This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

HRIS and directory sync

What HRIS and payroll integrations are available to connect through Finch in Secureframe?

• Secureframe supports more than 150+ HRIS and payroll integrations via Finch. Below is the full list of available Finch integrations:
  AAP iSolved, ADP Next Gen, ADP RUN, ADP TotalSource, ADP Workforce Now, APS Payroll, Abacus HCM iSolved, Absolute Payroll iSolved, AccountantsWorld, Accupay iSolved, Ace Workforce Technologies iSolved, Adams Keegan, Advantage Payroll Services, Affiliated HR Payroll Services Evolution, Affiliated HR Payroll Services iSolved, Ahola, AlphaStaff, Amplify HR, Asset HR, Asure Software, BASIC, BBCS Payroll, BBSI, BCN Services, Balance Point, Baron Payroll iSolved, Bene-Care, ACME, Inc., Bizchecks Payroll, CPM Employer Services iSolved, Ceridian Dayforce, Ceridian Powerpay, CharlieHR, CoAdvantage, Coastal Payroll, CognosHR, Collage, Commonwealth Payroll & HR, ConnectPay, Crescent Payroll Solutions, DM Payroll Solutions, Deluxe, Dominion Payroll, Doyle, Eddy, EmPower HR, Emplicity, Employdrive, Employer Flexible, ACME, Inc., Engage PEO, Everee, Evolution Payroll Services, Excel Resources, Flock, FullStack PEO, G&A Partners, GTM Payroll Services Evolution, GTM Payroll Services iSolved, Goco, HRO, HROne, Heartland, Hibob, Highflyer HR, Hubstaff, Humaans, Humi, INFINITI HR, Infor, Insperity, Iris HR, Justworks, Kenjo, Keystone Payroll iSolved, MPAY, Namely, NaturalHR, Netchex, Newtek, Nextep, Oasis, OnPay, OneSource Payroll, Opolis, Oracle PeopleSoft, PCS HCM, Panther, Paragon Payroll iSolved, Patriot, PayFit, PayNorthwest, PayPro HCS iSolved, PayUSA, Paychex, Paycom, Paycor, Payday Workforce Solutions, Paylocity, Payroll Network, Payroll Office of America, Payroll Plus HCM Evolution, Payroll Plus HCM iSolved, Payroll Solutions, People Lease, PeopleForce, PeopleHum, Platinum Group, PrestigePEO, PrimePay, PrismHR, Proliant, PropelHR, Proxus HR iSolved, QuickBooks, RMI PEO, Remote, SAP SuccessFactors, Sage 50 Quantum Accounting, Sage 50 US Edition Accounting, Sage Payroll, Sapling, Savant HCM Evolution, Sequoia One, Sheakley, Simploy, Skuad, SourceOne, Square Payroll, Strategic Payroll Solutions iSolved, SuitePeople (Oracle NetSuite), SurePayroll, SyncHR, ACME, Inc., Thread HCM, Toast Payroll, Trakstar, UKG Pro, UKG Ready, Velocity Global, VensureHR, Vfficient, Viewpoint HR Management Spectrum, Viewpoint HR Management Vista, Wagepoint, Wave Payroll, WebHR, Workday, Workforce Junction, Worklio, Workzoom, Wurk, Xenium HR, Xero, Zoho Payroll, greytHR, iSolved, mp, whirks
  AAP iSolved, ADP Next Gen, ADP RUN, ADP TotalSource, ADP Workforce Now, APS Payroll, Abacus HCM iSolved, Absolute Payroll iSolved, AccountantsWorld, Accupay iSolved, Ace Workforce Technologies iSolved, Adams Keegan, Advantage Payroll Services, Affiliated HR Payroll Services Evolution, Affiliated HR Payroll Services iSolved, Ahola, AlphaStaff, Amplify HR, Asset HR, Asure Software, BASIC, BBCS Payroll, BBSI, BCN Services, Balance Point, Baron Payroll iSolved, Bene-Care, ACME, Inc., Bizchecks Payroll, CPM Employer Services iSolved, Ceridian Dayforce, Ceridian Powerpay, CharlieHR, CoAdvantage, Coastal Payroll, CognosHR, Collage, Commonwealth Payroll & HR, ConnectPay, Crescent Payroll Solutions, DM Payroll Solutions, Deluxe, Dominion Payroll, Doyle, Eddy, EmPower HR, Emplicity, Employdrive, Employer Flexible, ACME, Inc., Engage PEO, Everee, Evolution Payroll Services, Excel Resources, Flock, FullStack PEO, G&A Partners, GTM Payroll Services Evolution, GTM Payroll Services iSolved, Goco, HRO, HROne, Heartland, Hibob, Highflyer HR, Hubstaff, Humaans, Humi, INFINITI HR, Infor, Insperity, Iris HR, Justworks, Kenjo, Keystone Payroll iSolved, MPAY, Namely, NaturalHR, Netchex, Newtek, Nextep, Oasis, OnPay, OneSource Payroll, Opolis, Oracle PeopleSoft, PCS HCM, Panther, Paragon Payroll iSolved, Patriot, PayFit, PayNorthwest, PayPro HCS iSolved, PayUSA, Paychex, Paycom, Paycor, Payday Workforce Solutions, Paylocity, Payroll Network, Payroll Office of America, Payroll Plus HCM Evolution, Payroll Plus HCM iSolved, Payroll Solutions, People Lease, PeopleForce, PeopleHum, Platinum Group, PrestigePEO, PrimePay, PrismHR, Proliant, PropelHR, Proxus HR iSolved, QuickBooks, RMI PEO, Remote, SAP SuccessFactors, Sage 50 Quantum Accounting, Sage 50 US Edition Accounting, Sage Payroll, Sapling, Savant HCM Evolution, Sequoia One, Sheakley, Simploy, Skuad, SourceOne, Square Payroll, Strategic Payroll Solutions iSolved, SuitePeople (Oracle NetSuite), SurePayroll, SyncHR, ACME, Inc., Thread HCM, Toast Payroll, Trakstar, UKG Pro, UKG Ready, Velocity Global, VensureHR, Vfficient, Viewpoint HR Management Spectrum, Viewpoint HR Management Vista, Wagepoint, Wave Payroll, WebHR, Workday, Workforce Junction, Worklio, Workzoom, Wurk, Xenium HR, Xero, Zoho Payroll, greytHR, iSolved, mp, whirks

