Data processing, security certifications, and data retention policy for Perk

At Perk, we are committed to maintaining the highest standards of data integrity and transparency. We want to ensure you have clear information regarding how we handle your data.

Data processing and hosting

To maintain transparency regarding the information we handle, we provide a detailed inventory of the data types involved in our services. If you choose to expand your use of the platform—for instance, by adding travel planning or events solutions—the scope of data processing will adjust to facilitate those specific services. 

For a granular and up-to-date description of all processed categories of personal data, please refer to Section 3 of our template Data Processing Agreement, available at the the legal section of the Perk website.

Perk processes personal data based on your primary location.

  • EEA-based customers: Data is processed in Ireland, Germany, Spain, and Switzerland.
  • US-based customers: Data is processed in the EEA locations and the United States.
  • UK-based customers: Data is processed in the EEA locations and the United Kingdom.

Note: Perk may share personal data within the Perk group subject to a formal internal data-sharing agreement to ensure seamless service delivery.

We maintain a transparent list of all third-party sub-processors. You can view the full list in the Perk Trust Center Sub-processors page.

Security certifications

Perk maintains a robust security program that incorporates industry-standard controls, rigorous policies, and continuous third-party verification. Currently, the Perk platform—including travel planning and spend management solutions—holds several key certifications, including ISO 27001:2022 and SOC 2 Type I

We are committed to the continuity of these protections by maintaining and renewing all existing security certifications previously held by Yokoy. Furthermore, we are actively expanding our certification coverage across the entire platform to ensure consistent, enterprise-grade security for all users.  For more information, see the Perk Trust Center.

Data retention for spend management

Perk ensures that data is retained in accordance with local legal requirements and global security standards. Our retention policies for spend management (formerly Yokoy) include the following:

  • Compliant archiving: All expense data and receipt images are stored in a secure cloud archive for legally required retention periods. For example, this includes a 10-year retention period for Switzerland and Liechtenstein to remain ESTV compliant.
  • Audit-proof storage: Data is stored such that it cannot be altered or deleted during the mandatory retention period, ensuring audit-proof archiving.
  • Offboarding and data export: Upon offboarding, customers may request a full export of their data, including receipts and attachments, in CSV or JSON formats. These exports are delivered securely via SFTP or time-limited cloud storage buckets.
  • Personal data deletion: Following a data export, customers can request the deletion of personal data. We offer options to retain data for the legal period, return all data to the customer, or perform a complete deletion upon request.
  • Finality of deletion: All deletions are performed according to local legal requirements and data protection regulations. Once data is deleted, it cannot be recovered.

For more specific information on our data handling and retention schedules, visit the Perk Trust Center.

Was this article helpful?