Factorial 2026: Barcelona-Based HR Software, Spanish SL, and What EU-Native Status Means for GDPR Compliance
Post #956 in the sota.io EU Cyber Compliance Series | EU-HR-TOOLS-SERIE Post #5
Including this post, this series has now examined five HR platforms across different jurisdictions. The earlier posts covered Workday (Delaware, CLOUD Act territory), BambooHR (Utah, CLOUD Act territory), HiBob (Tel Aviv, Israel — EU adequacy but Israeli surveillance law risk), and Personio (Munich, Germany — EU-native, LOW risk). Post #5 turns to Factorial HR — a Barcelona-based HR platform that, like Personio, is incorporated entirely within the EU.
The distinction matters because the EU HR software market tends to collapse into two categories: US enterprise vendors with EU data residency options (Workday, SAP SuccessFactors, BambooHR) and genuinely EU-incorporated alternatives. Factorial, alongside Personio, represents the second category — companies where the corporate parent itself is a European legal entity, not a US company with a European subsidiary or data centre.
This post examines what Factorial's Spanish incorporation means in practice: the legal entity structure, the AEPD's role as GDPR supervisory authority, the AWS Ireland infrastructure consideration, how US investors relate (or don't) to CLOUD Act exposure, and where Factorial fits compared to Personio for European SMBs in different geographies.
Corporate Structure: Factorial HR, S.L.
The Legal Entity
Factorial was incorporated in 2016 in Barcelona, Catalonia, Spain. The company is registered as Factorial HR, S.L. — a Sociedad Limitada, Spain's equivalent of a limited liability company (comparable to Germany's GmbH or France's SARL). The registered office is in Barcelona.
As of 2026, Factorial HR, S.L. remains the operating entity for its European business. The company has not created a US parent entity or undergone a corporate inversion — it remains a Spanish-incorporated company under Spanish corporate law, regulated by Spanish commercial authorities, and subject to Spanish data protection oversight.
The company was founded by:
- Jordi Romero — CEO, previously co-founder at Teambox (Barcelona-based project management SaaS)
- Bernat Farrero — CPO, product and growth background
- Cristian Pascual — CTO, engineering
The founding premise was that Spain and Southern Europe's SMB market — companies with 20 to 500 employees — was chronically underserved by enterprise HR platforms. Workday and SuccessFactors targeted large enterprises. BambooHR was US-centric in its payroll and compliance logic. Spanish companies dealing with Convenios Colectivos (collective bargaining agreements), Social Security contributions via the Tesorería General de la Seguridad Social (TGSS), and Spain's complex payroll framework (nómina) had no adequate SaaS option.
Funding and Investors
Factorial has raised approximately $150 million across multiple rounds. Key investors:
- K Fund — Madrid (Spanish VC, earliest institutional backer)
- Creandum — Stockholm (Nordic VC, Series A lead)
- Point Nine Capital — Berlin (European SaaS-focused VC)
- Atomico — London (European tech VC, Niklas Zennström's fund)
- Tiger Global Management — New York (US hedge fund / growth equity, participated in Series C 2021)
- CRV — Menlo Park, California (US VC)
- General Atlantic — New York (US growth equity, later rounds)
The 2021 Series C raised $80 million, led by Tiger Global, valuing Factorial at approximately $530 million. A subsequent Series D round in 2022 brought total funding to over $150 million.
Like Meritech Capital's and Lightspeed's participation in Personio, Tiger Global's and CRV's involvement in Factorial follows a standard Southern European scale-up trajectory: EU-headquartered companies raising US growth capital to fund expansion.
CLOUD Act Analysis: Spanish Incorporation as Jurisdictional Baseline
The Legal Framework
The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. §2713) compels electronic communications service providers and remote computing service providers that are domestic US persons to produce subscriber data and content — regardless of where that data is located. The statute's extraterritorial reach is broad, but its subject scope is clear: it reaches US persons and US-controlled entities.
