Medius Trust Center
You have our commitment to data protection and privacy. Find the information you need on security, compliance, privacy, and cloud service performance for your source-to-pay solutions.
Security
Our top priority is keeping our customers' data secure. We have stringent security measures at the organizational, architectural, and operational levels to ensure that your data and applications remain safe.
Organizational Security
All employees must complete security, privacy, and compliance training when they join Medius, and they must acknowledge that they have reviewed the Information Security Policy, which sets out the rules and guidelines for avoiding or minimizing security risks. This is reinforced on an ongoing basis through training and awareness programs.
Medius adheres to the principle of least privilege and has internal processes and controls to reduce the number of employees with access to customer data, including controls, access reviews, and strict onboarding and offboarding routines.
Architectural Security
Processing Relationship
Our customers serve as the data controller while Medius is the data processor for any customer data processed in our cloud services. This means that you have full control of the data entered into services, as well as all setup and configurations. Because you control your data—and we only process it—you won’t have to rely on us to perform day-to-day tasks such as:
- Assigning security authorization and manipulating roles
- Configuring business process flows, alerts, rules, and more
- Monitoring business transactions
- Looking at historical data and configuration changes
Data Encryption
Medius is built on the Microsoft Azure platform. Transport Layer Security (TLS) protects user access over the internet, helping to secure network traffic against passive eavesdropping, active tampering, and message forgery. The Security Token Service is responsible for authenticating the end user.
Medius AP uses a role-based framework to control what an authenticated user can do within the application. Every user is assigned one or more roles. A role defines which data objects and services the users assigned to it can access, and in what way; roles are also used to define user rights.
Operational Security
Medius applications are hosted in state-of-the-art Microsoft Azure data centers designed to protect mission-critical computer systems. Each customer's data is kept in its own separate SQL database. All customer data in Microsoft Azure is stored in Europe, the US or Australia, depending on the customer's primary location, and data is not transferred between locations.
Vulnerability Assessments
We periodically perform vulnerability scanning on our web application service to verify our security standards and resiliency.
Security testing is part of our Secure Software Development Lifecycle (SSDLC), and external penetration testing, conducted by an independent third party, is performed at least annually.
We conduct annual independent audits for compliance and industry standards certifications.
Compliance
Regular audits ensure data security and privacy. Medius invests significantly in its commitment to the ISO 27001:2022 standard and in its SOC 1 Type 2 and SOC 2 Type 2 reports.
ISO 27001:2013
All information security work at Medius is based on the ISO/IEC 27001 standard, which preserves the security of information through a risk management process. Our commitment to ISO/IEC 27001 demonstrates that risks are adequately managed and that risk management is part of, and integrated with, our operations and overall management structure.
SOC 1 Type 2, SOC 2 Type 2
As a SOC 1 and SOC 2-certified organization, Medius complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our production operations and have sustained and surpassed all requirements.
Privacy
View our privacy policy here.
Data Protection Addendum
Personal Data Transfer statement and Sub-processors used for the Medius Spend Management Suite
In our contract with our customers, we commit that every transfer of personal data made in our capacity as data processor is compliant with data protection laws.
Sub-processors are our vendors that process your personal data to help us provide our services. All our sub-processors are bound by agreements with safeguards that are at least as restrictive as the safeguards and standards that we apply to personal data in our direct control. We conduct regular reviews of each sub-processor used to ensure that your personal data is protected as required by data protection laws and our customer contractual commitments.
Below is a list of all sub-processors currently used by us for the provision of our services. Please note that not all sub-processors are used in the provision of all our services as further detailed in the “Services” column below.
