// Trust & Security Report

    Expensify, Inc. logo

    Expensify, Inc.

    Spend management, expense reporting, corporate cards, travel, bill pay, payroll

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1 Type 2
    HELD

    SOC 1 Type 2 Report [listed as downloadable report in Trust Center Reports section; annual audit by qualified independent third-party auditors confirmed]

    Verify on trust.expensify.com
    SOC 2 Type 2
    HELD

    Undergoing annual SOC 1 Type 2 and SOC 2 Type 2 audits by qualified, independent third-party auditors

    Verify on help.expensify.com
    PCI DSS 4.0.1
    HELD

    PCI DSS 4.0.1 [listed under Compliance section of Trust Center; geographically redundant, PCI-compliant data center architecture confirmed]

    Verify on trust.expensify.com
    GDPR
    HELD

    GDPR [listed as COMPLIANT in Trust Center compliance section; EU-U.S. Data Privacy Framework and Standard Contractual Clauses in place for EEA transfers]

    Verify on trust.expensify.com
    CCPA
    HELD

    CCPA COMPLIANT [explicitly listed in Trust Center Compliance section with detailed California rights provisions in Privacy Policy]

    Verify on trust.expensify.com
    Digital Operational Resilience Act (DORA)
    HELD

    Digital Operational Resilience Act [listed in Trust Center compliance section; EU financial services clients may request supporting documentation]

    Verify on trust.expensify.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED
    HIPAA
    NOT CONFIRMED

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS primary infrastructure). EEA/UK data transfers covered by Standard Contractual Clauses and EU-U.S. Data Privacy Framework. No customer-selectable multi-region data residency found. UK/EEA card-related data handled by Transact Payments Malta Limited and Transact Payments Limited (Gibraltar FSC regulated).

    Expensify uses 'Concierge AI' for automated expense categorization and policy enforcement on user data. OpenAI L.L.C. is listed as a subprocessor but only for content moderation of member-generated community/chat posts to enforce Acceptable Use Policy. Privacy policy states: 'third party service providers such as OpenAI, L.L.C., to ensure compliance with our Acceptable Use Policy and Content Standards.' No evidence that customer expense data, receipts, or financial records are used to train any AI model. Mobile analytics software explicitly does not link to PII.

    // Security controls

    Encryption in transit

    HTTPS + TLS enforced for all web connections

    help.expensify.com

    Encryption at rest

    Dual-control key system: encryption key split into two parts stored in separate secure locations, managed by different employees

    help.expensify.com

    Cloud infrastructure

    Amazon Web Services (cloud infrastructure), Cloudflare (CDN and security), DocuSign (document management), GitHub (version control) - all listed as subprocessors

    trust.expensify.com

    Penetration testing

    Annual third-party penetration tests conducted by external experts

    help.expensify.com

    Bug bounty / vulnerability disclosure

    No formal bug bounty platform (HackerOne or Bugcrowd not confirmed). Responsible disclosure via security@expensify.com with PGP public key published at use.expensify.com/keys

    use.expensify.com

    Vulnerability monitoring

    Vulnerability and system monitoring procedures established; control self-assessments conducted

    trust.expensify.com

    Employee security

    Background checks for all employees and contractors, refreshed annually; NDAs required; ongoing security and privacy training mandatory

    help.expensify.com

    Endpoint management

    MDM system utilized; remote access encryption enforced

    trust.expensify.com

    Business continuity

    Continuity and Disaster Recovery plans established; Change management and Whistleblower policies in place

    trust.expensify.com

    Data governance

    Data retention procedures and data classification policy established; DPAs signed with all subprocessor vendors

    trust.expensify.com

    // Products & data scope

    Expensify Individual / FreePersonal expense tracking

    data: Personal expense data, receipt images, basic bank transaction data. Limited SmartScans per month on free tier.

    Free to use individually. No enterprise controls. Data handled under standard privacy policy.

    Expensify Collect ($5/member/month)SMB expense management

    data: Company expense data, receipts, ACH reimbursements, Expensify Card transactions, QuickBooks/Xero integration data

    Flat per-member billing regardless of activity. Includes unlimited SmartScans, ACH reimbursement, Expensify Card, and accounting integrations. SOC 2 and PCI DSS coverage applies.

    Expensify Control ($9/member/month)Enterprise expense management

    data: Enterprise financial data, expense reports, SAML/SSO identity data, NetSuite/Sage Intacct ERP integration, custom reporting

    Active-member billing model. Adds enterprise controls: SAML/SSO, multiple approval layers, advanced integrations. Full SOC 1/SOC 2/PCI DSS coverage. Enterprise agreements available via Statement of Work.

    Expensify Card (Visa Commercial Card)Corporate card program

    data: PCI-regulated cardholder data, credit card transactions, spend controls

    Issued by The Bancorp Bank, N.A. (US). EEA/UK cards issued by Transact Payments Malta Limited (MFSA regulated) and Transact Payments Limited (Gibraltar FSC regulated). PCI DSS 4.0.1 directly applicable.

    Expensify TravelBusiness travel management

    data: Travel booking data, traveler PII (name, dates, preferences), payment data

    Powered by Spotnana Technology Inc. (listed as subprocessor in Privacy Policy). Separate Travel Terms apply. Traveler data shared with Spotnana for booking fulfillment.

    Expensify PayrollPayroll processing

    data: SSN, EIN, bank routing/account numbers, tax withholding (dependents, filing status), employment data, government-issued IDs

    Highest sensitivity product. Subject to separate Payroll Terms. Collects SSN and financial identifiers. Requires additional DPA review for HR/payroll use cases. Separate subprocessors may apply.

    Expensify Bill Pay and InvoicingAccounts payable / receivable

    data: Vendor/client bank details, payment amounts, ACH transaction data, check printing data

    Members authorize ACH debits/credits from linked financial accounts. Check printing via third-party provider. Accuracy of bank details is user's responsibility.

    // What to watch

    • Payroll product collects SSN, EIN, bank routing numbers, and tax data - significantly higher sensitivity than core expense management. Warrants separate DPA and vendor review for payroll use cases.
    • OpenAI L.L.C. is a listed subprocessor for content moderation of member-generated chat/forum posts (not expense financial data). Verify if your deployment involves community features before sending data.
    • Spotnana Technology Inc. handles travel booking data as a subprocessor under separate Travel Terms. Assess independently if travel module is in scope.
    • No formal bug bounty platform (HackerOne or Bugcrowd) confirmed. Only email disclosure channel (security@expensify.com with PGP). Gap for a PCI-scoped financial product.
    • DORA listed on trust center but formal compliance certification vs. self-attestation not confirmed. EU financial services customers should request specific documentation.
    • No ISO 27001 certification despite enterprise positioning and PCI/SOC 2 program maturity.
    • McAfee SECURE referenced in older help docs - this program was discontinued and should be treated as legacy content, not a current certification.

    // At a glance

    Pricing model

    Freemium + per-user SaaS. Free individual tier (limited SmartScans). Collect: $5/member/month (all workspace members billed). Control: $9/member/month (active members only). Enterprise via Statement of Work with custom terms. UK: GBP 5/month; Australia: AUD 8/month; NZ: NZD 9/month.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Expensify, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.expensify.com

    > Browse all vendor trust reports