Part of our value proposition is that we handle the cross-border compliance. Since clients would ordinarily not have a legal entity in the jurisdiction where they hire through us, clients won’t ordinarily be subject to its applicable law. Even if you consider extraterritorial application of local law to foreign entities, it is extremely rare to see an extraterritorial application of data protection law solely based on hiring someone, with or without an EOR provider.
For example, even the GDPR doesn’t apply to our non-European clients, see e.g. example 15 in EDPB Guidelines on the territorial scope of the GDPR referred to above. If clients are offering their own services in the jurisdictions where they hire without having their own legal entity, clients should consider whether local data protection law applies them, without prejudice to whether or not they use our services.