Medius Trust Center

You have our commitment to data protection and privacy. Find the information you need on security, compliance, privacy, and cloud service performance for your source-to-pay solutions.

View Cloud Status


Our top priority is keeping our customers' data secure. We have stringent security measures at the organizational, architectural, and operational levels to ensure that your data and applications remain safe.

Organizational Security

All employees must take security, privacy, and compliance training when they start their employment with Medius and they must acknowledge that they have reviewed the Information Security Policy which dictates the rules and guidelines to avoid or minimize security risks on an ongoing basis via trainings and awareness programs.

Medius adheres to the principle of least privilege and has internal processes and controls to reduce the number of employees that have access to customer data, including controls, access reviews, and strict on and off boarding routines.

Architectural Security

Processing Relationship

Our customers serve as the data controller while Medius is the data processor for any customer data processed in our cloud services. This means that you have full control of the data entered into services, as well as all setup and configurations. Because you control your data—and we only process it—you won’t have to rely on us to perform day-to-day tasks such as:

Assigning security authorization and manipulating roles
Configuring business process flows, alerts, rules, and more
Monitoring business transactions
Looking at historical data and configuration changes

Data Encryption

Medius is built upon the Microsoft Azure platform from Microsoft. Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery. The Security Token Service is responsible for authenticating the end user.

Medius AP uses a role-based framework to control what an authenticated user can do within the application. All users are connected to one or more roles. A role defines what data objects and services users connected to the role can access and in what way. Roles are also used to define the user rights.

Operational Security

Medius applications are hosted in state-of-the-art Microsoft Azure data centers designed to protect mission-critical computer systems. Customer data is separated in unique SQL databases for each customer. All customer data in Microsoft Azure is stored in Europe, US or Australia depending on the customer's primary location and data is not transferred between locations.

Vulnerability Assessments

We periodically perform vulnerability scanning on our web application service to verify our security standards and resiliency.

Security testing is part of our Secure Software Development Lifecycle (SSDLC), and external penetration testing, conducted by an independent third party, is performed at least annually.

We conduct annual independent audits for compliance and industry standards certifications.


Regular audits ensure data security and privacy. Medius makes a significant investment in our commitment towards the ISO 27001:2022 standard, and SOC 1 Type 2 and SOC 2 Type 2 reports.

ISO 27001:2013

All information security work at Medius is based on the ISO/IEC 27001 standard, which preserves security of information through a risk management process. Our commitment to the ISO/IEC 27001 standard demonstrates that risks are adequately managed, are part of, and are integrated with, our operations and overall management structure. Expensya is ISO 27001 certified.

SOC 1 Type 2, SOC 2 Type 2

Medius AP Automation Suite provides SOC 1 and SOC 2 reporting. Medius complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our production operations to ensure continued conformity.

Whistleblowing – report wrongdoing

Medius is committed to conducting its business at the highest ethical levels and does not tolerate wrongdoing. If wrongdoing happens, we want to take appropriate action. If you witness or experience any wrongdoing related to Medius, including violations of the Medius Code of Conduct, don’t hesitate to report your concern. You may report by sending an email to or by sending a letter to Kristin Widjer, Medius Whistleblowing, Klarabergsviadukten 90, 111 64 Stockholm, Sweden. Any report will be handled confidentially and in accordance with the Medius Whistleblowing policy.


Privacy Policy Cloud Status

Other Resources

Cookie Policy Anti-Slavery Statement

Recommended Security Resources

Read the piece by our Chief Information Security Officer, Torbjörn Andersson, on zero trust in SecurityWorldMarket: Cyberhotet ökar - svenska företag behöver höja beredskapen!

Related Blogs

How Do Banks Investigate Unauthorized Transactions?
How to Detect Fraud Transactions in Accounts Payable