Security & compliance, plainly stated.

Here’s how we run our security program, protect your data, and prove it. Same security we sell, applied to ourselves. No black box. No hand-waving. The full audit trail is one click away in our Trust Center.

0

SOC 2 exceptions
since 2018

21

Log sources into our private internal SIEM

125+

Custom insider threat & privileged-activity alerts

100%

Workbench used
internally on ourselves

The system we sell, applied to ourselves.

A formal, independently-audited program with risk records, control evidence, and exec-level review on a clock.

Placeholder image for Security & Compliance

ISMS & PIMS

A single, formally-defined management system covers how we run security and privacy day to day — scope, roles, controls, evidence, and review cadence. Independently audited every year on the same cycle, against the standards listed below.

Placeholder image for Security & Compliance

Annual risk assessment

Formal ISMS/PIMS risk assessment every year. Risk records tracked to remediation. The risk treatment plan is reviewed by executive leadership and the ISMS/PIMS Management Committee.

ISO/IEC 27001:2022

ISO/IEC 27701:2019

SOC 2 Type II — Security

PCI DSS SAQ-D

CSA STAR Level 1

EU-U.S. DPF (+ UK / Swiss)

NIST SP 800-171 Rev. 2

Third Party Penetration Testing

EU / UK GDPR

The four documents that answer 90% of vendor reviews.

Available to customers and prospects under NDA at security.expel.com. Most reviewers can close out their assessment with the first two.

SOC 2 Type II Report & Bridge Letter

Annual SOC 2 Type II against the Trust Services Criteria for Security, plus a bridge letter covering the gap between report period and today. Zero exceptions across every report since 2018.

NIST SP 800-171 report

Independent assessment of our controls against NIST SP 800-171 Rev. 2 — the standard for protecting controlled unclassified information. Full assessor report available under NDA.

Architecture overview

How Workbench is built and how customer data flows through it: tenancy model, encryption, infrastructure (GCP + AWS, U.S.), retention, and deletion. Written for security reviewers, not marketers.

AI datasheet

What AI/ML is in Workbench, where it runs, what data it sees, what it doesn’t train on, and the controls that govern it. Updated whenever the model, data flow, or retention posture changes.

Same product. Same SOC.
Same escalation paths as you.

Expel runs on Expel. We aren't a customer in name only — we sit in the same queue as every other tenant, with the same on-call engineers responding to alerts.

Placeholder image for Security & Compliance

Beta testers for new functionality

New Workbench features land in our tenant first. We break it, fix it, and refine the workflows before any customer ever sees them.

Placeholder image for Security & Compliance

Same escalation paths

Our SOC analysts triage Expel alerts using the same playbooks, severity model, and escalation paths they use for every other customer. No special-cased internal queue.

Placeholder image for Security & Compliance

Same detection library

We benefit from the same continuously-tuned detection library that protects every other tenant — and contribute back to it whenever we see something new in our own environment.

A private SIEM, a deep alert library, and humans who verify.

Separate from the SOC's customer-facing tooling, our internal security team runs a dedicated insider threat program against Expel itself.

Placeholder image for Security & Compliance

21 log sources feeding a private internal SIEM.

Identity, endpoint, productivity, code, infrastructure, and SaaS audit telemetry — segregated from any customer-facing system and accessible only to the internal security team.

Placeholder image for Security & Compliance

125+ custom alerts, tuned in-house

Detections covering both suspicious activity and privileged activity that may be legitimate but warrants verification. Every privileged action gets eyes on it; we confirm intent rather than assume it.

We surface gaps on purpose—then track them to done.

Four standing practices generate the work. Findings flow into a single backlog with owners, due dates, and exec-level visibility until each one is closed.

Placeholder image for Security & Compliance

Threat modeling

  • Performed on new services, material architecture changes, and high-risk integrations
  • Outputs become tracked risk records with owners and target dates
Placeholder image for Security & Compliance

Tabletop exercises

  • Annual incident response and BC/DR tabletops, including executive-level scenarios
  • After Action Reports drive concrete remediation items
Placeholder image for Security & Compliance

Threat intel reviews

  • Standing review of relevant intel against our environment
  • Material findings translate into detections, hardening tasks, or comms
Placeholder image for Security & Compliance

Business Impact Analysis

  • Annual BIA defining MTD, RTO, and RPO for critical systems
  • Feeds the BCP, DRP, and the risk register
Placeholder image for Security & Compliance

Annual third-party pen test

  • Independent assessor, full-scope
  • Findings tracked to remediation; summary letter available under NDA
Placeholder image for Security & Compliance

Tracked to completion

  • One backlog, one set of owners, one due-date discipline
  • Reviewed by the ISMS/PIMS Management Committee

Every vendor, every subprocessor, every AI tool — same gauntlet.

