ExpensePlus GDPR Compliance

ExpensePlus employs comprehensive technical and organisational measures to ensure GDPR compliance, acting as the Data Processor for its customers (who are the Data Controllers).

Key safeguards include robust data security, features that empower data subjects' rights, and a clear legal framework.

ExpensePlus acts as a data processor. The customer remains the data controller and is ultimately responsible for their own compliance with GDPR.


Technical and Organisational Safeguards


Data Hosting and Security

Data is hosted in secure, Tier 3 UK data centres that use state-of-the-art security and meet some of the strictest industry security requirements, having achieved ISO 27001 certification.

Server access is limited to ExpensePlus employees - we never give our server passwords to anyone else, and therefore no one else even comes close to your data.

ExpensePlus is backed up daily and protected by 24/7 physical access control, fire suppression and redundant power systems that guard against power failure.


Encryption

Connections to the servers use industry-standard TLS (Transport Layer Security) encryption, ensuring data is secure in transit. All personally identifiable information (PII) is encrypted at rest.


Access Control

Access to production servers is limited to a small number of authorised ExpensePlus senior employees, and all access is logged and closely monitored.

Customers are encouraged to use the "principle of least privilege" to restrict user access within their own organisation.


User Authentication

Users are encouraged to use strong, machine-created passwords and can enable multi-factor authentication (MFA) for added security.


Auditing and Monitoring

The system undergoes annual penetration testing by a CREST approved organisation and uses weekly automated security scanning software to check for vulnerabilities.


Data Breach Policy

ExpensePlus has policies and procedures in place to handle potential security breaches and will notify data subjects, third parties, and applicable regulators as required by law.


Data Segregation and Backups

Each customer account has its own segregated database. Backups are performed daily and stored in separate secure locations to ensure data safety and availability.

