Enterprise-grade security

Your data is safe with SpendGenie

We take security seriously at every layer — from the infrastructure we run on to the policies your team operates within. Your financial data is protected by enterprise-grade controls.

SOC 2 Type II · GDPR Compliant · ISO 27001 · 256-bit Encryption

Certifications & compliance

Independently verified security

Certified

SOC 2 Type II

Independently audited by a third-party audit firm. A Type II report attests that our security controls are designed appropriately and operated effectively over the audit period, not just at a single point in time.

Compliant

GDPR Compliant

Fully compliant with EU General Data Protection Regulation. We process personal data lawfully, transparently, and with user rights respected.

Certified

ISO 27001

Our information security management system meets the international standard for systematic risk management and ongoing security improvement.

Compliant

PCI DSS

Payment data is processed in accordance with the Payment Card Industry Data Security Standard (PCI DSS). We never store raw card numbers.

Security at every layer

Data Encryption

  • AES-256 encryption for all data at rest
  • TLS 1.3 for all data in transit
  • End-to-end encryption for sensitive fields
  • Encrypted backups stored in multiple regions
  • Keys managed via AWS KMS with automated rotation

Access Control

  • Role-based access control (RBAC) for all users
  • Multi-factor authentication (MFA) required
  • SSO / SAML 2.0 support for Business plans
  • Session timeout and token expiry controls
  • Principle of least privilege across all systems

Infrastructure Security

  • Hosted on AWS with enterprise security configuration
  • Data residency in UK/EU regions by default
  • Network isolation with private VPC and strict firewall rules
  • Automated vulnerability scanning and patching
  • 99.9% uptime SLA with failover and redundancy

Monitoring & Response

  • 24/7 security monitoring and anomaly detection
  • Full audit logs for every access and action
  • Automated intrusion detection and alerting
  • Incident response plan with defined escalation paths
  • Annual third-party penetration testing

How we handle your data

Data residency

All customer data is stored within UK/EU regions by default. We do not transfer data outside these regions without explicit consent.

Data retention

You control your data retention. Export or delete your data at any time. On cancellation, data is retained for 30 days and then permanently deleted.

No data selling

We will never sell, rent, or share your expense data with third parties for advertising or any non-service purpose.

Breach notification

In the event of a security incident affecting your data, we will notify you without undue delay and no later than 72 hours after becoming aware of it, so that you can meet your own notification obligations under GDPR (Articles 33 and 34).

Responsible disclosure

We take vulnerability reports seriously. If you discover a security issue in SpendGenie, please report it responsibly at:

security@spendgenie.com

We acknowledge all reports within 48 hours and provide regular updates on remediation status.

99.9% uptime SLA
72 hrs maximum breach notification
Zero data breaches in our history
Annual third-party penetration testing

Security questions? We're here.

Our security team is available to answer any questions from your IT or compliance team.