Deep Dive: Our commitment to GDPR

Matt Moore (Expensify Team)
edited December 2019 in Deep Dives

At Expensify, we are committed to being transparent with our customers regarding our privacy practices and compliance with European Union (EU) privacy regulations. We value your trust and are dedicated to protecting your privacy.

Our commitment to protecting the privacy of our customers’ data includes:

  • Being active participants in the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks
  • Undergoing an annual SSAE-16 SOC 1 Type 2 audit by qualified, independent third-party auditors
  • Maintaining PCI-DSS compliance
  • Leveraging third-party experts to conduct annual penetration tests
  • Subjecting all employees and contractors to background checks (refreshed annually), non-disclosure agreements and ongoing security and privacy training

What is GDPR?

The General Data Protection Regulation (GDPR), proposed by the European Commission, strengthens and unifies data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU. The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they handle EU citizens’ personal data. The compliance deadline for GDPR was May 25, 2018.

Preparing for the GDPR

We have been working hard to ensure compliance with GDPR ahead of the deadline. Below are some of the things we revised in light of GDPR:

  1. We have strengthened our security infrastructure and have reviewed our data privacy policies in anticipation of GDPR
  2. We have appointed a dedicated Data Protection Officer, who can be reached via email at [email protected]
  3. We have signed Data Processing Addendums (DPAs) with all of our vendors to ensure the onward transfer of your data is safe
  4. We have published details regarding the sub-processors we use here.
  5. We maintain E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield certification for international data transfers
  6. We have a Data Processing Addendum here, that sets out terms for us to meet our GDPR requirements with our customers
  7. We provide tools for users to export their data, manage their preferences and close their account on their own, at any time, in product

Disclaimer

The content on this page is provided for informational purposes only and the information shared here is not meant to serve as legal advice. You should work with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you.
