Navigation

Security

We use bank-level security to keep your sensitive financial data safe. We’re tested regularly to ensure our security measures are up to date, and even subscribe to daily probing by McAfee to make sure that we can defend against the latest hacker tactics. Our ability to defend against these attacks is proudly displayed below and can be checked directly on the McAfee SECURE site. Keep reading to find out the steps we take to keep your information protected.


The Gold Standard of Security

We take your security seriously and comply with the Payment Card Industry Data Security Standard. This comprehensive analysis that spans many aspects of how systems interact is the gold standard of security measures for anyone taking credit card information online. The same rigorous standard is used by PayPal, Visa and YOUR bank. For more information on its requirements, check out the PCI-DSS website.


Data and Password Encryption

Your data is encrypted the moment you press enter. This holds true for all communication between your internet browser and our servers, our servers and our partners, and all communications our servers do between themselves. If you want to get technical, we use HTTPS+TLS for all web connections and we use DSA/Blowfish for inter-datacenter communications.


Account Safety

Even more important than encrypting what is sent between you and our servers, however, is encrypting what is written to disk. For this, we spent the entire first year building a geo-redundant, PCI compliant datacenter that achieves amazingly high uptime.

In our case, we use a special type of encryption key called a split knowledge, dual-control key that is known by our servers and nobody else. This special key is split into two components, each of which is stored in a different secured location and managed by a different Expensify employee. The two parts are securely combined by our servers in memory when they’re booted up, and never written to disk. If a server is restarted or loses power, the key is wiped from memory and must be manually re-entered by both employees — much like on a nuclear launch panel.

With this setup our most sensitive data cannot be decrypted by anybody, not even ourselves, except within the very secure confines of our very hardened servers. Even in the worst case scenario of an elite squad of armed mercenaries physically stealing our servers, your information would be useless because it could not be decrypted by anyone.


Our Partners

We work with some of the most trusted and respected names in the financial industry. On top of our own protection, each partner put us through their own intensive security reviews. Only after passing each battery of tests and reviews were we able to get their support. Our partners shown below help us expand our service, and also stand as a testament to our commitment to keeping your data safe.