Trust & compliance at Expel
Security & compliance, plainly stated.
Here’s how we run our security program, protect your data, and prove it. Same security we sell, applied to ourselves. No black box. No hand-waving. The full audit trail is one click away in our Trust Center.
0
SOC 2 exceptions
since 2018
21
Log sources into our private internal SIEM
125+
Custom insider threat & privileged-activity alerts
100%
Workbench used
internally on ourselves
Compliance program
The system we sell, applied to ourselves.
A formal, independently-audited program with risk records, control evidence, and exec-level review on a clock.
Active certifications & attestations
ISO/IEC 27001:2022
ISO/IEC 27701:2019
SOC 2 Type II — Security
PCI DSS SAQ-D
CSA STAR Level 1
EU-U.S. DPF (+ UK / Swiss)
NIST SP 800-171 Rev. 2
Third Party Penetration Testing
EU / UK GDPR
Trust Center documents
The four documents that answer 90% of vendor reviews.
Available to customers and prospects under NDA at security.expel.com. Most reviewers can close out their assessment with the first two.
Annual SOC 2 Type II against the Trust Services Criteria for Security, plus a bridge letter covering the gap between report period and today. Zero exceptions across every report since 2018.
Independent assessment of our controls against NIST SP 800-171 Rev. 2 — the standard for protecting controlled unclassified information. Full assessor report available under NDA.
How Workbench is built and how customer data flows through it: tenancy model, encryption, infrastructure (GCP + AWS, U.S.), retention, and deletion. Written for security reviewers, not marketers.
What AI/ML is in Workbench, where it runs, what data it sees, what it doesn’t train on, and the controls that govern it. Updated whenever the model, data flow, or retention posture changes.
We use Workbench on Expel
Same product. Same SOC.
Same escalation paths as you.
Expel runs on Expel. We aren't a customer in name only — we sit in the same queue as every other tenant, with the same on-call engineers responding to alerts.
Insider threat program
A private SIEM, a deep alert library, and humans who verify.
Separate from the SOC's customer-facing tooling, our internal security team runs a dedicated insider threat program against Expel itself.
Security as a programmatic discipline
We surface gaps on purpose—then track them to done.
Four standing practices generate the work. Findings flow into a single backlog with owners, due dates, and exec-level visibility until each one is closed.
Threat modeling
- Performed on new services, material architecture changes, and high-risk integrations
- Outputs become tracked risk records with owners and target dates
Tabletop exercises
- Annual incident response and BC/DR tabletops, including executive-level scenarios
- After Action Reports drive concrete remediation items
Threat intel reviews
- Standing review of relevant intel against our environment
- Material findings translate into detections, hardening tasks, or comms
Business Impact Analysis
- Annual BIA defining MTD, RTO, and RPO for critical systems
- Feeds the BCP, DRP, and the risk register
Annual third-party pen test
- Independent assessor, full-scope
- Findings tracked to remediation; summary letter available under NDA
Tracked to completion
- One backlog, one set of owners, one due-date discipline
- Reviewed by the ISMS/PIMS Management Committee
Vendors, subprocessors & AI tooling
Every vendor, every subprocessor, every AI tool — same gauntlet.
Risk-tiered, documented, and signed before deployment. Reassessed on a published cadence. Subprocessor list is public; advance notice on every change.
AI Integration Security Decision Framework
Controls built for AI.
3PA covers the vendor; this framework covers the model. AI-specific evaluation criteria for data exposure, prompt & output handling, autonomy limits, and reversibility — applied to anything that touches a business system.
- Zero Data Retention (ZDR) verification
- Rate limiting and kill-switch capability evaluated
- Data minimization controls assessed
- Risk-tiered approval; conservative defaults
Subprocessor List
Published and kept current at expel.com/notices. 30-day advance notification before adding or changing a subprocessor.
The rest of the questionnaire, in one slide.
The standard controls reviewers expect to see. All documented in full in the Trust Center; the headlines are here.
| Domain | Headline controls |
|---|---|
| Encryption & data handling |
|
| Identity & access |
|
| Endpoint & network |
|
| Vulnerability management |
|
| Privacy roles & rights |
|
| Business continuity & availability |
|
| People & policy |
|
Find something odd? Tell us.
If you find a bug, defect, vulnerability, or even just something that seems a bit off with anything Expel does, please let us know. Positive engagement with the community is part of how we make Workbench—and by extension your enterprise and the internet as a whole—more secure.
Report a vulnerability
Send a description of the issue, steps to reproduce, and any supporting detail. We’ll route it to the right team and get back to you.
How we’ll work with you
Public security research is a critical and ongoing component of the industry, and we welcome discussion with researchers. Our commitment: transparent in what we’re doing, respectful to all parties involved, and timely in our responses. It’s our vulnerability after all — we’re the ones who need to be responsible.