Deep Dive: Our commitment to GDPR

Matt Moore
edited September 2020 in Deep Dive Docs

At Expensify, we are committed to being transparent with our customers regarding our privacy practices and compliance with European Union (EU) privacy regulations. We value your trust and are dedicated to protecting your privacy.

Our commitment to protecting the privacy of our customers’ data includes:

  • Being active participants in the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks
  • Undergoing an annual SSAE-18 SOC 1 Type 2 audit by qualified, independent third-party auditors
  • Maintaining PCI-DSS compliance
  • Leveraging third-party experts to conduct annual penetration tests
  • Subjecting all employees and contractors to background checks (refreshed annually), non-disclosure agreements and ongoing security and privacy training

What is GDPR? 

The General Data Protection Regulation (GDPR), proposed by the European Commission, strengthens and unifies data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU. The GDPR applies not only to organisations located within the EU but also to organisations located outside of the EU if they handle EU citizens’ personal data. The compliance deadline for GDPR was May 25, 2018.

Preparing for the GDPR 

We have been working hard to ensure compliance with GDPR ahead of the deadline. Below are some of the things we revised in light of GDPR:

  1. We have strengthened our security infrastructure and have reviewed our data privacy policies in anticipation of GDPR
  2. We have appointed a dedicated Data Protection Officer, who can be reached via email at
  3. We have signed Data Processing Addendums (DPAs) with all of our vendors to ensure the onward transfer of your data is safe
  4. We have published details regarding the sub-processors we use here.
  5. We maintain E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield certification for international data transfers
  6. We have a Data Processing Addendum that sets out terms for us to meet our GDPR requirements with our customers; you can request this by messaging
  7. We provide tools for users to export their data, manage their preferences and close their account on their own, at any time, in the product.



The content on this page is provided for informational purposes only and the information shared here is not meant to serve as legal advice. You should work with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you.