Data security is more important than ever

The amount of data that is currently processed by SpendLab is immense. Therefore, we have set up internal processes, systems and procedures to ensure the maximum security of data that is processed for our clients.

International Standardization Organization

An ISO certified organization

To be able to guarantee quality and data security, SpendLab has chosen to be certified for two ISO standards, namely ISO 9001:2015 and ISO 27001:2013. These standards provide organizations with the tools and guidelines to gain control over Quality (ISO:9001) and Information Security (ISO:27001).

Every year, SpendLab’s Information Security Management System (ISMS) is independently audited to ensure the effectiveness of the measures taken. Due to the fact that our solutions are data-driven, we deeply value a high degree of data security. This is also the reason why an extensive set of technical and organizational measures has been taken to meet the requirements set by ISO, but also by our clients. Some examples of measures that have been taken are:

  • The use of multi-factor authentication
  • Encryption of both data-in-transit and data-at-rest
  • Role Based Access on a need-to-know basis
  • IO Whitelisting
  • Encrypting and centrally managing equipment
  • Screening of personnel
  • Employing a specialized Security Officer and Data Protection Officer to safeguard the established internal processes, systems and procedures

General Data Protection Regulation


The General Data Protection Regulation (GDPR) has been active since 2018. This European regulation imposes strict requirements on organizations with regard to the processing of personal data. SpendLab only processes small amounts of personal data of its clients. Nevertheless, we are often asked how we process our client´s data and in what ways we do this.

SpendLab only processes data from our clients’ suppliers. Depending on how these suppliers invoice, we process personal data. During the analyses that are performed for clients, personal data rarely occurs. If this does happen however, the data will be anonymized if it turns out to be irrelevant to the possible file.

For more questions regarding the processing of personal data or our ISO certifications, please contact us at and/or

Veelgestelde vragen


No, SpendLab does not link anything to a client’s application. We work by means of a one-off data extraction from our client’s financial application.

Personal data is not relevant to SpendLab in order to conduct a successful Accounts Payable Recovery Audit. In practice, however, we do notice that personal data is stated by suppliers within invoice lines – in particular in the invoice description. This includes name and address details and, in exceptional situations, a license plate and/or a social security number.