Offshore Compliance

Offshore Compliance for US Businesses

The things that quietly break offshore hires: classification, statutory obligations, IP, data, cyber. Here's what we hold, what stays yours, and how we guide you on both.

  • Worker classification risk held on our PH entity
  • Philippines statutory obligations handled locally
  • Standard NDAs and IP assignment
  • Cyber baseline via NordLayer and managed devices

The industry loves to sell compliance as a checkbox. It isn't. Some of it we can genuinely hold on our Philippines entity. Some of it stays with you no matter who you hire through. We're straight about which is which, and we guide you on the parts you own.

Worker classification (W-2 vs 1099, and the ABC test)

The biggest sleeper risk in offshore hiring for US businesses. Engage a Philippines contractor like an employee (fixed schedule, your tools, your direction, ongoing) and states with an ABC test, like California under AB 5, can reclassify them, with back wages, benefits and penalties attached. Our Philippines entity employs the person there, so you're contracting with our entity for services rather than paying an individual as a 1099 contractor with employee-like control. That structure keeps the classification exposure off your books.

Philippines statutory obligations

Payroll, SSS, PhilHealth, Pag-IBIG, 13th month pay, tax withholding and end-of-year filings. On EOR, our entity manages these under Philippines law. On COR, we structure the arrangement so it stays genuinely independent and the obligations sit where they should. You don't need a US employer of record for staff based in the Philippines, and you don't need to figure out cross-border payroll yourself.

IP, NDAs and data (CCPA, HIPAA, PCI in scope)

Standard NDAs and IP assignment clauses on every engagement, so work product ownership isn't ambiguous under US law. Data is more nuanced. If you handle California consumer data (CCPA/CPRA), health data (HIPAA), or card data (PCI), your obligations follow the data wherever it goes. We can set up managed devices, enforce access controls and sign a data-processing addendum where it fits. What data you allow into which systems, and how you meet your own regulatory obligations, stays your call. We guide you on the sensible defaults.

Cyber baseline

NordLayer for network access, managed devices where the role or client requires it, MFA on the accounts we can enforce it on, and documented offboarding so access is actually removed. Not a silver bullet. A baseline that raises the floor for most US SMBs above where they'd be hiring a direct 1099 contractor working from a personal laptop.

What stays yours

Your own data governance. Your own customer contracts, privacy notices and regulatory obligations. How you treat the person day to day. Decisions about what work you route offshore. We won't claim to carry these, because we can't. We'll help you think about them properly.

Frequently asked questions

How do we avoid misclassification issues with offshore contractors?

By not paying the individual as your 1099 contractor. You contract with our Philippines entity for services and we employ the person there. The ABC test and similar state tests target the direct relationship between your business and the worker. Removing that direct relationship, and keeping the arrangement genuine, is what neutralises the exposure.

What about CCPA, HIPAA or PCI if the person handles our customer data?

Your regulatory obligations stay yours. We help you set access, controls, contracts and processes so working with offshore staff doesn't quietly breach them. Where a data-processing addendum or BAA-style commitment is appropriate we'll work through it with you.

Can offshore staff access US customer data?

Yes, when the role requires it, with the same controls you'd apply to any staff member: least-privilege access, MFA, managed devices where warranted, documented offboarding. Sensitive regulated data (PHI, cardholder data) needs to be scoped deliberately.

Get the compliance side right the first time

Book a call and we'll walk through classification, Philippines statutory, IP, data and cyber for your specific US setup.

Book a compliance call