Skip to main content

Navigation

Catalogue

Security Awareness Privacy & Compliance AI & LLM Security Real-World Incidents
Application Security Soon
API Security Soon
Cloud Security Soon

Features

Human Risk Management Interactive 3D Training SCORM Cloud LMS Human Risk Score Risk-Based Automation Integrations All features

Simulations

Phishing Simulations Smishing Simulations
Vishing Simulations Soon

Company

Partners About Us Blog Data Sheet PDF

Legal

Security & Compliance Privacy Policy Terms of Service
English Українська
Book a Demo
Built on Merge

Connect any HRIS to RansomLeak

Let the people changes you already record in any HR system drive security training. New hires get onboarding, role changes reassign the curriculum, and departures deactivate access. One connection, no manual rosters.

Last updated June 2026

Overview

RansomLeak's HRIS integration is a read-only sync, built on the Merge Unified API. You connect your HR system once, and RansomLeak turns the joins, role changes, and departures you already record into security training that assigns and retires itself.

These are the moments it acts on, as they happen in your HR system:

  • New hires get onboarding training
  • Role changes reassign curricula
  • Departures deactivate access
  • Rehires are reactivated

HR systems Merge covers

Whatever your HR stack is, one Merge connection reaches it. Here are some of the most common systems, with more than 80 supported in total.

  • Workday
  • ADP
  • Rippling
  • BambooHR
  • Gusto
  • UKG
  • Personio
  • SAP SuccessFactors
  • Paychex
  • 80+ more

On HiBob? RansomLeak connects to it natively over HiBob's own OAuth, off the Merge connection. The full flow is in the HiBob setup guide.

Connect your HRIS

You connect from RansomLeak as an admin. Authorizing grants read access to your employee directory and nothing more.

  1. In RansomLeak, go to Admin → Integrations → HRIS and select Connect another HRIS.

  2. The Merge connection widget opens. Pick your HR system and sign in as an HR admin to authorize read access to your employee directory.

  3. You return to RansomLeak with the connection established. An initial sync runs on its own and provisions your current workforce.

Lifecycle updates arrive automatically. Merge sends change events, so a new hire or a departure is reflected within about a minute. An hourly sync is the safety net if an event is ever missed, and a daily full sync catches removals.

How the lifecycle works

On every sync, RansomLeak reconciles your directory and acts on what changed. People are matched by work email, so your HR system and RansomLeak always point at the same person.

In your HR system In RansomLeak
A new employee joins An account is created, licensed, placed on their department team, and enrolled in the onboarding curriculum.
Job title or department changes The user is enrolled in the curriculum mapped to their new role or department.
An employee is terminated or deactivated Their account is disabled. Their training history is preserved.
A former employee is rehired Their account is reactivated and re-licensed.
Manager relationships Mirrored to RansomLeak so manager dashboards and alerts work.

The initial sync is a baseline, not a flood. The first full sync provisions your existing workforce and records them as already onboarded. Only genuinely new hires after that baseline receive onboarding training.

Permissions and data handling

RansomLeak asks Merge for read access to your employee directory and uses it to read the fields that drive training. Each field maps to one job.

What RansomLeak reads Why
Name and work emailCreate the account and match the person.
Job title and department Assign role-based curricula and the department team.
ManagerBuild the reporting line for manager dashboards.
Employment status and dates Detect joins, departures, and rehires.
  • Directory fields only, never pay or national IDs
  • Stored credentials encrypted at rest
  • US or EU data region
  • Mirror cleared on disconnect

The connection is read-only and one-directional. RansomLeak never writes back to your HR system. For how RansomLeak handles data, see the privacy policy and the security and compliance page.

Using HRIS alongside SCIM

If you also provision from your identity provider over SCIM, the two sources are reconciled by work email so they do not work against each other.

  • HRIS owns directory and org fields
  • SCIM owns identity and access

Your HR system stays authoritative for names, job title, department, and manager. Your identity provider stays authoritative for login identity and role membership, and HRIS never overwrites those. SSO and SCIM setup lives with the Cloud LMS.

Built on Merge

RansomLeak's HRIS integration runs on Merge, a unified API that normalizes more than 80 HR systems behind one connection. Rather than build and certify a separate integration for Workday, ADP, Rippling, BambooHR, and every other system, we built once on Merge and inherit the whole catalog.

Merge holds SOC 2 Type II and ISO 27001 and offers EU data residency, so the layer that moves your employee data meets the same bar you hold the rest of your stack to.

  • SOC 2 Type II
  • ISO 27001
  • EU data residency

Frequently asked questions

Can I sync employees from Workday to security training?

Yes. RansomLeak connects to Workday, ADP, BambooHR, Rippling, Gusto, UKG, Personio, and more than 80 other HR systems through a single Merge connection. New hires are enrolled in onboarding automatically, role changes reassign the matching curriculum, and departures deactivate access. On HiBob, RansomLeak connects natively instead of through Merge.

Does RansomLeak store my employees' HR data?

RansomLeak reads directory fields only: name, work email, job title, department, manager, and employment status. It never reads compensation, national IDs such as a Social Security number, or date of birth. The connection is read-only, stored credentials are encrypted, and disconnecting clears the mirrored directory. RansomLeak never writes back to your HR system.

What is Merge, and why does RansomLeak use it?

Merge is a unified API that normalizes more than 80 HR systems behind one integration. RansomLeak uses Merge so a single connection reaches Workday, ADP, Rippling, BambooHR, and the rest, instead of building and certifying each one separately. Merge holds SOC 2 Type II and ISO 27001 and offers EU data residency.

How quickly are new hires enrolled in training?

A new hire is provisioned and enrolled in onboarding within about a minute of being added to your HR system, using change events from Merge. An hourly sync reconciles in case an event is ever missed, and a daily full sync catches removals.

Do I need my own Merge account to use this?

No. You connect your HR system from RansomLeak at Admin, Integrations, HRIS, and authorize it in the Merge widget. You do not need a separate Merge account or contract. For most systems the connection runs through Merge, and HiBob connects natively.

How is HRIS provisioning different from SCIM?

SCIM provisions accounts from your identity provider such as Okta or Entra. HRIS provisioning syncs from your HR system of record and drives the training lifecycle: onboarding, role-based reassignment, and offboarding. RansomLeak reconciles the two by work email, so HRIS and SCIM stay in step rather than fighting over the same person.

Next guide Connect HiBob natively On HiBob? Skip Merge and connect it over HiBob's own OAuth, with the same training lifecycle.

Need a hand?

Email support@ransomleak.com and we will help you connect Merge to your tenant.

See RansomLeak in Action

Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.

Request Demo Try Free Exercises