Medius Trust Center

You have our commitment to data protection and privacy. Find the information you need on security,
compliance, privacy, and cloud service performance for your source-to-pay solutions.

Medius Trust Center

You have our commitment to data protection and privacy. Find the information you need on security,
compliance, privacy, and cloud service performance for your source-to-pay solutions.

Security

Our top priority is keeping our customers' data secure. We have stringent security measures at the organizational, architectural, and operational levels to ensure that your data and applications remain safe.

All employees must take security, privacy, and compliance training when they start their employment with Medius and they must acknowledge that they have reviewed the Information Security Policy which dictates the rules and guidelines to avoid or minimize security risks on an ongoing basis via trainings and awareness programs.

Medius adheres to the principle of least privilege and has internal processes and controls to reduce the number of employees that have access to customer data, including controls, access reviews, and strict on and off boarding routines.

Our customers serve as the data controller while Medius is the data processor for any customer data processed in our cloud services. This means that you have full control of the data entered into services, as well as all setup and configurations. Because you control your data—and we only process it—you won’t have to rely on us to perform day-to-day tasks such as:

  • Assigning security authorization and manipulating roles
  • Configuring business process flows, alerts, rules, and more
  • Monitoring business transactions
  • Looking at historical data and configuration changes

Medius is built upon the Microsoft Azure platform from Microsoft. Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery. The Security Token Service is responsible for authenticating the end user.

Medius AP uses a role-based framework to control what an authenticated user can do within the application. All users are connected to one or more roles. A role defines what data objects and services users connected to the role can access and in what way. Roles are also used to define the user rights.

Medius applications are hosted in state-of-the-art Microsoft Azure data centers designed to protect mission-critical computer systems. Customer data is separated in unique SQL databases for each customer. All customer data in Microsoft Azure is stored in Europe, US or Australia depending on the customer's primary location and data is not transferred between locations.

We periodically perform vulnerability scanning on our web application service to verify our security standards and resiliency.

Security testing is part of our Secure Software Development Lifecycle (SSDLC), and external penetration testing, conducted by an independent third party, is performed at least annually.

We conduct annual independent audits for compliance and industry standards certifications.

Compliance

Regular audits ensure data security and privacy. Medius makes a significant investment in our commitment towards the
ISO 27001:2022 standard, and SOC 1 Type 2 and SOC 2 Type 2 reports.

ISO 27001:2013

All information security work at Medius is based on the ISO/IEC 27001 standard, which preserves security of information through a risk management process. Our commitment to the ISO/IEC 27001 standard demonstrates that risks are adequately managed, are part of, and are integrated with, our operations and overall management structure. Expensya is ISO 27001 certified.

SOC 1 Type 2, SOC 2 Type 2

Medius AP Automation Suite provides SOC 1 and SOC 2 reporting. Medius complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our production operations to ensure continued conformity.

Whistleblowing – report wrongdoing

Medius is committed to conducting its business at the highest ethical levels and does not tolerate wrongdoing. If wrongdoing happens, we want to take appropriate action. If you witness or experience any wrongdoing related to Medius, including violations of the Medius Code of Conduct, don’t hesitate to report your concern. You may report by sending an email to whistleblower@medius.com or by sending a letter to Kristin Widjer, Medius Whistleblowing, Klarabergsviadukten 90, 111 64 Stockholm, Sweden. Any report will be handled confidentially and in accordance with the Medius Whistleblowing policy.

Policies

Privacy Policy

Understand how we may collect and use your personal information.

Cookie Policy

Understand how we, and our partners, use cookies to optimize your website experience.

Anti-Slavery Statement

We ensure slavery and human trafficking are not taking place within our supply chains.

Medius system status

View the current performance of Medius cloud systems.

Check status

More resources you might like.

Cyber threat is increasing.

Read an article by our Chief Information Security Officer, Torbjörn Andersson, on zero trust in SecurityWorldMarket.

Note: this article is in Swedish.

How do banks investigate unauthorized transactions?

As digital banking becomes more prevalent, so does the risk of fraud. Delve into the various facets of bank investigations.

How to detect fraud transactions in accounts payable.

Discover how AP automation plays a pivotal role in detecting and eliminating fraudulent transactions, ensuring the continuity of timely production.