Medius Trust Center

You have our commitment to data protection and privacy. Find the information you need on security,
compliance, privacy, and cloud service performance for your source-to-pay solutions.

Security

Our top priority is keeping our customers' data secure. We have stringent security measures at the organizational, architectural, and operational levels to ensure that your data and applications remain safe.

All employees must complete security, privacy, and compliance training when they start their employment with Medius, and they must acknowledge that they have reviewed the Information Security Policy, which sets out the rules and guidelines for avoiding or minimizing security risks. This is reinforced on an ongoing basis through training and awareness programs.

Medius adheres to the principle of least privilege and has internal processes and controls to reduce the number of employees who have access to customer data, including access controls, access reviews, and strict onboarding and offboarding routines.

Our customers serve as the data controller while Medius is the data processor for any customer data processed in our cloud services. This means that you have full control of the data entered into the services, as well as all setup and configuration. Because you control your data—and we only process it—you won’t have to rely on us to perform day-to-day tasks such as:

  • Assigning security authorization and manipulating roles
  • Configuring business process flows, alerts, rules, and more
  • Monitoring business transactions
  • Looking at historical data and configuration changes

Medius is built on the Microsoft Azure platform. Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic against passive eavesdropping, active tampering, and message forgery. The Security Token Service is responsible for authenticating the end user.

Medius AP uses a role-based framework to control what an authenticated user can do within the application. Every user is assigned one or more roles. A role defines which data objects and services the users assigned to it can access, and in what way; roles are also used to define user rights.

Medius applications are hosted in state-of-the-art Microsoft Azure data centers designed to protect mission-critical computer systems. Customer data is separated into a unique SQL database for each customer. All customer data in Microsoft Azure is stored in Europe, the US, or Australia, depending on the customer's primary location, and data is not transferred between locations.

We periodically perform vulnerability scanning on our web application service to verify our security standards and resiliency.

Security testing is part of our Secure Software Development Lifecycle (SSDLC), and external penetration testing, conducted by an independent third party, is performed at least annually.

We conduct annual independent audits for compliance and industry standards certifications.

Compliance

Regular audits ensure data security and privacy. Medius invests significantly in its commitment to the ISO 27001:2022 standard, ISO 9001, and SOC 1 Type 2 and SOC 2 Type 2 reports.

ISO 27001:2022

All information security work at Medius is based on the ISO/IEC 27001 standard, which preserves the security of information through a risk management process. Our commitment to the ISO/IEC 27001 standard demonstrates that risks are adequately managed and that risk management is part of, and integrated with, our operations and overall management structure. Medius Spend Management Suite and Expensya are both ISO 27001 certified.

ISO 9001:2015

ISO 9001 is an international management system standard that specifies requirements for a quality management system (QMS). At Medius, we use the ISO 9001 standard to demonstrate our ability to consistently provide products and services that meet customer and regulatory requirements, as well as our organization’s own requirements. Medius Spend Management Suite is ISO 9001 certified.

SOC 1 Type 2, SOC 2 Type 2

Medius has SOC 1 Type 2 and SOC 2 Type 2 reports covering Medius Spend Management Suite. Medius complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our production operations to ensure continued conformity.

Whistleblowing – report wrongdoing

Medius is committed to conducting its business at the highest ethical levels and does not tolerate wrongdoing. If wrongdoing happens, we want to take appropriate action. If you witness or experience any wrongdoing related to Medius, including violations of the Medius Code of Conduct, don’t hesitate to report your concern. You may report by sending an email to whistleblower@medius.com or by sending a letter to Kristin Widjer, Medius Whistleblowing, Klarabergsviadukten 90, 111 64 Stockholm, Sweden. Any report will be handled confidentially and in accordance with the Medius Whistleblowing policy.

Policies

Privacy Policy

Understand how we may collect and use your personal information.

Cookie Policy

Understand how we, and our partners, use cookies to optimize your website experience.

Anti-Slavery Statement

We ensure slavery and human trafficking are not taking place within our supply chains.

Medius system status

View the current performance of Medius cloud systems.
