// Trust & Security Report
Expensify, Inc.
Spend management, expense reporting, corporate cards, travel, bill pay, payroll
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.expensify.com“SOC 1 Type 2 Report [listed as downloadable report in Trust Center Reports section; annual audit by qualified independent third-party auditors confirmed]”
Verify on help.expensify.com“Undergoing annual SOC 1 Type 2 and SOC 2 Type 2 audits by qualified, independent third-party auditors”
Verify on trust.expensify.com“PCI DSS 4.0.1 [listed under Compliance section of Trust Center; geographically redundant, PCI-compliant data center architecture confirmed]”
Verify on trust.expensify.com“GDPR [listed as COMPLIANT in Trust Center compliance section; EU-U.S. Data Privacy Framework and Standard Contractual Clauses in place for EEA transfers]”
Verify on trust.expensify.com“CCPA COMPLIANT [explicitly listed in Trust Center Compliance section with detailed California rights provisions in Privacy Policy]”
Verify on trust.expensify.com“Digital Operational Resilience Act [listed in Trust Center compliance section; EU financial services clients may request supporting documentation]”
> Show 2 unconfirmed / not-held certifications
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS primary infrastructure). EEA/UK data transfers covered by Standard Contractual Clauses and EU-U.S. Data Privacy Framework. No customer-selectable multi-region data residency found. UK/EEA card-related data handled by Transact Payments Malta Limited and Transact Payments Limited (Gibraltar FSC regulated).
Expensify uses 'Concierge AI' for automated expense categorization and policy enforcement on user data. OpenAI L.L.C. is listed as a subprocessor but only for content moderation of member-generated community/chat posts to enforce Acceptable Use Policy. Privacy policy states: 'third party service providers such as OpenAI, L.L.C., to ensure compliance with our Acceptable Use Policy and Content Standards.' No evidence that customer expense data, receipts, or financial records are used to train any AI model. Mobile analytics software explicitly does not link to PII.
// Security controls
Encryption at rest
Dual-control key system: encryption key split into two parts stored in separate secure locations, managed by different employees
help.expensify.comCloud infrastructure
Amazon Web Services (cloud infrastructure), Cloudflare (CDN and security), DocuSign (document management), GitHub (version control) - all listed as subprocessors
trust.expensify.comPenetration testing
Annual third-party penetration tests conducted by external experts
help.expensify.comBug bounty / vulnerability disclosure
No formal bug bounty platform (HackerOne or Bugcrowd not confirmed). Responsible disclosure via security@expensify.com with PGP public key published at use.expensify.com/keys
use.expensify.comVulnerability monitoring
Vulnerability and system monitoring procedures established; control self-assessments conducted
trust.expensify.comEmployee security
Background checks for all employees and contractors, refreshed annually; NDAs required; ongoing security and privacy training mandatory
help.expensify.comBusiness continuity
Continuity and Disaster Recovery plans established; Change management and Whistleblower policies in place
trust.expensify.comData governance
Data retention procedures and data classification policy established; DPAs signed with all subprocessor vendors
trust.expensify.com// Products & data scope
data: Personal expense data, receipt images, basic bank transaction data. Limited SmartScans per month on free tier.
Free to use individually. No enterprise controls. Data handled under standard privacy policy.
data: Company expense data, receipts, ACH reimbursements, Expensify Card transactions, QuickBooks/Xero integration data
Flat per-member billing regardless of activity. Includes unlimited SmartScans, ACH reimbursement, Expensify Card, and accounting integrations. SOC 2 and PCI DSS coverage applies.
data: Enterprise financial data, expense reports, SAML/SSO identity data, NetSuite/Sage Intacct ERP integration, custom reporting
Active-member billing model. Adds enterprise controls: SAML/SSO, multiple approval layers, advanced integrations. Full SOC 1/SOC 2/PCI DSS coverage. Enterprise agreements available via Statement of Work.
data: PCI-regulated cardholder data, credit card transactions, spend controls
Issued by The Bancorp Bank, N.A. (US). EEA/UK cards issued by Transact Payments Malta Limited (MFSA regulated) and Transact Payments Limited (Gibraltar FSC regulated). PCI DSS 4.0.1 directly applicable.
data: Travel booking data, traveler PII (name, dates, preferences), payment data
Powered by Spotnana Technology Inc. (listed as subprocessor in Privacy Policy). Separate Travel Terms apply. Traveler data shared with Spotnana for booking fulfillment.
data: SSN, EIN, bank routing/account numbers, tax withholding (dependents, filing status), employment data, government-issued IDs
Highest sensitivity product. Subject to separate Payroll Terms. Collects SSN and financial identifiers. Requires additional DPA review for HR/payroll use cases. Separate subprocessors may apply.
data: Vendor/client bank details, payment amounts, ACH transaction data, check printing data
Members authorize ACH debits/credits from linked financial accounts. Check printing via third-party provider. Accuracy of bank details is user's responsibility.
// What to watch
- Payroll product collects SSN, EIN, bank routing numbers, and tax data - significantly higher sensitivity than core expense management. Warrants separate DPA and vendor review for payroll use cases.
- OpenAI L.L.C. is a listed subprocessor for content moderation of member-generated chat/forum posts (not expense financial data). Verify if your deployment involves community features before sending data.
- Spotnana Technology Inc. handles travel booking data as a subprocessor under separate Travel Terms. Assess independently if travel module is in scope.
- No formal bug bounty platform (HackerOne or Bugcrowd) confirmed. Only email disclosure channel (security@expensify.com with PGP). Gap for a PCI-scoped financial product.
- DORA listed on trust center but formal compliance certification vs. self-attestation not confirmed. EU financial services customers should request specific documentation.
- No ISO 27001 certification despite enterprise positioning and PCI/SOC 2 program maturity.
- McAfee SECURE referenced in older help docs - this program was discontinued and should be treated as legacy content, not a current certification.
// At a glance
Pricing model
Freemium + per-user SaaS. Free individual tier (limited SmartScans). Collect: $5/member/month (all workspace members billed). Control: $9/member/month (active members only). Enterprise via Statement of Work with custom terms. UK: GBP 5/month; Australia: AUD 8/month; NZ: NZD 9/month.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Expensify, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.expensify.com