Merging and duplicates

If you accidentally merge personnel with the wrong person, or if you pick the wrong primary email, how can we fix?

• You can create a support ticket and our team will assist. Support@secureframe.com

Onboarding and offboarding

Can a customer modify which policies need to be accepted within the employee onboarding?

• Yes, you can use groups in personnel settings to apply appropriate groups to the policies page. If the IT policy is only associated with the IT group, only that group will need to acknowledge it.

Do all policies need to have users accept them? Or can they disable employee acceptance for policies not relevant to employee onboarding?

• All framework-specific policies need employee acceptance.

Does Secureframe offer accessibility functions for employee onboarding for those who may be imparied?

• Yes, Secureframe follows accessibility standard to ensure those in need can still comply with onboarding and compliance related tasks such as policy acceptance and training.

Does Secureframe Support employee onboarding in other languages?

• Yes. Employee onboarding is available in French, German, and Spanish. Users can update their language preference at any time using the language selector in the top right corner of the platform, allowing them to complete onboarding tasks and review required materials in their preferred language.

We are operationalizing our employee offboarding process including steps we take to ensure vendor access is appropriately removed. Can you give us any insight into the level of auditability we need for offboarding?

• Tickets and documentation (emails, checklists) of offboarding/termination for anyone losing system access (including vendors) is a best practice. Auditors will pick termination samples from a tracking spreadsheet and want to see termination tickets or evidence showing the person was removed from the system.

What does "reference name" mean in the employee onboarding process in Secureframe?

