Security
Last updated: March 2026
Expensio handles your personal and financial data, so we take security seriously. This page explains the measures we have in place to keep your information safe.
If you believe you have found a security vulnerability, please see the responsible disclosure section at the bottom of this page.
Data Encryption
All data transmitted between your browser and Expensio is encrypted in transit using HTTPS (TLS). We do not allow unencrypted HTTP connections.
Personal data stored in our database — including your email address, phone number, postal address, and postcode — is encrypted at the field level. This means your sensitive details are protected even in the unlikely event of unauthorised database access.
Password Security
Passwords are never stored in plain text. We use strong one-way hashing with a unique cryptographic salt per user. This means your password cannot be reversed, recovered, or read — not even by us.
We will never ask you for your password. If you receive any message claiming to be from Expensio and asking for your password, please treat it as fraudulent and contact us immediately.
Session Management
Authentication tokens are stored in HTTP-only cookies, which means they cannot be accessed by JavaScript running in the browser. This protects against cross-site scripting (XSS) attacks attempting to steal your session.
- Cookies are set with the SameSite and Secure flags: SameSite helps prevent cross-site request forgery (CSRF), and Secure ensures the cookie is only ever sent over HTTPS.
- Sessions are invalidated immediately upon logout.
- New accounts have a 7-day activation window. If email verification is not completed within that time, the account and all associated data are automatically and permanently deleted.
File Handling
When you upload a CSV file for import, it is handled with care:
- Uploaded files are immediately renamed to a cryptographic hash, so the stored name reveals nothing about the original filename or who uploaded it.
- Files are stored securely and are only accessible to the processing system — not publicly.
- Once a file has been processed and is no longer required, it is permanently deleted from our servers.
Infrastructure
Expensio is hosted on trusted, industry-leading cloud providers with strong security certifications:
- Hetzner — primary server infrastructure, based in Germany and Finland (EU). Strict data protection standards.
- DigitalOcean — additional compute and storage. SOC 2 Type II certified, GDPR compliant.
- Amazon Web Services (AWS) — cloud storage, file delivery, and transactional email. ISO 27001 and SOC 1/2/3 certified.
- Stripe — payment processing. PCI DSS Level 1 certified — the highest level of payment security. We do not store card details on our servers.
Access Controls
Access to your data within Expensio is strictly limited:
- Only senior-level engineers may access user data, and only when required for maintenance, debugging, or legal compliance.
- No one accesses your data out of curiosity or for any unauthorised reason.
- We do not share or sell your data to any third party, and we do not access it unless required by law.
- If we are legally required to disclose your data, we will notify you as soon as we are legally permitted to do so.
Data Breach Response
In the unlikely event of a data breach, we are committed to acting quickly and transparently:
- We will notify the relevant supervisory authority within 72 hours of becoming aware, as required by law.
- We will contact you directly if your personal data is at risk, without undue delay.
- We will tell you what happened, what data was affected, the likely consequences, and the steps we are taking to fix it.
Responsible Disclosure
We welcome responsible disclosure of any security vulnerabilities you discover in Expensio. If you believe you have found a security issue, please:
- Contact us by email at [email protected] before disclosing publicly.
- Give us a reasonable amount of time to investigate and fix the issue.
- Avoid accessing, modifying, or deleting data that does not belong to you.
- Do not perform denial of service attacks, spam, or social engineering as part of any testing.
Report a vulnerability
If you have discovered a potential security issue, please contact us responsibly before disclosing it publicly. We will acknowledge your report promptly and work with you to resolve it.
[email protected]
© 2026 Expensio. All rights reserved.