Your shortlist is ready and your internal team is set to sign, but Finance or Legal asks the harder question first: who actually owns Social Insurance, Personal Income Tax (PIT), payroll errors, the data processing agreement, and offboarding once the first employee starts. This EOR due diligence checklist gives your team a structured way to ask for proof, not promises, before a contract is signed in 2026. Use it to score each provider on evidence and decide whether to proceed, pause, or reject.

TL;DR

An EOR due diligence checklist is a 20-point evidence review that confirms a provider can own the legal employer, payroll, contract, data, and exit layers in Vietnam before you sign. Read the EOR in Vietnam complete guide if you are still mapping the model.

  • Best fit when your team has shortlisted providers and needs evidence, not sales claims, to make the call.
  • Score each item 0, 1, or 2. Proceed only when critical items, the data processing agreement and payroll, score 2 with contract-backed evidence.
  • Watch out for any provider that offers the Social Insurance proof or the Article 28 DPA only after signing. Download the employer of record checklist and take it into internal review.

What an EOR due diligence checklist should prove

“EOR due diligence is the review of verifiable evidence that a provider can own the employment layer in Vietnam: registration, contracts, a data processing agreement, payroll process, service levels, and exit ownership. It separates written proof from sales claims.”

An employer of record assessment is not a feature comparison. It asks one question of every promise: can the provider show it in a document you could rely on later? Some teams call this an EOR vetting checklist; the aim is the same, evidence over claims. A clear checklist makes that test repeatable across your shortlist, so you can sense-check it against an EOR provider comparison for Vietnam rather than a sales deck.

Due diligence turns provider promises into evidence you can rely on.
| Sales claim | Proof to request instead |
|---|---|
| We handle full compliance | A written scope covering contracts, Social Insurance, PIT, and records |
| Payroll always runs on time | A payroll SLA with a calendar date and a remedy clause |
| Your data is safe with us | A signed Article 28 DPA and an ISO 27001 certificate |
| We make offboarding easy | A 24h offboarding initiation SLA and final settlement ownership |
Proof vs promise: what to request when a provider states a capability.

Before you compare EOR pricing, check whether the provider can prove the employment layer. Download the EOR due diligence checklist to review legal employer status, Social Insurance, PIT, the GDPR DPA, the payroll SLA, and offboarding responsibilities before you sign.

The 20-point EOR due diligence checklist

The EOR due diligence checklist below groups 20 questions into six areas: legal employer, payroll and tax, contracts and work permits, data and security, service levels and offboarding, and contract terms. Each item names the evidence to request and the risk if it is missing. For the underlying rules on Social Insurance, PIT, contracts, work permits, and termination, see the EOR compliance requirements in Vietnam.

Legal employer and employment model evidence

Confirm who the legal employer is, who signs the contract, and on what basis the provider delivers EOR. Items 1 to 5 establish whether the employment is genuinely contract-backed rather than assumed.

Payroll, Social Insurance and PIT evidence

Ask for the payroll cycle, statutory contribution proof, and the PIT withholding owner. Items 6 to 8 are where most hidden liability sits, so request a sample monthly confirmation, not a description. Employer Social Insurance runs at 17.5% of capped salary, per PwC Worldwide Tax Summaries, so the figures must be auditable.

Contracts, work permits and employee records

Check bilingual contracts, leave and benefits, and work permit support. Items 9 and 10 matter most where a foreign hire needs a permit under Decree 219/2025/ND-CP, effective August 7, 2025, under which permits are issued within 10 working days of a complete application.

Data protection and security evidence

Require a signed GDPR Article 28 DPA, a Vietnam data handling process, and security evidence. Items 11 to 14 align with the Personal Data Protection Law (Law No. 91/2025/QH15) and Decree 356/2025/ND-CP, both effective January 1, 2026, a framework that law firm analysis (Baker McKenzie) describes as GDPR-inspired.

