Bank-level security procedures
At Payhawk, we built our expense management software with data privacy and security front of mind. Our bank-level security procedures comply with global and region-specific laws and ensure the safety of your data. Our procedures include the following:
All of the sensitive fintech data stored in our system is encrypted at rest, which means it's protected when any application or service is not using it. This protection includes all information collected during the sign-up process and any changes you make to your account settings or permissions later on.
The platform uses two-factor authentication (2FA), which requires a combination of two types of identification: something you know (such as a password) and something you have (such as a physical token). The 2FA method can be either SMS-based or email-based.
Password reset procedure
You get a unique password when you log in to the platform for the first time. You then use this password for all subsequent logins until an administrator changes it, if necessary.
We only store what is required to perform our services, and we don't collect any unnecessary personal information about users. We also ensure that any personal information we collect is relevant to our business purposes and necessary for providing outstanding customer service.
Security controls that protect your data
When it comes to your company's data security, you already know what's at stake. Keeping security controls up to date is essential. At Payhawk, we continue to analyze and improve our security controls to give you concrete assurance and confidence in the safety of our product.
We routinely update measures to protect your information from unauthorized access, loss, or misuse, including:
We have physical security measures to protect against unauthorized access, and only authorized personnel may access data on our servers and systems.
Our network architecture provides multiple layers of defense from the Internet, which is the most common point of entry for attackers. We monitor all traffic going into and out of our network for suspicious activity and block traffic if necessary. We also regularly audit logs for unusual activity to detect unauthorized attempts at gaining access or tampering with data.
We have also taken extensive precautions to protect all fintech data stored within our applications by deploying robust application security controls such as encryption, hashing, password policies, and monitoring tools that allow us to track sensitive events such as suspicious account logins that occur outside regular business hours.
General Data Protection Regulation (GDPR)
Ever since Regulation (EU) 2016/679 ("the GDPR") and its post-Brexit UK equivalent (the "UK GDPR") came into force, these regulations have imposed specific requirements on businesses that process personal data. Among other things, businesses are required to implement appropriate technical and organisational measures to safeguard the personal data they process against unauthorised access or other compromise, known as a "personal data breach".
As a solution that processes our customers' personal data, our platform is fully compliant with the GDPR and all other local data protection laws. We understand that businesses operating within EU member states must abide by these strict regulations to protect EU citizens' data and privacy, and that any failure to comply can result in hefty penalties and litigation.
What does this mean for you?
We're completely committed to helping our customers fulfil their obligations under the GDPR through our state-of-the-art software security infrastructure. In addition, we continually enhance our internal procedures to ensure that any personal data you provide us is handled responsibly.
At Payhawk, we don't treat data protection merely as a requirement to be met: our clients put their trust in us, and we live up to their expectations.
To ensure that personal data is processed in compliance with data protection regulations, we have also appointed a Data Protection Officer (DPO) who oversees our compliance with all aspects of the GDPR.
Should you have any questions about how Payhawk processes personal data, please do not hesitate to contact our Data Protection Officer, Mihail Yanev, at firstname.lastname@example.org.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS is a requirement for most vendors processing credit card transactions. Compliance indicates that an external audit firm has vetted the vendor and found it compliant with industry standards. The standard also requires merchants who accept credit cards online or via mobile devices to use encryption technology when transmitting complete magnetic-stripe data.
At Payhawk, we adhere to the Payment Card Industry Data Security Standard (PCI DSS), a set of rules that helps organisations protect customer information. Our platform is PCI Level 1 compliant, which means that all payment information is processed in an encrypted environment. We use various methods, including regular penetration testing and vulnerability assessments, to ensure our systems are secure. This testing can include the following:
● External scanning by third-party firms
● Internal vulnerability scanning using automated tools and manual testing
● Regular updates and patches from software vendors
Ongoing third-party security protocols
We take the security of our customers and their data very seriously. Our commitment to your privacy starts with our internal data protection practices, including ongoing third-party security protocols.
We validate the security of our vendors and ensure the safety of our API, data, and systems by implementing third-party security protocols. As part of this process, we have strict vendor onboarding procedures, which include a robust assessment of security controls and of compliance with industry standards (including ISO 27001 and related standards where appropriate).
At Payhawk, we continually monitor all of our suppliers to ensure that they continue to meet our requirements.
Our top security tips to keep data and employee accounts safe
To ensure the security of employee accounts and company data, here are the security tips that account administrators can implement:
Look out for phishing and social engineering
As a rule, Payhawk employees will never contact you asking for your card details, such as your card number, CVV code, SMS verification code, or password. Such requests are most likely fraudulent, and you should report them as soon as possible.
Check transactions regularly to confirm that your card hasn't been misused.
Create a culture of awareness within your company
Help your colleagues understand the dangers of fraud on the Internet. We should never have access to your credit card information. A card that has been exposed will be terminated for security reasons.
Implement strong authentication
You may use Google authentication or SAML with Payhawk (and ensure you manage your users' authentication method centrally). In addition, you can subscribe your domain to services like Have I Been Pwned (HIBP) to understand your password exposure.
Use the official Payhawk app and website to connect to your wallet
You can download the official Payhawk app from the Android and Apple stores and find our web portal for admins hosted on the same domain. If you discover alternative 'Payhawk' domains that aren't listed on our security page, they might be scams, and you should report them.
Keep devices up to date
No matter how careful you are, if you have a compromised phone, tablet, or laptop, someone may be able to access all of your applications and activity, including your wallet. Keeping your devices updated with appropriate protection will prevent this from happening.
Financial data security and Payhawk: Key takeaways
We all know how crucial security is and how important it is for businesses to maintain their data safely. In a world where cyberattacks are becoming more common, we want to ensure that your business expense management software is safe from data breaches.
At Payhawk, we make sure that we provide the highest level of financial data security for our customers; we use encryption technology, regular audits, and rigorous testing by external experts to keep all of our systems secure.
Fostering a culture of data security and awareness can go a long way in promoting safety within any organisation. Implementing periodic audits to discover and repair potentially vulnerable spots, and investing resources in cutting-edge cyber protection services, can help secure your networks for the future.
Enterprises tend to focus more on intelligent, automated expense tools than on finding robust systems that enhance financial data security. But this approach can only spell disaster, as there are many ways in which sensitive information can be compromised. At Payhawk, we're committed to ensuring that you're not sacrificing one for the other. Our unique solution is designed to efficiently automate your business's finance processes and empower your employees while still protecting your financial data.
Are you interested in seeing our safety protocols in action? Our expense management platform offers robust automated solutions your team will love, with data security as a priority. Book a demo today.