
When your shortlist is down to two or three EOR providers, the next call should not be a sales conversation. It should be a document check.

This EOR provider checklist for Vietnam gives you the exact questions to ask before signing. Use it during a provider call, in a written questionnaire, or when reviewing a proposal. An employer of record in Vietnam is the legal employer on local records; your company directs the work, while the EOR handles employment contracts, payroll, SHUI registration, PIT withholding, and local employment administration.

If you are new to the model, start with this guide to an employer of record in Vietnam to understand how responsibilities are divided between your company and the EOR provider.

Before comparing vendors, it also helps to review an EOR provider scoring guide so you can evaluate providers using consistent criteria rather than sales claims alone.

TL;DR

  • Use this checklist to test six areas: compliance scope, data security, service level agreements, account management, track record, and service scope.
  • Score each answer as satisfactory, unsatisfactory, or not answered. Do not accept verbal reassurance where the item should be written into the agreement.
  • Treat Q3, Q4, Q5, and Q6 as knockout questions. If a provider cannot answer these with documentation, remove them from your shortlist.

How to use this EOR provider checklist for Vietnam

Ask each question exactly as written. Then mark the answer in one of three ways: satisfactory, unsatisfactory, or not answered.

The purpose is not to ask more questions. It is to make vague answers visible quickly. A good EOR provider should be able to show documents, timelines, certificates, service commitments, and fee scope before you sign.

| Score | What it means | What to do next |
|---|---|---|
| Satisfactory | The provider gives a clear answer and can support it with a document, certificate, SLA, contract clause, or reference. | Keep evaluating. |
| Unsatisfactory | The provider answers, but the answer is vague, verbal only, or not written into the agreement. | Ask once for written proof. |
| Not answered | The provider avoids the question, delays the document, or says it is only available after signing. | Treat as a red flag. |

How to score each EOR provider answer before signing

The 12 questions to ask your EOR provider in Vietnam


Category A: Compliance and contracts

Q1. Can you show us a sample bilingual employment contract (Vietnamese and English) for a knowledge worker role?

A satisfactory answer means the provider can share a sample within 24 hours. The contract should include the required Vietnam Labor Code Article 21 contents, both Vietnamese and English versions, and the EOR named clearly as the legal employer.

A red flag is: “We can provide that after you sign with us.” Another red flag is a generic template with no Vietnam-specific employment content.

For a deeper look at local employment obligations, contract requirements, and statutory responsibilities, see our guide to EOR compliance in Vietnam.

Q2. Which government authorities do you register employees with, and what is your SHUI registration timeline from the contract signing date?

A satisfactory answer names Vietnam Social Security (VSS) and the relevant labor authority by location. The provider should commit to SHUI registration within 30 days of the hire start date as a contractual commitment, not a loose target. They should also be able to show an example VSS registration confirmation.

A red flag is: “We register with the relevant Vietnamese authorities.” That answer does not tell you who, when, or what proof you receive.

Category B: Data security

Q3. Can you provide your current ISO 27001 certificate, including certificate number, scope, and expiry date? 

A satisfactory answer means the certificate is provided on request before signing. The scope should cover data processing operations relevant to payroll and HR. The certificate number and expiry date should be verifiable through the certification body.

A red flag is: “We follow ISO 27001 best practices” or “we are working toward certification.” A roadmap is not a certificate. An expired certificate, or a certificate that covers only IT infrastructure rather than HR and payroll data processing, is also a red flag.

Q4. Do you sign a GDPR Article 28 Data Processing Agreement as standard, and does it cover cross-border processing from Vietnam to the EU?

A satisfactory answer is yes. The DPA should be standard, available before signing, and signed before personal data processing begins. It should also address EU-Vietnam data transfer mechanisms such as Standard Contractual Clauses or an equivalent lawful basis.

A red flag is: “We handle data securely, so you have nothing to worry about.” Another red flag is willingness to sign a DPA only after the engagement starts.

Category C: Service level agreements

Q5. What is your written payroll SLA — the specific calendar date each month by which net salary is in the employee’s bank account — and what is your remedy if that date is missed?

A satisfactory answer gives a named calendar date in the service agreement, such as the 25th of each month. It should also state the remedy if that date is missed: credit, penalty, escalation process, or another written remedy.

If you are comparing providers, review this detailed breakdown of an EOR service level agreement in Vietnam to understand which commitments should be documented before signing.

A red flag is: “We always pay on time.” Another red flag is “payroll by end of month” with no calendar date and no remedy.

Q6. What is your contractual onboarding timeline from signed service agreement to first payroll run for a Vietnamese national — and is this commitment written into the agreement?

A satisfactory answer is a written 2 to 4 week timeline from signed agreement to first payroll run, assuming no work permit is required. The agreement should state the conditions and the escalation path if the timeline is missed.

A red flag is: “Typically a couple of weeks.” If the timeline is not in the agreement, it is not an SLA.

Q7. What is your written offboarding SLA — specifically, how quickly do you deregister the employee from SHUI and what is your data deletion timeline after the employment end date?

A satisfactory answer states SHUI deregistration within 24 hours of employment end date in writing. It should also explain final payslip handling, PIT settlement documents, and the data retention or deletion timeline after exit.

Many providers overlook offboarding commitments, which is why an EOR service level agreement in Vietnam should cover both onboarding and employee exits.

A red flag is: “We process offboarding quickly.” That does not tell your HR team when the employee is removed from SHUI or when personal data is deleted.

