expensemanager recognises that the confidentiality, integrity, and reliability of our customers' data are important to their business operations and our own success. We use a multifaceted approach to protect that key information and we are constantly monitoring and improving our applications, systems, and processes.

expensemanagers’ IT infrastructure has been designed and is managed in accordance with industry best practices and the Payment Card Industry Data Security Standards (PCI DSS) requirements.

Industry Standard Security

Data Center Security: Our network and Information Technology resources are outsourced to Amazon Web Services (AWS). Amazon Web Services operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which our IT environment operates.

AWS is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, HIPAA, and SAS 70 Type II. The data centers have multiple layers of operational and physical security to ensure the integrity and safety of our data.

expensemanagers’ guest operating system, including updates and security patches, server and storage infrastructure, back up and security systems, and other associated application software are designed and managed in accordance with the Payment Card Industry Data Security Standards (PCI DSS) requirements.

Data transfer: Your data is transferred with high-grade TLS and multi-layered encryption at rest with AES-256. Encryption keys are stored separately from the data, and it’s all hosted in our secure cloud infrastructure.

Access control: All access to our database containing sensitive information is restricted through programmatic methods only.


Data in Transit: Communications between you and expensemanager are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS).

Data at Rest: All databases and archival data are fully encrypted utilizing advanced key-management and key-rotation systems.

Continuous Monitoring

Testing: expensemanager has a comprehensive program to regularly test security systems and processes, which includes: Internal and External Vulnerability scans and penetration testing as approved by the Payment Card Industry Security Standards Council.

Real-time Audit Log: We also keep a real-time audit log of all data access and changes made by administrators, customers, employees and our automated system.

High Availability Infrastructure

Redundancy: All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Recoverability: Data is replicated to multiple data centers to assure its recoverability in the event that an outage. We fully test our backup systems on a systematic basis to assure that the they are functional.

Network Security

Protection: Security is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others.

Architecture: Our network security architecture consists of multiple security zones of trust. Systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk.

Application Security

Testing: expensemanager uses advanced code testing tools to assure that our code meets OWASP standards.

IP Restrictions: expensemanager accounts are configured to only allow access from specific IP address.

Access Privileges and Roles: Access to data within expensemanager is governed by access rights, and can be configured to define granular access privileges.