SOC 2 Type 2 Certified

Spendflo is SOC 2 Type II certified. The Type II audit is the most robust, providing a sustained compliance period with consistent, reliable safeguards to protect our customers’ data. Spendflo is committed to conducting an annual SOC 2 audit.


ISO 27001 Certification

Spendflo has also achieved ISO 27001 certification, which is a globally recognized standard for information security management systems (ISMS). This certification validates our dedication to managing information security risks effectively, ensuring the confidentiality, integrity, and availability of customer data.

GDPR and Data Privacy

Spendflo considers your data as belonging to you and your clients. We will never sell or share the data you and your users have created in Spendflo. Our business provides a safe, secure, and private way for your clients to communicate within your set boundaries using our SDK.

We handle your data in accordance with the UK and the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We are fully committed to accommodating all provisions granted by these regulations, including access and erasure rights.

To understand how we store and process your data, read our Privacy Policy and our Data Processing Agreement.



To safeguard your data, Spendflo employs strong cryptography standards following NIST guidelines. All data is encrypted in transit and at rest using TLS version 1.3 and AES 256-bit encryption, providing robust protection against unauthorized access.

Secure Development

At Spendflo, we prioritize secure development practices. Our code review standards adhere to our Software Development Life Cycle (SDLC) policies, ensuring that all code undergoes thorough review. Additionally, segregated development and production environments run comprehensive, automated tests before deploying code to customer applications. Our incident response and Service Level Agreement (SLA) policies enable us to quickly identify, contain, and resolve any issues, ensuring the integrity, confidentiality, and privacy of our service.

VAPT (Vulnerability Assessment and Penetration Testing)

Spendflo engages reputable, independent, third-party auditors to conduct penetration and intrusion testing. We take pride in the fact that intensive testing has not revealed any exploitable vulnerabilities in Spendflo's API and services. If you are interested in reviewing our penetration testing report, please contact us to initiate a Mutual Non-Disclosure Agreement (MNDA) process, followed by the report sharing.

Security Policy

Encryption

Your data is encrypted in transit and at rest, with strong cryptography standards following NIST guidelines. We use TLS version 1.3 and AES 256-bit to encrypt data.

Secure Development

Our code review standards mean all code is reviewed as part of our Software Development Life Cycle (SDLC) policies, and segregated development and production environments run comprehensive, automated tests before our code is live in customer apps. Our incident response and SLA policies ensure we can quickly inform you of, contain, and resolve any issues that arise, maintaining the integrity, confidentiality, and privacy of the service.

Penetration Testing

For our penetration and intrusion testing, we use a reputable, independent third-party auditor. We are proud that intensive testing has found no exploitable vulnerabilities in Spendflo’s API and services. If you’re interested in reviewing our penetration testing report, please contact us for an MNDA to sign, followed by the report.

Data Center Security

Spendflo's services operate on Amazon Web Services (AWS), a renowned and highly secure cloud infrastructure provider. AWS offers industry-leading security measures, including full redundancy and robust disaster recovery protocols. Within AWS, Spendflo runs in a separate Virtual Private Cloud (VPC) with strict firewall rules, continuous monitoring, and limited access controls to prevent unauthorized network requests.

Security Standards

Strict access controls and policies prevent access to your data by anyone outside Spendflo as well as by Spendflo employees, except in the case of severe incidents and outages, where specific engineering staff members will receive access and the instances will be reported to you. Our team uses separate, secure hardware to access Spendflo systems; this hardware is continually monitored and kept up to date with the latest security patches and malware protection. Our staff undergo background checks and regular security training and are under strict confidentiality agreements.

Reliability, Availability, and SLAs

Spendflo understands the importance of service availability to our customers. We have implemented multiple redundancies and perform daily backups of all data. Our services are monitored round the clock, and we have a dedicated team of on-call engineers available 24/7, 365 days a year. We follow rigorous incident response and disaster recovery protocols, which are regularly rehearsed to ensure readiness.

For customers with a commercial agreement, we offer service level agreements (SLAs) guaranteeing uptime, incident response times, and support availability. Our historical uptime exceeds 99.9%, and we will notify you of any planned downtime for system maintenance. Spendflo is trusted by numerous partners, including public companies and organizations handling sensitive financial data. We are proud of the trust our partners place in us and the confidence they have in the safety and confidentiality of their data.

Contact Us

To report a potential vulnerability or for any other questions, you can contact our security team at We do not run a bug bounty program at this time.