Service level, continuity and offboarding evidence

Confirm onboarding and payroll service levels, a named owner, monthly compliance evidence, and offboarding within 24 hours. Items 15 to 20 decide how the relationship behaves once the first hire is live and when someone leaves.

The 20-point checklist, available as a scored worksheet to take into internal review.

| # | Due diligence question | Evidence to request | Risk if missing |
|---|---|---|---|
| 1 | Can the provider prove local legal employer status in Vietnam? | Business registration, tax code, contract-signing entity. | Unclear employer identity and weak accountability. |
| 2 | Who signs the Vietnamese employment contract? | Sample contract and contracting party details. | You may assume obligations the contract does not back. |
| 3 | What is the provider’s legal basis for EOR delivery? | Operating basis note; verify with the service owner. | Model risk if the structure cannot be explained. |
| 4 | Does the provider issue bilingual employment contracts? | Vietnamese and English template, required fields. | Employee terms may be unclear or hard to enforce. |
| 5 | Are probation, notice, and leave terms mapped to Vietnamese law? | Policy extract and contract clause examples. | Local terms may conflict with the contract. |
| 6 | Can the provider show Social Insurance registration proof? | Registration workflow, sample monthly confirmation. | Back-contributions, disputes, or inspection issues. |
| 7 | Who withholds and remits Personal Income Tax (PIT)? | Payroll calendar, PIT filing owner, payslip sample. | Withholding errors and year-end correction burden. |
| 8 | What controls prevent late or incorrect salary payment? | Cut-off dates, approval workflow, payslip QA process. | Employee trust issue and Finance escalation. |
| 9 | Can the provider support work permits when needed? | Eligibility checklist, document list, timeline. | An unrealistic start date or employment term. |
| 10 | How are statutory benefits and leave handled? | Leave policy, holiday calendar, benefits process. | Mismatch between offer terms and statutory rights. |
| 11 | Is an Article 28 DPA signed before data is shared? | DPA template, controller and processor roles, sub-processor list. | EU data exposure and a weak audit trail. |
| 12 | How does the provider meet Vietnam data protection rules? | Data map, cross-border transfer basis, retention process. | Data processing may lack local compliance evidence. |
| 13 | What security evidence can the provider show? | ISO 27001 certificate or equivalent, access control policy. | Payroll and identity data may be exposed. |
| 14 | What happens if there is a payroll or data incident? | Escalation matrix, notification timeline, named owner. | No clear response path when something goes wrong. |
| 15 | What is the onboarding service level? | Written SLA, typical timeline, document dependency list. | A sales start date that operations cannot meet. |
| 16 | Is payroll guaranteed to run on the contracted date? | Payroll SLA and exception handling clause. | Late payroll becomes an employee-relations problem. |
| 17 | Who is the named service owner after go-live? | Account owner, escalation path, response-time commitment. | No accountable person when issues appear. |
| 18 | Does the provider send monthly compliance evidence? | Monthly pack: payroll, Social Insurance, PIT, leave, changes. | Finance and HR cannot prove compliance internally. |
| 19 | How does offboarding start and who owns the final settlement? | Offboarding checklist, 24h initiation SLA, final pay process. | Exit risk, delayed closure, dispute exposure. |
| 20 | What liability, indemnity, and exit rights are in the contract? | Clauses for liability cap, termination, data return, transfer. | You may be locked in without a safe exit. |
The 20-point EOR due diligence checklist: question, evidence to request, and risk if missing.

How to score each EOR provider after due diligence

Score each item on a 0 to 2 scale, then apply a clear threshold. This turns the checklist from a list into a decision tool your evaluation team can defend internally.

| Score | What it means |
|---|---|
| 0 | Evidence is missing or the answer is vague |
| 1 | Partial evidence, not yet contract-backed |
| 2 | Evidence provided and backed by the contract |
Provider scoring scale for the due diligence review.

| Result | Threshold | Decision |
|---|---|---|
| Go | Critical items (DPA, payroll) score 2; no item below 1 | Proceed to contract |
| Pause | A critical item scores 1, or several items score 1 | Request the missing evidence, then re-score |
| Reject | A critical item scores 0 | Remove the provider from the shortlist |
Go, pause, or reject thresholds based on the provider scoring model.

