Security

Versa transmits structured receipt and travel transaction data between suppliers and financial systems. Protecting this data is fundamental to how the platform is built and operated.

Versa maintains a comprehensive security program covering infrastructure, application security, access controls, and operational practices.

Last updated: March 12, 2026

Compliance

Versa is SOC 2 Type II certified, audited by Johanson Group LLP. Our audit evaluates the effectiveness of controls related to security.

A full copy of the SOC 2 report is available under NDA through our Trust Center. Additional security documentation and compliance artifacts are also available there.

Infrastructure Security

Versa runs on secure, cloud-hosted infrastructure with industry-standard safeguards including:

• Encryption in transit using TLS
• Encryption at rest for stored data
• Network isolation and firewall controls
• Continuous infrastructure monitoring
• Regular vulnerability scanning

Access Controls

Access to production systems is strictly limited. Controls include:

• Role-based access control
• Least-privilege access policies
• Multi-factor authentication
• Audit logging for privileged activity
• Periodic access reviews

Application Security

Versa follows secure development practices across the software lifecycle including:

• Code review requirements
• Dependency vulnerability scanning
• Automated security checks in CI/CD
• Secrets management
• Regular patching and updates

Financial Data Handling

Versa handles structured receipt and transaction data from merchants and travel suppliers. Versa does not store payment card numbers or process card payments. Where payment metadata is transmitted (such as last-four digits of a card number), it is treated as sensitive financial information and protected by the platform’s security controls.

Incident Response

Versa maintains an incident response program to rapidly detect, investigate, and respond to potential security events. Customers are notified of confirmed security incidents affecting their data in accordance with applicable contractual and regulatory requirements.

Subprocessors

Versa works with a limited number of infrastructure and service providers to operate the platform. A current list of subprocessors is available at versa.org/legal/subprocessors.

Privacy and Data Protection

Versa processes personal data only as necessary to deliver the platform and related services. Additional information is available in our legal documentation:

• Privacy Policy
• Data Processing Agreement

Responsible Disclosure

If you believe you have identified a security vulnerability in Versa systems, please report it to security@versa.org. We appreciate responsible disclosure and will work to investigate and address valid reports promptly.