Category D: Account management

Q8. Who is our named account manager and do they have Dutch language capability or direct experience with Dutch business law and employment norms?

A satisfactory answer gives a named person before signing. For Dutch companies, Dutch language capability or direct Dutch-market experience reduces friction because HR questions often involve both Vietnam execution and Netherlands-side expectations.

A red flag is: “You will be assigned to our client services team.” That answer gives you no named owner and no proof of Dutch-market familiarity.

Q9. What is your response SLA for urgent compliance queries raised during Amsterdam business hours, and what is your escalation path for after-hours emergencies?

A satisfactory answer commits to a response within 4 hours for urgent queries raised during Amsterdam business hours, usually 09:00 to 18:00 CET. It should also name the escalation path for after-hours emergencies, such as a labor inspection notice or payroll error.

A red flag is a single 24 to 48 hour response time for every request. Urgent compliance queries need a different response path from routine admin questions.

Category E: Track record

Q10. Can you provide references from at least two European companies you currently serve via EOR in Vietnam — references we can contact directly?

A satisfactory answer provides at least two active European client references and allows direct contact. Written testimonials or website logos are not the same as a reference call.

A red flag is: “Our clients are confidential” with no alternative verification path. References from US-only clients are also less useful if your team operates from the Netherlands or the EU.

Q11. How many employees are currently under active EOR arrangement with your company in Vietnam, and in which industries?

A satisfactory answer gives a concrete active headcount and relevant industry spread. For a knowledge worker role, experience with tech, SaaS, or professional services is more useful than only manufacturing or hospitality coverage.

A red flag is “a significant number” or “growing quickly” without specifics. Very low active headcount may mean the provider is still learning Vietnam EOR operations.

Category F: Service scope and costs

Q12. Is the monthly management fee all-inclusive for standard employment, or are there add-on charges for work permits, compliance queries, background checks, or expedited requests?

A satisfactory answer gives a written fee schedule. It should state what is included, what is billed separately, and how scope changes are priced if a work permit or expedited request becomes necessary.

A red flag is: “We handle any additional requests” without pricing. Another red flag is a scope statement that covers only basic payroll while every compliance activity becomes an extra charge.

Before signing, review what to check in your EOR contract so you can verify that pricing, responsibilities, and service commitments are documented correctly.

Four knockout questions that narrow your shortlist quickly

A provider that does not answer Q3, Q4, Q5, or Q6 satisfactorily should be removed from your shortlist, regardless of price or brand recognition.

These four questions test whether the provider can document the operating model before you sign. ISO/IEC 27001 certification, a GDPR Article 28 DPA, a written payroll SLA, and a written onboarding SLA are not items to confirm after the first employee starts. They are the line between reassurance and proof.

If a provider passes these checks, the next step is reviewing what to check in your EOR contract before moving to legal approval.

You can use this checklist directly with Sunbytes.

Sunbytes answers the 12 questions with written documentation: ISO/IEC 27001 certified, GDPR Article 28 DPA before engagement, written payroll SLA, onboarding SLA of 2 to 4 weeks for Vietnamese nationals, and SHUI deregistration within 24 hours after employment end date.

Utrecht HQ. Dutch-speaking account management with 4 to 5 hour NL-VN working overlap.

How Sunbytes answers before engagement starts

The four knockout questions in this checklist are the ones that usually separate a prepared EOR provider from a provider that relies on verbal assurance.

Sunbytes EOR services sit inside Accelerate Workforce Solutions: compliant contracts, payroll on time, SHUI registration, documented onboarding, and controlled offboarding. For companies hiring tech or knowledge-worker roles in Vietnam, that employment layer is supported by Secure practices for employee-data protection and by Transform delivery discipline when the employee is joining a technical team with a defined scope.

Before engagement starts, Sunbytes can confirm the documents, SLAs, data processing terms, and account ownership your HR team needs to sign with confidence.

FAQs

Use it during a vendor call or send it as a written questionnaire to shortlisted providers. Ask all 12 questions and mark each answer as satisfactory, unsatisfactory, or not answered. Remove any provider that cannot answer Q3, Q4, Q5, or Q6 with documentation.

An EOR processes sensitive employee data, including payroll records, SHUI information, PIT data, passport copies, and employment documents. ISO/IEC 27001 certification gives you verifiable evidence that the provider has an audited information security management system. A claim or plan to certify is not enough.

For EU companies, the EOR processes personal data on your behalf. That makes the EOR a data processor and your company the controller. GDPR Article 28 requires processing by a processor to be governed by a contract or other legal act. The DPA should be signed before processing starts.

For an initial EOR vendor evaluation, these 12 questions are enough. They cover compliance scope, data security, SLAs, account management, track record, and service scope. If a provider passes all 12, move to contract review. If they fail a knockout question, end the evaluation.

Yes. This checklist includes Dutch-specific evaluation points such as Dutch-speaking account management, Amsterdam-hours response SLA, GDPR Article 28 DPA, and EU client references. For a Dutch HR or operations team, those items matter as much as Vietnam payroll execution.

Ask for the draft service agreement and compare it against the provider’s answers. The SLA dates, DPA terms, fee schedule, onboarding timeline, and offboarding process should match what the provider said during evaluation. Any mismatch between the sales answer and contract wording is a red flag.

For a final review step, use this checklist on what to check in your EOR contract before approving the agreement for signature.
