
Trust & Security

At Pleo, trust is the foundation of our relationship with you. We are dedicated to protecting your data with the highest security standards, ensuring your financial information remains secure and private. By adhering to stringent industry regulations and prioritizing transparency, we aim to provide you with the confidence and peace of mind you deserve. Your security is our top priority, and we constantly innovate to keep your information safe.

Security Practices

Credentials are hashed and salted within the services. Credentials, keys and certificates are encrypted at the file level or stored in a restricted vault. Pleo favors TLS 1.2 with AES256 and SHA384 to encrypt data in transit.

AWS encrypts all data stored on physical media within its data centres. Additionally, personal and usage data is partially encrypted within internal databases and other services (such as S3 buckets), according to the usage and sensitivity of the information, using server-side encryption with 256-bit Advanced Encryption Standard (AES) keys.

Pleo provisions access following the principle of least privilege, leveraging role-based access controls. Access rights are monitored and reviewed, and credential management solutions are used to provision accounts. Multi-Factor Authentication (MFA) is required for the console that manages server provisioning, network administration, and similar functions. MFA is also required for VPN access to the back-end environment.

Pleo leverages AWS data centres to provide the Services. AWS data centres are located in the EU/EEA. Customer data is stored and processed at data centres located in Ireland (eu-west-1).

Pleo is dedicated to ensuring the continuity and reliability of its systems. Our production environment is built with robust redundancies and is configured for automatic failover to maintain service during disruptions. We also prioritise scalability to manage demand fluctuations efficiently. To further strengthen our preparedness, the Pleo team engages in annual business continuity and disaster recovery exercises, ensuring we can respond swiftly and effectively to any unforeseen events, keeping our operations running smoothly for our customers.

At Pleo, we actively maintain a bug bounty program through HackerOne. The bug bounty program is a key part of our proactive approach to cybersecurity, allowing us to continuously improve and address potential risks before they impact our users.

Compliance and Regulations

Pleo undergoes rigorous third-party assessments and audits to ensure compliance with several key standards and certifications. These include PCI-DSS for secure payment processing, Google's Cloud Application Security Assessment (CASA) for cloud security, and HackerOne's Bug Bounty Penetration Testing to identify and fix vulnerabilities. Additionally, Pleo conducts a CAIQ Self-Assessment to benchmark against industry best practices and ensures adherence to GDPR, which protects the privacy and data of EU citizens. These efforts demonstrate Pleo's commitment to maintaining the highest standards of security and privacy.

FAQ

Pleo is a centralised business spending solution for forward-thinking teams. Pleo enables employees to buy the things they need for work, while keeping companies in full control of all spending. With the help of breakthrough technology and commercial cards, Pleo eliminates expense reports, reduces administrative complexity and simplifies bookkeeping. Find out more.

Pleo works with companies of all sizes, across every industry. What unites those businesses is that they’ve experienced the pain of traditional spend management: shared cards, chasing receipts, expense reports and reimbursements. They’re ready to move past the confusion and complexity that has defined spend management for so long. Meet our customers.

Pleo was founded in Copenhagen in 2015 by fintech veterans Jeppe Rindom and Niccolo Perra, both early team members of the Danish startup success, Tradeshift, with years of experience building successful financial products. Today, the Pleo team is 800-strong, with seven European office locations (London, Stockholm, Berlin, Madrid, Lisbon, Paris and our HQ in Copenhagen). Here’s our story.

Yes. Pleo provides, upon request, access to our compliance reports under a Non-Disclosure Agreement (NDA).

Yes, Pleo maintains a security awareness program that provides training to employees. All employees must complete training upon hiring and annually thereafter, as well as acknowledge all relevant corporate policies. Employees with elevated privileges must also undergo role-based training.

For any questions regarding our certifications or security program, you may reach out to us at security@pleo.io.