Factorial HR, S.L. is a Spanish legal entity. It is not incorporated under US law. It has no parent company that is a US person. It does not operate as a "domestic US person" as that term is used in the Electronic Communications Privacy Act (ECPA) and the CLOUD Act. A US Department of Justice subpoena or National Security Letter directed at Factorial HR, S.L. on the basis of Factorial's own legal identity would have no statutory authority under the CLOUD Act.
This distinguishes Factorial cleanly from:
- Workday, Inc. — Delaware C-Corporation, NASDAQ-listed, domestic US person
- BambooHR — Utah-incorporated, operating as a subsidiary of Qualtrics/SAP US entities, domestic US person
- HiBob — Israeli company (not a US person, but subject to Israeli Shin Bet Law intelligence cooperation framework and the EU adequacy decision's national security carve-out)
The US Investor Question
The presence of Tiger Global (New York) and CRV (Menlo Park) as Factorial shareholders raises the same question that Meritech Capital and Lightspeed raised in the Personio analysis: does US investor ownership create CLOUD Act exposure for a European-incorporated company?
The answer is the same: no. The CLOUD Act is a provider-based statute, not an ownership-based statute.
The statute compels providers — companies that provide electronic communications services or remote computing services. Shareholders, even majority shareholders, are not providers. US investor ownership of Factorial HR, S.L. does not:
- Make Factorial HR, S.L. a "domestic US person" under the CLOUD Act
- Create a statutory basis for compelling Factorial to produce EU customer data
- Establish legal control in the sense required for CLOUD Act compulsion
- Transfer to Tiger Global or CRV any right to access Factorial's customer data
The key distinction is between equity ownership (holding shares, receiving dividends, having board seats) and operational control over data (having the technical ability to access or produce data under a government order). US investors in a Spanish company hold the former; the CLOUD Act requires the latter.
This analysis would change if Factorial operated through a US-based entity that provided the actual HR services — for example, if customer data were processed by a US subsidiary. Based on publicly available information as of 2026, Factorial's HR services are provided by the Spanish entity.
GDPR Supervisory Authority: AEPD and Spain's Data Protection Framework
The Agencia Española de Protección de Datos
Under GDPR Article 55, the supervisory authority for a data controller is determined by the controller's establishment. For Factorial HR, S.L., incorporated and headquartered in Barcelona, the competent supervisory authority is the Agencia Española de Protección de Datos (AEPD) — the Spanish Data Protection Agency.
The AEPD is one of the more experienced European DPAs. Spain transposed the GDPR into national law via Ley Orgánica 3/2018 (LOPDGDD — Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales), which added Spanish-specific provisions including enhanced employee data protections beyond the GDPR minimum.
Key AEPD enforcement characteristics relevant to HR software:
Active enforcement. The AEPD has issued significant fines for HR data violations, including against Spanish employers who conducted unlawful employee monitoring, failed to respond to subject access requests, or processed employee data without adequate legal basis under GDPR Article 9.
Strong employee data framework. LOPDGDD Article 12 provides specific rights for employees regarding use of digital devices at work. LOPDGDD Article 14 addresses video surveillance in the workplace. Spanish employment data law is materially stricter than GDPR's baseline on several dimensions.
Biometric data. The AEPD has specifically addressed biometric timekeeping — Spanish law since 2019 requires companies to record working hours. Factorial processes timekeeping data; the AEPD's guidance on biometric time-tracking under GDPR Article 9(1)(b) is directly relevant to Factorial customers.
For a European company evaluating Factorial as an HR platform, AEPD oversight means:
- The supervisory authority is a known EU DPA with established enforcement practice
- Factorial's compliance obligations are governed by Spanish law and GDPR — no US legal overlay
- DSARs (Data Subject Access Requests) and complaints from employees would go to the AEPD, not a US regulator
Infrastructure: AWS eu-west-1 (Ireland) — The Same Residual Risk as Personio's AWS Frankfurt
AWS as the Infrastructure Layer
Factorial's infrastructure is hosted on Amazon Web Services, primarily in the eu-west-1 region (Dublin, Ireland). This is the same structural consideration that arises with Personio (AWS Frankfurt, eu-central-1) and that was analysed in the Workday and HiBob posts.
