Security and Privacy Compliance at Emburse - How we Safeguard your Data

June 7, 2024

7 min read

Colleen Carroll

Security and Privacy Compliance at Emburse - How we Safeguard your Data


In these days of heightened security risks, software companies must maximize their data protection capabilities. Emburse's Director of Security/Privacy Compliance explains the measures we take to keep our customers' data safe.

    Barely a week goes by without hearing of another organization whose security systems have been breached. This can take many forms, from ransomware that encrypts corporate data, to leaking customers’ personal information, to IP theft. Any one of these can have a catastrophic impact on a company’s financial and reputational wellbeing.

    Ensuring the security and privacy of customers’ information is vital to doing business. With the increase in the number and impact of cyber threats, along with new cyber and privacy regulations, data and systems must be protected. As a leader in expense and travel management software solutions, we recognize that our customers count on us to protect their data. Accurate and secure data processing is one of our top priorities and core to our service offerings.

    With over 20,000 customers across the world, we know it’s vital to be compliant with a broad range of global security requirements. Emburse complies with EU GDPR, UK GDPR, Canada PIPEDA, Australian Privacy Principles, California CCPA/CPRA, and other U.S. State comprehensive privacy laws. We have aligned our program to the internationally recognized ISO 27701 privacy standard and receive external certification. To achieve our security objectives, we are compliant with the leading security frameworks and standards including ISO 27001, PCI DSS, SOC 1, SOC 2, and NIST 800-53.

    Third-party risk management

    With the increased risk and demand for third-party risk management (TPRM), we understand the importance of our customers being able to perform timely due diligence on Emburse as a third party.

    From the 2023 EY Global Third-Party Risk Management Survey, there has been a significant increase in organizations investing in their TPRM programs over the last three years. 77% of organizations send between 101 to 350 questions on third-party control assessments. The largest domain in these assessments is related to cybersecurity and digital risks.

    To enable our customers to perform an efficient third party review, we have created security sites for customers to access all commonly requested security documents in one place. This includes security audit reports, penetration testing summaries, frequently asked questions, resiliency documents, and W-9 information. For access to the Emburse security sites, please ask your Emburse point of contact.

    How Emburse protects customer data

    • Customer tenants: Emburse uses the multi-tenant model and ensures that customers’ data remains segregated from other customers. Within Emburse, each tenant is identified by a unique customer identifier within all systems. Each customer is given the same application code but with customer-specific configuration options that adapt the application to their own needs.
    • Strong authentication: Emburse enables customers to use their single sign-on to protect their user accounts based on their password and MFA policies.
    • Access controls: Each of the Emburse products and services allows for different levels of access and roles for customer instances based on job responsibilities. Customers should implement access review of privileges to ensure it continues to meet their requirements.
    • Encryption of data at rest and transit: Emburse has minimum encryption requirements of TLS 1.2 and AES-256 for all customer data.
    • Data loss prevention (DLP): Emburse has DLP tools in place to help ensure unauthorized data does not leave the secure Emburse environment.
    • Awareness training: On an annual basis and upon hire, Emburse requires all employees and contractors to complete security and privacy awareness training. Additionally, developers complete secure development training to enforce security and privacy by design.
    • Monitoring and alerting: Emburse performs 24x7x365 monitoring of our infrastructure and environments. Automated monitoring and alerting for performance and availability considerations are in place and reviewed.
    • Tabletop exercises: Emburse conducts an annual tabletop exercise with a cross-functional group of employees from all departments of the organization. This annual event is structured to test the readiness of the team for response to a production event.
    • Penetration testing: Emburse performs annual penetration testing by a third-party firm. Any findings from the penetration test are remediated by the team.
    • Vulnerability management: Emburse performs frequent internal and external vulnerability scans in addition to a penetration test performed at least annually.

    Data privacy

    Emburse is compliant with U.S. state and international data privacy laws. We are in the final stages of completing the Data Privacy Framework for transatlantic data transfers between the United States and Europe. This helps us serve our international and multinational customers in meeting data privacy requirements.

    Risk management

    Emburse is constantly evaluating emerging security and privacy risks. This includes new types of attack vectors, changes in legal and regulatory requirements, and alignment to customer requests. We use tooling on endpoints and servers to perform real-time detection and response to threats, vulnerabilities, and abnormal activity. This also includes monitoring the dark web through Crowdstrike Recon for threat intelligence and threat hunting.

    Accuracy in data and financial information

    Our expense and spend management platforms often have an impact on our customers' finance teams, as our data feeds directly into our customers’ general ledgers. Emburse offers numerous general ledger integrations and provides accuracy of the financial data related to expense and spend management. Emburse performs annual SOC 1 reports that include internal controls over financial reporting (ICFR) so that our customers and their auditors can rely on the data and reports from the Emburse systems.

    Emburse is committed to keeping all of our customers’ data safe. For more information on Security and Privacy at Emburse visit our Security Site and Privacy Statement.