Create Security.md #28352
Merged
@@ -0,0 +1,53 @@ | ||
--- | ||
title: Security | ||
description: Expensify prioritizes data security and maintains strict compliance standards to safeguard users' sensitive information. | ||
--- | ||
<!-- The lines above are required by Jekyll to process the .md file --> | ||
|
||
# Overview | ||
|
||
We take security seriously. Our measures align with what banks use to protect sensitive financial data. We regularly test and update our security to stay ahead of any threats. Plus, we're checked daily by McAfee for extra reassurance against hackers. You can verify our security strength below or on the <a href="https://www.trustedsite.com/verify?host=all.expensify.com&utm_campaign=mfes_redirect&utm_medium=referral&utm_source=mcafeesecure.com">McAfee SECURE site</a>. | ||
|
||
Discover how Expensify safeguards your information below! | ||
|
||
## The Gold Standard of Security | ||
|
||
Expensify follows the highest standard of security, known as the Payment Card Industry Data Security Standard. This standard is used by major companies like PayPal, Visa, and banks to protect online credit card information. It covers many aspects of how systems work together securely. You can learn more about it on the <a href="https://listings.pcisecuritystandards.org/pci_security/"> PCI-DSS website</a>. And, Expensify is also compliant with SSAE 16! | ||
|
||
|
||
## Data and Password Encryption | ||
|
||
When you press 'enter,' your data transforms into a secret code, making it super secure. This happens whether it's moving between your browser and our servers or within our server network. In tech talk, we use HTTPS+TLS for all web connections, ensuring your information is encrypted at every stage of the journey. This means your data is always protected! | ||
|
||
## Account Safety | ||
|
||
Protecting your data on our servers is our top priority. We've taken strong measures to ensure your data is safe when it travels between you and us and when it's stored on our servers. | ||
In our first year, we focused on creating a super-reliable, geographically redundant, and PCI compliant data center. This means your data stays safe, and our systems stay up and running. | ||
We use a dual-control key, which only our servers know about. This key is split into two parts and stored in separate secure places, managed by different Expensify employees. | ||
With this setup, sensitive data stays secure and can't be accessed outside our secure servers. | ||
|
||
## Our Commitment to GDPR | ||
|
||
The General Data Protection Regulation (GDPR), introduced by the European Commission, is a set of rules to strengthen and unify data protection for individuals in the European Union (EU). It also addresses the transfer of personal data outside the EU. This regulation applies not only to EU-based organizations but also to those outside the EU that handle the data of EU citizens. The compliance deadline for GDPR was May 25, 2018. | ||
|
||
Our commitment to protecting the privacy of our customer’s data includes: | ||
|
||
- Being active participants in the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks. | ||
- Undergoing annual SSAE-18 SOC 1 Type 2 audit by qualified, independent third-party auditors. | ||
- Maintaining PCI-DSS compliance. | ||
- Leveraging third-party experts to conduct yearly penetration tests. | ||
- All employees and contractors are subject to background checks (refreshed. annually), sign non-disclosure agreements, and are subject to ongoing security and privacy training. | ||
|
||
|
||
We have worked diligently to ensure we comply with GDPR. Here are some key changes we made: | ||
|
||
|
||
- **Enhanced Security and Data Privacy**: We've strengthened our security measures and carefully reviewed our privacy policies to align with GDPR requirements. | ||
- **Dedicated Data Protection Officer**: We've appointed a dedicated Data Protection Officer who can be reached at [privacy@expensify.com](mailto:privacy@expensify.com) for any privacy-related inquiries. | ||
- **Vendor Agreements**: We've signed Data Processing Addendums (DPAs) with all our vendors to ensure your data is handled safely during onward transfers. | ||
- **Transparency**: You can find details about the sub-processors we use on our website. | ||
- **Privacy Shield Certification**: We maintain certifications for the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, which help secure international data transfers. | ||
- **GDPR Compliance**: We have a Data Processing Addendum that outlines the terms to meet GDPR requirements. You can request a copy by contacting [concierge@expensify.com](mailto:concierge@expensify.com). | ||
- **User Control**: Our product tools allow users to export data, manage preferences, and close accounts anytime. | ||
|
||
**Disclaimer**: Please note that the information on this page is for informational purposes only and is not intended as legal advice. It's essential to consult with legal and professional counsel to understand how GDPR may apply to your specific situation. |
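Review bot: the SSAE reference is inconsistent within this hunk: the "Gold Standard" paragraph says "compliant with SSAE 16" while the GDPR list says "annual SSAE-18 SOC 1 Type 2 audit"; use the same standard in both places (SSAE 18 is the current one). Smaller fixes in the same hunk: "refreshed. annually" has a stray period, "our customer’s data" should be "our customers' data", and the PCI link has a leading space inside the anchor (`<a href="https://listings.pcisecuritystandards.org/pci_security/"> PCI-DSS website</a>`). The sentence "We use a dual-control key, which only our servers know about" is vague for a security page; say what the key protects (data at rest on the servers) and that no single employee holds both halves, which the following sentence already implies. Also confirm the destination path of this file: GitHub treats a SECURITY.md found in the repository root, `docs/`, or `.github/` as the repository's security policy, so a help-article file with this name in one of those locations would be surfaced as that policy.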