• The Reference Name typically refers to the professional or personal contact who can verify your employment history or experience. We recommend reaching out to your Manager or Secureframe Admin for additional details on what to enter here.

What kind of evidence is recommended/needed for offboarding?

• Screenshot of access being disabled, an exit checklist, or email.

What should I do if a Jira offboarding ticket fails only because it was closed late?

• You have two options:

  Ignore the failing result – If there is valid context (such as holidays), you can document the reason and choose to ignore the failure.

  Adjust your Jira SLA – If this occurs frequently, consider setting a higher SLA in Jira to account for delays in closing tickets, ensuring more accurate compliance tracking.

Why is my Jira offboarding test failing even though the user was offboarded?

• The test checks both that the user was offboarded and that the associated Jira ticket was closed within the SLA. If the Jira ticket stayed open beyond the SLA (e.g., due to holidays), the test will still show as failing, even if the user was offboarded on time.

Personnel program

A third-party connector was enabled in HubSpot and is now showing up as multiple personnel accounts in the platform. These accounts reappear after every HubSpot sync, so deleting them isn't a viable option. Are these accounts expected, and how should they be handled?

• Yes, this is expected behavior when a connector is enabled in HubSpot — it will generate service accounts that sync into the platform. Since deletion isn't persistent across syncs, the recommended solution is to set these accounts to "Non-personnel" in Secureframe. That user type is specifically intended for non-human accounts like app connectors and service accounts, so they won't count against personnel scope or trigger compliance tasks.

Are there summaries available for the different app access options in the Personnel settings?

• Here are the current tabs and summaries for the Personnel Page.

  Active: Lists all current employees and contractors; show onboarding status, training/policy progress, and device agent install state.

  Inactive: Contains former employees who’ve been offboarded; access revoked but retained for audit trace.

  Non‑personnel (aka Unlinked): Displays service accounts, auditors, or system emails—not actual personnel—used for scoped access and audit purposes.

  Onboarding (settings gear): Used to configure required steps—like Secureframe Agent install or Connected Training Tools—for new joins

Do we need to enable physical security controls for a company whose personnel are fully remote but have local Synology servers and CCTV cameras installed in customer classrooms?

• No. Physical security controls (CC6.4) apply to the entity's own facilities and the information assets under their direct physical control. Since this company is fully remote with no office or company-managed facilities, physical controls are out of scope. The fact that local servers exist at customer sites does not bring physical controls into scope for the company's SOC 2 audit. If scoping questions become complex during implementation, it's recommended to loop in the assigned auditor early to help formally declare scope.

Does meeting Requirement 5.4.1 also meet the requirement for providing personnel with security awareness training, and vice versa?

• Meeting this requirement for technical and automated controls to detect and protect personnel against phishing is not the same as Requirement 12.6.3.1 for security awareness training. Meeting this requirement does not also meet the requirement for providing personnel with security awareness training, and vice versa.

Generally speaking, should interns be added as personnel?

• If the interns have access to customer data, they should be in scope. In scope personnel are those with access to customer data or those who can impact production systems.

How can I open multiple tabs of policies or personnel records simultaneously?

• While you cannot "right click, open in new tab" most areas of the platform, you can open as many individual tabs of Secureframe and have multiple pages open at a time.

How can the goal of separating roles and functions be achieved in environments with limited personnel?

• With additional procedural controls that provide accountability.

How does Secureframe help with personnel compliance?

• It tracks training completion, documentation acknowledgments, background checks, and scoping of personnel to ensure only relevant employees are included in compliance efforts.

How does Secureframe improve efficiency in personnel compliance?

• It centralizes all compliance-related tracking, ensuring personnel activities are recorded, monitored, and maintained in a single platform.

How does Secureframe manage personnel compliance?

• It tracks training, policy acknowledgment, background checks, and scopes personnel based on compliance needs.

How is physical access to sensitive areas within the CDE for personnel controlled?

• Access is authorized and based on individual job function, access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination.

