Security Overview


Procurify’s application services run on the cloud with the majority of our services and data being hosted in Amazon Web Services (AWS) facilities across multiple regions located in the US isolated in its own secure network. Procurify’s secondary provider is Google Cloud Platform (GCP) in US data centers.

Cloud Hosting - AWS & GCP

Procurify focuses on delivering the best spend management product to our customers. We partner with industry-leading companies to handle cloud hosting, employing their expertise and compliance with best practices in maintaining key systems infrastructure such as: DNS, routers, switches, load balancers, computer systems, database servers, caching systems and more. Procurify has selected Amazon Web Services (primary) and Google Cloud Platform (secondary) as our providers of cloud services.


Both Amazon and Google are pioneers in ensuring safety and security across all of their data centers and infrastructure through their 15+ years of experience of running industry leading web services. Their respective security documentation can be found on their websites here:

Procurify is hosted in SAS-70 II, SSAE 16 data centers that have achieved ISO 27001 & SOC3 certifications, among other certifications that are performed by third-party auditors to both AWS and GCP.

Severity and Expected Response Times

Procurify will provide the Customer with support related to server accessibility and performance 24 hours a day, 5 days a week. This is separate from and in addition to the support services specified in the Support Level Agreement and/or the Support Subscription Packages referenced in that document.

Expected response times for a ticket submitted by the Customer via email, or in-app request during support hours to report an incident which has been deemed by Procurify (in its reasonable discretion) to be related to server accessibility or performance shall depend upon the severity level assigned by Procurify to such ticket (in its reasonable discretion). Such severity definitions and expected response times are as follows:


Incident Response

In the event of an incident, Procurify will immediately work towards a resolution. Incidents are grouped as stated here:

  1. Our data centers (Amazon AWS & Google Cloud) will notify us about any physical or virtual breaches to the equipment that Procurify is hosted on. Procurify will respond according to best practices depending on the nature of the incident.
  2. If Procurify detects an Application Level Breach, our Development / Operation Teams will immediately investigate. We will determine the cause and affected Customer(s), notify those Customer(s), and restore any backups as necessary.

Information Security Policies

Access Control

Our team members are provided access with the appropriate permissions to perform in their role. They are provided access as needed, any requests for other platforms will have to be approved by their team lead.

User Access Management

Team members are given access to systems that are used by their team. Any change in their employment status will immediately cause a change in their ability to access systems, more information on this topic is located in the Human Resources section.

User Responsibilities

When invited to other systems, users will be granted the level of rights necessary to perform their role. Team members that require more access than initially granted will have to ask their team lead for permission to determine if additional rights are granted. In our Development Team, developers have access to code repositories that they are directly contributors to. Only Procurify's Lead Developer and CTO have the ability to work on production systems that Procurify is hosted on.

System and Application Access Control

Our main user directory is on Google G Suite (Google Apps for Business) allowing a centralized management of emails and documents created by team members. All services that we use are encouraged to be signed into via Google Login (SSO). For services without Google Login, team leads & our internal I.T. Team maintains admin control to software systems. This includes third-party SaaS applications, Amazon Web Services, and Google Cloud Platform.

Human Resources Policies

Procurify relies on other software platforms to ensure we are the most productive in serving our customers.

Prior to Employment

Procurify interviews candidates rigorously to ensure that team members are able to provide the best performance and care to our customers. Our People Operations team conducts reference checks.

During Employment

Once hired, only systems and software that are necessary for their work are granted to each team member. In addition, team members are provided with access to our headquarters in Vancouver, Canada, access to the control system alarm code and a RFID fob to the building and unit.

Termination and Change of Employment

Prior to the change of employment, People Operations will reach out to our I.T. Team and Team Leads to ensure we are ready to go through an “off-boarding” process to revoke user credentials and access control. This includes: G Suite Login, Software Credentials, API Tokens, ACLs, RFID Fob, and Alarm Code being revoked from the User. During the exit interview, our People Operations Manager will also ask for any property of Procurify to be returned immediately. Any outstanding tasks will be handled by the team lead.


Our customers’ security and privacy are paramount to us at Procurify. Our team makes utmost efforts to ensure that customers’ interactions with Procurify are conducted securely.


