Data Security – Our passwords have passwords

We take zero chances when it comes to data security. Think of us as an impenetrable fortress that somehow floats in the air and is guarded by like, big, monster…things. Ok, so this metaphor went nowhere. The point is, neither will your data. We know how important data security is and we do it better than most. Here’s what we do to make sure your data stays safe and sound.

The Concur Trust Platform

What is it? It’s our plan to keep your data safe and sound using the following seven strategies

Service management - Modeled on the time-proven ITIL (IT Infrastructure Library) process family and audited to the ISO 20000 Service Management standard, we meet or exceed published service levels with the highest possible reliability in the most efficient manner. Periodic management reviews and continuous improvement processes mean that the Concur Trust Platform is continually honed to provide best in class service delivery.

Review our Security Overview document.

Privacy management - We collect only the minimum necessary personally identifiable information (PII) and use it only for stated purposes. Sensitive PII is encrypted when transmitted and stored on Concur systems. PII is transmitted to third parties only when specifically required to provide agreed upon business services. PII is never used for marketing or other purposes. Concur complies with the EU Directive 95/46 EC.

Security management - Concur Information Assurance processes are founded on and audited to the internationally recognized ISO 27001 Security Management standard. This ensures that our solutions are operated to meet the international standards for security management and provides the assurance that our services provide confidentiality, integrity and availability.

Access management - Highly configurable access controls enable you to set up and manage a precise level of control based on your company’s policy. Application administrators in your company can easily add users and assign specific roles and permissions that suit your needs.

Vulnerability management - We utilize industry recognized third party security specialists, enterprise-class systems and tools to scan our software and production environment to ensure that any weaknesses are promptly identified and mitigated.

Continuous monitoring - Concur utilizes enterprise-class systems and tools to continuously monitor all aspects and layers of the Concur solutions infrastructure from Intrusion Detection Systems to resource utilization.

Compliance management – Travel and expense management in most companies is financially relevant. In publicly traded companies, this means our solutions become an extension of a company’s financial operations. In response, Concur voluntarily and proactively subjects its expense management solutions to a number of widely recognized standards including:

• ISO 27001. The world standard for IT security management practices, Concur has been BS 7799 certified since 2004, and is the 18th organization in the U.S. to be audited against the newer ISO 27001.
• ISO 20000. The world standard for IT Service Management practices, Concur is audited bi-annually.
• SAS70 – Concur has attestations for both Concur expense management solutions and supporting hosting facilities.
• PCI Compliance. Concur is a VISA Registered CISP Compliant Service Provider. As a Level II Service Provider, Concur is audited annually by a PCI approved assessor.
• Additionally, Concur is a public company and hence required to be compliant with Sarbanes-Oxley. This reinforces Concur’s top-down security management to ensure the integrity, reliability and security of Concur systems.