data handling. The Accelerate Workforce Solutions layer covers the employment setup: contracts, SHUI, PIT, payroll, onboarding, and offboarding. The Cybersecurity Solutions layer supports the evidence behind that setup: ISO 27001, access control, DPA handling, and secure document workflows. The Digital Transform Solutions layer helps when the hired team also needs a clear delivery setup, role scope, and operating rhythm.
That means your new hire is not only contracted. They are onboarded into a controlled employment and delivery process.
Utrecht HQ, Dutch-law-governed contracts, ISO 27001 certification, GDPR Article 28 DPA prior to engagement. Payroll on time, onboarding in 2 to 4 weeks for Vietnamese nationals when documents are complete, offboarding actions initiated within 24 hours, and Dutch/EU-facing account management.
FAQs
An EOR provider becomes the legal employer on paper and handles employment contracts, SHUI registration, payroll, PIT withholding, and statutory employment administration. A staffing agency usually helps source candidates but does not always become the legal employer. The difference matters because sourcing a candidate and employing that person compliantly are separate responsibilities.
For a deeper comparison of responsibilities, costs, and compliance risks, read our guide on EOR vs staffing agency.
Yes, if the EOR processes employee personal data on behalf of an EU company. Payslips, contracts, identity documents, tax data, and SHUI details are personal data. Under GDPR Article 28, controller-processor processing needs a contract or other legal act before processing starts.
ISO 27001 certification means the provider’s information security management system has been independently assessed within a stated scope. For an EOR provider, the scope matters because employee documents, payroll data, and identity records are sensitive. Ask for the certificate number, expiry date, certification body, and scope.
For Vietnamese nationals, a practical written SLA is 2 to 4 weeks from signed service agreement when documents are complete. Foreign nationals usually require more time because work permit preparation and filing may be needed. Your provider should separate these timelines in writing instead of giving one general estimate.
Yes, but switching requires a controlled transition. The current employment arrangement must be ended or transferred correctly, final payroll and PIT steps must be handled, SHUI status must be updated, and employee data must be returned or deleted under the agreed DPA. This is why offboarding SLA and data exit terms should be checked before the first contract is signed.
Dutch companies should ask for a GDPR Article 28 DPA, ISO 27001 certificate, sample bilingual employment contract, written payroll SLA, onboarding timeline, offboarding SLA, and Dutch/EU-facing account contact. The provider should also explain how urgent payroll or compliance questions are handled during Amsterdam business hours.
Let’s start with Sunbytes
Let us know your requirements for the team and we will contact you right away.