How often should personnel receive security awareness training?

• Personnel should receive security awareness training upon hire and at least once every 12 months.

How often should personnel responsible for responding to security incidents be trained?

• Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities.

How often should reviews be performed to confirm that personnel are performing their tasks in accordance with security policies and operational procedures?

• Reviews should be performed at least once every three months.

How often should software development personnel working on bespoke and custom software be trained?

• Software development personnel working on bespoke and custom software are trained at least once every 12 months.

How often should up-to-date PCI DSS and/or information security training be provided to personnel with PCI DSS compliance responsibilities?

• Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).

How should the frequency of periodic training for incident response personnel be determined?

• The frequency of periodic training for incident response personnel is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

I'm getting a “Something went wrong” error when trying to classify an account as non-personnel. What should I do?

• This error can sometimes occur when classifying unlinked or placeholder accounts, but the action may still go through.

  Here’s what to try:

  Try again or refresh the page:
  If you see the “Something went wrong” message, refresh the page—often the account has already been moved correctly despite the error.

  Use the 3-dot menu:
  From the Personnel or Unlinked tab, click the 3-dot menu next to the account and select “Mark as non-personnel.” This is the correct method for reclassifying the account.

  Use consistent placeholder emails:
  You can reuse a fictitious or placeholder email for multiple non-personnel accounts unless you need each one to be distinct. Use “Link to existing” if you want to consolidate them under one entry.

  Still not working?:
  If refreshing doesn’t resolve it or the account doesn’t move, contact Support. We can assist directly and escalate to Engineering if needed.

Is it normal for a merging personnel action to still be ongoing after starting it the previous day?

• No, that is not normal.

  Merging Users should be almost immediate.

  If you are still having issues, send us an email at support@secureframe.com with the user names in question and exactly who you were attempting to merge.

  We can attempt to merge for you and if we encounter the same issues its likely a bug we can report and get fixed.

Multi-factor authentication for business suite providers (Office 365) - why is this test failing for non-personnel?

• MFA should be enabled for all accounts, regardless of whether they belong to personnel or not, unless it’s not a true account.

We have contractors that aren't in our Google Workspace and use their own emails from their contracting company. How do we track these individuals in personnel?

• Use a CSV import to track contractors who are not in your system.

What are the challenges of managing personnel compliance manually?

• Tracking personnel compliance manually using spreadsheets or multiple tools makes it difficult to maintain consistency and organization.

What are the password requirements for human resources providers, and do these requirements apply to third-party HR providers?

• HIPAA does not prescribe specific password requirements like length or complexity, but does require organizations to implement reasonable and appropriate authentication controls under the Security Rule. These expectations also apply to third-party HR providers if they handle health-related data.

What can training personnel to recognize and report phishing emails allow?

• Training personnel to recognize and report phishing emails can allow similar emails to be identified and permit them to be removed before being opened.

What do these policies instruct personnel on?

• These policies instruct personnel on what they can and cannot do with company equipment and instruct personnel on correct and incorrect uses of company Internet and email resources.

What does the test "Password requirements for human resources providers" (AC-03-1) apply to? Does it cover third-party HR platforms, internal HR systems, or both?

• This test applies to both third-party HR providers and internal HR systems -- specifically any platform used to manage HR-related functions such as background checks and other SOC 2 HR scope items. The goal is to confirm that strong password complexity settings are enforced within those systems. To pass this test, provide evidence of the password policy or configuration settings directly from the HR platform(s) in use, showing that complexity requirements are enforced.

What is done to potential personnel who will have access to the CDE?

• Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.

What is personnel scoping?

• It is the process of determining which employees are in scope for compliance based on their roles and access to sensitive data.

What is Personnel, according to the PCI DSS Glossary of Terms?

• Full-time and part-time employees, temporary employees, contractors, and consultants with security responsibilities for protecting account data or that can impact the security of cardholder data and/or sensitive authentication data.

What mechanisms are required to be in place to protect personnel against phishing attacks?

• Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

What must personnel be aware of and acknowledge?

