Encryption and Data Security


We take security seriously. Our measures align with what banks use to protect sensitive financial data. We regularly test and update our security to stay ahead of any threats. Plus, we’re checked daily by McAfee for extra reassurance against hackers. You can verify our security strength below or on the McAfee SECURE site.

Discover how Expensify safeguards your information below!

The Gold Standard of Security

Expensify follows the highest standard of security, known as the Payment Card Industry Data Security Standard. This standard is used by major companies like PayPal, Visa, and banks to protect online credit card information. It covers many aspects of how systems work together securely. You can learn more about it on the PCI-DSS website. And, Expensify is also compliant with SSAE 16!

Data and Password Encryption

When you press ‘enter,’ your data transforms into a secret code, making it super secure. This happens whether it’s moving between your browser and our servers or within our server network. In tech talk, we use HTTPS+TLS for all web connections, ensuring your information is encrypted at every stage of the journey. This means your data is always protected!

Account Safety

Protecting your data on our servers is our top priority. We’ve taken strong measures to ensure your data is safe when it travels between you and us and when it’s stored on our servers. In our first year, we focused on creating a super-reliable, geographically redundant, and PCI compliant data center. This means your data stays safe, and our systems stay up and running. We use a dual-control key, which only our servers know about. This key is split into two parts and stored in separate secure places, managed by different Expensify employees. With this setup, sensitive data stays secure and can’t be accessed outside our secure servers.

Our Commitment to GDPR

The General Data Protection Regulation (GDPR), introduced by the European Commission, is a set of rules to strengthen and unify data protection for individuals in the European Union (EU). It also addresses the transfer of personal data outside the EU. This regulation applies not only to EU-based organizations but also to those outside the EU that handle the data of EU citizens. The compliance deadline for GDPR was May 25, 2018.

Our commitment to protecting the privacy of our customer’s data includes:

  • Being active participants in the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks.
  • Undergoing annual SSAE-18 SOC 1 Type 2 audit by qualified, independent third-party auditors.
  • Maintaining PCI-DSS compliance.
  • Leveraging third-party experts to conduct yearly penetration tests.
  • All employees and contractors are subject to background checks (refreshed. annually), sign non-disclosure agreements, and are subject to ongoing security and privacy training.

We have worked diligently to ensure we comply with GDPR. Here are some key changes we made:

  • Enhanced Security and Data Privacy: We’ve strengthened our security measures and carefully reviewed our privacy policies to align with GDPR requirements.
  • Dedicated Data Protection Officer: We’ve appointed a dedicated Data Protection Officer who can be reached at privacy@expensify.com for any privacy-related inquiries.
  • Vendor Agreements: We’ve signed Data Processing Addendums (DPAs) with all our vendors to ensure your data is handled safely during onward transfers.
  • Transparency: You can find details about the sub-processors we use on our website.
  • Privacy Shield Certification: We maintain certifications for the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, which help secure international data transfers.
  • GDPR Compliance: We have a Data Processing Addendum that outlines the terms to meet GDPR requirements. You can request a copy by contacting concierge@expensify.com.
  • User Control: Our product tools allow users to export data, manage preferences, and close accounts anytime.

Disclaimer: Please note that the information on this page is for informational purposes only and is not intended as legal advice. It’s essential to consult with legal and professional counsel to understand how GDPR may apply to your specific situation.

Didn't find what you were looking for?

Concierge is here to answer all your questions.