Data storage is of greatest importance at Procurify. Each customer has an isolated data store, as opposed to single multi-tenant database systems. This allows us to ensure that each customer will have access to their data only when using Procurify. Our databases are hosted on the latest-generation database servers on Amazon Web Services. They are hosted across multiple data centers to provide redundancy, safety, and security in storing customer's data. In the event of an incident with our database cluster, we are able to efficiently and quickly restore from multiple sources of backup and route traffic from the previous database cluster to a new database cluster. Any file attachments are stored on Google Cloud Platform across their US data center network, which ensures files are replicated across multiple data centers securely.

Data Transfer

Any data transfer between customers and Procurify’s Web Application is done using a secure 256-bit HTTPS (SSL) connection. Our application and database servers are hosted within Amazon Web Services (AWS). Data transferred within AWS is done securely on a private network. Additionally, our application and database servers are behind firewalls that allow specific access and privileges to services. For example, our application servers are allowed direct access to the database server cluster through the network & user credentials.

Data Retention

Procurify retains data for active customers of the platform. Data is stored securely across data centers at Amazon Web Services and Google Cloud Platform. Customers which do not renew their Procurify Subscription, will have 90 days to export data from the platform. Procurify will remove data from inactive customers after the 90 day period.


Users of Procurify must go to their specific web application URL to login with their individual credentials. Logins can be achieved using an email and password, Google Login, or select Single Sign On (SSO) providers. Administrators of the Procurify instance have the ability to manage user credentials, roles, and revoke access as necessary. 

Based on the user role(s) that are assigned to each user, the system will show the appropriate pages that can be accessed. If a user tries to access different pages through different links, they will be redirected to the home page (Dashboard) of the application with an error stating that they do not have the proper permissions to access that page.

System Performance

Procurify wants our customers to have the best experience when using the platform and services. Procurify has designed the product to have multiple redundancies and distributed systems. There are multiple application servers that sit behind a state-of-the-art load balancer that routes traffic to an application server with the most resources available to serve requests. Similarly, the platform runs on the current generation database server clusters that are able to serve heavy traffic loads. In the result of a failure, our systems will automatically re-adjust and re-route traffic appropriately. In the event of a complete failure, we have the ability to restore the system from other infrastructure using system scripts to rebuild servers.

Data Access

Only authenticated users can access their Procurify Instance. Any objects created (order requisitions, expense reports, travel tickets, and accounts payable objects) are tied to the specific logins with the details, comments, and attachments. Changes that are made in the system are logged in an audit log with details on the action, previous information stored, and new changes. 

Administrator users are able to use importer and exporter systems within the settings page to work with their data. Such users are able to import initial setup data that may come from other systems. Additionally, it is possible to export data generated within Procurify to other formats for the purposes of audit or to import to other systems.


Procurify uses third party subprocessors who provide infrastructure and other services, each with access to certain customer data. Prior to engaging any third party subprocessor, Procurify performs due diligence (including evaluations of their privacy, security and confidentiality practices) and executes agreements binding subprocessors to written obligations to protect customer data.

Procurify may use the following subprocessors in the delivery of services (subject to change):

Software Development & Quality Assurance

Procurify's Development Team follows best practices recommended by the Scrum Alliance, outlined in Agile Software Development. The Scrum Masters and Product Owners have been trained officially by these teams on how to execute proper requirements planning, design, developer sprint planning, delivering code based on the requirements and Procurify's internal definition of 'done' (code quality, unit tests, code review, and review by our Product Management Team), quality assurance, staging, launching to production, and sprint retrospectives for our Software Development Lifecycle (SDLC).


As products are in development, each developer is given a containerized environment that gives them the necessary resources to run the application on a local environment with a sample database. Developers work within this environment and push code changes to a centralized and secure code repository.


This environment allows Procurify's Quality Assurance Team to test the latest work, reported bugs, and performance improvements. 

A Quality Assurance team member reviews the work of the developer and test their work on a staging environment that is hosted on AWS. This allows for our Quality Assurance Team to test for any issues or failures and request fixes before deploying the system to production.


Production systems environment access is restricted to Procurify's Lead Developer / CTO and are able to administer, monitor, and make improvements to the infrastructure. The Infrastructure Team is responsible for ensuring uptime of the system. 

Test Data

In order to address customer-specific issues, Procurify's Quality Assurance Team may request environments that replicate each customer’s interface. Procurify's internal tooling allows us to sanitize any sensitive data towards a staging environment. Once fixes are created and tested, these databases are removed from the staging environment. Procurify maintains an isolation silo of staging and production environments to ensure that team members do not access production data for testing purposes.

Revision Date: September 20, 2021