• ll personnel must be aware of and acknowledge their information security responsibilities.

What procedures are implemented for authorizing and managing physical access of personnel to the CDE?

• Identifying personnel, managing changes to an individual’s physical access requirements, revoking or terminating personnel identification, and limiting access to the identification process or system to authorized personnel.

What should a change- and tamper-detection mechanism alert personnel to?

• change- and tamper-detection mechanism should alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security- impacting HTTP headers and the script contents of payment pages as received by the consumer browser.

What should a change-detection mechanism alert personnel to?

• change-detection mechanism should alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.

What should be examined to verify that access to time data is restricted to only personnel with a business need?

• Examine system configurations and time- synchronization settings to verify that access to time data is restricted to only personnel with a business need.

What should be examined to verify that technical controls to prevent copy and/or relocation of PAN for all personnel, unless explicitly authorized are implemented?

• Examine configurations for remote-access technologies to verify that technical controls to prevent copy and/or relocation of PAN for all personnel, unless explicitly authorized.

What should be observed to verify that only personnel with documented, explicit authorization and a legitimate, defined business need have permission to copy and/or relocate PAN when using remote-access technologies?

• Observe processes and interview personnel to verify that only personnel with documented, explicit authorization and a legitimate, defined business need have permission to copy and/or relocate PAN when using remote- access technologies.

What should entities consider for key personnel?

• Entities should also consider transition and/or succession plans for these key personnel to avoid potential gaps in critical security activities.

What should personnel be aware of in the event of a failure?

• Personnel should be aware of their responsibilities in the event of a failure.

What should the training for software development personnel include?

• The training should include: On software security relevant to their job function and development languages; Including secure software design and secure coding techniques; and Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.

What software engineering techniques or other methods are defined and in use by software development personnel?

• Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws; Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data; Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation; Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client- side functionality, or other system/application functions and resources; Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms; and Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1.

What technologies can be deployed for blocking phishing emails and malware before they reach personnel?

• The deployment of technologies for blocking phishing emails and malware before they reach personnel, such as link scrubbers and server-side anti-malware, can reduce incidents and decrease the time required by personnel to check and report phishing attacks.

What training is provided for personnel in POI environments?

• Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices.

Who does "personnel" refer to for the purposes of Requirement 12?

• For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors, and consultants with security responsibilities for protecting account data or that can impact the security of cardholder data and/or sensitive authentication data.

Why do personnel responsible for PCI DSS compliance have specific training needs?

• Personnel responsible for PCI DSS compliance have specific training needs exceeding that which is typically provided by general security awareness training to enable them to perform their role.

Why do the Accounts Deprovisioned tests still fail after marking accounts as Non-Personnel?

• Marking accounts as Non-Personnel may not be sufficient on its own if the underlying vendor accounts are still active in the connected integration. The Accounts Deprovisioned test checks whether active vendor accounts are linked to inactive company users — so even if a company user is marked as Non-Personnel/inactive in Secureframe, the test will still fail if the corresponding account is syncing in as active. To resolve, customers can: (1) mark the company users as active Non-Personnel (rather than inactive) while the vendor accounts remain active, (2) unlink the vendor accounts from the Access page, (3) mark the exception with a justification note, or (4) deactivate the accounts directly in the integrated tool so they sync in as inactive.

Why is it important that all personnel involved in incident response are trained and knowledgeable about managing evidence for forensics and investigations?

• Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become “polluted” by inappropriate handling of the targeted systems. This can hinder the success of a post-incident investigation.

Why is it important to have specific personnel designated to be available on a 24/7 basis to respond to security incidents?

• n incident could occur at any time, therefore if a person who is trained in incident response and familiar with the entity’s plan is available when an incident is detected, the entity’s ability to correctly respond to the incident is increased.

Why is personnel compliance important?

• Employees and contractors must complete background checks, security training, and policy acknowledgments to ensure compliance.

Additional customer questions

How do I apply filters on the Personnel page?