Non-affiliated sub-processors
| Sub-processor | Services | Purpose | Personal Data | Geographic location | EU third country transfer safeguards |
| --- | --- | --- | --- | --- | --- |
| Microsoft Ireland Operations Limited | All (excluding OnPay Solutions) | Provider of cloud computing platform (Azure) | Information on invoices (name, email, phone number, address, title), user IDs, master data/supplier information (name, email, phone number, address) | EU, USA, UK or Australia (follows customer primary location), except Azure AD user transfer services and Supplier Portal, which are operated from the EU | N/A |
| Microsoft Ireland Operations Limited | APA | Exchange Online (e-mail delivery service) for capture | Information on invoices (name, email, phone number, address, title), user IDs, master data/supplier information (name, email, phone number, address) | EU or USA (follows customer primary location) | N/A |
| Sendgrid Inc | APA and Supplier Portal | E-mail delivery services | Information on invoices (name, email address, phone number, address, title), customer user IDs, master data/supplier information (name, email, phone number, address), sender's email address | USA | 2021 Standard Contractual Clauses, module Three (processor to processor) |
| Papertrail Inc | All (excluding OnPay) | Log handling | User ID, email address, IP number, name, title | USA | Old SCCs |
| Solarwinds LLC | APA | Log handling | Information on invoices (name, email address, phone number, address, title), user IP number, user ID | USA | Old SCCs |
| Freshworks Inc | All | Support system | Name, email address, phone number, title and any other personal data provided by the user | USA | ? |
| Kofax Sweden Technologies AB | ReadSoft Online (add-on to APA) | Capture service | Information on invoices (name, email address, phone number, address, title), user IDs, master data/supplier information (name, email, phone number, address) | EU, USA, UK or Australia (follows customer primary location) | N/A |
| ABBYY Europe GmbH | APA | Capture service | Information on invoices (name, email address, phone number, address, title), master data/supplier information (name, email, phone number, address) | EU or USA (follows customer primary location) | N/A |
| DocuSign Inc | DocuSign (add-on to Contract Management) | On-demand electronic signature service | Email address, name and title of the envelope recipient; name and email of the customer user creating the envelope; name, email and title of the customer signatory; IP address of the signatories; any personal data in contracts processed for signature | USA (transaction data) and EU (e-document) | Binding corporate rules |
| Columbus Sweden AB | M3 Cloud Edition Automation Connector Integration | Integration between APA and M3 Cloud Edition | User IDs, master data/supplier information (name, email, phone number, address) | EU | N/A |
| Nomentia Oy | Pay | Bank connectivity services | Information in the payment file, name, email, title, phone number, street address, bank account details | EU | N/A |
| NvoicePay [Inc] | USA | N/A | | | |
| Comdata | MediusPay 2.0 | N/A | | | |
| Flexential | Medius Pay 2.0 | Hosting datacenter provider | N/A | | |
| *Datamatix | Medius Pay 2.0 | Check printing and mailing service provider | N/A | | |
| *Corpay | Medius Pay 2.0 | Virtual card provider | N/A | | |
*Datamatix and Corpay currently under review.
Affiliated sub-processors
| Sub-processor | Purpose | Personal Data | Geographic location |
| --- | --- | --- | --- |
| Medius ApS, Medius Business Process Software BV, Medius AS, Medius Sverige AB, MediusGo AB, Medius Poland Sp. z o.o., Dynamic Software in Sweden AB | Technical or management support and R&D | All data referenced in the personal data column in the "Non-affiliated" table above. | EU |
| Medius Software Limited | Technical or management support and R&D | All data referenced in the personal data column in the "Non-affiliated" table above. | UK |
| Medius Software Pty Ltd | Technical or management support and R&D | All data referenced in the personal data column in the "Non-affiliated" table above. | Australia |
| Medius Software Inc and OnPay Solutions Inc | Technical or management support and R&D | All data referenced in the personal data column in the "Non-affiliated" table above. | USA |
Third country transfers and transfer impact assessments
We safeguard the personal data our customers entrust us to process when we transfer that data to a country that has not been deemed "adequate" by the European Commission or the UK Information Commissioner. We transfer customer personal data outside the European Union and the UK as necessary to provide our services to our customers. The safeguard we rely upon is the use of standard contractual clauses, as follows:
- In respect of EU personal data, we rely on the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”).
- In respect of UK personal data, we rely on the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner.
For any third country transfer we also carry out a transfer impact assessment and evaluate the potential need for additional safeguards. [The transfer impact assessments below identify and describe the risks associated with the transfer of customer data to third countries, as well as any supplementary measures we, or our sub-processors, have taken to safeguard customer data. Our Data Processing Addendum [LINK] contains further details that are not specific to onward transfers. Please see the list of our sub-processors [LINK to tables above] processing personal data in a third country.]
Other Resources
Recommended Security Resources
Read the piece by our Chief Information Security Officer, Torbjörn Andersson, on zero trust in SecurityWorldMarket: Cyberhotet ökar - svenska företag behöver höja beredskapen! (The cyber threat is growing - Swedish companies need to raise their preparedness!)
Related Blogs
How Do Banks Investigate Unauthorized Transactions?
How to Detect Fraud Transactions in Accounts Payable