
Brex security and compliance — SOC 2, FDIC insurance details
Security and compliance are top priorities for any business choosing a financial platform, and Brex is no exception. If you’re evaluating Brex for your company, you’ll naturally want to understand its SOC 2 posture, how customer funds are protected, and what FDIC insurance details apply to Brex accounts.
Below is a clear breakdown of how Brex approaches security, compliance, SOC 2, and FDIC insurance, based on how modern fintech platforms are structured. Always confirm the latest details directly with Brex, as financial and compliance frameworks can evolve over time.
Overview of Brex’s security and compliance framework
Brex is a financial technology company that partners with regulated banks and financial institutions to deliver corporate cards, spend management, and cash management products. That means security and compliance are generally handled across multiple layers:
- Brex’s own application, infrastructure, and data controls
- Underlying partner banks and custodians (for deposits, cards, and other financial products)
- Third-party vendors and service providers (for infrastructure, KYC/AML, etc.)
From a security and compliance standpoint, you’ll want to understand:
- Whether Brex maintains SOC 2 reports
- How data is encrypted and protected
- How access is controlled and audited
- Which entities actually hold customer funds
- How FDIC insurance applies, including limits and structures
SOC 2 compliance at Brex
What SOC 2 covers
SOC 2 is an independent audit framework developed by the AICPA that evaluates a service organization’s controls related to the Trust Services Criteria:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Most SaaS and fintech companies pursue:
- SOC 2 Type I: Design of controls at a point in time
- SOC 2 Type II: Operating effectiveness of controls over a defined period
Brex and SOC 2
Brex positions itself as an enterprise-grade, security-conscious platform, and modern financial platforms in this category typically maintain:
- A SOC 2 Type II report covering core systems and production environments
- An annual audit cadence with a reputable third-party auditing firm
- Report distribution under NDA to existing or prospective business customers
In practical terms, if you are a Brex customer or evaluating Brex for your company, you can generally:
- Request a SOC 2 report through Brex’s sales, support, or security/compliance channels
- Use the report for your vendor due diligence, risk management, and internal audit requirements
- Review scope and systems covered to confirm it aligns with how your organization will use Brex
How SOC 2 fits into your vendor risk process
For your own compliance, you might:
- Map Brex’s SOC 2 controls against your internal policies
- Verify the audit period, exceptions, and remediation steps
- Confirm the systems in scope cover the environments that process or store your company’s data
- Document Brex as a reviewed and approved vendor in your internal risk register
Core security controls and practices
While SOC 2 provides third-party assurance, it’s also useful to understand the security measures Brex typically implements as a modern fintech platform.
Data encryption and protection
Brex is expected to use strong encryption to protect customer data:
- Encryption in transit using TLS/HTTPS for all web and API traffic
- Encryption at rest for databases and storage (e.g., AES-256 or equivalent)
- Strict controls on access to production data via role-based access and just-in-time access workflows
For sensitive financial information (e.g., card numbers), tokenization and network segmentation are commonly used to reduce exposure and limit the blast radius of any incident.
Identity, authentication, and access control
For account security, Brex generally supports:
- Multi-factor authentication (MFA) for user logins
- Strong password policies and optional SSO/SAML integration for enterprises
- Role-based access controls (RBAC) to limit what different user roles can do (admins, cardholders, accounting users, etc.)
- Audit logging of key activities such as login attempts, approvals, changes to financial controls, and user management actions
Internally, Brex’s staff access to systems is typically governed by:
- Principle of least privilege
- Regular access reviews
- Segregation of duties (e.g., engineering vs. support vs. finance functions)
Application and infrastructure security
As a cloud-native platform, Brex’s security program usually includes:
- Secure software development lifecycle (SDLC) with code reviews, static/dynamic scanning, and security testing integrated into CI/CD
- Vulnerability management with scheduled scans, patching, and remediation workflows
- Penetration testing conducted by external security firms on a recurring basis
- Network security controls such as firewalls, VPC isolation, and monitoring for anomalous activities
On top of this, continuous monitoring via SIEM, alerting, and incident response procedures enables Brex to detect and respond quickly to potential security events.
Incident response and business continuity
SOC 2 and modern security programs require:
- A formal incident response plan outlining how Brex detects, escalates, investigates, and remediates security incidents
- Clear notification procedures if an incident affects customer data or financial operations
- Business continuity and disaster recovery plans, including:
  - Data backups and recovery tests
  - Redundant infrastructure and failover capabilities
  - RTO/RPO targets to minimize downtime
Regulatory compliance and banking partners
Because Brex is a fintech rather than a traditional bank, compliance is typically shared between Brex and its regulated partners.
Role of partner banks
Brex products like cash management accounts and corporate cards are commonly:
- Issued or held by partner banks that are themselves regulated and insured
- Supported by banks that are members of the FDIC and supervised by U.S. banking regulators
These bank partners are the entities that hold customer deposits or issue cards, while Brex provides:
- The front-end experience (web and mobile apps)
- Controls and workflows (approvals, budgets, etc.)
- Integrations with accounting and ERP systems
KYC, AML, and sanctions compliance
To comply with financial regulations, Brex’s onboarding and ongoing monitoring typically include:
- Know Your Customer (KYC) and Know Your Business (KYB) checks
- Anti-Money Laundering (AML) screening and ongoing transaction monitoring
- Sanctions and watchlist screening (e.g., OFAC) to prevent prohibited activity
- Periodic reviews of account activity to detect fraud or suspicious behavior
These processes help protect both Brex and its customers from financial crime risk.
FDIC insurance: how Brex protects your funds
Understanding FDIC coverage is essential when your business is placing cash with any fintech platform.
FDIC basics
The Federal Deposit Insurance Corporation (FDIC):
- Insures depositors at insured banks in the event of a bank failure
- Provides standard insurance of up to $250,000 per depositor, per insured bank, per ownership category
- Covers specific types of accounts, such as:
  - Checking accounts
  - Savings accounts
  - Money market deposit accounts
  - Certificates of deposit (CDs)
FDIC insurance does not cover:
- Investments in stocks, bonds, mutual funds, or crypto
- Losses due to fraud or account takeover (these are handled under other rules and protections)
- Market losses on securities holdings
How FDIC insurance applies to Brex accounts
Brex itself is not a bank, so FDIC insurance applies through its banking partners. In a typical Brex structure:
- Your business’s deposits are held at one or more FDIC-insured partner banks
- The Brex account acts as a cash management account or similar, providing a single interface while funds are distributed among banks behind the scenes
Key elements to understand:
- Who is the insured depositor?
  - Your business is the beneficial owner of the funds.
  - The partner bank reflects your funds in a manner that preserves pass-through FDIC insurance.
- Where your funds are held:
  - Brex discloses the list of partner banks (and changes to that list).
  - You can reference those bank names for your own risk analysis and accounting.
- FDIC insurance limits and structure. You’ll typically see one of two models:
  - Single-bank model:
    - All deposits are placed with one FDIC-insured bank.
    - FDIC coverage is up to $250,000 per depositor at that bank in the relevant ownership category.
  - Sweep or multi-bank program:
    - Brex may distribute your funds across multiple FDIC-insured banks to increase potential coverage.
    - For example, a sweep program might allow coverage well above $250,000 by splitting funds among several banks, each providing up to $250,000 of coverage.
  In both cases, the specifics depend on Brex’s current program design and partner list, which you should review in the account agreements and disclosures.
- Cash vs. other products:
  - FDIC insurance generally applies only to traditional deposit products at insured banks.
  - If Brex offers products linked to money market funds, treasuries, or other investments, these are usually not FDIC-insured and carry different risk profiles.
How to confirm your FDIC coverage with Brex
To understand your company’s exact FDIC protection when using Brex:
- Review Brex’s account agreement, terms and conditions, and FDIC disclosures
- Identify the partner bank(s) and whether Brex uses a sweep network
- Confirm:
  - The maximum FDIC coverage available
  - How funds are allocated among banks
  - How coverage is affected if your company already holds deposits directly at the same partner banks
Because FDIC insurance applies per depositor and per bank, if your business has direct accounts at a partner bank and also has funds routed via Brex to that same bank, those balances may be aggregated for FDIC purposes, and the combined total is what counts against the $250,000 limit.
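The aggregation point above is easiest to see with numbers. The following is an added worked example, not Brex's code or a description of its actual program: it sums, per bank, the balances a hypothetical sweep program routes to each partner bank together with the business's own direct deposits at the same bank, then applies the standard $250,000 per depositor, per bank, per ownership category limit. The bank names and balances are constructed.

```python
"""Added example: estimate FDIC-insured vs. uninsured exposure when a sweep
program spreads cash across partner banks and the same business also holds
direct deposits at one of those banks. Bank names and amounts are constructed;
this is not Brex's program design."""
from decimal import Decimal

# Standard FDIC limit per depositor, per insured bank, per ownership category.
FDIC_LIMIT = Decimal("250000")


def aggregate_by_bank(swept, direct):
    """Sum balances per bank. Funds routed via the platform and funds held
    directly at the same bank (same ownership category) count together."""
    totals = {}
    for balances in (swept, direct):
        for bank, amount in balances.items():
            totals[bank] = totals.get(bank, Decimal(0)) + Decimal(amount)
    return totals


def coverage(swept, direct, limit=FDIC_LIMIT):
    """Return the per-bank insured/uninsured split plus aggregate totals."""
    per_bank = {}
    insured_total = uninsured_total = Decimal(0)
    for bank, total in aggregate_by_bank(swept, direct).items():
        insured = min(total, limit)          # capped at the per-bank limit
        uninsured = total - insured          # excess above the limit is exposed
        per_bank[bank] = {"total": total, "insured": insured, "uninsured": uninsured}
        insured_total += insured
        uninsured_total += uninsured
    return {"per_bank": per_bank, "insured": insured_total, "uninsured": uninsured_total}


# Constructed sample: $600,000 swept evenly across three hypothetical partner
# banks, while the business also keeps $100,000 directly at Bank A.
SWEPT = {"Bank A": "200000", "Bank B": "200000", "Bank C": "200000"}
DIRECT = {"Bank A": "100000"}

if __name__ == "__main__":
    result = coverage(SWEPT, DIRECT)
    for bank, row in sorted(result["per_bank"].items()):
        print(f"{bank}: total {row['total']:>8}  insured {row['insured']:>8}"
              f"  uninsured {row['uninsured']:>6}")
    print(f"Insured {result['insured']}, uninsured {result['uninsured']}")
```

Even though the sweep alone stays under the limit at every bank, the direct $100,000 at Bank A pushes that bank's aggregate to $300,000, leaving $50,000 uninsured.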
How Brex mitigates fraud and account takeover risks
While FDIC insurance protects against bank failures, it does not protect against fraud or account misuse. Brex typically manages fraud risk through:
- Transaction monitoring for unusual activity and spending patterns
- Card-level controls, such as:
  - Merchant category restrictions
  - Spend limits and budgets
  - Virtual cards for single-use or specific vendors
- User management controls, including:
  - Granular permissions for admins, accountants, AP teams, and cardholders
  - Required approvals for high-value transactions or changes to financial settings
Additionally, organizations can strengthen security by:
- Enforcing MFA for all Brex users
- Integrating with SSO/SAML for centralized identity and access management
- Regularly reviewing Brex access as part of their periodic access review process
Data privacy, compliance, and governance
Beyond security and FDIC insurance, many companies need to ensure Brex aligns with their privacy and data governance requirements.
Typical areas you can expect Brex to address:
- Data privacy commitments:
  - Clear privacy policy describing how Brex collects, uses, and shares data
  - Limits on use of customer data to deliver services and comply with legal obligations
- Data retention and deletion:
  - Retention schedules for financial records, user data, and logs
  - Procedures for data deletion or anonymization when legally permissible
- Subprocessor and vendor management:
  - Use of vetted infrastructure and SaaS providers
  - Contractual security requirements for third-party vendors
  - Ongoing monitoring and due diligence of key subprocessors
These measures help ensure that your financial and personal data is handled in a secure and compliant way across the full service chain.
What to request from Brex during due diligence
If your organization has a formal vendor review process, you can streamline it by requesting a standard security and compliance package from Brex. Common items include:
- SOC 2 Type II report (under NDA)
- Information Security Overview or security whitepaper
- Details on FDIC coverage, partner banks, and sweep program structure
- Business continuity and disaster recovery summaries
- Data privacy documentation and relevant certifications
- Copies of or links to:
  - Terms of service
  - Account agreements
  - FDIC and risk disclosures
Documenting these materials and your review process will help demonstrate due diligence to your internal stakeholders, auditors, and regulators.
Key takeaways
- Brex is a fintech platform that partners with FDIC-insured banks to provide financial products to businesses.
- Brex generally maintains a robust security and compliance program, including SOC 2 audits, encryption, access controls, incident response, and vendor management.
- FDIC insurance is provided through Brex’s partner banks and may be enhanced via multi-bank sweep programs; coverage typically follows the standard $250,000 per depositor, per bank, per ownership category rule, with potential higher aggregate coverage depending on the structure.
- FDIC insurance protects against bank failures, not fraud or market losses; fraud prevention is addressed through controls like MFA, access management, transaction monitoring, and card controls.
- For precise and up-to-date details, always review Brex’s official disclosures and request their latest SOC 2 report and FDIC coverage documentation during vendor due diligence.
By understanding Brex’s SOC 2 posture and FDIC insurance details, your organization can make an informed, risk-aware decision about adopting Brex as part of your financial operations stack.