Red flags to resolve before you sign

Treat the following as stop-sign issues. Any one of them should pause the decision until the provider closes the gap in writing.

Stop before signing if you see: no signed Article 28 DPA before data is shared; no Social Insurance evidence; an unclear legal employer; payroll liability excluded from the contract; no offboarding clause; no named account owner; or no work permit clarity for a foreign hire.

A provider may still be a strong fit after resolving a red flag, so ask for the evidence rather than assuming the worst. If you are still weighing selection criteria, choosing the right EOR service in Vietnam covers how the criteria connect to a final decision.

What to prepare before you ask an EOR provider for evidence

Gather these inputs before the evidence request so the provider can answer precisely and your cost picture is accurate. It also makes an EOR cost in Vietnam estimate easier to compare across providers.

  • Role, salary in EUR, and start date
  • Employment duration and reporting line
  • Work location and work permit status
  • Equipment, systems, and data access the hire needs
  • Preferred contract language and any benefits commitments already made

How Sunbytes supports EOR due diligence in Vietnam

If your checklist shows gaps in Social Insurance proof, DPA terms, payroll ownership, or offboarding scope, pause the vendor decision before the first hire starts. Those gaps are exactly what a due diligence review is meant to surface early.

Sunbytes supports Dutch and EU companies hiring in Vietnam through our Employer of Record (EOR) service, with onboarding planned in 2 to 4 weeks when documents are ready, payroll on time, and offboarding actions initiated within 24 hours. Engagements can include a GDPR Article 28 DPA review, local employment contracts, Social Insurance and PIT administration, and a named service owner from day one.

Founded in the Netherlands in 2011, with a delivery hub in Ho Chi Minh City and ISO 27001 controls, Sunbytes gives Dutch and EU buyers contract-backed answers to the same 20 questions your team is scoring. Vietnam continues to draw foreign employers, a trajectory the World Bank links to its goal of high-income status by 2045.

If your team has chosen Vietnam but not the provider, Sunbytes gives you a controlled route to employ correctly before the first payroll run. Utrecht HQ, Dutch-law-governed contracts, ISO 27001, and a GDPR Article 28 DPA, with payroll on time and offboarding actions within 24 hours.

FAQs

With the checklist ready, most evidence reviews take one to two weeks, mostly waiting on the provider to return documents. The slow steps are usually the signed data processing agreement and the Social Insurance confirmation, so request those first. A provider that returns evidence quickly is itself a positive signal.

Ask for a sample bilingual contract, a written compliance scope, a payroll calendar with a remedy clause, a signed Article 28 DPA, an ISO 27001 certificate or equivalent, and a named account owner. Each should be contract-backed, not a verbal assurance. This is the core of an employer of record assessment.

Yes. A GDPR Article 28 data processing agreement should be signed before any employee data moves to a provider in Vietnam. The provider should also meet the Personal Data Protection Law (Law No. 91/2025/QH15) and Decree 356/2025/ND-CP, both effective January 1, 2026.

Use a 0 to 2 scale: 0 for missing or vague, 1 for partial evidence, 2 for contract-backed evidence. Proceed only when the critical items, the data processing agreement and payroll, score 2. A 0 on either is a reject, not a negotiation.

Only if the evidence is in place. A fast, low-cost provider that cannot show a signed DPA or Social Insurance proof carries more risk than the saving justifies. Score the EOR selection criteria checklist first, then compare prices among the providers that pass.

Pause when any critical item scores below 2, when a red flag appears, or when proof is promised only after signing. Resolving the gap in writing is faster and cheaper than fixing a compliance problem after the first payroll run.