• To apply filters on the Personnel page, first click the Filter button to open the side panel. Then, click Add filter and configure your desired filter clause. Once configured, click anywhere off the filter panel to automatically apply the filters and return to the table view.

Where can I find the user management section?

• User Management, also known as Personnel Management is located in the Secureframe left navigation under Personnel.

I don’t see if employees accepted policies. How do I assign policies so employees can accept them?

There are two parts to managing policy acknowledgements in Secureframe:

1. Tracking if employees accepted policies

You can confirm policy acknowledgements in several ways:

Personnel Page – Add the “Accepted Policies” column to see completion status.

Individual Personnel Details – Click a person’s name to view which policies they’ve accepted and the dates.

Tests Section – Each policy has an “Acknowledgement of [policy name]” test that shows who has/hasn’t acknowledged.

Data Room Export – Export a report of policy acceptance data.

If acknowledgements show “none” even though employees accepted, this usually means the “Require employee acceptance” checkbox wasn’t selected when publishing the policy. Once enabled, acknowledgements will backfill correctly.

2. Assigning policies so employees can accept them

To make policies available for employee acknowledgement:

Navigate to the Policies page and select the policy.

In the right-hand panel, use the Policy Groups dropdown to assign the policy to the relevant groups (e.g., Employees, New Hires).

Check the box for those groups.

Enable “Require employee acceptance”.

Save and publish the policy.

Each policy must have at least one group assigned. Only users in those groups will see the policy during onboarding and be able to review and accept it.

[Overview of the Policies Page](https://support.secureframe.com/hc/en-us/articles/38313677781395-Overview-of-the-Policies-Page)

Customer wants to add employee who is from a different domain to Secureframe

You can upload a CSV file to add employees to Secureframe by following the format in the "Add Employees" page.

Do employees need to sign a separate confidentiality agreement, or is including the clause in their employment contract sufficient?

A separate confidentiality agreement is not required if the confidentiality clause is already included in the employment contract that the employee signs. The key requirement is that the confidentiality obligation is clearly documented and acknowledged by the employee through their contract.

If your organization prefers to use a standalone confidentiality agreement (sometimes called an NDA), you may do so, but it is not mandatory as long as the clause is covered in signed contracts. Secureframe does not currently provide a confidentiality agreement template.

How can employees be removed from receiving sales emails?

Yes, of course.

Please email your direct CSM or reach our entire Customer Success Team at success@secureframe.com with the names of the specific users you want removed and we can adjust our mailing list.

We have a few employees on long leave, maternity, and their Policies and Training are not complete. What's the best way to handle those in Secureframe?

You can go into the tests for those employees and ignore the results for now. They will need to review the policies and training when they return from their leave.

What should a relocating employee select as their “Country of Residence” if they’re moving to the U.S. but are currently abroad?

If the employee is relocating to the U.S. and your internal policy requires U.S.-based employees to complete a background check, we recommend the following:

Select "United States" as their country of residence if they will be based in the U.S. long term. This will ensure that the background check is triggered automatically within Secureframe.

If the employee is still temporarily working from another country (e.g., Canada or China) and background checks are not yet required, they can select their current location and your team can initiate the background check separately outside of Secureframe when the relocation is finalized.

Best Practice: If you know the employee will be working in the U.S. long term, it's typically best to select United States to meet compliance requirements and avoid extra manual steps.

Why are my inactive employees showing under Add Employees?

SOC 2 requires maintaining an off-boarded employee list. Secureframe pulls users from connected services. Inactive employees should be marked as inactive in Secureframe once deactivated from the service.

A customer's ADP integration via Finch shows as "pending" in Secureframe even though Finch reports data is returning successfully. What should be done?

First, confirm what HTTP status Finch is returning on /employer/directory for the connection — a 202 status indicates the data is still being processed, while 200 means it's ready. 

If the connection appears stalled in a pending state, retriggering a sync on the Secureframe side will usually resolve it and move the integration out of pending status. Support@secureframe.com can assist with retriggering.