7 Jul 2023

Securing business spend: Our security features and certifications

A Look At Payhawk's Powerful Security Features & Certifications
Quick summary

Did you know that financial data is one of the most sought-after targets for cybercriminals? In fact, the finance industry currently holds the number one spot as the industry most targeted by threat actors. With the ongoing rise of digital transactions, security must become a top concern for finance and accounting professionals. That's why choosing a secure business spend management solution like Payhawk is crucial for businesses.

    Why security is important for your finance and accounting team

    Finance and accounting professionals are responsible for managing their company's financial data, including sensitive information such as bank account details, card numbers and transaction records. A single data breach can lead to significant financial loss, reputational damage and legal exposure. It is therefore crucial for finance and accounting teams to choose a secure solution that protects their company's financial data from cyber threats.

    Moreover, controllers and CFOs have a legal obligation to ensure the security of their company's financial data. The General Data Protection Regulation (GDPR) and other data protection laws require businesses to implement appropriate technical and organisational measures to protect personal data (Article 32 of the GDPR). Failure to comply can result in hefty fines and serious legal consequences.

    We keep our security standards high

    We understand that every finance team needs to manage their spend efficiently while ensuring the security and confidentiality of their financial data. That's why we have implemented robust security measures to protect your financial data from malicious cyber threats.

    Stay safe with robust security measures

    A glance into certification & compliance at Payhawk:

    PCI DSS Compliant
    Also known as the Payment Card Industry Data Security Standard, PCI DSS is a set of security requirements for the safe handling of payment card data. Compliance is contractually required by the major card brands (Visa, Mastercard, American Express, Discover and JCB) of every organisation that stores, processes or transmits cardholder data: not only merchants that accept card payments, but also the service providers that handle that data on their behalf.

    The main goal of PCI DSS is to protect cardholder data from theft and fraud by establishing a set of requirements that in-scope organisations must follow. These cover six areas: building and maintaining a secure network, protecting stored and transmitted cardholder data, maintaining a vulnerability management programme, implementing strong access controls, regularly monitoring and testing networks, and maintaining an information security policy.

    Compliance must be validated every year. Depending on the organisation's role and transaction volume, that means either completing a Self-Assessment Questionnaire (SAQ) or undergoing an on-site assessment by a Qualified Security Assessor (QSA) that results in a Report on Compliance, and in most cases also passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
    Compliance with PCI DSS is very important to us. Our platform is PCI DSS compliant: cardholder data is protected wherever we store, process or transmit it, and we undergo regular security audits and vulnerability scans to keep it that way.

    ISO 27001 certified
    We’re also proud to be ISO 27001 certified. This certification demonstrates our commitment to maintaining a high level of information security for our customers. ISO/IEC 27001 is the international standard that specifies the requirements for establishing, operating and continually improving an information security management system (ISMS). It was first published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, and revised in 2013 and, most recently, in 2022.

    To become ISO 27001 certified, an organisation must pass a rigorous audit by an accredited certification body. The audit reviews the organisation's information security policies, procedures, risk assessment and controls (including the controls it has selected from Annex A) against the requirements of the standard. Certification is then maintained through annual surveillance audits and a full recertification audit every three years.

    SOC 2 Type 2 compliant
    Only about a tenth of expense management solution providers on the market have obtained their SOC 2 Type 2 reports. And we are pleased to report that we have now obtained our own SOC 2 Type 2 report. SOC 2 is one of the most widely recognised frameworks for reporting on the controls a service organisation operates over the systems that process customer data. A Type 1 report gives an auditor's opinion on the design of those controls at a single point in time; a Type 2 report also tests whether they operated effectively over a review period, typically six to twelve months, which is why it carries more weight.

    It’s a voluntary attestation framework developed by the American Institute of Certified Public Accountants (AICPA) that specifies how service organisations should manage customer data. It is based on the Trust Services Criteria, which cover five categories: security, availability, processing integrity, confidentiality and privacy.

    Each SOC 2 report is tailored to the organisation being assessed. Depending on its business practices, an organisation selects which of the five categories are in scope (security is always included) and designs controls to meet them. An independent auditor then evaluates whether those controls are suitably designed and, in a Type 2 report, whether they operated effectively throughout the review period.

    GDPR compliance

    • What is the GDPR?

    The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679, is an EU data protection law adopted on 27 April 2016 that has applied since 25 May 2018. It replaced the Data Protection Directive of 1995 (Directive 95/46/EC) and significantly changed how personal data is processed within the EU. In the United Kingdom, the equivalent regime is the UK GDPR, the version of the regulation retained in domestic law after the UK left the European Union, read together with the Data Protection Act 2018 (DPA 2018), which supplements it with UK-specific provisions.

    • What is Payhawk’s approach to GDPR compliance?

    As a growing fintech company, Payhawk is committed to processing the personal data of its users in a secure, lawful and transparent manner, in compliance with the GDPR. Payhawk does not tolerate any behaviour, whether by its employees, contractors or agents, that in any way violates the requirements of the GDPR.

    • How does Payhawk secure personal data?

    Payhawk has implemented technical measures to protect the integrity and confidentiality of the personal data we process. As a minimum, personal data is encrypted both at rest and in transit, using the industry-standard AES-256 cipher.

    • Where does Payhawk store personal data?
    Personal data processed by Payhawk is stored on Amazon Web Services (AWS) and Google Cloud Platform (GCP) servers located within the EU. More specifically, the personal data of German users is stored on our cloud servers in Germany, whereas the personal data of other EU users is stored on our servers in Belgium.

    Comprehensive security features

    Two-factor authentication & single sign-on (Google): Two-factor authentication requires users to present two independent factors to access their account, typically a password plus a one-time code generated by an authenticator app or sent to their phone or email. It stops a stolen or guessed password from being enough on its own; an app-generated code is the stronger option, because a code sent over SMS or email can also be read by an attacker who has taken over the phone number or mailbox. Single sign-on (SSO) lets users access multiple applications with one set of credentials managed by their identity provider, here Google, so there are fewer passwords to remember and reuse, and access can be revoked centrally when someone leaves the company.
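    To make the second factor concrete: the code an authenticator app displays is a TOTP value (RFC 6238), and the server can verify it with nothing more than the shared secret and its clock. The following is an added example written for this article, not Payhawk's own code. It assumes the RFC defaults (HMAC-SHA1, 30-second steps, 6 digits), tolerates one step of clock skew in either direction, and refuses any step at or before the last accepted one, so a code that was phished seconds ago cannot be replayed within its window. The secret used in main() is the RFC 6238 reference secret, chosen so the output can be checked against the RFC's test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// TOTP parameters per RFC 6238 defaults: 30-second time step, 6-digit codes.
const (
	totpStep   = 30 * time.Second
	totpDigits = 6
)

// hotp computes the RFC 4226 HOTP value for a counter: HMAC-SHA1 over the
// big-endian counter, dynamic truncation to 31 bits, then modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totpCounter maps a point in time onto the TOTP step counter T = floor(unix / step).
func totpCounter(t time.Time) uint64 {
	return uint64(t.Unix()) / uint64(totpStep/time.Second)
}

// TOTPVerifier is the per-user state a server keeps: the secret shared at
// enrolment and the step of the last code it accepted, for replay protection.
type TOTPVerifier struct {
	Secret   []byte
	LastUsed uint64 // step counter of the most recently accepted code (0 = none yet)
}

// Verify checks a submitted code against the current step and one step either
// side (clock skew), compares in constant time, and rejects any step at or
// before the last accepted one so a single code can only ever be used once.
func (v *TOTPVerifier) Verify(code string, now time.Time) bool {
	cur := int64(totpCounter(now))
	for delta := int64(-1); delta <= 1; delta++ {
		step := cur + delta
		if step < 0 {
			continue
		}
		c := uint64(step)
		if c <= v.LastUsed {
			continue // this step (or an earlier one) was already consumed: replay
		}
		expected := hotp(v.Secret, c, totpDigits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.LastUsed = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the RFC 6238 reference secret, as shared at enrolment.
	v := &TOTPVerifier{Secret: []byte("12345678901234567890")}
	now := time.Unix(1111111111, 0)
	code := hotp(v.Secret, totpCounter(now), totpDigits)
	fmt.Println("code shown by the app:", code)
	fmt.Println("first use accepted:   ", v.Verify(code, now))
	fmt.Println("replay accepted:      ", v.Verify(code, now.Add(5*time.Second)))
	fmt.Println("wrong code accepted:  ", v.Verify("000000", now))
}
```

    The replay check is the part most home-grown implementations skip, and it matters: without it a code captured by a phishing page stays valid for the remainder of its 30-second window plus the skew allowance. With the digit count set to 8, hotp reproduces the RFC 6238 Appendix B vectors (for example T=59 gives 94287082).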

    Card blocking: Users can block a card instantly if they suspect fraudulent activity or if the card is lost or stolen. This stops further unauthorised transactions and limits the financial loss to the company.

    Custom spend limits & workflows: Organisations can set specific spending limits and approval workflows for different users, teams or departments. This prevents overspending and ensures that every expense is properly authorised and accounted for.

    In-house security teams: A dedicated internal security team protects user accounts and data by monitoring for threats, responding to incidents and driving security best practices across the company.

    Vulnerability scanning: Regular scans of our systems and applications identify weaknesses, such as unpatched components or insecure configurations, so that we can fix them before an attacker finds them.

    DoS mitigation: Denial-of-service mitigation filters or absorbs malicious traffic so that the platform stays available during an attack, and alerts us early so we can respond.

    Threat detection: Internal detection mechanisms alert us to suspicious activity so that we can identify and respond to potential security breaches quickly.

    At Payhawk, we offer all of these security features to protect our customers' accounts and data. Our in-house security team regularly reviews and updates our security measures to prevent and mitigate potential threats and to maintain the highest standards of data security and privacy.

    ‘Threat-proof’ encryption technology

    End-to-end encryption, strictly speaking, means that data is encrypted on the sender's device and can only be decrypted on the recipient's, so that no intermediary, including the service operator, ever holds the keys. In practice, what protects data in a spend management platform is encryption along its whole path: it is encrypted in transit between your browser or phone and our servers, so an eavesdropper on the network sees only ciphertext, and it is encrypted again at rest, so a copy of the stored data on its own, without the keys, is useless to a thief.

    It is important to note that no technology is completely "hack-proof": a determined threat actor may find a vulnerability in any system, and encryption only protects data whose keys are themselves kept out of reach. It remains, however, one of the most effective controls for keeping sensitive data away from unauthorised access.

    We encrypt our customers' sensitive data, such as card numbers and personal information, at every stage: in transit and at rest.
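    What "encrypted at rest" should look like in code, as an added example for this article and not a description of Payhawk's implementation: a sensitive field is sealed with AES-256-GCM, an authenticated mode, so that a stored ciphertext cannot be altered, nor quietly copied into another record, without decryption failing. The record identifier used as associated data, the sample card number and the in-process key generation are assumptions for illustration; a real deployment would fetch the key from a KMS or HSM and rotate it, rather than create it beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is the blob written to the database: a random 96-bit nonce followed
// by the GCM ciphertext and its 16-byte authentication tag.
type Sealed []byte

// NewDataKey draws a fresh 256-bit key from the OS CSPRNG. In production the
// key lives in a KMS/HSM, never in the same store as the data it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Seal encrypts one sensitive field (e.g. a card PAN) under AES-256-GCM.
// recordID is passed as additional authenticated data: it is not encrypted,
// but the tag covers it, so the ciphertext is bound to exactly this record.
func Seal(key []byte, recordID string, plaintext []byte) (Sealed, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must be unique per message under this key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, so the blob is self-describing.
	return Sealed(gcm.Seal(nonce, nonce, plaintext, []byte(recordID))), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or recordID
// makes the tag check fail and no plaintext is released.
func Open(key []byte, recordID string, sealed Sealed) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a well-known test card number stored against record "card-42".
	pan := []byte("4111111111111111")
	sealed, err := Seal(key, "card-42", pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %x\n", sealed)

	got, err := Open(key, "card-42", sealed)
	fmt.Printf("correct record: %q err=%v\n", got, err)

	// Copy the ciphertext onto a different record: the AAD no longer matches.
	_, err = Open(key, "card-43", sealed)
	fmt.Println("swapped record:", err)

	// Flip one ciphertext byte: the tag check fails.
	tampered := append(Sealed(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "card-42", tampered)
	fmt.Println("tampered blob:", err)
}
```

    Two details carry most of the security value here: the random nonce, which makes two encryptions of the same card number produce different blobs so an attacker cannot tell which customers share a card, and the record identifier in the associated data, which turns a "move this ciphertext to my own account" attack into a decryption error.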

    Commitment to data protection and privacy

    Third-Party security
    Third-party security is a critical aspect of our commitment to data protection and privacy. We work with trusted third-party vendors and service providers who share our commitment to security and privacy. We conduct regular security assessments and due diligence on our vendors to ensure that they meet our high standards for security and privacy.

    Responsible disclosure
    Our commitment to data protection and privacy goes beyond just protecting data. We also encourage security researchers to report any potential security vulnerabilities or issues they discover in our systems or applications through our responsible disclosure program. We take all reports seriously and work quickly to address any identified issues to ensure the continued security and protection of our customers' data.

    The ultimate solution for your peace of mind: Takeaways

    Security is truly not an option but a necessity for finance and accounting professionals. It’s not a one-time effort, but a continuous process. At Payhawk, we constantly monitor our platform and update our security measures to stay ahead of emerging threats. We provide the highest standards of security and data quality for finance and accounting teams to ensure the safety and confidentiality of their financial data.

    Business spend and security should always go hand in hand. Ready to experience the ultimate security solution your finance team can count on? Schedule a demo today.

    Nerissa Goedhart
    Content Manager

    In her role as Content Manager, Nerissa Goedhart pursues her passion for sharing valuable insights and solutions through engaging content, with a clear mission to assist and empower businesses in the region by elevating their expense management.