The residual risk profile is identical to Personio:
- AWS is a US company. Amazon Web Services, Inc. is incorporated in Delaware, headquartered in Seattle (Washington State). AWS is a domestic US person under the CLOUD Act.
- AWS customer data is not automatically CLOUD Act territory. AWS's Shared Responsibility Model makes clear that AWS customers control their data; AWS does not typically have access to customer application-layer data stored in encrypted form.
- CLOUD Act compulsion of AWS would target Amazon's own systems and the data Amazon has access to — not the encrypted application data of AWS customers unless Amazon has the decryption keys.
- Factorial's customer data, when processed by Factorial's application, is under Factorial's operational control, not AWS's. A CLOUD Act order to AWS would not necessarily reach Factorial's HR data.
This means the residual risk is: one infrastructure layer down from Factorial itself, the provider (AWS) is a US person. This is the same residual risk that exists for Personio, for Kenjo (AWS), and for virtually every European SaaS that does not run on EU-owned infrastructure (Hetzner, OVHcloud, Scaleway, etc.).
The practical conclusion for most European data protection professionals: Factorial running on AWS Ireland is materially different from Workday being a US company. Factorial's own corporate CLOUD Act susceptibility is zero. AWS's theoretical susceptibility is acknowledged by the European cloud computing industry as a residual risk, one that DPAs have not, in practice, treated as a disqualifying factor for EU-incorporated software companies using AWS.
What GDPR Article 9 Means for Factorial Customers
Special Category Employee Data in HR Platforms
HR software is, by design, a processor of special category personal data under GDPR Article 9(1). Employee HR data routinely includes:
- Health data — sick leave records, disability accommodations, medical certificates, occupational health records
- Trade union membership — relevant where Spanish collective bargaining agreements apply
- Biometric data — timekeeping via fingerprint readers, face recognition
- Religious or philosophical beliefs — religious absence requests, dietary requirements for work travel
For Factorial customers, GDPR Article 9 compliance requires:
Appropriate legal basis. Processing Article 9 data in an employment context typically relies on GDPR Article 9(2)(b): "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law."
Data Processing Agreement (DPA). GDPR Article 28 requires a written DPA between Factorial (as processor) and the customer (as controller). Factorial provides a standard DPA under its enterprise terms.
Data Retention and Deletion. Spanish labour law (Estatuto de los Trabajadores) sets minimum retention periods for employment records. Factorial's GDPR configuration must align with Spanish legal retention requirements — which LOPDGDD generally does.
Third-Party Sub-Processors. Factorial discloses its sub-processor list. The key sub-processors to evaluate are AWS (Ireland), Stripe for payment processing, and analytics tools. Each sub-processor's jurisdiction matters for data transfer compliance.
Factorial vs. Personio: EU-Native vs. EU-Native
The Southern Europe / DACH Split
Both Factorial and Personio are EU-native HR platforms with similar CLOUD Act profiles (neither is subject to CLOUD Act as a corporate entity; both use AWS infrastructure). The meaningful differences are functional and geographic:
| Dimension | Factorial | Personio |
|---|---|---|
| HQ | Barcelona, Spain | Munich, Germany |
| Corporate Form | S.L. (Sociedad Limitada) | SE & Co. KG (German/European) |
| GDPR Authority | AEPD (Spain) | BayLDA (Bavaria) |
| Cloud Infrastructure | AWS eu-west-1 (Ireland) | AWS eu-central-1 (Frankfurt) |
| Payroll Strength | Spain, France, Portugal, Italy, Mexico | Germany, Austria, Switzerland |
| Target Market | Southern Europe + LATAM expansion | DACH primarily |
| CLOUD Act Risk | NONE | NONE |
| Overall GDPR Risk | LOW | LOW |
For DACH-focused companies — German, Austrian, Swiss operations, need for Betriebsrat integration, German social insurance (Deutsche Rentenversicherung, Krankenkassen), Entgeltfortzahlung rules — Personio is the stronger fit. Personio's DACH payroll depth reflects 10 years of German market development.
For Southern European operations — Spanish nómina, French payslip complexity (cotisations sociales, mutuelle), Italian busta paga, Portuguese Segurança Social contributions, LATAM expansion — Factorial is the stronger native fit. Factorial built its payroll engine on the Spanish compliance framework and has since expanded to France, Portugal, Italy, Mexico, and Colombia.
