Built for Trust

Security by design: How Moss embeds safety into every click

Marko Todorovic headshotMarko TodorovicJune 05, 2025

This article is part of our “Built for Trust” series, where leaders from Moss share how we approach security, reliability, and compliance across the platform.

In the first post of this series, Our Chief Risk Officer Jan talked about trust as Moss’ license to operate—and how our regulatory foundation and certifications help us earn it. But security doesn’t start and end with compliance. For our customers, it also has to show up in the product. It has to feel like part of the workflow.

And that’s exactly how we approach it. Our security model isn’t bolted on after the fact. We prioritise security by design, meaning it’s baked into the platform from the ground up—through every feature, permission and practice.

It’s something finance teams can see and feel in their day-to-day use, and something spenders benefit from, even if they never notice it directly.

Security you can feel in the workflow

Finance teams using Moss often sit at the centre of company operations. They’re handling everything from approvals to month-end close. Security, in that context, has to be an enabler—not a blocker.

That’s why we’ve made design decisions that strike the right balance between control and speed. For example:

  • Role-based access ensures that admins, approvers, accountants, and spenders all see only what they need to.
  • Custom approval flows let customers set up pre-spend controls that reduce risk before money moves.
  • Audit trails and activity logs are built-in, not retrofitted—so there’s full visibility over who did what, and when.
  • SSO and MFA support ensures access remains both simple and secure, allowing teams to work efficiently without opening the door to risk.

These aren’t just features—they’re risk mitigations. And because they’re embedded in the everyday experience, they become second nature to users.

Built on the “Need to Know” principle

Internally and externally, Moss follows the principle of least privilege. Only the people who need access to something, get access to it.

This applies to how we structure access inside our teams—but it’s just as important for our customers. A junior team member shouldn’t be able to view executive budgets. A sales rep shouldn’t be able to approve their own travel claim. And no one should be able to move money without the right checks in place.

That’s why we’ve invested in:

  • Granular permission settings for every role
  • Project- and department-based visibility rules
  • Real-time access controls that finance teams can adjust on their own

These tools give our customers confidence that they’re in control, without needing IT to manage access for them.

Security that works behind the scenes

Not every layer of protection is visible, and that’s by design. Moss’ infrastructure is continuously monitored, regularly tested, and updated in line with international best practices. Customers may not see every security layer—but they benefit from it every time they log in.

Here’s a glimpse of what runs in the background:

  • Encryption for all data, both in transit (TLS 1.2+) and at rest (AES-256), ensuring your information stays protected at every stage.
  • Ongoing vulnerability management, including automated scanning, third-party penetration testing, and remediation workflows to minimise exposure.
  • EU-based hosting infrastructure that’s compliant with GDPR, ISO 27001, and other relevant regulatory standards.
  • Strong internal access governance, including least-privilege access, separation of duties, and regular audit reviews, ensures only the right people have access to sensitive systems—no more, no less.
  • Security-by-design principles guide every layer of the platform, from development practices to infrastructure and operations. At Moss, protection isn’t an afterthought, it’s foundational.

All of this contributes to the security guarantees we make to customers—and to the ISO/IEC 27001 certification we maintain through ongoing independent audits.

Secure by design = trusted in practice

Security by design isn’t just a product strategy. It’s a mindset. It’s about embedding security thinking into how features are scoped, how teams are trained, and how updates are shipped.

It means our customers don’t have to “opt in” to secure practices—they’re already there. And as a result, finance teams can spend less time worrying about access, compliance, or visibility, and more time focusing on impact.

Ultimately, good security should make the business stronger. That’s what we’re building for.

Coming next in this series:
“Protecting Payments: How Moss Secures Spend Execution and Fights Fraud”
We’ll cover how Moss protects customer funds, prevents unauthorised spend, and works with partners like Mastercard to defend against real-world fraud risks.