Every Payroll You Run Through Cloud Software Gives a Third Party Your Employees' Salaries.
Every month, you run payroll. Every month, your employees' salaries, bonuses, sick days, and contract terms leave your systems and process on someone else's servers. You've been doing this for years. So have your competitors, in the same software. Somewhere, there is a very detailed picture of your entire industry's compensation structure. You helped build it. You didn't know.
This is not hypothetical. It's in the terms of service you agreed to — the document nobody reads.
What actually leaves your system each payroll run
French payroll is complex by design. A French payslip — the bulletin de paie — has 7 mandatory zones covering over 200 variables: gross salary, net salary, every deduction (mutuelle contributions, prévoyance insurance, tickets restaurant allocations), sick day count, RTT balance (the extra rest days workers earn beyond the 35-hour week), bonus amounts, contract type (CDI, CDD, or interim), and working-time arrangement.
Running payroll through cloud software means all of that transmits to the vendor's servers for processing. For a company with 10 employees, that's 120 detailed payroll records per year sitting in a commercial database — not just filed with URSSAF (the agency that collects social security contributions), also processed and stored on infrastructure the vendor controls.
The DSN — Déclaration Sociale Nominative, the mandatory monthly declaration every employer with staff files to URSSAF — goes to net-entreprises.fr via a free, direct machine-to-machine API. Your cloud payroll software processes your data on its own servers before sending it there. That intermediate stop is where the data exposure happens. Liberté skips the intermediate and files the DSN directly. Your payroll data travels one hop, not two.
What the vendor's terms actually say
Cloud payroll vendors don't advertise this clearly. Find the data processing agreement — the DPA, the legal document governing what they can do with your employees' data — and look for the clause on anonymised aggregate data. It will say something like: data may be used for product improvement, service analytics, and benchmarking purposes.
That clause is the business model. A vendor sitting on payroll data from 10,000 companies in France has one of the most detailed compensation datasets in the country. HR consultants pay €5,000–50,000 per report for industry salary benchmarks. Investors use them to value companies. Recruiting firms use them to structure offers. Your employees' monthly salary information — aggregated, "anonymised," processed — is the raw material for all of it.
You didn't hire a payroll software vendor to be your data partner. And yet, somewhere in the terms of service, that's exactly what happened.
One objection you'll hear: "it's anonymised, so it's fine." Research on de-anonymisation consistently challenges that claim. Payroll data from a specific sector, a specific city, a specific company size is far less anonymous than it sounds. Nobody is claiming vendors sell your individual records — the aggregate product they build is built from your individual records.
The GDPR exposure most business owners miss
Under GDPR — the EU data protection regulation that makes you responsible for your employees' data — you are the data controller. Your cloud payroll software is a data processor. The distinction matters more than most small business owners realise.
When the vendor's servers experience a breach, the obligation to notify CNIL — France's data protection regulator — within 72 hours falls on you, not on the vendor. Your employees can claim compensation directly from you. The vendor's liability is typically capped in their contract. Yours is not.
CNIL issued 42 formal sanctions in 2024, up 60% from 2022. Total GDPR fines across the EU have reached €4.2 billion since 2018, and enforcement against smaller businesses is accelerating. A standard audit question now: "Where is your employees' salary data processed, under what terms, and can you produce the data processing agreement?" Most small businesses in France cannot answer that question cleanly today.
Consider a 12-person consulting firm in Paris using Payfit at €12/employee/month: 144 detailed payroll records per year on Payfit's servers, contributed to benchmarking datasets, the founders having never read the DPA. Or a restaurant in Bordeaux running payroll on Sage: seasonal worker contracts, tip allocations, and hourly rates on servers governed by a UK-listed company's data terms. Neither business made a reckless decision — the software is good, the convenience is real. They simply didn't price in the full cost.
The promise you made without realising it
Picture this: a new employee joins and asks whether their salary is confidential. You say yes. You mean it. Your senior developer doesn't know the junior earns more. Your sales manager doesn't know what the marketing director takes home. That confidentiality is a professional expectation — and you're the one responsible for maintaining it.
Month after month, you've uploaded their salary information to cloud payroll software whose terms allow aggregate use of that data for commercial purposes. The gap between what you promised and what the infrastructure delivers is real. It's not malicious on your part — you were solving a legitimate problem. French payroll is hard, the software makes it manageable, and there was no free alternative that kept the data on your own systems.
Now there is.
What Payfit raised €250M to build — and what Liberté doesn't need
Payfit raised over €250 million from investors including SoftBank Vision Fund. At €12/employee/month for payroll software, the math on that valuation requires either massive scale or a data product commanding premium prices from HR consultants, investors, and market research firms. Your payroll subscription is the acquisition cost for the dataset. You are a contributing data source — and you pay them for the software.
Sage is a UK-listed company with 300,000+ customers in France and estimated 80%+ gross margins on SME subscriptions. Their software made payroll management accessible. It also made your employees' salary data part of their commercial infrastructure.
Liberté handles French payroll with all 200+ variables, all 7 mandatory payslip zones — compliant, complete, directly connected to URSSAF via net-entreprises.fr's M2M API. Data processes on EU-native infrastructure. It never enters a third-party commercial database. And the platform costs nothing.
Before your next payroll run
Find your current payroll software's data processing agreement. Search for the clause on anonymised aggregate data. Read it carefully. If you can't find it, or can't understand what it permits, you have a GDPR compliance gap — one that CNIL is increasingly likely to ask about.
Employees who trusted you with their salary information assumed you had thought through where it goes. Now you have. The next payroll run can be different.
Join the waitlist at liberte.free — launching Q2 2026, France first. Close the gap between the confidentiality you promised and the infrastructure your payroll actually runs on.