Multi-national European companies covering both DACH and Southern Europe face a genuine trade-off: Personio has more DACH depth, Factorial has more Southern European breadth. Neither covers both with equal native depth.
EU-HR-TOOLS-SERIE: Where Each Platform Stands
This is Post #5 in a six-post series examining the CLOUD Act and GDPR risk of the major HR platforms used by European companies. The full risk table as of this post:
| Platform | HQ | CLOUD Act Subject? | GDPR Authority | Risk Level |
|---|---|---|---|---|
| Workday | Pleasanton, Delaware C-Corp | YES — domestic US person | Multiple EDPB DPAs | HIGH |
| BambooHR | Lindon, Utah (SAP subsidiary) | YES — domestic US person | Multiple EDPB DPAs | HIGH |
| HiBob | Tel Aviv, Israel | NO — not a US person | Israeli DPA + EDPB (adequacy) | MEDIUM |
| Personio | Munich, Germany (SE & Co. KG) | NO — German legal entity | BayLDA (Bavaria) | LOW |
| Factorial | Barcelona, Spain (S.L.) | NO — Spanish legal entity | AEPD (Spain) | LOW |
| Sage HR | (covered in Post #6) | (UK post-Brexit analysis) | (ICO — UK GDPR) | (TBD) |
Practical Evaluation Criteria for European HR Buyers
What to Ask Any HR Vendor
When evaluating Factorial (or any HR platform) for GDPR Article 9 compliance, the questions that matter:
1. What is the legal entity providing the service? For Factorial: Factorial HR, S.L. — a Spanish company. The answer is verifiable via Spain's Registro Mercantil (commercial register).
2. Is that legal entity subject to the CLOUD Act? For Factorial: No. Spanish companies are not domestic US persons under 18 U.S.C. §2713.
3. Who is the GDPR supervisory authority? For Factorial: AEPD (Spain). Complaints go to a known EU DPA, not a US regulator.
4. Where is customer data processed? For Factorial: Primarily AWS eu-west-1 (Dublin). EU territory, US-owned infrastructure (acknowledged residual risk).
5. Is there a current Data Processing Agreement? For Factorial: Yes, available on request as part of enterprise terms. Verify it covers GDPR Article 28 requirements and lists sub-processors.
6. Who are the sub-processors and what is their jurisdiction? For Factorial: AWS Ireland, Stripe, and analytics tools. Each sub-processor chain should be evaluated for transfer risks.
The Key Conclusion
For European SMBs that have been defaulting to BambooHR or Workday without analysing jurisdictional risk, both Factorial and Personio represent a genuinely different risk profile: EU-incorporated, no CLOUD Act susceptibility at the corporate level, EU DPA supervision, and payroll logic built for European compliance requirements from the ground up.
The choice between them is primarily geographic and functional — Factorial for Southern European operations and LATAM expansion, Personio for DACH. The CLOUD Act and GDPR supervisory authority comparison between the two is essentially equivalent: both are LOW risk by the same structural logic.
Post #6 Preview: Sage HR — UK Jurisdiction, Post-Brexit Adequacy, and the IPA 2016
The final post in this series examines Sage HR (part of Sage Group PLC, a UK-listed company in Newcastle upon Tyne). The UK's post-Brexit data protection framework — UK GDPR and the Data Protection Act 2018 — is governed by the Information Commissioner's Office (ICO), not an EU DPA. The EU-UK adequacy decision under GDPR Article 45 (adopted June 2021) is subject to review, and the UK's Investigatory Powers Act 2016 (IPA 2016, successor to RIPA) creates surveillance law considerations that are analytically similar to Israel's situation — a post-Brexit adequacy jurisdiction with its own intelligence framework.
Post #6 will complete the risk table and provide a six-platform verdict for European HR buyers.
This article is part of the sota.io EU Cyber Compliance Series — 956 posts examining GDPR, CLOUD Act, NIS2, EU AI Act, and EU sovereignty topics for European software buyers and developers.