Q&A on GDPR

• Where does Pleo store customer data?

Our servers are located in AWS eu-west-1 (Ireland) and locally backed up, but we also send important backups to a different region for safety. We call them secondary backups, and they're located in eu-central-1 (Frankfurt).

• How long is data stored?

We will not process personal data for a longer period than is necessary, as per our Privacy Notice. To fulfil the regulatory requirements deriving from the Anti-Money Laundering obligations Directive and the local Bookkeeping Laws, data is stored for at least 5 years from the end of the business relationship, according to local applicable laws. Any data which does not fall within the scope of the mentioned legislations is deleted at the termination of the business relation and in accordance with Pleo Privacy Notice. The data retention obligations will differ within the Pleo Group, subject to applicable local laws.

If you wish to object to any data processing, please send an email to [email protected].

• Which security measures are in place? 

To see the full list of Technical and Organizational measures introduced by Pleo, please refer to our Data Processing Agreement available on the website. For information only, please find below some of the security measures in place to ensure that customer (and employee) data is treated securely and in compliance with GDPR and any other relevant local legislation.  

• ID documents that customers upload during verification are securely stored in AWS (s3) and are only accessible to Pleo’s Compliance team. This personal data is encrypted between the client and the server.
• Pleo passes the highest level of PCI-DSS Examination every year and maintains a yearly Google Security Assessment.
• In the event Pleo transfers data to a country outside of the EU/EEA - e.g. the US - Pleo ensures that the transfer is done according to GDPR safeguards. This includes entering into applicable Standard Contractual Clauses with the sub-processor, Transfer Impact Assessments, along with the implementation of technical measures to ensure the protection of Pleo customer data.

• How can I get a copy of the data that Pleo stores about me / my company?

To receive information on data stored or processed by Pleo on your behalf, please contact [email protected]. For security purposes, Pleo might require additional information to validate the truthfulness of the request received

• How can I exercise my rights under GDPR?

You can exercise any of your rights by sending an email to [email protected]. For more information, please go through our Privacy Notice. 

• Where can I find information on your sub-processors?

Please find all the information related to our partners, including our sub-processors on our data recipients dedicated webpage. In our Pleo Legal Page, you can find our Data Processing Agreement (DPA), our Cookie Policy, information on our data recipients and more. 

Regarding security at Pleo, please visit our Trust and Security page.