Security, Privacy & Controls
Security, privacy and control matter in every finance workflow. ProSpend is designed to help organisations manage spend with configurable approvals, role-based permissions and operational safeguards across expenses, accounts payable, purchase orders and cards.
This page gives a high-level overview of the controls and practices we use to protect customer data and support security due diligence. For customers with more detailed review requirements, we can provide additional materials on request.
At a glance
- Cloud-hosted infrastructure on Amazon Web Services (AWS)
- Encryption for data in transit and at rest
- Role-based access, least-privilege principles and restricted admin access
- Configurable approval workflows, approval limits and supplier controls
- Audit trails across transactions and sensitive administrative actions
- Documented incident response and security monitoring
- Independent security testing and remediation follow-up
- Additional due diligence materials available for qualified prospects
- Single sign-on (SSO) with Google, Azure and Okta; contact us for integration specifics, as the configuration differs by identity provider
Frequently asked questions
How does ProSpend protect customer data?
We use a layered approach to security across infrastructure, application controls, access management and operational processes. That includes secure cloud hosting, network controls, monitoring, encryption, restricted administrative access and a documented response process for incidents.
ProSpend data is stored exclusively within the AWS Sydney Region (ap-southeast-2). For reliability, your information is replicated across multiple physically separate data centres (AWS Availability Zones) within Sydney. This storage architecture is designed for 99.999999999% (eleven nines) durability; note that this is a storage durability figure, not a service availability commitment.
Where is customer data hosted?
ProSpend's platform infrastructure is hosted on Amazon Web Services (AWS) in the Sydney Region (ap-southeast-2). Clients who need more detail on hosting location, architecture or data flows can receive a high-level overview during the security review process.
Is data encrypted?
Yes. Data is protected in transit using modern transport encryption, and data at rest is encrypted within our managed environment and in backups. Database backups are encrypted at rest and retained for 35 days.
How does ProSpend help reduce fraud and unauthorised activity?
ProSpend combines platform controls with operational safeguards. Depending on the module, this includes configurable approval workflows, approval limits, supplier verification controls, duplicate detection, bank-detail checking, exception routing and audit trails. These controls are designed to reduce the risk of unauthorised or incorrectly approved spend.
What access controls do you use?
We apply least-privilege principles so team members only receive the access required for their role. Access to sensitive internal systems is restricted and protected using identity controls such as single sign-on, multi-factor authentication and network restrictions where appropriate. Administrative actions are limited to authorised personnel.
How do you manage employee and third-party access?
Security responsibilities form part of onboarding and ongoing staff awareness training. Third-party providers are engaged only where necessary to deliver the service, and access is controlled based on business need, contractual confidentiality obligations and the principle of minimum necessary access.
Do you perform penetration testing or security reviews?
Yes. ProSpend conducts periodic security testing, including penetration testing. Findings are assessed, prioritised and remediated through our internal processes. For qualified prospects, we can share a high-level summary of recent testing under appropriate confidentiality terms.
What happens if there is a security incident?
We maintain a documented incident response process with defined ownership, triage, internal escalation, communication and post-incident review steps. Our team monitors production systems and supports rapid investigation and remediation if an issue is detected.
Do you have backup and recovery measures in place?
Yes. We maintain encrypted backups and documented recovery procedures designed to support business continuity. Detailed recovery objectives and architecture specifics can be discussed as part of customer due diligence, where required.
Are you ISO 27001 or SOC 2 certified?
ProSpend is not currently certified to ISO 27001 or SOC 2. We are continuing to mature our security program and working toward formal certification. In the meantime, we maintain practical security controls and operating disciplines to protect customer data and support customer due diligence. We will continue to provide updates on our security roadmap to prospects and customers.
Do you align with any recognised security frameworks?
Our security practices are informed by established security and risk-management principles, and we maintain controls designed to support secure handling of customer information. Where relevant, we also use established compliance and cloud-security guidance to inform how our environment is operated and reviewed.
How does ProSpend handle privacy and third-party service providers?
We handle personal information in line with our Privacy Policy and applicable privacy obligations. Where third-party service providers are used to help us deliver the service, we limit disclosures to what is necessary, select providers carefully and require appropriate confidentiality and security protections.
Where can I find your legal terms and privacy policy?
You can review our Terms of Use and Privacy Policy on our website. Commercial terms, including liability and any negotiated protections, are governed by the relevant customer agreement and applicable terms.
Can we request more detailed security information?
Yes. Customers with formal procurement, IT or risk review processes can request additional information from our technical teams. Depending on the stage of review, this may include a security overview, architecture summary, privacy and legal documents, and a high-level penetration test summary.
Does ProSpend support audit trails?
Yes. ProSpend records audit trails that track and log user activity within the system. These can be accessed by Admins.
Does ProSpend support user roles?
Yes, ProSpend supports user roles. These are fixed, system-defined roles rather than custom configurable roles.
What password policies does ProSpend enforce?
ProSpend enforces a minimum password length and prevents users from reusing a previous password.
Is sensitive data encrypted at rest?
Yes. Sensitive data is encrypted at rest, including but not limited to OAuth tokens, passwords and account card codes.
Need to complete a supplier security review?
Our team can provide additional due diligence materials for qualified prospects, including high-level security documentation and answers to common customer questionnaires.