Risk-tiered, documented, and signed before deployment. Reassessed on a published cadence. Subprocessor list is public; advance notice on every change.

Placeholder image for Security & Compliance

Third Party Assessment (3PA) program

  • Security and privacy assessment before any new vendor is deployed
  • Risk-tiered reassessments on a published cadence
  • SOC 2 Type II required for vendors handling sensitive or customer data
  • Privacy Impact Assessments integrated where applicable
  • DPAs executed with every vendor processing personal data on Expel’s behalf
Placeholder image for Security & Compliance

What we ask of every vendor

  • Independent attestation of security controls (or evidence in lieu)
  • Privacy posture and lawful basis for any personal data processed
  • Subprocessor disclosure and chain-of-custody documentation
  • Incident notification commitments and contact paths
  • Termination and data-return / destruction procedures

Controls built for AI.

3PA covers the vendor; this framework covers the model. AI-specific evaluation criteria for data exposure, prompt & output handling, autonomy limits, and reversibility — applied to anything that touches a business system.

  • Zero Data Retention (ZDR) verification
  • Rate limiting and kill-switch capability evaluated
  • Data minimization controls assessed
  • Risk-tiered approval; conservative defaults

Subprocessor List

Published and kept current at expel.com/notices. 30-day advance notification before adding or changing a subprocessor.

The rest of the questionnaire, in one slide.

The standard controls reviewers expect to see. All documented in full in the Trust Center; the headlines are here.

Domain Headline controls
Encryption & data handling
  • TLS 1.2+ in transit, AES-256 at rest
  • KMS-backed keys on GCP/AWS (U.S.)
  • Alert data retained up to 15 months, configurable per contract
  • Media sanitization to NIST SP 800-88 Rev. 1 and DoD 5220.22-M
Identity & access
  • Enterprise IdP, MFA enforced, SCIM provisioning
  • Cadenced access reviews; privileged access tracked separately
  • Same-day termination (target ≤ 24 hours)
Endpoint & network
  • EDR + MDM on every managed endpoint, full-disk encryption, screen-lock enforcement
  • WAF on production traffic, web filtering, DNS security, network segmentation
Vulnerability management
  • Continuous endpoint scanning, SCA + SAST across repositories, runtime container security
  • Annual third-party pen test
  • Formal emerging-CVE process
Privacy roles & rights
  • Processor for customer security data; controller for our own employee/marketing/website data
  • GDPR / UK GDPR / CCPA-CPRA / PIPEDA / Australia Privacy Act aligned
  • DSARs handled in 30–45 days
  • No direct or unfettered government access — lawful process required, reviewed by Legal, customer notified unless prohibited
Business continuity & availability
  • Formal BCP and DRP (Continuity of Operations Plan) — reviewed annually
  • Annual BIA defining MTD/RTO/RPO
  • Workbench availability monitored continuously; SLA compliance tracked as an ISMS metric
People & policy
  • Pre-employment background screening
  • Security & privacy training on hire (≤30 days) and annually; completion tracked and audited under ISMS/PIMS
  • Full policy library — InfoSec, Acceptable Use, Data Protection, Incident Response, Vulnerability Management, Risk & Testing, Third Party Risk, Media Protection, Physical & Environmental, etc.

Find something odd? Tell us.

If you find a bug, defect, vulnerability, or even just something that seems a bit off with anything Expel does, please let us know. Positive engagement with the community is part of how we make Workbench—and by extension your enterprise and the internet as a whole—more secure.

bug-reports@expel.com

Send a description of the issue, steps to reproduce, and any supporting detail. We’ll route it to the right team and get back to you.

Public security research is a critical and ongoing component of the industry, and we welcome discussion with researchers. Our commitment: transparent in what we’re doing, respectful to all parties involved, and timely in our responses. It’s our vulnerability after all — we’re the ones who need to be responsible.

expel X icon

The receipts are in the Trust Center.

Have a question, or need the docs?
SOC 2 Type II, ISO 27001 & 27701, NIST 800-171, PCI SAQ-D, Pen Test Summary, Full Policy Library.
Request access under NDA.