GM, Kimberly
I think it boils down to service, data and delivery (e.g., on prem, externally hosted, CSP, use of subcontractors...), regardless of vendor category (HR, IT, etc.).
Many vendors outside of HR, such as gyms, may collect PII or PHI and payment data.
Data needs to be protected (e.g., PII, PHI, GDPR...) using controls aligned to the inherent risk, so these types of services require a deep dive. Certainly, you should consider reviewing SOC reports as well as other key assessments such as pentests...
Happy to chat, if you want.
Cheers, enjoy the weekend.